Understanding Data-Centric Security

Transcription

1 CHANNEL PARTNERS April 2013 US$39.00 S P E C I A L R E P O R T Understanding Data-Centric Security By Art Wittmann COMMUNICATIONS

2 Table of Contents Introduction...3 Protecting Data...5 Setting Policy...7 Selecting Technologies...8 Identity Management and Access Control Logical Network Segmentation Encryption Educating Users About The Author Channel Partners Copyright 2013 VIRGO Publishing, LLC. All rights reserved. The publisher reserves the right to accept or reject any advertising or editorial material. Advertisers, and/or their agents, assume the responsibility for all content of published advertisements and assume responsibility for any claims against the publisher based on the advertisement. Editorial contributors assume responsibility for their published works and assume responsibility for any claims against the publisher based on the published work. Editorial content may not necessarily reflect the views of the publisher. Materials contained on this site may not be reproduced, modified, distributed, republished or hosted (either directly or by linking) without our prior written permission. You may not alter or remove any trademark, copyright or other notice from copies of content. You may, however, download material from the site (one machine readable copy and one print copy per page) for your personal, noncommercial use only. We reserve all rights in and title to all material downloaded. Channel Partners Business Value Toolbox Data-Centric Security 2 toolbox.channelpartnersonline.com

3 Introduction It wasn t all that long ago that if you had a firewall, antivirus/antimalware, VPN, and good Web and filtering, you had what most IT pros thought was a good security architecture. The idea was to build up a few layers of defense, creating a security perimeter around your corporate network and limiting access to corporate resources. The problem is, it s never worked. Malware authors stay ahead of antimalware systems, and those who are after valuable data will either work their way around basic security systems, or they ll avoid the frontal assault and take a completely different path. The Complexity of IT Security FILTER WEB CONTENT FILTER Public Internet NETWORK INTRUSION PREVENTION SYSTEM DATA LEAK PREVENTION User VIRTUAL PRIVATE NETWORK SSL VPN NETWORK BASED ANOMALY DETECTION Demilitarized Zone Host-based antivirus, antimalware, firewall, etc. Monitored Data Center With the complexity of IT security, what could possibly go wrong? More technology isn t the answer. Unless carefully managed, security spending can yield a complex array of technologies which may or may not meet your security needs. Start with a policy, and then apply technology as needed. Source: Art Wittmann for Business Value Toolbox Channel Partners Business Value Toolbox Data-Centric Security 3 toolbox.channelpartnersonline.com

4 One needs look only as far as the exploits by Anonymous and Wikileaks to see how vulnerable data is. Both groups have broken into some of the most protected systems in the world and released sensitive data sometimes with the help of insiders, and sometimes without. Look at it this way, if the protection provided to the U.S. State Department isn t good enough, what would make you think a $5,000 firewall is all you need to protect your data? That s not to say that technology doesn t play a part in security, it absolutely does. And that s not to say you don t need a firewall, you do. But before you even think about technology, you need to do some planning and auditing of your current environment. You ll also need to determine who will be responsible for security, and develop and communicate your strategy. Channel Partners Business Value Toolbox Data-Centric Security 4 toolbox.channelpartnersonline.com

5 Protecting Data The first step in the process is to realize that your goal is not to protect systems. Servers, storage and networking gear will come and go, and apart from the utility they provide, they re pretty much worthless to the company. It s the data they hold and the processing they do that s valuable. That s why experts recommend a datacentric approach. If your IT department can understand what data is critical to the company s operation and what customer data is most sensitive, then it will have clear marching orders on what to protect and how to allocate resources. Determining the value and sensitivity of data is not something the IT department can do itself. In much the same way as a bank keeps and uses your money, the IT department keeps and manages data for its internal and external customers. However, unlike a bank, the IT department really doesn t know the value of the data it holds. That s something that must be determined by the business managers. The last thing you want is to discover a data loss and then find out it was far more important to the organization than you knew. Another reason to work with business managers in determining data value is that once they realize what the IT department is protecting, they ll be much more likely to cooperate rather than complain about security measures. Doing audits, setting priorities and communicating security policies usually are not a core competence for the IT department. This is a good place to bring in outside help. Even if the IT department could do the work itself, bringing in an experienced and impartial observer can be a good way to avoid any political challenges that may exist within the organization. Outside consultants also may be more schooled in determining the risks associated with new technologies, like software-as-a-service applications, smartphones, tablets and more. Determining what data you have is generally harder than determining its value. Typically, you can use the following three value classifications: Sensitive. This data should been seen and used only for a very limited set of reasons. Social Security numbers and credit card numbers clearly fall into this bucket, as do most sales data, new products descriptions and plans, and so on. Internal. If internal data were to fall into the wrong hands, it s not good, but it s not a business-threatening event. Most company data falls into this category. Examples include your company roster along with home address and phone numbers as well as regarding ongoing operations. External. The third classification is external content that customers see and represents your business. Examples include sales literature, content on your website and so forth. External data may need more stringent protection than internal data; while you don t want to restrict who can see it, you very much care about who can modify it. Channel Partners Business Value Toolbox Data-Centric Security 5 toolbox.channelpartnersonline.com

