
Data Protection: Securing Data In Motion, In Use, and In Storage

This article discusses the risks of data leakage and the importance of securing data in various stages such as in motion, in use, and in storage. It covers real-life examples, emerging technologies, and strategies for risk management.

parksjohn

Presentation Transcript


  1. Data Protection: Securing Data In Motion, In Use, and In Storage • John Merryman, Services Director, GlassHouse Technologies

  2. Introduction/Overview • Part 1: Enterprise Files & Data Leakage Risks • Why the Risk is Real - Data Leakage Examples • Critical Role of Data Files • Emerging Technologies – Information Classification & Management • Part 2: Technology Trends for File Data & Risk Management • Emerging Technologies – Data Loss Prevention • Adapting Information Risk Management Frameworks • Conclusion • Q & A

  3. Part 1: Enterprise Files & Data Leakage Risks

  4. About GlassHouse • GlassHouse Technologies is the leading independent consulting and services firm focused on transforming IT infrastructure. • Founded in 2001, Headquartered in Framingham, MA • Global Reach • North America: Framingham, MA (Corporate HQ); Carlsbad, CA; Pleasanton, CA; Washington D.C.; Chicago, IL; Minneapolis, MN; Durham, N.C.; New York, NY; Dallas, TX • EMEA: Weybridge, UK (EMEA HQ); Havant, UK; Raanana, Israel; Istanbul, Turkey • Over 450 people, worldwide • Over 1,000 clients in the financial services, insurance, healthcare, government, bio-pharmaceutical, life sciences and technology sectors • More than 50% of Fortune 100 companies • Recent acquisitions expanded our Data Center Services and introduced GlassHouse into the virtualization and database management space

  5. Enterprise Files & Data Leakage Risks: Why the Risk is Real • Government • U.S. Department of Veterans Affairs after the personal information of 26.5 million veterans was stolen from an employee's home (DBA took copy of database home) • November 20, 2007. The personal information of 25 million Britons, including names, addresses, dates of birth, and details of employment and bank accounts, was lost by Revenue & Customs officials when CD-ROMs containing the highly sensitive data were sent between government departments via internal mail. • July 20, 2007. A former U.S. Marine and FBI analyst was sentenced to 10 years in federal prison for espionage charges in connection with stealing classified national defense documents from the White House, the FBI, the Department of Defense, and the U.S. Department of State. Text messages, Web-based e-mail accounts and database queries were used to pull off the espionage • Commercial • In 2005, just before leaving DuPont to work for a competitor, a senior research scientist downloaded $400M worth of trade secrets from DuPont’s data library • Deutsche Bank was pulled from the Hertz IPO after an inappropriate email was forwarded to around 175 institutional accounts - at an estimated cost of €10 million to the bank. • September 22, 2007. After a business analyst at ABN Amro Mortgage in Florida signed up last year to use a popular peer-to-peer file-sharing network, she inadvertently exposed many documents from her work computer, including 5,200 unique Social Security numbers and mortgage information for thousands of people. • Black Market • From 1989 to 1997, a Senior Research Engineer for Avery Dennison sold adhesive formulas to a Chinese competitor. Avery’s losses were estimated at $30M-$50M • Stolen credit card details (including verification codes) can be purchased for between $1 and $6, while a whole identity, including bank account details, credit card, date-of-birth, and government-issued identity number, can be bought for a modest $14 to $18

  6. Enterprise Files & Data Leakage Risks: Examples of Risk Distribution

  7. Enterprise Files & Data Leakage Risks: Common Gap Areas • Information is shared with partners and service providers • Limited control over information once accessed from the server • Mobile users download sensitive data, use portable media, or go on the road • Remote users access business and IT systems w/ broad information access • Conflict of interest between internal groups (All or Nothing) • Diagram labels: Traditional Boundaries; Stress Point Exploitations; Internal Conflicts

  8. The Critical Role of Data Files: File Server Data Management – Perfect World • File management is organized • No capacity / availability issues • Appropriate groups / owners have access • Everything is compliant (information access, retention, security, etc.) • Document management is the final repository for critical files • Users can always find their data • Application data is segregated from user data

  9. The Critical Role of Data Files: File Server Data Management - Reality • Files, Files, Everywhere (Servers, Desktops, Laptops, Removable Media, etc.) • File management is a mess • File Servers / NAS out of space • Too much access, but no idea how to rein it in • Document Management system is ignored • Explosive SharePoint growth • Web 2.0 an emerging alternative • Compliance, you’re kidding right?

  10. The Critical Role of Data Files: Corporate File Landscape – What you get

  11. Emerging Technologies: Data At Rest

  12. Information Classification and Management: Vendor Functionality Matrix • * Based on ongoing market research

  13. Information Classification and Management: Common Traits • Centralized Enterprise management model • Federated Search / Reporting (global, across all instances) • Adaptable and scalable taxonomies and indexing rules • LDAP / Active Directory Integration* • Minimal invasiveness of technology (NFS, CIFS mounts) • Metadata repository (for most solutions)

  14. Information Classification and Management: Solution Architectures – Typical Example

  15. Information Classification and Management: Common Applications • Data Management • Information Lifecycle Management (archive, tiering, purge) • Data Management / Cleanup (purging junk, identify + move data, etc.) • Security • Content identification, risk analysis, remediation (PII, PCI, etc.) • High-Risk File Identification, Ownership Analysis, Remediation • Classification / Tagging • Search • Advanced Search (owner, content, proximity, metadata, etc.) • Secure Hold • Audit Reporting

  16. Information Classification and Management: The Classic ILM Vision - Issues • Vendor Lock-in issues • Limited technologies to accomplish automated data movement • File data is ideally on midrange storage • Price point b/w tiers is less and less compelling • Users expect fast retrievals • Cost Benefit vs. Level of Effort • What about purge? • Not advised for ‘the current hardware mess’

  17. Information Classification and Management: Classic ILM Vision – Technology Enablers • Network Attached Storage • Built to suit #files and data growth • Optimized file systems for file data • Advanced copy and replication feature for data recovery • File Server Virtualization • Global Name Space (this is the real home-run) • Support for Storage Tiers • Basic (very basic) policies for data movement (file age) • Information Classification and Management • Advanced reporting and actions (copy, move, purge, stubbing, etc.)

  18. Information Classification and Management: File Data Management & ILM – Realized Today

  19. Information Classification and Management: What about Purge? • Initial Cleanup Opportunities • Duplicate Data* • Non-Business Files • Junk Files • Data Retention and Purge Challenges • Operational Risk (of not having data) • Regulatory Risk (of not keeping data long enough) • Legal Risk (either having too much or too little) • Before Delete, Rationalize • File servers are not the ideal place to retain official business records, but that won’t stop users • But until document/content management (or other) systems are institutionally embraced, it’s good to err on the side of caution and retain data to ‘the outer limit’

  20. Information Classification and Management: Data Management / ILM – Getting Started • Standardize technology platform (FS, NAS, Virtualization, etc.) • Start with file level analysis (lay of the land) • Exercise Pilot or Proof of Concept, including people and process aspects • Develop use-cases for various data management opportunities (archive, purge, move, copy, etc.) • Document results, indicating benefits of high-value activities • Develop and communicate policies to support high-value activities • Deploy policies via routine data management operations • Encourage end users to actively participate

  21. Information Classification and Management: Data Security – Risk Profiles • High-Risk Data • Executable Files (traditional threats, etc.) • Payment Card Industry (PCI) Data • Visa, MasterCard, American Express • Personally Identifiable Information • Full name (if not common) • National identification number • Telephone number • Street address • E-mail address • IP address (in some cases) • Vehicle registration plate number • Driver's license number • Face, fingerprints, or handwriting • Credit card numbers • Digital identity • Gramm-Leach-Bliley Act (GLBA) • EU Data Protection / Privacy Laws • High-Risk Practices • No profile of users creating/using high risk information • No idea where high-risk data is stored • Group shares w/ high-risk data • Granting too much access to group shares • Nested group shares, and inherited permissions • Lack of auditing for group share access

  22. Information Classification and Management: Executable Files – Reporting Example

  23. Information Classification and Management: Executable Files – Reporting Example • 4 .exe files are of “unknown” type • Admin owner • 1 text license key • Admin owner • 6 HTML format • 4 Admin owner • 2 User owner • 15 direct executable format • 7 Admin owner • 8 User owner • 28 are classed as “other” being linked to the following: • MS Word • MS Works • MS PowerPoint • MS Outlook • MS Excel • MS Cab • JPEG Interchange • Self extract LZH • 3 Adobe • Admin owner • 295 are 7-bit text .exe files • 206 Admin owner • 89 User owner • 611 self-extracting .zip/.exe files • 466 Admin owner • 145 User owner • 46 Windows icon files • Admin owner • 36 Google toolbars • 16 Yahoo installers (3 server related) • 122 game .exe files (many duplicated) • 46 iTunes .exe files (music)

  24. Information Classification and Management: Data Security - Reporting Example • Source: Kazeon

  25. Information Classification and Management: Data Security - Reporting Example • Source: Kazeon

  26. Information Classification and Management: Data Security – Technical Challenges • Volume and cost of metadata storage (often 5% of total volume) • Time to ‘deep crawl’ and index all data • Canned vs. Custom Rules or Taxonomies • Signal : Noise Ratios • False Positives, False Negatives, etc. • Creating Meaningful and Actionable Output • Creating process / workflow to support remediation

  27. Information Classification and Management: Data Security – Getting Started • Profile Risks • Create focus (data location, organization, data types) • Exercise Pilot or Proof of Concept, including people and process aspects • Collect content/metadata information • Quantify Risk (Data Types, Location, Owner) • Outline Remediation Steps and Activities • Execute Remediation Activities • Use results to drive policies • Deploy policies via routine remediation operations • Encourage end users to actively participate

  28. Information Classification and Management: E-Discovery Situation • Current State • Legal E-Discovery needs are driven by ad hoc processes and controls; external vendors are often leveraged to support discovery and analysis • Discovery Requests are reactive, follow ad hoc processes, and often require re-work • Discovery Requests are often labor intensive due to the lack of process, organizational, and technology readiness • Future State • Legal Discovery requests and releases are presented in consistent format, which is structured to bridge Legal and IT perspectives • Standard processes map Discovery Requests and Hold Releases to Structured Data, Unstructured Data, and Messaging Data • Organization, procedures, and technology base is oriented to support requests • Diagram labels: Discovery!; Application / Service Teams; Infrastructure Teams

  29. Information Classification and Management: E-Discovery - Why Should Infrastructure Care? • Outside Legal Counsel • Supports Pre-Trial and Trial Proceedings • Typically ‘external face’ for litigation affairs • Typically subcontracts or delivers EDD services • In-House Legal Counsel • Works with IT teams on legal hold, discovery, search initiatives • Often has a dedicated ‘E-Discovery’ staff • Rarely seen in court • Budgets for legal costs and activities • Electronic Data Discovery Firms • Use advanced search tools to do the heavy lifting • Specialized legal / technical skills • IT budgets rarely reflect time / effort associated with E-Discovery and Legal Hold • These are negative hits to cap/opex budgets • Requests ‘Roll Downhill’ • Rarely seen in court…unless IT • Diagram labels: 1-3 Million / TB; Data and Cash; Data

  30. Information Classification and Management: E-Discovery - Why Should Infrastructure Care? • Companies with gross revenues of $1 billion or more: • Reported that their median number of pending cases was 86 (ca. 2004) • By 2006, the number of lawsuits soared to 556 cases, with almost half facing 50 new suits annually • Recent updates to Federal Rules of Civil Procedure (FRCP) (12/2006) • Legal and compliance pressures to extend paper records retention practices to data retention and management are unprecedented • Source: www.fulbright.com/litigationfindings

  31. Information Classification and Management: Search – E-Discovery Example • Search Attributes • Keyword Search • Fielded Search • Boolean Search • Fuzzy Search • Term Boosting • Give higher weight to certain terms. • Proximity Search • Search for words within a specific distance. • Range Searches • Field values between the lower and upper bound • Source: Kazeon

  32. Information Classification and Management: Search – Technical Challenges • Identifying relevant users/data locations (enterprise, desktop, remote, etc.) • Volume and cost of metadata storage AND storing search results • Bridging legal expertise w/ technology search (interface, search language, output mgmt, etc.) • Securing search results (maintaining the “golden copy”)

  33. Information Classification and Management: Search – Getting Started • Talk to legal and compliance • Review existing legal hold / discovery practices • Identify gaps and inefficiencies • Lack of tools, inefficient methods • Emailing ‘hold notifications’ • Cost of data discovery services • Lack of secure storage • Exercise Pilot or Proof of Concept • Actively engage w/ legal staff • Identify focus (Data Types, Location, Owner) • Conduct search • Document results (quantity of data, time to obtain, etc.) • Update routine search / discovery operations

  34. Part 2: Technology Trends for File Data & Risk Management • Emerging Technologies – Data Loss Prevention • Adapting Information Risk Management Frameworks • Trend Spotting • Conclusion • Q & A

  35. Data Loss Prevention: Data in Motion

  36. Data Loss Prevention: Solution Architectures – Typical Network Layer Solution • Diagram labels: Corporate Network; Datacenter; Gateway Servers; DMZ Servers (web farm, portals, mail); Windows Servers; Unix Servers; Linux Servers; Internet; Branch Offices; Mobile Workers/Branch Offices; Remote Users; Wireless Users; Mobile Clients; Network Client; DLP; SGS; Data in Motion; Data at Rest; Data in Use

  37. Data Loss Prevention: Solution Architectures – Typical Integrated Solution • Client-Server Software Architecture • Client software modules for desktop, laptop, other end-point devices • Integration w/ LDAP & Active Directory • Policy Language / Console • Reporting, auditing, and forensics • Diagram labels: Enterprise Application Server; Information Use Policies; Audit Data

  38. Data Loss Prevention: Host vs. Network Based • Host Based • End-user is involved • AD / LDAP integration and functions, identity based management • Flexibility / customization capabilities • Think Layer 7 and above • Network Based • Commonly deployed, but not for enforcement • Passive monitoring, rarely enforcement • Easy to deploy, relatively static configurations • Enforcement capability is often all or nothing • Think Layer 7 and down

  39. Data Loss Prevention: A Look at Emerging Technologies • * Based on ongoing market research

  40. Data Loss Prevention: Common Traits • Centralized Enterprise management model • Federated Monitoring and Reporting (global, across all instances) • Adaptable and scalable policies • LDAP / Active Directory Integration***** • Agent Based Software (Desktop, Laptop, Mobile Devices) • Auditing, Reporting, Logging • Workflow and automation*****

  41. Data Loss Prevention: Technology Scope • End Point Devices • Thumb drives • Flash drives • Pen drives • Memory sticks • USB drives • BlackBerrys • Digital cameras • iPods • Services • File servers • Email • Instant messenger • Web portals • Blog / Wiki • Printing • SharePoint servers • Custom dev. • Scenarios • Enterprise systems • LAN connected desktops • WAN connected Laptops • VPN • Citrix • Remote Desktops • Mobile devices / users

  42. Data Loss Prevention: Common Applications • End Point Data Protection • Limiting flow of information via externally facing services • Limiting use / mis-use of removable media devices • Confidentiality & Segregation of Duties • Limiting information flow between competing groups • Segregating information access and use by group or role • ‘Business Firewalls’ • IP Protection • Limiting risk of IP leakage via trading partners and service providers

  43. Data Loss Prevention: Policies – End Point Example • Source: NextLabs

  44. Data Loss Prevention: Document Classification / Tagging Example • Source: NextLabs

  45. Data Loss Prevention: Data Movement Controls - Example • Source: NextLabs

  46. Data Loss Prevention: Email Content Inspection - Example • Source: Orchestria

  47. Data Loss Prevention: Web Posting - Example • Source: Orchestria

  48. Data Loss Prevention: Audit / Reporting - Example • Source: Orchestria

  49. Data Loss Prevention: Overall Challenges • Identifying and deploying appropriate staff / resources • Reaching agreement on policies across disparate groups (risk, security, network, infrastructure, etc.) • Overly aggressive policies, resulting in ‘lock down’ • Potential performance impact to end-users • Open files / scanning content • Agent bloat • Deployment • Workflow management

  50. Adapting Information Risk Management: Traditional IRM vs. An Evolving Enterprise • Risk Management Demands • Operational Integrity • Regulatory Compliance • Protect Critical Information • Customer & Employee Privacy • Extended Enterprise Demands • Collaboration w/ Customers & Suppliers • Mobile and Telecommuting Employees • Contract, 3rd Party, & Outsource Staff • Multinational Organization Structures • Diagram labels: Manual Policies & Procedures; Technology Silos; Acceptance of Risk; Information Control; Business Efficiency
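
Slides 21 and 26 name PCI data (Visa, MasterCard, American Express) as a high-risk content class and false positives as a technical challenge of content identification. The sketch below is an added illustration, not taken from the presentation or from any vendor it cites: it finds card-number candidates in text and uses brand prefix rules plus the Luhn checksum to discard look-alike digit strings. The function names, the sample text and the masking format are assumptions; the card numbers are widely used test numbers, not real accounts.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")

def brand(pan):
    """Return the card brand for a digit string, or None (brands from slide 21)."""
    n = len(pan)
    if pan[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if n == 16 and (51 <= int(pan[:2]) <= 55 or 222100 <= int(pan[:6]) <= 272099):
        return "MasterCard"
    if n == 15 and pan[:2] in ("34", "37"):
        return "American Express"
    return None

def luhn_ok(pan):
    """Luhn checksum: double every second digit from the right, sum mod 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(pan):
    """Keep first 6 / last 4 digits so the report itself holds no full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan(text):
    """Return (hits, rejected): hits are (brand, masked PAN, line number)."""
    hits, rejected = [], 0
    for m in CANDIDATE.finditer(text):
        pan = re.sub(r"[ -]", "", m.group())
        b = brand(pan)
        if b and luhn_ok(pan):
            line_no = text.count("\n", 0, m.start()) + 1
            hits.append((b, mask(pan), line_no))
        else:
            rejected += 1  # digit run that only looks like a card number
    return hits, rejected

# Constructed sample file content (test card numbers plus two decoys).
SAMPLE = """\
Invoice 2024-0001 ref 4111111111111112 (order id, not a card)
Customer card: 4111 1111 1111 1111 exp 12/30
Backup card 5555-5555-5555-4444, Amex 378282246310005
Tracking no. 1234567890123456
"""

if __name__ == "__main__":
    found, noise = scan(SAMPLE)
    for b, masked, line_no in found:
        print(f"line {line_no}: {b} {masked}")
    print(f"{noise} candidate(s) rejected by prefix/Luhn checks")
```

A pattern match alone would flag all five digit runs in the sample; the prefix and checksum tests cut that to the three genuine card numbers, which is the signal-to-noise trade-off slide 26 refers to.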
