Data-centric Security

Transcription

1 Data-centric Security Rui Melo Biscaia Watchful Software Director, Product Management

2 Dead Horse Wisdom Graham, Texas Beat the horse faster, in an attempt to make it go faster Hire a consultant to point out all the reasons why the horse isn t running fast or at all Form a Tiger Team to study the issue and come back with revelations and recommendations Tie two dead horses together in an attempt to double the speed Search the internet to see how other people manage to ride dead horses Change riders Lowering the standards so that the performance of the dead horse is considered acceptable Declaring that dead horses are lower operating cost and therefore carry an acceptable ROI!! How about GET A NEW HORSE! 9/23/2013 Copyright All Rights Reserved. 2

3 Information is an asset fast becoming a target 9/23/2013 Copyright All Rights Reserved. 3

4 Are data leaks going to happen? 9/23/2013 Copyright All Rights Reserved. 4

5 The Insider Threat Security breaches (by malice or neglect), are increasingly costing more Confidential information is increasingly handled in digital formats. Easy to store but also to leak The economic downturn impels once trusted workers to borrow information and leverage it Distinction between Need: covered by compliance mandates. PCI-DSS, SOX,, state data privacy laws Should: core intellectual property, customer data Could: Internal price lists, privileged communications Well Meant Insider Malicious Insider 9/23/2013 Copyright All Rights Reserved. 5

6 What do I Need to Know? RightsWATCH and the Multi-level Security Model 9/23/2013 Copyright All Rights Reserved. 6

7 The Perimeter is no more! Name: Chuck Department: Finance Task: M&A Project Name: Bob Department: IT Task: 2014 IT Budget Name: John Department: HR Task:Payroll 9/23/2013 Copyright All Rights Reserved. 7

8 BYOD is a given Enterprise Rights Management Mobile devices have crossed the perimeter and are far beyond from Mobile system Device Management defences, opening massive holes in information security Network Access Control FORBID IS A POLICY 9/23/2013 Copyright All Rights Reserved. 8

9 The Cloud = The NEW Perimeter 9/23/2013 Copyright All Rights Reserved. 9

10 The Multi-Level Security Model The organization defines its Information Security levels The policy determines the security levels Secret Each user is assigned a security credential Policy defines rights each credential has over each level of information Access to information depends on the security credential of the user Anything over Public is encrypted Confidential Internal Public Actions can be controlled by the credentials Print, Edit, Forward, Copy, etc. 9/23/2013 Copyright All Rights Reserved. 10

11 How does it work? EVP Oops VP CEO 9/23/2013 Copyright All Rights Reserved. 11

12 A New Paradigm in Data Centric security Data Centric Security = RightsWATCH Data Classification for enhanced compliance & decrease liability; IRM Information Rights Management to enforce data protection; DLP Data Loss Prevention to apply and uphold policies. 9/23/2013 Copyright All Rights Reserved. 12

13 RightsWATCH is Data-centric Security 9/23/2013 Copyright All Rights Reserved. 13

14 Passwords do not suffice! Lack persistent verification inside the perimeter 9/23/2013 Copyright All Rights Reserved. 14

15 How secure are our Digital Identities? 9/23/2013 Copyright All Rights Reserved. 15

16 RightsWATCH is Data-centric Security Rui Melo Biscaia Watchful Software Director, Product Management

17 9/23/2013 Copyright All Rights Reserved. 17

18 Data-centric Security that: Applies Multilevel Security & Dynamic User Profiling Provides context and content-aware data labeling, tagging and protection; Delivers an enhanced user experience in requiring the user to apply a classification and/or provide automatic classification to new s and documents, based on Regular Expressions and patterns; Applies Watermarking and fingerprinting to protected content; Enhances and expands AD RMS server-side and client-side reporting and auditing, for audit trails and compliance; Extends protection support beyond Office and to ALL file formats Addresses the BYOD trend, extending AD RMS to ios, Android and BlackBerry 9/23/2013 Copyright All Rights Reserved. 18

19 1. Multilevel Security & Dynamic User Profiling Segregate access to sensitive information based on vertical and horizontal Scopes/Context: Department, Project, Supply Chain, Costumers, Partners, Ability to grant/revoke each user with multiple security clearances: In a given moment in time Within a specific role performed Secret Confidential Internal Use Public 9/23/2013 Copyright All Rights Reserved. 19

20 2. Content & Context Aware Protection Intelligent and automatic information classification based on: Regular Expressions Content Context Patterns Enforces corporate policies where compliance is: Mandatory or Suggested not prone to human error 9/23/2013 Copyright All Rights Reserved. 20

21 3. Enhanced User Experience 9/23/2013 Copyright All Rights Reserved. 21

22 3. Enhanced User Experience ( ) 9/23/2013 Copyright All Rights Reserved. 22

23 4. Watermarking and Fingerprinting Watermarking Automatic adding of watermarks, headers, footers and disclaimers to educate users and make classification explicit: Decrease company liability if and when a leak occurs Visual Labeling Fingerprinting Include metadata onto s, docs, etc in order to transform unstructured data into a more structure form, allowing it to be better picked up by Fullfeatured DLPs and/or gateways 9/23/2013 Copyright All Rights Reserved. 23

24 4. Watermarking and Fingerprinting ( ) Protects the company from a legal and compliance perspective Rules-based configuration to allow flexibility Dynamic watermark support Automatic protection policies without requiring Exchange server or server-side modifications 9/23/2013 Copyright All Rights Reserved. 24

25 5. Audit Trails & Compliance Audit Trails for: Compliance and Forensic analysis Monitor and audit company governance policies Logging of user actions (producing, saving, printing, exporting,.) over the information Logging of admin actions and the system Blacklisting On-the-Fly discretionary measures to prevent data leakages 9/23/2013 Copyright All Rights Reserved. 25

26 5. Audit Trails & Compliance ( ) Rich System Admin Experience Rapid learning curve for administrators and infrequent users alike Access segregation to information being accessed by different stakeholders; Detailed & Incremental configuration and Roll-out Deploy and use at your own pace. Doesn t disrupt workflows and existing procedures and processes Serving multiple and heterogeneous environments System integrity controls To perform damage control actions To prevent mistakes and harmful actions against AD 9/23/2013 Copyright All Rights Reserved. 26

27 6. Extending AD RMS to ALL file formats 9/23/2013 Copyright All Rights Reserved. 27

28 7. Addressing the BYOD Trend RightsWATCH keeps sensitive information safe in a BYOD world by extending Information Protection & Control to Smartphones and Tablets RMS protection goes mobile: Full Featured RMS encryption extended to mobile environments No need for extra servers The messages are accessible on the mobile devices. Possibility to reply/forward information is controlled according to user rights Create protected Consume protected ios Yes Yes Android Yes Yes BlackBerry Yes Yes Windows Phone No Yes 9/23/2013 Copyright All Rights Reserved. 28

29 Access policy to information USER CLAIMS User.Department = Finance User.Clearance = High DEVICE CLAIMS Device.Department = Finance Device.Managed = True FILE PROPERTIES File.Department = Finance File.Impact = High ACCESS POLICY For access to finance information that has high business impact, a user must be a finance department employee with a high security clearance, and be using a managed device registered with the finance department 9/23/2013 Copyright All Rights Reserved. 29