6 1STEP CLASSIFY DATA Steps to Data-Centric Security 2STEP 3STEP 4STEP DETERMINE CREATE EVALUATE PROTECTION POLICIES TECHNOLOGIES 5STEP EDUCATE USERS Define a few buckets such as sensitive, internal and external and determine what data goes in each bucket Determine which protections must be in place before data can be used for each application or by each set of users Create a detailed set of policies that implement the protection schemes for your data Evaluate existing technology and proposed technology purchases on their ability to implement your policies Hold educational sessions for system users and provide updates by video, , etc. PARTICIPANTS IT pros, business data owners IT pros, business data owners IT pros with business data owner signoff IT pros with C-level signoff IT pros with business management backing Source: Art Wittmann for Business Value Toolbox Channel Partners Business Value Toolbox Data-Centric Security 6 toolbox.channelpartnersonline.com

7 Setting Policy And that brings us to the next big challenge one that has only a little to do with technology creating policies. IT policies need to be more than something you haul out when internal or external customers complain about what the IT department is doing. IT policies: Need to be living documents that are created with and understood by the IT department s customers. Cannot be created fully independent of technology, but likewise policies should not be made simply on the basis of the technology available. Must be reasonably straightforward to implement, so they must consider the technology at hand to provide enforcement of the policy. Should avoid being dependent on the technology choices end users make. In the rise of BYOD, for instance, Android phones lacked some key security features that enterprise IT pros insisted on. The answer for most organizations was to write a policy that didn t allow Android devices on corporate networks. The wrong thing to do is to create one policy for Android users and another for iphone users. The choice of a phone doesn t make the data on it more or less worthy of protection either you need a set of protections and rules, or you don t. While the end user s choice of technology should not affect policy, the work function of the end user should. A one-policy-fits-all approach to end users might sound like an easily defended approach, but certain users deal with more sensitive information than others and policies should reflect that difference. It makes sense to create policies on a group-by-group basis, so accountants get different access than salespeople, who get different access than engineers, and so on. Channel Partners Business Value Toolbox Data-Centric Security 7 toolbox.channelpartnersonline.com

8 Selecting Technologies Once policies are developed and data is classified, the value and utility of technologies becomes clearer. Just as laws without law enforcement are ineffective, policies without the technology to automatically enforce them also will be ineffective. Good, automated policy enforcement requires three technologies: Identity management and access control Logical network segmentation Encryption The goal is to make certain that only the right people with the proper applications are accessing corporate data as your policies dictate. Identity Management and Access Control Identity management systems have been around forever, but recently have started to catch on in a big way. Back when users only used company - provided equipment and needed just a few applications that accessed corporate data in fairly prescribed ways, identity management and access control systems seemed like more work than they were worth. But now anyone who s used a few online services understands the problem. If each application has its own user management system and its own password rules and access control capabilities, and none can be coordinated centrally by the IT department, then the task of fielding a coherent security policy is impossible. Before the adoption of SaaS applications and BYOD requirements, Microsoft s Active Directory, which authenticates Windows users, filled the bill nicely for most companies. Depending on your attitude toward keeping Microsoft and Active Directory as the basis for your identity management system, products that extend Active Directory can be a highly effective way to bring access control to platforms that are not running Microsoft operating systems. Microsoft is mentioned here only because Active Directory is so commonly used, but many vendors offer alternatives. The primary things to look for in an identity management system are: Adequate security Some organizations may require two-factor authentication while others may be just fine with passwords. Extensibility to all platforms you want to support If you re going to have consistent policies across devices, then all must be supported by your chosen identity management system. Delegated authority Small organizations may not need to delegate authority for managing a particular application or set of users, but it s a nice ability to have. In particular, tie-ins to HR applications can be helpful, so the HR professionals can limit access based on job moves, new hires or fires. Channel Partners Business Value Toolbox Data-Centric Security 8 toolbox.channelpartnersonline.com

