From perimeter-based to data-centric security. Why and How we walked that way!? Christian Schmalisch, Business Development IMTF

Transcription

1 From perimeter-based to data-centric security. Why and How we walked that way!? Christian Schmalisch, Business Development IMTF

2 From perimeter-based to data-centric security. Why and How we walked that way!? AGENDA 1 IMTF = information is king 2 Findings = the wall is cracking 3 Consequences = uncertainty 4 Our solution approach = data centric security 5 How our clients classify data # 2

3 IMTF`s basis for 27 years Secure Document Management solutions! competencies: promise: Compliance & Secure Document Management (DMS, CMS, LMS, RMS, Archive) 1. avaiod reputational damage 2. prevent data leaks protect client data protect personal data protect intellectual property 3. comply with regulations PRIVACY AVAILABILITY dealing with: OR/GeBüV, HaREGV, ElDI-V, ITAR, DSG, EU DPD, etc. Sarbanes Oxlex, SEC, MiFiD, Finma Annex 3, Basel II, ISchV etc. ISO QM, HIPPA, SOX, GxP, etc. # 3

4 How are we dealing with it? Our secret: within our DMS we have everything in place to fully protect information: Our EDOC format is the enterprise wide, object oriented and homogenous IMTF standard container for all information = data-centric security approach a generalized and enterprise wide model allowing meta data: Digital Signature, Encryption and Data Classification to fully protect information within our system (aligned to directives and standards reg. PCI-DSS, PII, PHI, CID, HIPPA etc.) + Information Usage Policy enforcement: Directory Services & Metadata = Authentication/Authorization, Access Control, Logging, Information Permission Management: Black Page, Print, Share, View etc. WHO can use the information WHAT can each person/group/role do with/to the information WHEN can the information be used WHERE can the information be used + Security Layer / Connector to take over external and to communicate our protection parameters to a certain extent # 4

5 # 5

6 # 6 How to replicate our data-centric / container-concept for the Outside??? in which we believed for the last 27 years.

7 what have we done? Analyses of our client needs: discussions and interviews within our network * Question: Make or Buy // Answer: Buy, cooperate and integrate High-level analysis of the market: Study of IT security concepts Study of IT security solutions Cooperation e3 AG and PWC Discussions with relevant stake holder / subject experts Detailed studies on IMTF compatibility with SB DLP, FINMA RS08/21, ISO27001 (ISMS), ISchV and ISG Incorporate an GTM # 7

8 Within our our DMS = we synonym could fully for confined protect information. and isolated, Outside our perimeter-based DMS, it was just IT environments! not our business and HYPERSUITE/5 Secure Document Management # 8

9 outside became chaotic! We saw the cracks in the wall and we saw the established solutions failing to effectively protect information. more & more business applications more & more locations more & more access & exit points changing communication processes overstrained security tools # 9

10 All concepts have certain limits, but to effectively protect information assets, we have to turn towards a data-centric security paradigm. Perimeter-centric and Exit-point Information Security Tools last line of defense too technical missing competencies in the information life cycle unreasonable monitoring burden Encrypted Gateways & Locations media- and locations-based protection only Information Right Management Platforms focus on enforcement by the author but the right data-centriy approach: WHO can use the information WHAT can each person/group do with/to the information WHEN can the information be used WHERE can the information be used # 10

11 Major issues in todays global, competitive and interconnected world to secure the most valuable asset: information Exchange of data incl. meta data compatibility with other systems Distributed IT Foundation functional differentiation vs. accurate data dispersed locations with the claim of data to be integer / accurate / up-to-date / accessible / usable / searchable / traceable etc. on a need-to-know basis Access / Exit Points have become chaotic controlling & awareness Stop the bleeding of structured and unstructured data Structured and unstructured data is growing exponentially in volume, in velocity, in variety and in complexity Daily mails, Source Radicati Group Tighter internal and external regulations compliance with more and more complex directives Average number of s received daily Average number of s sent daily s received with attachments daily # 11

12 Consequences and just some more informative facts Todays IT environments are borderless and as soon as information is created and exchanged it is exposed Once data it is generated and out of control, it is just out of control Increasing demanding responsibility for end-customers and suppliers Need to protect information throughout the entire lifecycle: creation + processing + collaboration + storage + archive + search + controlled deletion Businesses are slow and limited to self-detect breach activity the average time from initial breach to detection is 210 days (64% needed 90 days / 5% needed 3 years) Increased appreciation of IT security and data governance to protect information No or limited definition and enforcement of information security polices definition: What to be protected? Who can When and Where do What? enforcement: How to depict with which technology? # 12

13 # 13 How to replicate our data-centric / container-concept for the Outside??? our solution approach.

14 From perimeter-based to data-centric information protection approach its all about the first step: Classification! But how to classify data!? A Generic context B Parameter context goal: avaiod data leakage What to be protected? - Information types - Assets - etc. Why to be protected? - Regulations - Intelectual Properties - Defence - Reputation - etc. Protective Mechanism? Source? - Employees - Business units - Applications - Locations - etc. Consideration to End-User? Processes/ Use Cases? Final destination? - - Repositories - etc. structured approach DLP tools IRM platforms Classification 2 Processes 1 end-point encryption IAM labeling context # 14

15 We truly believe that Data-Centric-Security is all about embedding security and usage policy within the information itself because then, the information (metadata) itself can trigger suitable protection mechanisms! RMS / IRM 100% accurate LifeCycle Classification flexible & dynamic considering context automatic to manual = protecting vs teaching To derive suitable protection mechanism 100% Secure Creation & Access Points Open Creation & Access Points technical processes Information Protection Open Creation & Access Points Secure Creation & Access Points Open Creation & Access Points Secure Creation & Access Points perimeter # 15

16 Summary and discussion points Classification is the basis for a data-centric security approach and needs to be taken in two steps: 1. Theory = knowledge of processes & methods * 2. Technology = Classification Technology needs to be integrated into IRM platforms and Perimeter-based solutions To effectively protect and govern information assets from a technology perspective, we truly believe in the combination of: IRM platforms + DLP systems + Classification solutions Classification needs to be dynamic and flexible to adapt the life cycle of information. # 16

17 # 17 Q&A

18 # 18 Informatique-MTF SA Christian Schmalisch, Business Development