Data Leak Prevention: Safeguarding Corporate Information in a world of vanishing perimeters
Kostas Papadatos, MSc InfoSec, CISSP, ISO 27001 Lead Auditor, ISSMP, PMP
Director, Security Consulting Services, ENCODE SA
Greek ICT Forum, October 2007
Agenda
• The Business Problem…
• Why Traditional Controls Fail?
• Are We Making the Right Investments?
• What We Can Do!
Part 1: The Business Problem…
Impact from Data Leakage
• Brand damage
• Stock price
• Regulatory fines
• Loss of customers/business
• Legal and contract liability
• Notification and compensation
• Increased security costs
• Marketing and security response
• Lawsuits
The Economics of Data Leakage
• The Financial Services Authority (FSA) has fined Nationwide Building Society (Nationwide) £980,000 for failing to have effective systems and controls to manage its information security risks. The failings came to light following the theft of a laptop from a Nationwide employee's home.
• ChoicePoint to pay $15 million over data breach: the data broker sold information on 163,000 people to an alleged crime ring. In addition to a $10 million fine, ChoicePoint will also create a $5 million fund to help consumers who became victims of identity theft…
• DuPont employee walked away with $400 million in trade secrets: a company scientist downloaded 22,000 sensitive documents and accessed 16,000 others as he got ready to take a job with a competitor…
• TJX says 45.7 million customer records were compromised, with an estimated cost over $1 billion…
• … for a regulated industry the cost per data record leaked is from $90 to $305 … (Forrester Research)
Executive Directive … “Protect My Sensitive Data! …and don’t interfere with the business!”
• Simple to say but complex to deliver
• Find the data
  • Data discovery
  • Data classification
• Monitor the data
  • Identify data use and users
  • Watch the data at rest and in use
• Protect the data
  • Stop data misuse
  • Encrypt at rest based on risk
  • Encrypt in transit on the network or device
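The “find the data” step above (discovery plus classification) is the part most teams underestimate. The following is an added example, not code from the presentation or from any product: it scans a set of documents for payment card numbers, keeps only candidates that pass the Luhn check so that order numbers and other long digit strings are not flagged, and assigns a label that monitoring and protection controls can later key on. The sample documents, the label names and the RESTRICTED threshold are assumptions made for the example; the card numbers are public card-brand test numbers.

```python
"""Content-based data discovery and classification (added example).

Scans documents for payment card numbers (PANs), validates candidates with
the Luhn check to cut false positives, and assigns a classification label.
Labels, threshold and sample documents are assumptions for the example.
"""
import re
from typing import Dict, List, Tuple

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run (which rules out most IDs and hashes).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

BULK_THRESHOLD = 5  # assumed: this many PANs in one file means a cardholder export


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid card numbers in text, separators removed."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def classify(text: str) -> Tuple[str, int]:
    """Map content to a label: (label, number of PANs found)."""
    pans = find_pans(text)
    if len(pans) >= BULK_THRESHOLD:
        return "RESTRICTED", len(pans)
    if pans:
        return "CONFIDENTIAL", len(pans)
    return "INTERNAL", 0


def mask(pan: str) -> str:
    """Only the last four digits may appear in a discovery report."""
    return "*" * (len(pan) - 4) + pan[-4:]


def discover(documents: Dict[str, str]) -> Dict[str, Tuple[str, List[str]]]:
    """Classify every document; the report itself never carries a full PAN."""
    return {name: (classify(text)[0], [mask(p) for p in find_pans(text)])
            for name, text in documents.items()}


# Constructed sample documents (public card-brand test numbers, no real data).
SAMPLE_DOCS = {
    "q3-forecast.xlsx": "Revenue forecast. Order ref 4111111111111112 is not a card.",
    "refund-request.docx": "Refund to card 4012-8888-8888-1881, exp 12/09.",
    "cardholder-export.csv": "\n".join([
        "4111111111111111", "5500000000000004", "340000000000009",
        "6011000000000004", "5105105105105100",
    ]),
}

if __name__ == "__main__":
    for name, (label, pans) in discover(SAMPLE_DOCS).items():
        print(f"{label:12} {name:22} {', '.join(pans) or '-'}")
```

The spreadsheet with a 16-digit order reference stays INTERNAL because the number fails Luhn; the refund letter is CONFIDENTIAL; the export file crosses the bulk threshold and becomes RESTRICTED. In a real deployment the same classifier runs on the endpoint against files at rest and on data about to leave the machine, and the label, not the file location, drives the policy.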
Part 2: Why Traditional Controls Fail?
Defining a Critical System
(Diagram layers: Databases, Applications, Systems, Networks / Directories)
• Usually we define a system as:
  • Data
  • Business Application
  • Database Server(s)
  • Application/Web Servers and/or Mainframe
  • Supportive network infrastructure
  • …
Traditional Security Efforts
(Diagram layers: Databases, Applications, Systems, Networks / Directories)
• So we apply:
  • Network Perimeter Security
    • Simple/Common: “Border Firewall”
    • Advanced: Internal Segmentation, IPS
  • Access Control on Systems/Applications
    • Simple/Common: username/password, app/sys permissions
    • Advanced: Strong authentication, RBAC and IDM
  • System Auditing (for the very advanced)
  • Disaster Recovery
• But still we face critical security issues
What traditional security efforts cannot counter
• Exposed output files from the systems
• Information leakage by authorised users
• Changes by authorised users
• Outsourcers
  • Collection Agencies
  • Call Centers
  • Printing Houses
  • IT Outsourcers (Service Providers, Development…)
• Administrators
• Mobile Users
  • Lost laptops, removable media (USBs…)
• …
Redefining Business System Users
(Diagram layers: Databases, Applications, Systems, Networks / Directories)
• In essence we had omitted:
  • the Points of Use of the information/data processed by the system, i.e. the various workstations/laptops
  • the People
  • the Processes
Business Data Main Categories
• Application data: data that is managed by various applications (e.g. transactions, financial info, subscriber info).
• Files: documents, emails, presentations, etc. (e.g. PDFs, emails, spreadsheets, Word documents).
“Why traditional controls fail”
• Privileged Users
  • Privileged users legitimately have, and need, access to the systems and data, so access control at the application/server level cannot help much
  • On the other hand we have no “access control” at the Point of Use, i.e. the user’s PC/laptop or Terminal Services session
• Vanishing Perimeters
  • With so many parties accessing systems and data inside the border firewall we cannot talk about network perimeters anymore
• Infrastructure-centric controls are not enough
  • Our data live beyond infrastructure controls (e.g. laptops, outsourcers, business partners…)
  • With current infrastructure-centric controls it is very difficult to obtain a view of our data’s “whereabouts”: who accessed what, and what they did with it!
Part 3: Are We Making the Right Investments?
Priorities for data protection
Which type of breaches are a top or high priority to your company?
  86%  Network or system vulnerabilities
  77%  Trojans on employee computers
  75%  Web site vulnerabilities
  75%  Attacks on customer desktops
  73%  Insider abuse: unauthorized access
  70%  Spyware on employee computers
  57%  Insider abuse: authorized users
  51%  Hardware theft
  49%  Social engineering
  48%  Theft of backup tapes
  39%  Paper theft
Percentages reflect those who answered “top priority” or “high priority.”
Source: Forrester user survey of 83 data protection decision-makers, December 2005
Where data breaches are really occurring
What are the primary means by which data breaches occurred in 2005?
  39%  Insider abuse: authorized users
  29%  Hardware theft
  29%  Trojans on employee computers
  21%  Spyware on employee computers
  18%  Attacks on customer desktops
  14%  Social engineering
  14%  Insider abuse: unauthorized access
  11%  Paper theft
  11%  Web site vulnerabilities
   7%  Network or system vulnerabilities
   4%  Don't know
   0%  Theft of backup tapes
Base: 28 of the 83 (34%) data protection decision-makers who experienced at least one breach
Source: Forrester user survey of 83 data protection decision-makers, December 2005
Protection priorities don't align with reality
Priority gap per breach type, from highest to lowest. The figures are consistent with each type's rank by degree of concern (previous priorities table) minus its rank by degree of likelihood (previous breaches table), so a positive gap means the breach is more likely than its priority suggests and a negative gap means it is getting more attention than the breach data warrant:
  +6  Insider abuse: authorized users
  +6  Hardware theft
  +3  Social engineering
  +3  Paper theft
  +2  Spyware on employee computers
  -1  Trojans on employee computers
  -1  Attacks on customer desktops
  -1  Theft of backup tapes
  -2  Insider abuse: unauthorized access
  -6  Web site vulnerabilities
  -9  Network or system vulnerabilities
Source: Forrester user survey of 83 data protection decision-makers, December 2005
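To make the gap figures reproducible rather than read off a chart, here is an added example (not part of the presentation) that recomputes them from the two survey tables. It assumes the gap is a breach type's rank by degree of concern minus its rank by degree of likelihood, with ties resolved in the order the tables list them; under that assumption it yields exactly the eleven values on the slide.

```python
"""Recompute the slide's priority gap from the two Forrester tables.

Added example, not part of the presentation. Gap = rank by concern minus
rank by likelihood; ties keep the order of the source tables. A positive gap
means the threat is more likely than its priority suggests.
"""
from typing import Dict, List, Tuple

Survey = List[Tuple[str, int]]

# Share of respondents calling the breach type a top or high priority.
CONCERN: Survey = [
    ("Network or system vulnerabilities", 86),
    ("Trojans on employee computers", 77),
    ("Web site vulnerabilities", 75),
    ("Attacks on customer desktops", 75),
    ("Insider abuse: unauthorized access", 73),
    ("Spyware on employee computers", 70),
    ("Insider abuse: authorized users", 57),
    ("Hardware theft", 51),
    ("Social engineering", 49),
    ("Theft of backup tapes", 48),
    ("Paper theft", 39),
]

# Share of breached respondents naming it a primary means of a 2005 breach.
LIKELIHOOD: Survey = [
    ("Insider abuse: authorized users", 39),
    ("Hardware theft", 29),
    ("Trojans on employee computers", 29),
    ("Spyware on employee computers", 21),
    ("Attacks on customer desktops", 18),
    ("Social engineering", 14),
    ("Insider abuse: unauthorized access", 14),
    ("Paper theft", 11),
    ("Web site vulnerabilities", 11),
    ("Network or system vulnerabilities", 7),
    ("Theft of backup tapes", 0),
]


def ranks(survey: Survey) -> Dict[str, int]:
    """1-based rank by descending share; sorted() is stable, so ties keep table order."""
    ordered = sorted(survey, key=lambda item: -item[1])
    return {name: position for position, (name, _) in enumerate(ordered, start=1)}


def priority_gap(concern: Survey, likelihood: Survey) -> List[Tuple[str, int]]:
    """(breach type, concern rank minus likelihood rank), largest gap first."""
    by_concern, by_likelihood = ranks(concern), ranks(likelihood)
    gaps = {name: by_concern[name] - by_likelihood[name] for name in by_concern}
    return sorted(gaps.items(), key=lambda item: -item[1])


if __name__ == "__main__":
    for name, gap in priority_gap(CONCERN, LIKELIHOOD):
        print(f"{gap:+3d}  {name}")
```

The same two-list comparison works for any pair of “what we worry about” and “what actually happened” surveys, which is the check worth repeating against your own incident data before the budget discussion in the last section.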
Part 4: What We Can Do!
What we have to do
• Even the best access control at the application/server level cannot help much with data protection when it comes to authorised users (internal or otherwise)
• What we have to do:
  • Accountability & control at the Point of Use, i.e. the endpoint
  • Distribute controls throughout our “redefined” system
  • Ensure that these controls cannot be bypassed even by privileged users (e.g. Admin) and can be centrally managed
  • Data-centric controls instead of only infrastructure-centric ones
  • Context-based controls instead of “black & white” ones
What DLP products do
• They secure the “Virtual Perimeter” for data
How DLP technology works [1]
• Monitor & control every data access/transfer activity:
  • File access
  • Network uploads/transfers
  • Print operations
  • Removable media
  • Clipboard operations
  • Application field-level logging
• Enforce risk/classification-based policies
• Allow business operations; stop/alert for unauthorised/suspicious ones!
How DLP technology works [2]
For every data-handling event the policy engine asks four questions:
1. Where did the data come from? (What classification?)
2. What is the user doing with it? Read, Write, Print, Move, Burn, Copy/Paste, Upload, etc.
3. Where is the data going? Devices, Applications, Networks
4. What is the policy regarding actions to be taken?
How DLP technology works [3]: example policy rules
• “All files coming from the xyz file share should be ‘vaulted’ in a specific directory”
• “All files coming from the xyz client application should be ‘vaulted’ in a specific directory”
• “No copy/paste outside the business app client xyz”
• “Files in directory xyz can be printed only on printer ABC”
• “Files in directory xyz cannot be copied to removable media (e.g. USB sticks, CD/DVD)”
• “All files coming from the xyz file share should be ‘transparently encrypted’”
• …
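The four questions and the rule sentences above are exactly the shape of an endpoint policy engine. The following is an added example, not code from the talk or from any DLP product: each event records where the data came from (which fixes its classification), what the user is doing and where the data is going; the policy is the slide's rules written down in order, and the first matching rule decides the action. The share path, vault directory, application, printer and device names are invented for the example, as are the sample events.

```python
"""Endpoint DLP policy evaluation along the slide's four questions (added example).

Not code from the presentation or any product. Share, vault, application,
printer and device names are hypothetical; events are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Iterable, List, Tuple

FINANCE_SHARE = r"\\fs01\finance\*"        # hypothetical "xyz file share"
BIZ_APP = "CRM-Client"                      # hypothetical "business app client xyz"
VAULT = r"C:\Vault\*"                       # hypothetical vault directory on the endpoint
APPROVED_PRINTER = "PRN-FINANCE-01"         # hypothetical "printer ABC"
REMOVABLE = ("usb:*", "cd:*", "dvd:*")      # how this agent names removable-media targets


def matches_any(value: str, patterns: Iterable[str]) -> bool:
    """Case-insensitive glob match; backslashes are literal in fnmatch patterns."""
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)


@dataclass(frozen=True)
class Event:
    user: str
    source: str        # 1. where did the data come from? share, vault, application
    action: str        # 2. what is the user doing? read, write, move, print, burn, copy_paste, upload
    destination: str   # 3. where is it going? directory, printer, removable media, URL, application
    privileged: bool = False  # local admin or not; the policy must not care


@dataclass(frozen=True)
class Rule:
    name: str
    sources: Tuple[str, ...]
    actions: Tuple[str, ...]
    destinations: Tuple[str, ...]
    verdict: str       # 4. what does the policy say? allow | encrypt | alert | block

    def applies(self, e: Event) -> bool:
        return (matches_any(e.source, self.sources)
                and e.action in self.actions
                and matches_any(e.destination, self.destinations))


# Ordered: each specific allow must come before the generic block that follows it.
POLICY = (
    # "All files coming from the share / the client application should be vaulted":
    # writes and moves may land only in the vault, and are transparently encrypted there.
    Rule("vault-only", (FINANCE_SHARE, BIZ_APP), ("write", "move"), (VAULT,), "encrypt"),
    Rule("vault-only-elsewhere", (FINANCE_SHARE, BIZ_APP),
         ("write", "move", "burn", "upload"), ("*",), "block"),
    # "No copy/paste outside the business app client"
    Rule("clipboard-inside-app", (BIZ_APP,), ("copy_paste",), (BIZ_APP,), "allow"),
    Rule("clipboard-outside-app", (BIZ_APP,), ("copy_paste",), ("*",), "block"),
    # "Files in the vault can be printed only on printer ABC"
    Rule("print-approved", (VAULT,), ("print",), (APPROVED_PRINTER,), "allow"),
    Rule("print-elsewhere", (VAULT,), ("print",), ("*",), "block"),
    # "Files in the vault cannot be copied to removable media"
    Rule("no-removable", (VAULT,), ("write", "move", "burn"), REMOVABLE, "block"),
    # Uploads of vault data are unusual but not forbidden: let them through and alert.
    Rule("upload-alert", (VAULT,), ("upload",), ("*",), "alert"),
)
DEFAULT = "allow"   # ordinary business operations proceed untouched


def evaluate(e: Event, policy: Tuple[Rule, ...] = POLICY) -> Tuple[str, str]:
    """Return (verdict, rule name). The privileged flag is deliberately never consulted."""
    for rule in policy:
        if rule.applies(e):
            return rule.verdict, rule.name
    return DEFAULT, "default"


def audit(events: Iterable[Event]) -> List[str]:
    """One log line per event, in the form a central console would collect."""
    lines = []
    for e in events:
        verdict, rule = evaluate(e)
        lines.append(f"{verdict.upper():7} {e.user:6} {e.action:10} "
                     f"{e.source} -> {e.destination} [{rule}]")
    return lines


# Constructed events covering each rule plus the default path.
SAMPLE_EVENTS = [
    Event("alice", r"\\fs01\finance\q3.xlsx", "write", r"C:\Vault\q3.xlsx"),
    Event("alice", r"\\fs01\finance\q3.xlsx", "write", r"D:\Temp\q3.xlsx"),
    Event("bob", BIZ_APP, "copy_paste", "Outlook"),
    Event("bob", BIZ_APP, "copy_paste", BIZ_APP),
    Event("carol", r"C:\Vault\q3.xlsx", "print", APPROVED_PRINTER),
    Event("carol", r"C:\Vault\q3.xlsx", "print", "PRN-LOBBY"),
    Event("dave", r"C:\Vault\q3.xlsx", "move", r"usb:E:\q3.xlsx", privileged=True),
    Event("dave", r"C:\Vault\q3.xlsx", "write", r"C:\Vault\q3-v2.xlsx", privileged=True),
    Event("erin", r"C:\Vault\q3.xlsx", "upload", "https://files.example.net/upload"),
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_EVENTS)))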
Putting it all together…
(Diagram: business data held in the Databases, Applications, Systems and Networks / Directories layers, covered by Traditional Controls; data flows out to the users, i.e. Employees, Partners and Outsourcers, where DLP Controls protect the virtual perimeter)
But most important… • Understand your risk profile. • Set proper priorities. • Allocate budgets accordingly.