9 Software-as-a-service (SaaS) support Many SaaS applications will support user and rights administration through Lightweight Directory Access Protocol (LDAP), but if a SaaS app doesn t support identity management, then it s probably not an application you want to use. Extending Identity Management Cloud Cloud Apps Corporate Headquarters With Identity Managment System Such as Active Directory or LDAP Mobile Devices Look for authentication and ID management tools that extend your existing identity management and access control systems into the cloud and onto mobile devices. Source: Art Wittmann for Business Value Toolbox Logical Network Segmentation Logical network segmentation lets you create a single logical segment per application so that you can monitor traffic for the application and limit the visibility of network traffic from one application to the next. This not only lets you monitor the performance of applications, it helps you create security zones so that if one application is compromised, other applications still are protected. For enterprise architects, much of the discussion of software defined networks (SDNs) or network overlays, comes from this desire. Small companies may not need tools to create overlays or switches compatible with OpenFlow; a simple VLAN configuration may do the job. For bigger companies, VLANs quickly become too hard to manage without some sort of tool help you keep the logical network straight. Moving traffic between network segments can be a function of an SDN, or it can be done by a traditional router or firewall. For highly sensitive data and applications, you may require that data not leave the LAN unless it is encrypted. Channel Partners Business Value Toolbox Data-Centric Security 9 toolbox.channelpartnersonline.com

10 Segmenting the Corporate Network Business Office Sales Team Engineering Team Accounting/ Back Office Engineering App Internet By segmenting networks either through a router or firewall, the impact of a security breach can be limited. Source: Art Wittmann for Business Value Toolbox Channel Partners Business Value Toolbox Data-Centric Security 10 toolbox.channelpartnersonline.com

11 Encryption That brings us to the third must have technology: encryption. Whether you re doing it as part of your corporate governance strategy or because regulation requires it, sensitive data simply must be encrypted period. If you re keeping credit card numbers or Social Security numbers or HIPAA-regulated data, chances are there s a law requiring you to encrypt the data both when it s at rest on your storage devices and when it s traversing the network. For outside parties looking to steal data, nothing is a better deterrent than encryption. Comparing Encryption Techniques TYPE PURPOSE EXAMPLE Full Disk Encryption Protects mobile devices from loss and theft BitLocker File / Folder Encryption Protects single documents or folders usually for transmission to others PK-Zip, Win-Zip, FileVault Database Encryption Protects entire databases or columns within a database usually where sensitive data is kept Appliances integrated encryption technology Application Level Protects data applications create or store Microsoft Office (particularly Office 2007 and later) Protects transmissions and can be easier to use than file encryption S/MIME, PGP Web/ Internet Protects Web-based applications using various protocols SSL/TLS FTP, SSH Wi-Fi Networks Protects wirelessly transmitted data WEP and WPA (not secure) WPA (preferred/secure) Source: Art Wittmann for Business Value Toolbox Channel Partners Business Value Toolbox Data-Centric Security 11 toolbox.channelpartnersonline.com

12 Educating Users Once you ve got your data inventoried, created policies and put an identity management in place that can manage all of your apps and users platforms, segmented your network into manageable chunks and encrypted all the data that requires encryption, you can lean back and relax, right? Of course not it s never quite that easy. All the best laid security policies and technologies in the world can be thwarted by well-intentioned employees. Phishing scams by clever and sometimes not-soclever attackers are still some of the most productive tools for bad guys. Users can be convinced to give up passwords or otherwise grant access to sensitive data. Employees with the best of intentions also will take home data they shouldn t and, from time to time, they ll lose the device that s storing that sensitive data. One of the big five accounting firms estimated that it will lose up to 10 percent of its end-user equipment annually. Your users may not be that class of road warriors, but you can bet that sooner or later, you ll be dealing with lost or stolen equipment. Users will generally play by the rules you set if you provide the necessary education and provide timely, helpful responses when an employee wants to do something that doesn t conform to your security policies. They ll help you do your job if you help them do theirs. Channel Partners Business Value Toolbox Data-Centric Security 12 toolbox.channelpartnersonline.com

13 About The Author Art Wittmann, a freelance technology journalist, has more than 20 years of experience in high-tech publishing. Most recently, he was the director of InformationWeek Reports, where he oversaw both the business and content of InformationWeek s research and reports business. During his career, he also was editor-in-chief of Network Magazine, IT Architect and Network Computing. Prior to his work in IT journalism, Wittmann was associate director of the Computer Aided Engineering Center at the University of Wisconsin, Madison. Channel Partners Channel Partners magazine is the leading publication for telecom and IT distribution channels. For more than 25 years, Channel Partners has been the undisputed leader in providing news, analysis and education to the indirect sales channels serving the business technology and communications industry. In addition, Channel Partners online (channelpartnersonline.com) delivers a constant content stream of unique and breaking industry news, feature articles and premium downloadable content. As official media of the Channel Partners Conference & Expo, (channelpartnersconference.com), Channel Partners is the market leader that channel professionals turn to first. Channel Partners Business Value Toolbox Data-Centric Security 13 toolbox.channelpartnersonline.com