White Paper. The Information-Centric Security Architecture. By: Jon Oltsik Enterprise Strategy Group. July 2007


Copyright The Enterprise Strategy Group, Inc. All Rights Reserved.

Table of Contents

Overview
One Step Forward, Two Steps Back
What Is Going On?
Think In Terms of Security Architecture, Not Security Products
    Storage Infrastructure Services
    Data Management Services
    Management Services
    Access Services
The Information-Centric Security Architecture At Work
EMC and the Information-Centric Security Architecture
The Bottom Line

Overview

A year ago, in response to growing concerns about the state of information security, ESG published a white paper titled,. As a review, 2005 held the dubious distinction as the worst year on record for publicly-disclosed data breaches. In the United States alone, there were a total of 130 publicly disclosed data breaches exposing the private data (i.e. social security number, health information, credit card number, etc.) of over 55 million American citizens (source: privacyrights.org). The ESG paper was written to provide an analysis of the problem and some risk management guidance.

Has there been any progress in the past year? Yes, in areas such as:

Data security standards. Federal, state, and industry mandates continue to impose more stringent data security requirements. For example, in the United States, OMB Directive M (published May, 2007) required government agencies to establish appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records. In another instance, the September 2006 Payment Card Industry Data Security Standard (PCI DSS) version 1.1 clarified user confusion around the initial specification while enhancing data security requirements and safeguards. The 5 founding PCI members (American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International) also established the PCI Security Standards Council, an independent body formed to develop, enhance, disseminate and assist with implementation of security standards for payment account security ( ESG believes that PCI is rapidly becoming a leading data security model and expects other industries to follow this example.

Technology adoption. To bolster data security, ESG Research indicates that large organizations are deploying more technology safeguards such as multi-factor authentication, data leakage protection, Security Incident Management (SIM) software, and various forms of data encryption. For example, ESG found that 77% of large organizations are encrypting the data on many of their laptop computers (see Figure 1). This high penetration rate is certainly in reaction to the large number of visible data breaches resulting from lost/stolen laptops over the past few years.

Figure 1. Laptop Encryption Penetration
Has your organization implemented laptop encryption? (Percentage of Respondents, N = 206)
    Yes, we have implemented laptop encryption: 77%
    No, we have not implemented laptop encryption but plan on doing so in the next 12 months: 9%
    No, we have not implemented laptop encryption and have no plans to do so: 10%
    Don't know: 4%

Privacy regulations. In the United States, 35 states had enacted privacy legislation by the end of 2006 while 9 states have introduced privacy bills or amendments in At the federal government level, there are numerous data privacy and identity theft bills in various stages in both the U.S. House of Representatives and Senate. For example, S. 495: Personal Data Privacy and Security Act of 2007 (aka: The Specter/Leahy Bill) was introduced into the Judiciary Committee for deliberation on February 6, This bill is intended to prevent and mitigate identity theft, to ensure privacy, to provide notice of security breaches, and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information.

One Step Forward, Two Steps Back

Clearly the examples described above are signs of progress, but it seems like each ray of hope is overshadowed by a tidal wave of bad news. In 2006, there were a total of 342 publicly-disclosed data breaches exposing the personal records of over 49 million American citizens (source: privacyrights.org), more than doubling the amount of reported incidents from the previous year! These breaches impacted large and small organizations in every type of industry segment, and the breaches themselves ranged from human error to criminal intent (see Table 1).

Table 1: Examples of Data Breaches in 2006 (source: privacyrights.org)

Date | Organization | Breach | Number of records
January 26, 2006 | Providence Home Services | Stolen tapes | 365,000
February 16, 2006 | U.S. Department of Agriculture | | 350,000
March 22, 2006 | Hewlett-Packard | Stolen laptop | 196,000
April 23, 2006 | U. of Texas, McCombs Business School | Hacker attack | 197,000
May 22, 2006 | U.S. Department of Veterans Affairs | Stolen laptop | 26,500,000
June 13, 2006 | KDDI | Hacker attack | 4,000,000
July 21, 2006 | Special Funds Conservation Committee | Stolen computer | 540,000
August 2, 2006 | Vassar Brothers Medical Center | Stolen laptop | 257,800
September 7, 2006 | Chase Card Services | Disposal-Tapes | 2,500,000
October 24, 2006 | Chicago Board of Election | Web application attack | 780,000
November 27, 2006 | Greenville South Carolina County School District | Disposal-Computer | 100,000
December 12, 2006 | Aetna Inc./Group Health Insurance Inc./Nationwide | Stolen tapes | 396,279

The 342 publicly-disclosed data breaches in 2006, or the subset illustrated above, represent a true cross section of U.S.-based private and public organizations. Some of these institutions may have lax security, but others are amongst the most technically sophisticated, security-focused organizations in the country.

Just how widespread is the data breach problem? According to a recent ESG Research survey of security professionals, nearly one-third of organizations with over 1,000 employees suffered a data breach in the last 12 months (see Figure 2). The frightening reality is that when it comes to data breaches, no one is immune.

Figure 2. Data Breach Incidents over the Past 12 Months
To the best of your knowledge, has your organization experienced one or more confidential data security breaches over the past 12 months? (Percent of respondents, N = 206)
    Yes: 32%
    No: 58%
    Don't know: 10%

What Is Going On?

This situation makes no sense! Data breaches continue to plague organizations in spite of increasing privacy legislation and additional security investments. Unfortunately, this disconnect continues because:

Confidential data is everywhere and volume continues to grow. In a 2005 survey of 227 North American-based security professionals working at organizations with at least 1,000 employees, 47% of respondents said that they would classify at least half of their data as confidential. This data is spread throughout the enterprise in various data formats (structured databases, unstructured file systems, and IM content, etc.), systems (mainframes, servers, PCs, mobile devices, etc.), and applications. With the introduction of additional laptop computers, wireless networks, and business applications in 2006, confidential data distribution is further out of control.

Vulnerabilities are on the rise. After a few years of relative stability, the number of vulnerabilities tracked by CERT was up precipitously in 2005 and 2006 (see Figure 3). The combination of more vulnerabilities and an ever-growing amount of confidential data presents the digital equivalent of dynamite and a match - hackers have more nefarious roads to breach confidential data than ever before.

Figure 3. CERT Vulnerabilities Are On the Rise

Tactical security solutions can't span the enterprise. Yes, organizations are adding security defenses, but they continue to proceed on a tactical basis with point technologies to address the threat du jour. A laptop gets stolen at one company so another implements laptop encryption. Patient data is leaked through an unprotected e-mail so the next hospital implements a data leakage appliance at its network gateway. These solutions may provide a bit of relief, but they don't talk amongst each other and are glued onto the infrastructure rather than amalgamated into the data model.

Simply stated, tactical security defenses grow as a function of the threat landscape, changing legislation, and budgets - slowly and steadily. At the same time, confidential data growth and distribution proceeds unabated while the number of vulnerabilities continues to climb. This creates an ever-growing risk gap that increases the threat to information assets on a daily basis (see Figure 4). Clearly, enterprises need a new way to address these problems systematically and quickly to break this vicious cycle.

Figure 4. The Confidential Data Security Risk Gap (axes: Growth, Time; labels: Confidential Data Growth, Confidential Data Breach Risk Gap, Number of Vulnerabilities, Security Investment)

Think In Terms of Security Architecture, Not Security Products

The problem with tactical security products is that they address discrete threats and finite amounts of data in a series of solution silos. Enterprises can continue to add individual confidential security silos for added protection, but this model can quickly become a costly operations nightmare and can't offer the security benefits of an integrated, layered defense. To keep up with sophisticated threats and an avalanche of data growth, large organizations need to address confidential data security with a more horizontal, architectural approach. ESG believes that this will ultimately create an Information-centric security architecture. Rather than a series of vertical security tools, the Information-centric security architecture is made up, from the bottom up, of 4 horizontal services (see Figure 5):

Figure 5. Information-Centric Security Alternatives (left panel: Today's Information-centric security silos, showing Rights management, Secure storage, Content scanner, and Access Management over data on a laptop, storage array, e-mail store, and file server; right panel: The ESG Information-centric security architecture, showing Access Services, Management Services, Data Services, and Storage Infrastructure Services)

1. Storage infrastructure services
2. Data services
3. Management services
4. Access services

Each architectural layer provides services for specific protection across multiple data repositories like storage arrays, file systems, e-mails and content management archives. The layers work in concert, enabling data access, policy enforcement, and management oversight that can be tailored to business processes across the enterprise (see Figure 6).

Figure 6. The ESG Information-Centric Security Architecture
    Access Services: Authentication; Authorization/rights management
    Management Services: Key management; Policy management; Monitoring/alerting; Reporting/auditing
    Data Services: Discovery; Classification; Data modeling; Data mapping; Meta data repository
    Storage Infrastructure Services: Secure storage network; Secure storage partitioning; Cryptographic processing; ILM services (archiving, consolidation, tiering, etc.); Infrastructure services (mirroring, virtualization, cloning, etc.)

Storage Infrastructure Services

Since storage devices such as hard disk drives, tape libraries, and storage arrays ultimately house all the data, the information-centric security architecture starts with this physical tier. The objective is to add security protection to the existing storage infrastructure with capabilities such as:

Secure storage networking and partitioning. The storage layer should support features for secure storage networking like trusted relationships between devices, secure Fibre Channel switch zoning, and LUN masking. Progress here depends upon the creation and implementation of standards such as the Fibre Channel Security Protocol (FC-SP), ANSI T10 and T11, IEEE p1691, and the Trusted Computing Group's storage specification.

Cryptographic processing. Over the next few years, more and more cryptographic processing will migrate from software and appliances to dedicated co-processors on storage devices. Indeed, this is already happening with a growing sub-set of laptop hard drives and tape drives. As on-board cryptographic processors become more ubiquitous, encryption will become a core storage security service in the information-centric security architecture.

Information lifecycle management functionality. Storage software functionality such as automated archiving, data consolidation and tiering must merge with security protection for encryption, key management and auditing. The storage security services tier will be built with secure open interfaces to enable secure ILM.

Data Management Services

Information security is an information management problem. You can't secure what you don't manage, and you can't manage what you don't know exists. Data management services inventory and tag sensitive data, and make this intelligence available to other layers in the stack to enable policy enforcement. These key services include:

Data discovery and classification. Data and infrastructure sprawl has created islands of information across the organization that would-be stewards may not even know exist. Discovery tools must auto-discover repositories and shares of information, and classify this information automatically based on file metadata, predefined patterns, or advanced semantic analysis.

Data modeling. Once the data is discovered and classified, relationships between data elements must be modeled to define the right access and usage rights needed for business processes. While complex, this exercise can help enable business collaboration while simultaneously identifying areas of significant risk.

Meta data tagging. Data classification must be enabled through standard Meta data tagging of all data elements. These tags travel with the data and tell technology devices what actions need to be taken. For example, the payroll file can be tagged as confidential, specifying who can see it and what actions they can take. When a malicious HR administrator tries to copy the file to a flash drive, e-mail it to a headhunter or export the data to an Access Database, she will be foiled in all cases by intelligent infrastructure acting on the encapsulated Meta data. This type of policy enforcement will only work when storage devices can enforce policies based upon specific instructions contained in the Meta data tags.

Data mapping. To keep up with activities, the management layer will know where confidential data is, when it changes, and where it moves to. This information will likely be stored in a database but will be supported by strong visualization and analysis tools. When the Chief Privacy Officer wants to see where data flows, she will be able to get real-time and historical maps to review for policy and technology vulnerabilities.

Management Services

The management services tier provides shared services for instituting, monitoring, and enforcing security and privacy policies. These services are centralized in order to provide scale, improve security, and streamline operations. Information-centric security needs will vary across data sets, business processes, and functional IT teams. To accommodate these diverse needs, management services must provide published APIs for integration with many types of individual applications. Furthermore, management services must support role-based access control to ensure that users are limited to functionality needed for their job responsibilities and nothing more. Management services include:

Policy management. The goal here is "implement once, enforce broadly". In other words, the information-centric security architecture centralizes policy creation and changes. Once established, technology widgets throughout the enterprise are provided with policy enforcement rules. When Acme Co. decides to buy XYZ Inc., it sets up a policy that covers all data (i.e. e-mails, documents, database objects, etc.) related to the due diligence process. This action triggers specific data management and security policies that are enforced across the architecture:

    Document storage will be limited to specific repositories with restricted access to a cross-functional group of employees and external constituents.

    All data will be encrypted at rest and in flight, and accessing documents will require two-factor authentication.

Key management. It is likely that actual cryptographic processing will take place on storage devices, databases, file systems, laptops, and appliances. This is a good model as it maximizes performance and allows for scale over time. That said, however, enterprise organizations will want to centralize key management. Why? Keys need to be closely guarded and administered or data gets lost, stolen, or rendered unreadable. Centralized key management must provide high availability, role-based access controls, strong data management, and detailed auditing.

Auditing and reporting. Each services layer will provide health and status data for analysis. This data will be accessible as a management service for analysis, reporting, and auditing customized for different roles and needs, including proof of regulatory compliance.

Access Services

This layer is centered on who gets the right to use data and what they are allowed to do with it once they gain access. Services include:

Authentication. Whether a knowledge worker wants a document or a storage administrator needs access to a Fibre Channel switch, everyone will authenticate through a central service. This will help map users, roles, and groups to specific activities while providing an audit trail.

Fine-grained authorization. When users gain access to devices, networks, or data repositories, someone still has to define what they can see and do. In the information-centric security architecture, this authorization moves from individual applications to become a shared service. Actual policy enforcement is communicated from the policy management service to the authorization service and then to technology elements for enforcement.

The Information-Centric Security Architecture At Work

By layering these services, the information-centric security architecture can monitor and enforce security/privacy policies AND enable collaborative business processes. Geographically dispersed individuals with no organizational ties to each other can securely share documents on an ad hoc basis. These documents carry rules with them so that each technology element can enforce policies while logs capture activities and violations. Process automation and service integration allow organizations to respond as business or security needs change over time.

Figure 7 below presents an example of how an information-centric security architecture can enable a specific business process for a pharmaceutical company. To formulate a new drug, the chief scientist of a major pharmaceutical company hires a university professor as a part-time consultant. Even though the professor is not an employee, he is given access to extremely confidential documents for review. Since these documents have been tagged as top secret, they are stored and transmitted in ciphertext. The remote professor can only access these documents by authenticating using multi-factor authentication, and while the Chief Scientist can save these documents and view them on a home computer, the professor is granted read-only access. When the professor's consulting project ends after 30 days, he can no longer view the encrypted file (see Figure 7).
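The pharmaceutical scenario above, modeled as a small policy decision sketch in which the classification tag selects the policy, each user holds specific rights, and the professor's key is destroyed when his grant expires. This is an added example, not code from ESG or EMC; the class names, policy fields, user names and dates are assumptions made for illustration, and the key is an opaque random value rather than a real cipher integration.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Policy is defined once per classification tag ("implement once, enforce broadly").
# Field names are hypothetical.
POLICIES = {
    "top-secret": {"require_mfa": True, "encrypt": True},
    "public": {"require_mfa": False, "encrypt": False},
}

@dataclass
class Document:
    name: str
    classification: str            # the metadata tag that travels with the data

@dataclass
class Grant:
    rights: frozenset              # e.g. {"read"} or {"read", "save"}
    expires: Optional[datetime]    # None means the grant does not expire

class KeyManager:
    """Central key service: one data key per (document, user)."""
    def __init__(self):
        self._keys = {}
    def issue(self, doc, user):
        self._keys[(doc.name, user)] = secrets.token_bytes(32)
    def get(self, doc, user):
        return self._keys.get((doc.name, user))
    def destroy(self, doc, user):
        self._keys.pop((doc.name, user), None)

class Enforcer:
    """Authorization service that every access request passes through."""
    def __init__(self, keys):
        self.keys = keys
        self.grants = {}           # (document name, user) -> Grant
        self.audit = []            # one record per request, allowed or denied

    def grant(self, doc, user, rights, now, days=None):
        expires = now + timedelta(days=days) if days is not None else None
        self.grants[(doc.name, user)] = Grant(frozenset(rights), expires)
        if POLICIES[doc.classification]["encrypt"]:
            self.keys.issue(doc, user)

    def request(self, doc, user, action, now, mfa=False):
        decision, reason = self._decide(doc, user, action, now, mfa)
        self.audit.append((now, user, doc.name, action, decision, reason))
        return decision, reason

    def _decide(self, doc, user, action, now, mfa):
        policy = POLICIES.get(doc.classification)
        if policy is None:
            return "deny", "unknown classification"   # fail closed on untagged data
        g = self.grants.get((doc.name, user))
        if g is None:
            return "deny", "no grant"
        if g.expires is not None and now >= g.expires:
            self.keys.destroy(doc, user)  # without the key the ciphertext stays unreadable
            return "deny", "grant expired"
        if policy["require_mfa"] and not mfa:
            return "deny", "mfa required"
        if policy["encrypt"] and self.keys.get(doc, user) is None:
            return "deny", "no key"
        if action not in g.rights:
            return "deny", "action not granted"
        return "allow", "ok"

def run_scenario():
    """Replay the scenario with constructed dates; returns decisions, key state, audit size."""
    t0 = datetime(2007, 7, 1, 9, 0)
    km = KeyManager()
    pep = Enforcer(km)
    doc = Document("formula.doc", "top-secret")
    pep.grant(doc, "chief_scientist", {"read", "save"}, t0)
    pep.grant(doc, "professor", {"read"}, t0, days=30)
    decisions = [
        pep.request(doc, "professor", "read", t0 + timedelta(days=1), mfa=True),
        pep.request(doc, "professor", "read", t0 + timedelta(days=1), mfa=False),
        pep.request(doc, "professor", "save", t0 + timedelta(days=2), mfa=True),
        pep.request(doc, "chief_scientist", "save", t0 + timedelta(days=2), mfa=True),
        pep.request(doc, "professor", "read", t0 + timedelta(days=31), mfa=True),
    ]
    return decisions, km.get(doc, "professor"), len(pep.audit)

if __name__ == "__main__":
    for d in run_scenario()[0]:
        print(d)
```

Denied requests are written to the audit list as well as allowed ones, which is what lets the management layer report on violations and not only on access.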

Figure 7. The Information-Centric Security Architecture at Work (diagram labels: University Professor, Chief Scientist, 30 day key, read-only, Internet, LAN)

1. The policy is created for access/usage rules for Top Secret documents.
2. Document is classified as Top Secret and tagged accordingly.
3. University professor hired as consultant and given access to Top Secret document.
4. An encrypted copy is sent to the professor with authorization rules. Professor can only read the document while the chief scientist is allowed to save it to a flash drive.
5. After 30 days, the professor's local encryption key is destroyed and he can no longer access the file.

The business policies described above are enforced through the cooperation of services and multiple technology elements in the Information-centric security architecture. Privacy and security officers designate usage policies and then use the policy management engine to create a profile and enforcement rules for top secret documents. Business managers are provided with drag and drop tools to classify documents on their own. When the university professor is hired as a consultant, business and IT managers undertake a formal workflow process to add him to the access control list and assign specific digital rights to his account (i.e. account duration, privacy enforcement, confidentiality enforcement, acceptable usage, etc.). In this way, the information-centric security architecture creates, monitors and enforces secure relationships between users, data, and technologies.

EMC and the Information-Centric Security Architecture

A standards-based heterogeneous information-centric security architecture remains a vision today, but some vendors can be categorized as early leaders as they are moving in this direction. One pioneer in information-centric security architecture is EMC Corporation. With its acquisition of RSA Security, Network Intelligence, Authentica and others, EMC has many of the necessary building blocks in place. Furthermore, EMC plans to integrate these security technologies together into common services that mirror the ESG information-centric security architecture (see Figure 8) and leverage individual security technologies to bolster security in its existing product portfolio. Some examples include:

Figure 8. EMC elements of an Information-Centric Security Architecture (layers: Access Services, Management Services, Data Services, Storage Infrastructure Services; elements shown: RSA Authentication Technologies, RSA Access Technologies, RSA Key Manager, RSA enVision, Documentum Information Rights Management (Authentica), Infoscape data classification, Documentum/eRoom content management, Secure Symmetrix, EMC Centera, SRDF, EMC Backup, Professional Services, Partnerships)

    Multi-factor authentication on its Symmetrix enterprise storage systems for role-based access control based on RSA SecurID and RSA Authentication Manager.
    Integration between Documentum secure content management and Authentica enterprise digital rights management.
    Centralized log management and compliance reporting using RSA enVision (formerly Network Intelligence).
    Data classification with its Infoscape products.
    RSA Key Manager for centralized key management.

EMC supports individual technologies with professional services that can help large organizations address short-term needs while building for a strategic architectural solution over time. EMC also works with numerous 3rd parties in order to introduce complementary technologies into its overall information-centric security architecture.

The Bottom Line

In spite of increasing privacy regulations and a wave of publicly-disclosed data breaches, most organizations remain at risk. ESG believes that the ONLY way to effectively mitigate this risk over time is through an information-centric security architecture, not an ever-growing lineup of tactical security silos. The information-centric security architecture depends upon horizontal security services that work in concert, enabling data access, policy enforcement, and management oversight that can be tailored to business processes across the enterprise. This is only a vision today, but farsighted vendors such as EMC are adding and integrating security technologies with the goal of making this vision a reality. As such, business and technology executives should consider EMC as they look to implement technology safeguards to help them institute, monitor and enforce their privacy and confidential data security policies.


10 Building Blocks for Securing File Data hite Paper 10 Building Blocks for Securing File Data Introduction Securing file data has never been more important or more challenging for organizations. Files dominate the data center, with analyst firm

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

1 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

1 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information 1 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information Proteggere i dati direttamente nel database Una proposta tecnologica Angelo Maria Bosis Sales Consulting Senior Manager

More information

Enterprise Security Solutions

Enterprise Security Solutions Enterprise Security Solutions World-class technical solutions, professional services and training from experts you can trust ISOCORP is a Value-Added Reseller (VAR) and services provider for best in class

More information

RSA Solution Brief. RSA SecurID Authentication in Action: Securing Privileged User Access. RSA Solution Brief

RSA Solution Brief. RSA SecurID Authentication in Action: Securing Privileged User Access. RSA Solution Brief RSA SecurID Authentication in Action: Securing Privileged User Access RSA SecurID solutions not only protect enterprises against access by outsiders, but also secure resources from internal threats The

More information

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures 1. Introduction 1.1. Purpose and Background 1.2. Central Coordinator Contact 1.3. Payment Card Industry Data Security Standards (PCI-DSS) High Level Overview 2. PCI-DSS Guidelines - Division of Responsibilities

More information

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com Policy/Procedure Description PCI DSS Policies Install and Maintain a Firewall Configuration to Protect Cardholder Data Establish Firewall and Router Configuration Standards Build a Firewall Configuration

More information

Making Data Security The Foundation Of Your Virtualization Infrastructure

Making Data Security The Foundation Of Your Virtualization Infrastructure Making Data Security The Foundation Of Your Virtualization Infrastructure by Dave Shackleford hytrust.com Cloud Under Control P: P: 650.681.8100 Securing data has never been an easy task. Its challenges

More information

WHITE PAPER Practical Information Governance: Balancing Cost, Risk, and Productivity

WHITE PAPER Practical Information Governance: Balancing Cost, Risk, and Productivity WHITE PAPER Practical Information Governance: Balancing Cost, Risk, and Productivity Sponsored by: EMC Corporation Laura DuBois August 2010 Vivian Tero EXECUTIVE SUMMARY Global Headquarters: 5 Speen Street

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security Analyzing Security for Retailers An analysis of what retailers can do to improve their network security Clone Systems Business Security Intelligence Properly Secure Every Business Network Executive Summary

More information

Accounting and Administrative Manual Section 100: Accounting and Finance

Accounting and Administrative Manual Section 100: Accounting and Finance No.: C-13 Page: 1 of 6 POLICY: It is the policy of the University of Alaska that all payment card transactions are to be executed in compliance with standards established by the Payment Card Industry Security

More information

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,

More information

Data- centric Security: A New Information Security Perimeter Date: March 2015 Author: Jon Oltsik, Senior Principal Analyst

Data- centric Security: A New Information Security Perimeter Date: March 2015 Author: Jon Oltsik, Senior Principal Analyst ESG Solution Showcase Data- centric Security: A New Information Security Perimeter Date: March 2015 Author: Jon Oltsik, Senior Principal Analyst Abstract: Information security practices are in the midst

More information

Chairman Johnson, Ranking Member Carper, and Members of the committee:

Chairman Johnson, Ranking Member Carper, and Members of the committee: UNITED STATES OFFICE OF PERSONNEL MANAGEMENT STATEMENT OF THE HONORABLE KATHERINE ARCHULETA DIRECTOR U.S. OFFICE OF PERSONNEL MANAGEMENT before the COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

More information

Data Privacy and Gramm- Leach-Bliley Act Section 501(b)

Data Privacy and Gramm- Leach-Bliley Act Section 501(b) Data Privacy and Gramm- Leach-Bliley Act Section 501(b) October 2007 2007 Enterprise Risk Management, Inc. Agenda Introduction and Fundamentals Gramm-Leach-Bliley Act, Section 501(b) GLBA Life Cycle Enforcement

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security

More information

Safeguarding the cloud with IBM Dynamic Cloud Security

Safeguarding the cloud with IBM Dynamic Cloud Security Safeguarding the cloud with IBM Dynamic Cloud Security Maintain visibility and control with proven security solutions for public, private and hybrid clouds Highlights Extend enterprise-class security from

More information

A Strategic Approach to Enterprise Key Management

A Strategic Approach to Enterprise Key Management Ingrian - Enterprise Key Management. A Strategic Approach to Enterprise Key Management Executive Summary: In response to security threats and regulatory mandates, enterprises have adopted a range of encryption

More information

Becoming PCI Compliant

Becoming PCI Compliant Becoming PCI Compliant Jason Brown - brownj52@michigan.gov Enterprise Security Architect Enterprise Architecture Department of Technology, Management and Budget State of Michigan @jasonbrown17 History

More information

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Information Security Policy and Handbook Overview. ITSS Information Security June 2015 Information Security Policy and Handbook Overview ITSS Information Security June 2015 Information Security Policy Control Hierarchy System and Campus Information Security Policies UNT System Information

More information

Enterprise Key Management: A Strategic Approach ENTERPRISE KEY MANAGEMENT A SRATEGIC APPROACH. White Paper February 2010 www.alvandsolutions.

Enterprise Key Management: A Strategic Approach ENTERPRISE KEY MANAGEMENT A SRATEGIC APPROACH. White Paper February 2010 www.alvandsolutions. Enterprise Key Management: A Strategic Approach ENTERPRISE KEY MANAGEMENT A SRATEGIC APPROACH White Paper February 2010 www.alvandsolutions.com Overview Today s increasing security threats and regulatory

More information

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst ESG Brief Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst Abstract: APTs first came on the scene in 2010, creating a wave

More information

Clavister InSight TM. Protecting Values

Clavister InSight TM. Protecting Values Clavister InSight TM Clavister SSP Security Services Platform firewall VPN termination intrusion prevention anti-virus anti-spam content filtering traffic shaping authentication Protecting Values & Enterprise-wide

More information

Projectplace: A Secure Project Collaboration Solution

Projectplace: A Secure Project Collaboration Solution Solution brief Projectplace: A Secure Project Collaboration Solution The security of your information is as critical as your business is dynamic. That s why we built Projectplace on a foundation of the

More information

SecureGRC TM - Cloud based SaaS

SecureGRC TM - Cloud based SaaS - Cloud based SaaS Single repository for regulations and standards Centralized repository for compliance related organizational data Electronic workflow to speed up communications between various entries

More information

PCI DSS Requirements - Security Controls and Processes

PCI DSS Requirements - Security Controls and Processes 1. Build and maintain a secure network 1.1 Establish firewall and router configuration standards that formalize testing whenever configurations change; that identify all connections to cardholder data

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

trends and audit considerations

trends and audit considerations Bring your own device (BYOD) trends and audit considerations SIFMA IT audit session 4 October 2012 Disclaimer Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited,

More information

FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES

FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES The implications for privacy and security in the emergence of HIEs The emergence of health information exchanges (HIE) is widely

More information

White paper. Four Best Practices for Secure Web Access

White paper. Four Best Practices for Secure Web Access White paper Four Best Practices for Secure Web Access What can be done to protect web access? The Web has created a wealth of new opportunities enabling organizations to reduce costs, increase efficiency

More information

Best Practices for Building a Security Operations Center

Best Practices for Building a Security Operations Center OPERATIONS SECURITY Best Practices for Building a Security Operations Center Diana Kelley and Ron Moritz If one cannot effectively manage the growing volume of security events flooding the enterprise,

More information

BANKING SECURITY and COMPLIANCE

BANKING SECURITY and COMPLIANCE BANKING SECURITY and COMPLIANCE Cashing In On Banking Security and Compliance With awareness of data breaches at an all-time high, banking institutions are working hard to implement policies and solutions

More information

Websense Data Security Suite and Cyber-Ark Inter-Business Vault. The Power of Integration

Websense Data Security Suite and Cyber-Ark Inter-Business Vault. The Power of Integration Websense Data Security Suite and Cyber-Ark Inter-Business Vault The Power of Integration Websense Data Security Suite Websense Data Security Suite is a leading solution to prevent information leaks; be

More information

Data Privacy: The High Cost of Unprotected Sensitive Data 6 Step Data Privacy Protection Plan

Data Privacy: The High Cost of Unprotected Sensitive Data 6 Step Data Privacy Protection Plan WHITE PAPER Data Privacy: The High Cost of Unprotected Sensitive Data 6 Step Data Privacy Protection Plan Introduction to Data Privacy Today, organizations face a heightened threat landscape with data

More information

IT Security & Compliance. On Time. On Budget. On Demand.

IT Security & Compliance. On Time. On Budget. On Demand. IT Security & Compliance On Time. On Budget. On Demand. IT Security & Compliance Delivered as a Service For businesses today, managing IT security risk and meeting compliance requirements is paramount

More information

Security Management. Keeping the IT Security Administrator Busy

Security Management. Keeping the IT Security Administrator Busy Security Management Keeping the IT Security Administrator Busy Dr. Jane LeClair Chief Operating Officer National Cybersecurity Institute, Excelsior College James L. Antonakos SUNY Distinguished Teaching

More information

White paper. Storing More Intelligently: Tiered Storage Solutions for Security Data

White paper. Storing More Intelligently: Tiered Storage Solutions for Security Data White paper Storing More Intelligently: Tiered Storage Solutions for Security Data Until recently, storage management has been the purview of IT staff, not compliance or security professionals. But as

More information

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous

More information

Efficient Key Management for Oracle Database 11g Release 2 Using Hardware Security Modules

Efficient Key Management for Oracle Database 11g Release 2 Using Hardware Security Modules Efficient Key Management for Oracle Database 11g Release 2 Using Hardware Security Modules WHITE PAPER Thales e-security www.thalesesec.com/oracle TABLE OF CONTENT Introduction...3 Oracle Database 11g

More information

Security Information Lifecycle

Security Information Lifecycle Security Information Lifecycle By Eric Ogren Security Analyst, April 2006 Copyright 2006. The, Inc. All Rights Reserved. Table of Contents Executive Summary...2 Figure 1... 2 The Compliance Climate...4

More information

JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015

JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015 JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015 The following consists of the joint explanatory statement to accompany the Cybersecurity Act of 2015. This joint explanatory statement

More information

Injazat s Managed Services Portfolio

Injazat s Managed Services Portfolio Injazat s Managed Services Portfolio Overview Premium Managed Services to Transform Your IT Environment Injazat s Premier Tier IV Data Center is built to offer the highest level of security and reliability.

More information

Compliance for the Road Ahead

Compliance for the Road Ahead THE DATA PROTECTION COMPANY CENTRAL CONTROL A NTROL RBAC UNIVERSAL DATA PROTECTION POLICY ENTERPRISE KEY DIAGRAM MANAGEMENT SECURE KEY STORAGE ENCRYPTION SERVICES LOGGING AUDITING Compliance for the Road

More information

Why enterprise data archiving is critical in a changing landscape

Why enterprise data archiving is critical in a changing landscape Why enterprise data archiving is critical in a changing landscape Ovum white paper for Informatica SUMMARY Catalyst Ovum view The most successful enterprises manage data as strategic asset. They have complete

More information

Splunk Enterprise Log Management Role Supporting the ISO 27002 Framework EXECUTIVE BRIEF

Splunk Enterprise Log Management Role Supporting the ISO 27002 Framework EXECUTIVE BRIEF Splunk Enterprise Log Management Role Supporting the ISO 27002 Framework EXECUTIVE BRIEF Businesses around the world have adopted the information security standard ISO 27002 as part of their overall risk

More information

Stay ahead of insiderthreats with predictive,intelligent security

Stay ahead of insiderthreats with predictive,intelligent security Stay ahead of insiderthreats with predictive,intelligent security Sarah Cucuz sarah.cucuz@spyders.ca IBM Security White Paper Executive Summary Stay ahead of insider threats with predictive, intelligent

More information

Kelvin Wee CISA, CISM, CISSP Principal Consultant (DLP Specialist) Asia Pacific and Japan

Kelvin Wee CISA, CISM, CISSP Principal Consultant (DLP Specialist) Asia Pacific and Japan The Truth about Data Loss Kelvin Wee CISA, CISM, CISSP Principal Consultant (DLP Specialist) Asia Pacific and Japan RSA Data Loss Prevention Data Breaches Overview RSA DLP Solution Five Critical Factors

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Payment Card Industry Data Security Standard Introduction Purpose Audience Implications Sensitive Digital Data Management In an effort to protect credit card information from unauthorized access, disclosure

More information

How To Secure Your Store Data With Fortinet

How To Secure Your Store Data With Fortinet Securing Wireless Networks for PCI Compliance Using Fortinet s Secure WLAN Solution to Meet Regulatory Requirements Introduction In the wake of many well-documented data breaches, standards such as the

More information

nwstor Storage Security Solution 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4.

nwstor Storage Security Solution 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4. CONTENTS 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4. Conclusion 1. EXECUTIVE SUMMARY The advantages of networked data storage technologies such

More information

Teradata and Protegrity High-Value Protection for High-Value Data

Teradata and Protegrity High-Value Protection for High-Value Data Teradata and Protegrity High-Value Protection for High-Value Data 03.16 EB7178 DATA SECURITY Table of Contents 2 Data-Centric Security: Providing High-Value Protection for High-Value Data 3 Visibility:

More information

Security Trends and Client Approaches

Security Trends and Client Approaches Security Trends and Client Approaches May 2010 Bob Bocchino, CISA ERM Security and Compliance Business Advisor IBU Technology Sales Support Industries Business Unit, Technology Sales Support 1 Mark Dixon

More information

THE CHALLENGES OF DATA SECURITY IN THE MODERN OFFICE

THE CHALLENGES OF DATA SECURITY IN THE MODERN OFFICE THE CHALLENGES OF DATA SECURITY IN THE MODERN OFFICE February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced

More information

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness CISP BULLETIN Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness November 21, 2006 To support compliance with the Cardholder Information Security Program (CISP), Visa USA

More information

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking SUMMARY The Payment Card Industry Data Security Standard (PCI DSS) defines 12 high-level security requirements directed

More information

IBM Data Security Services for endpoint data protection endpoint data loss prevention solution

IBM Data Security Services for endpoint data protection endpoint data loss prevention solution Automating policy enforcement to prevent endpoint data loss IBM Data Security Services for endpoint data protection endpoint data loss prevention solution Highlights Facilitate policy-based expertise and

More information

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect

More information

Strengthen security with intelligent identity and access management

Strengthen security with intelligent identity and access management Strengthen security with intelligent identity and access management IBM Security solutions help safeguard user access, boost compliance and mitigate insider threats Highlights Enable business managers

More information

Josiah Wilkinson Internal Security Assessor. Nationwide

Josiah Wilkinson Internal Security Assessor. Nationwide Josiah Wilkinson Internal Security Assessor Nationwide Payment Card Industry Overview PCI Governance/Enforcement Agenda PCI Data Security Standard Penalties for Non-Compliance Keys to Compliance Challenges

More information

Compliance and Security Information Management for PCI DSS Requirement 10 and Beyond

Compliance and Security Information Management for PCI DSS Requirement 10 and Beyond RSA Solution Brief Compliance and Security Information Management for PCI DSS Requirement 10 and Beyond Through Requirement 10, PCI DSS specifically requires that merchants, banks and payment processors

More information

Achieving PCI Compliance Using F5 Products

Achieving PCI Compliance Using F5 Products Achieving PCI Compliance Using F5 Products Overview In April 2000, Visa launched its Cardholder Information Security Program (CISP) -- a set of mandates designed to protect its cardholders from identity

More information

Information Security Program Management Standard

Information Security Program Management Standard State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES

More information

Protect the data that drives our customers business. Data Security. Imperva s mission is simple:

Protect the data that drives our customers business. Data Security. Imperva s mission is simple: The Imperva Story Who We Are Imperva is the global leader in data security. Thousands of the world s leading businesses, government organizations, and service providers rely on Imperva solutions to prevent

More information

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

REGULATIONS FOR THE SECURITY OF INTERNET BANKING REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY

More information

EMC INFORMATION INFRASTRUCTURE SOLUTIONS FOR THE PUBLIC SECTOR. Delivering constituent value through government innovation

EMC INFORMATION INFRASTRUCTURE SOLUTIONS FOR THE PUBLIC SECTOR. Delivering constituent value through government innovation EMC INFORMATION INFRASTRUCTURE SOLUTIONS FOR THE PUBLIC SECTOR Delivering constituent value through government innovation PUBLIC SECTOR CHALLENGES ARE COMPLEX Public sector organizations are in the business

More information

The Impact of HIPAA and HITECH

The Impact of HIPAA and HITECH The Health Insurance Portability & Accountability Act (HIPAA), enacted 8/21/96, was created to protect the use, storage and transmission of patients healthcare information. This protects all forms of patients

More information

PCI DSS COMPLIANCE DATA

PCI DSS COMPLIANCE DATA PCI DSS COMPLIANCE DATA AND PROTECTION EagleHeaps FROM CONTENTS Overview... 2 The Basics of PCI DSS... 2 PCI DSS Compliance... 4 The Solution Provider Role (and Accountability).... 4 Concerns and Opportunities

More information

IBM Data Security Services for endpoint data protection endpoint data loss prevention solution

IBM Data Security Services for endpoint data protection endpoint data loss prevention solution Automating policy enforcement to prevent endpoint data loss IBM Data Security Services for endpoint data protection endpoint data loss prevention solution Highlights Protecting your business value from

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

Formulate A Database Security Strategy To Ensure Investments Will Actually Prevent Data Breaches And Satisfy Regulatory Requirements

Formulate A Database Security Strategy To Ensure Investments Will Actually Prevent Data Breaches And Satisfy Regulatory Requirements A Forrester Consulting Thought Leadership Paper Commissioned By Oracle Formulate A Database Security Strategy To Ensure Investments Will Actually Prevent Data Breaches And Satisfy Regulatory Requirements

More information

Adopt a unified, holistic approach to a broad range of data security challenges with IBM Data Security Services.

Adopt a unified, holistic approach to a broad range of data security challenges with IBM Data Security Services. Security solutions To support your IT objectives Adopt a unified, holistic approach to a broad range of data security challenges with IBM Data Security Services. Highlights Balance effective security with

More information

How to Secure Your SharePoint Deployment

How to Secure Your SharePoint Deployment WHITE PAPER How to Secure Your SharePoint Deployment Some of the sites in your enterprise probably contain content that should not be available to all users [some] information should be accessible only

More information

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows: What is PCI DSS? PCI DSS is an acronym for Payment Card Industry Data Security Standards. PCI DSS is a global initiative intent on securing credit and banking transactions by merchants & service providers

More information