A Practical Approach to Data Loss Prevention. Richard Trezza, CISSP DLP Enterprise Solution Architect McAfee, an Intel Company Institute of Internal Auditors Long Island Chapter Annual Conference Melville Marriott Hotel May 10, 2013. Agenda. Welcome to the Wild West 2.0
A Practical Approach to Data Loss Prevention Richard Trezza, CISSP DLP Enterprise Solution Architect McAfee, an Intel Company Institute of Internal Auditors Long Island Chapter Annual Conference Melville Marriott Hotel May 10, 2013
Agenda • Welcome to the Wild West 2.0 • Privacy versus Protection • Different Languages • “Private Data” or “Personal Data” • Best Practices
Privacy versus Protection • Does a Reasonable Expectation of Privacy Exist in Cyberspace? What about at Work?
“Private Data” or “Personal Data” It depends where in the world you are: • Australia = Personal Information • India = Sensitive Personal Data • Canada = Personal Information • Brazil = Personal Information • Germany = Personal Data • Netherlands = Dutch Works Council Definition • United States = Varies Based on State Laws
“Private Data” or “Personal Data” What kind of data is “Private” or “Personal”? • Some details are obvious: Name, Address, Phone, Gender, Religion, Age, Identity Number (SSN), Primary Account Numbers (PAN), etc. • Some details are not: MAC Address, IP Address, Computer type, Browser, Smartphone Brand, City
Data Classification is Key Defines what data is “Private”, “Personal” or “Company Confidential” and how said data shall be protected. It also specifies who does what if data is breached.
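Added example (not part of the original presentation and not McAfee product code): a small content classifier that tags outbound text with the "obvious" identifiers (SSN, PAN) and the "not obvious" ones (MAC address, IP address) named on the previous slide. The regular expressions, tier labels and sample record are assumptions constructed for illustration; PAN candidates are Luhn-checked and IP candidates parsed to cut false positives.

```python
import ipaddress
import re

# Illustrative patterns (assumptions), keyed by the data types named on the slide.
PATTERNS = {
    "SSN": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "PAN": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
    "MAC": re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b"),
    "IPV4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}
OBVIOUS = {"SSN", "PAN"}  # tiering follows the slide's "obvious" / "not" split

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit counted from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def is_valid(kind: str, value: str) -> bool:
    """Second-stage validation so digit runs and bad octets are not flagged."""
    if kind == "PAN":
        digits = re.sub(r"\D", "", value)
        return 13 <= len(digits) <= 19 and luhn_ok(digits)
    if kind == "IPV4":
        try:
            ipaddress.IPv4Address(value)
        except ValueError:
            return False
    return True

def classify(text: str) -> list[tuple[str, str, str]]:
    """Return (kind, tier, matched text) for every validated identifier."""
    findings = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            if is_valid(kind, m.group()):
                tier = "obvious" if kind in OBVIOUS else "non-obvious"
                findings.append((kind, tier, m.group()))
    return findings

# Constructed sample record; the second card-like number fails the Luhn check.
SAMPLE = ("Customer John Doe, SSN 123-45-6789, card 4111 1111 1111 1111 "
          "(order ref 4111 1111 1111 1112), logged in from 192.168.1.20 "
          "on device 00:1A:2B:3C:4D:5E")

if __name__ == "__main__":
    for finding in classify(SAMPLE):
        print(finding)
```
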
Framing The Data Loss Problem • Data Types and their Data Loss Vectors: • Data-in-Motion: Network, IM Chat, Email, Web Post • Data-at-Rest: File Share, Database, Desktop, Laptop • Data-in-Use: Removable Media, Printer, Screen, Clipboard
Ubiquitous Access Compounds Risk • People have numerous accounts • People have multiple devices • People don’t perceive they have data to lose • Data is co-mingled all over the cloud
Mobile Data Loss Prevention: Similar, Yet Different • Similarities to PC: Critical mass of devices with rich data…attractive to cybercriminals; Valuable personal and business data resides and flows through the devices; Software vulnerabilities that create exploit opportunities; Traditional threats (Phishing, Rootkits, Key Loggers, Polymorphics) • Unique to Mobile: Mobile OSes are closed and diverse; CPU, memory, battery and performance limitations; New and expanded privacy concerns (lost devices, permission abuse); More attack channels (SMS, 4G, Bluetooth, NFC, WiFi, SD Card...); Increasing reliance on the cloud • Source: McAfee Labs April 2012
The Challenges of Bring Your Own Device (BYOD) • People have numerous accounts • People have multiple devices • People don’t perceive they have data to lose • Data is co-mingled all over the cloud
There is NO “Silver Bullet” Technology • A comprehensive approach is needed… • A combination of: • Technologies • Best practices • Business processes • Well Defined & Communicated Policies
Desktop Virtualization Simplifies Data Loss Risk in BYOD Environments • Data remains on server, in your datacenter • Users view/consume data, but cannot download to their system • Loss vectors are reduced (USB, DVD) and transmissions controlled through Organization’s Data Center
Best Practices • Understand your Business • Are you a data broker selling information? • Are you a marketing firm buying data? • Are you a manufacturer with Intellectual Property to protect? • Identify the data you are collecting and storing • Customers, Employees, Users of your Web Site • Only collect data that you NEED or USE • Don’t collect data that you don’t NEED or USE • Do customers, users or employees have an expectation of privacy? • What do your policies say? Revise as needed
Best Practices • Do you have a privacy policy and does it clearly state what data is collected, how it will be used and how it will be protected (adequate security)? • Has the policy been communicated to employees, customers and partners? • Do they understand the policy? • Do you audit for compliance with the privacy policy? • Monitoring for compliance is complicated because European Nations have “Works Councils” that must approve monitoring for data loss and compliance • Germany, Netherlands, Belgium are examples • Always seek approval in local Countries
Best Practices • European Laws prohibit transmission of EU Citizen data outside of the EU • Unless the recipient maintains the same levels of protection and privacy safeguards as the EU • Anonymous data is safest • Don’t combine Names, Account Numbers unless absolutely necessary • If monitoring for compliance, clearly identify what is being monitored and require “four eyes” to identify users transmitting data • Always Encrypt “personal data” when stored or transmitted
Best Practices • Seek Legal Advice and Executive Sponsorship • Utilizing and protecting data without compromising privacy in Global markets is among the most complex, dynamic IT problems today • Communicate these considerations with Management
A Practical Approach to Data Loss Prevention Questions? Richard Trezza, CISSP DLP Enterprise Solution Architect McAfee, an Intel Company Richard_Trezza@mcafee.com