Understanding Data-Centric Security
Channel Partners Special Report, April 2013 (US$39.00)
Understanding Data-Centric Security
By Art Wittmann
Table of Contents
- Introduction
- Protecting Data
- Setting Policy
- Selecting Technologies
  - Identity Management and Access Control
  - Logical Network Segmentation
  - Encryption
- Educating Users
- About The Author
- Channel Partners

Copyright 2013 VIRGO Publishing, LLC. All rights reserved. The publisher reserves the right to accept or reject any advertising or editorial material. Advertisers, and/or their agents, assume the responsibility for all content of published advertisements and assume responsibility for any claims against the publisher based on the advertisement. Editorial contributors assume responsibility for their published works and assume responsibility for any claims against the publisher based on the published work. Editorial content may not necessarily reflect the views of the publisher. Materials contained on this site may not be reproduced, modified, distributed, republished or hosted (either directly or by linking) without our prior written permission. You may not alter or remove any trademark, copyright or other notice from copies of content. You may, however, download material from the site (one machine-readable copy and one print copy per page) for your personal, noncommercial use only. We reserve all rights in and title to all material downloaded.
Introduction

It wasn't all that long ago that if you had a firewall, antivirus/antimalware, VPN, and good Web and e-mail filtering, you had what most IT pros thought was a good security architecture. The idea was to build up a few layers of defense, creating a security perimeter around your corporate network and limiting access to corporate resources. The problem is, it's never worked. Malware authors stay ahead of antimalware systems, and those who are after valuable data will either work their way around basic security systems, or they'll avoid the frontal assault and take a completely different path.

[Figure: The Complexity of IT Security. The diagram shows a user reaching a monitored data center from the public Internet through an e-mail filter, Web content filter, network intrusion prevention system, data leak prevention, SSL VPN, network-based anomaly detection and a demilitarized zone, with host-based antivirus, antimalware and firewall on the endpoints. Caption: With the complexity of IT security, what could possibly go wrong? More technology isn't the answer. Unless carefully managed, security spending can yield a complex array of technologies which may or may not meet your security needs. Start with a policy, and then apply technology as needed. Source: Art Wittmann for Business Value Toolbox]
One needs look only as far as the exploits by Anonymous and Wikileaks to see how vulnerable data is. Both groups have broken into some of the most protected systems in the world and released sensitive data, sometimes with the help of insiders, and sometimes without. Look at it this way: if the protection provided to the U.S. State Department isn't good enough, what would make you think a $5,000 firewall is all you need to protect your data? That's not to say that technology doesn't play a part in security; it absolutely does. And that's not to say you don't need a firewall; you do. But before you even think about technology, you need to do some planning and auditing of your current environment. You'll also need to determine who will be responsible for security, and develop and communicate your strategy.
Protecting Data

The first step in the process is to realize that your goal is not to protect systems. Servers, storage and networking gear will come and go, and apart from the utility they provide, they're pretty much worthless to the company. It's the data they hold and the processing they do that's valuable. That's why experts recommend a data-centric approach. If your IT department can understand what data is critical to the company's operation and what customer data is most sensitive, then it will have clear marching orders on what to protect and how to allocate resources.

Determining the value and sensitivity of data is not something the IT department can do itself. In much the same way as a bank keeps and uses your money, the IT department keeps and manages data for its internal and external customers. However, unlike a bank, the IT department really doesn't know the value of the data it holds. That's something that must be determined by the business managers. The last thing you want is to discover a data loss and then find out it was far more important to the organization than you knew. Another reason to work with business managers in determining data value is that once they realize what the IT department is protecting, they'll be much more likely to cooperate rather than complain about security measures.

Doing audits, setting priorities and communicating security policies usually are not a core competence for the IT department. This is a good place to bring in outside help. Even if the IT department could do the work itself, bringing in an experienced and impartial observer can be a good way to avoid any political challenges that may exist within the organization. Outside consultants also may be more schooled in determining the risks associated with new technologies, like software-as-a-service applications, smartphones, tablets and more.

Determining what data you have is generally harder than determining its value. Typically, you can use the following three value classifications:

- Sensitive. This data should be seen and used only for a very limited set of reasons. Social Security numbers and credit card numbers clearly fall into this bucket, as do most sales data, new product descriptions and plans, and so on.
- Internal. If internal data were to fall into the wrong hands, it's not good, but it's not a business-threatening event. Most company data falls into this category. Examples include your company roster along with home addresses and phone numbers, as well as e-mail regarding ongoing operations.
- External. The third classification is external content that customers see and that represents your business. Examples include sales literature, content on your website and so forth. External data may need more stringent protection than internal data; while you don't want to restrict who can see it, you very much care about who can modify it.
Steps to Data-Centric Security

- Step 1: Classify data. Define a few buckets such as sensitive, internal and external and determine what data goes in each bucket. Participants: IT pros, business data owners.
- Step 2: Determine protection. Determine which protections must be in place before data can be used for each application or by each set of users. Participants: IT pros, business data owners.
- Step 3: Create policies. Create a detailed set of policies that implement the protection schemes for your data. Participants: IT pros with business data owner signoff.
- Step 4: Evaluate technologies. Evaluate existing technology and proposed technology purchases on their ability to implement your policies. Participants: IT pros with C-level signoff.
- Step 5: Educate users. Hold educational sessions for system users and provide updates by video, e-mail, etc. Participants: IT pros with business management backing.

Source: Art Wittmann for Business Value Toolbox
Setting Policy

And that brings us to the next big challenge, one that has only a little to do with technology: creating policies. IT policies need to be more than something you haul out when internal or external customers complain about what the IT department is doing. IT policies:

- Need to be living documents that are created with and understood by the IT department's customers.
- Cannot be created fully independent of technology, but likewise should not be made simply on the basis of the technology available.
- Must be reasonably straightforward to implement, so they must consider the technology at hand to provide enforcement of the policy.
- Should avoid being dependent on the technology choices end users make.

With the rise of BYOD, for instance, Android phones lacked some key security features that enterprise IT pros insisted on. The answer for most organizations was to write a policy that didn't allow Android devices on corporate networks. The wrong thing to do is to create one policy for Android users and another for iPhone users. The choice of a phone doesn't make the data on it more or less worthy of protection: either you need a set of protections and rules, or you don't.

While the end user's choice of technology should not affect policy, the work function of the end user should. A one-policy-fits-all approach to end users might sound like an easily defended approach, but certain users deal with more sensitive information than others and policies should reflect that difference. It makes sense to create policies on a group-by-group basis, so accountants get different access than salespeople, who get different access than engineers, and so on.
Selecting Technologies

Once policies are developed and data is classified, the value and utility of technologies becomes clearer. Just as laws without law enforcement are ineffective, policies without the technology to automatically enforce them also will be ineffective. Good, automated policy enforcement requires three technologies:

- Identity management and access control
- Logical network segmentation
- Encryption

The goal is to make certain that only the right people with the proper applications are accessing corporate data, as your policies dictate.

Identity Management and Access Control

Identity management systems have been around forever, but recently have started to catch on in a big way. Back when users only used company-provided equipment and needed just a few applications that accessed corporate data in fairly prescribed ways, identity management and access control systems seemed like more work than they were worth. But now anyone who's used a few online services understands the problem. If each application has its own user management system and its own password rules and access control capabilities, and none can be coordinated centrally by the IT department, then the task of fielding a coherent security policy is impossible.

Before the adoption of SaaS applications and BYOD requirements, Microsoft's Active Directory, which authenticates Windows users, filled the bill nicely for most companies. Depending on your attitude toward keeping Microsoft and Active Directory as the basis for your identity management system, products that extend Active Directory can be a highly effective way to bring access control to platforms that are not running Microsoft operating systems. Microsoft is mentioned here only because Active Directory is so commonly used, but many vendors offer alternatives.

The primary things to look for in an identity management system are:

- Adequate security. Some organizations may require two-factor authentication while others may be just fine with passwords.
- Extensibility to all platforms you want to support. If you're going to have consistent policies across devices, then all must be supported by your chosen identity management system.
- Delegated authority. Small organizations may not need to delegate authority for managing a particular application or set of users, but it's a nice ability to have. In particular, tie-ins to HR applications can be helpful, so the HR professionals can limit access based on job moves, new hires or fires.
- Software-as-a-service (SaaS) support. Many SaaS applications will support user and rights administration through Lightweight Directory Access Protocol (LDAP), but if a SaaS app doesn't support identity management, then it's probably not an application you want to use.

[Figure: Extending Identity Management. The diagram shows a corporate headquarters with an identity management system such as Active Directory or LDAP, extended to cloud apps and to mobile devices. Caption: Look for authentication and ID management tools that extend your existing identity management and access control systems into the cloud and onto mobile devices. Source: Art Wittmann for Business Value Toolbox]

Logical Network Segmentation

Logical network segmentation lets you create a single logical segment per application so that you can monitor traffic for the application and limit the visibility of network traffic from one application to the next. This not only lets you monitor the performance of applications, it helps you create security zones so that if one application is compromised, other applications still are protected. For enterprise architects, much of the discussion of software-defined networks (SDNs) or network overlays comes from this desire. Small companies may not need tools to create overlays or switches compatible with OpenFlow; a simple VLAN configuration may do the job. For bigger companies, VLANs quickly become too hard to manage without some sort of tool to help you keep the logical network straight. Moving traffic between network segments can be a function of an SDN, or it can be done by a traditional router or firewall. For highly sensitive data and applications, you may require that data not leave the LAN unless it is encrypted.
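One way to turn the three classification buckets, the group-by-group policies and the "sensitive data does not leave the LAN unless encrypted" rule described above into a single enforceable check, as an added Python example that is not code from the report or from any vendor it mentions (the group names, data set names and the exact permission tables are assumptions chosen for illustration):

```python
from dataclasses import dataclass
from enum import Enum


class Classification(Enum):
    """Step 1: the three value buckets the report recommends."""
    SENSITIVE = "sensitive"
    INTERNAL = "internal"
    EXTERNAL = "external"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Step 1 output: the data inventory. Each classification is supplied by the
# business data owners, not derived by IT. These entries are constructed
# sample values for the example.
INVENTORY = {
    "customer_credit_cards": Classification.SENSITIVE,
    "new_product_plans": Classification.SENSITIVE,
    "company_roster": Classification.INTERNAL,
    "website_content": Classification.EXTERNAL,
}

# Steps 2 and 3: group-by-group policy (assumed group names).
# None means any principal, including the public, is permitted.
READ_POLICY = {
    Classification.SENSITIVE: {"accounting", "hr"},
    Classification.INTERNAL: {"accounting", "hr", "sales", "engineering"},
    Classification.EXTERNAL: None,
}
# External content is readable by everyone, but only a few may change it.
MODIFY_POLICY = {
    Classification.SENSITIVE: {"accounting"},
    Classification.INTERNAL: {"accounting", "hr", "sales", "engineering"},
    Classification.EXTERNAL: {"marketing"},
}


def evaluate_access(user_group: str, dataset: str, action: str,
                    on_lan: bool, encrypted: bool) -> Decision:
    """Decide whether user_group may perform action on dataset.

    on_lan: the request originates inside the segmented corporate network.
    encrypted: the transport is encrypted (e.g. TLS or VPN), so the data
    is allowed to cross the segment boundary.
    """
    if action not in ("read", "modify"):
        return Decision(False, f"unknown action {action!r}")

    # Fail closed: data nobody has classified is treated as sensitive
    # (a choice made for this example, not a rule stated in the report).
    classification = INVENTORY.get(dataset, Classification.SENSITIVE)

    # Segmentation rule from the report: sensitive data must not leave
    # the LAN unless it is encrypted.
    if (classification is Classification.SENSITIVE
            and not on_lan and not encrypted):
        return Decision(False, "sensitive data may not leave the LAN unencrypted")

    policy = READ_POLICY if action == "read" else MODIFY_POLICY
    permitted = policy[classification]
    if permitted is None:
        return Decision(True, f"{classification.value} content is open for {action}")
    if user_group in permitted:
        return Decision(True, f"{user_group} may {action} {classification.value} data")
    return Decision(False, f"{user_group} may not {action} {classification.value} data")


if __name__ == "__main__":
    checks = [
        ("accounting", "customer_credit_cards", "read", True, False),
        ("sales", "customer_credit_cards", "read", True, False),
        ("accounting", "customer_credit_cards", "read", False, False),
        ("accounting", "customer_credit_cards", "read", False, True),
        ("public", "website_content", "read", False, False),
        ("public", "website_content", "modify", False, False),
        ("engineering", "q3_forecast", "read", True, True),  # never classified
    ]
    for args in checks:
        d = evaluate_access(*args)
        print("ALLOW" if d.allowed else "DENY ", args, "-", d.reason)
```

The last check shows the practical caveat behind Step 1: any data set that was never inventoried falls into the most restrictive bucket, so an incomplete inventory surfaces as denied requests rather than as silent exposure.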
[Figure: Segmenting the Corporate Network. The diagram shows separate segments for the business office, sales team, engineering team, accounting/back office and the engineering application, each reaching the Internet through a router or firewall. Caption: By segmenting networks, either through a router or firewall, the impact of a security breach can be limited. Source: Art Wittmann for Business Value Toolbox]
Encryption

That brings us to the third must-have technology: encryption. Whether you're doing it as part of your corporate governance strategy or because regulation requires it, sensitive data simply must be encrypted, period. If you're keeping credit card numbers or Social Security numbers or HIPAA-regulated data, chances are there's a law requiring you to encrypt the data both when it's at rest on your storage devices and when it's traversing the network. For outside parties looking to steal data, nothing is a better deterrent than encryption.

Comparing Encryption Techniques

- Full Disk Encryption. Purpose: protects mobile devices from loss and theft. Example: BitLocker.
- File/Folder Encryption. Purpose: protects single documents or folders, usually for transmission to others. Examples: PK-Zip, Win-Zip, FileVault.
- Database Encryption. Purpose: protects entire databases or columns within a database, usually where sensitive data is kept. Examples: appliances, integrated encryption technology.
- Application Level. Purpose: protects data applications create or store. Example: Microsoft Office (particularly Office 2007 and later).
- E-mail. Purpose: protects e-mail transmissions and can be easier to use than file encryption. Examples: S/MIME, PGP.
- Web/Internet. Purpose: protects Web-based applications using various protocols. Examples: SSL/TLS, FTP, SSH.
- Wi-Fi Networks. Purpose: protects wirelessly transmitted data. Examples: WEP and WPA (not secure); WPA (preferred/secure).

Source: Art Wittmann for Business Value Toolbox
Educating Users

Once you've got your data inventoried, created policies and put an identity management system in place that can manage all of your apps and your users' platforms, segmented your network into manageable chunks and encrypted all the data that requires encryption, you can lean back and relax, right? Of course not; it's never quite that easy. All the best-laid security policies and technologies in the world can be thwarted by well-intentioned employees. Phishing scams by clever and sometimes not-so-clever attackers are still some of the most productive tools for bad guys. Users can be convinced to give up passwords or otherwise grant access to sensitive data. Employees with the best of intentions also will take home data they shouldn't and, from time to time, they'll lose the device that's storing that sensitive data. One of the big five accounting firms estimated that it will lose up to 10 percent of its end-user equipment annually. Your users may not be that class of road warriors, but you can bet that sooner or later, you'll be dealing with lost or stolen equipment.

Users will generally play by the rules you set if you provide the necessary education and provide timely, helpful responses when an employee wants to do something that doesn't conform to your security policies. They'll help you do your job if you help them do theirs.
About The Author

Art Wittmann, a freelance technology journalist, has more than 20 years of experience in high-tech publishing. Most recently, he was the director of InformationWeek Reports, where he oversaw both the business and content of InformationWeek's research and reports business. During his career, he also was editor-in-chief of Network Magazine, IT Architect and Network Computing. Prior to his work in IT journalism, Wittmann was associate director of the Computer Aided Engineering Center at the University of Wisconsin, Madison.

Channel Partners

Channel Partners magazine is the leading publication for telecom and IT distribution channels. For more than 25 years, Channel Partners has been the undisputed leader in providing news, analysis and education to the indirect sales channels serving the business technology and communications industry. In addition, Channel Partners online (channelpartnersonline.com) delivers a constant content stream of unique and breaking industry news, feature articles and premium downloadable content. As official media of the Channel Partners Conference & Expo (channelpartnersconference.com), Channel Partners is the market leader that channel professionals turn to first.
More informationControlling and Managing Security with Performance Tools
Security Management Tactics for the Network Administrator The Essentials Series Controlling and Managing Security with Performance Tools sponsored by Co ntrolling and Managing Security with Performance
More information8 Ways to Better Monitor Network Security Threats in the Age of BYOD January 2014
8 Ways to Better Monitor Network Security Threats in the Age of BYOD January 2014 8 Ways to Better Monitor Network Security Threats in the Age of BYOD 2 Unless you operate out of a cave, chances are your
More informationProtecting Your Network Against Risky SSL Traffic ABSTRACT
Protecting Your Network Against Risky SSL Traffic ABSTRACT Every day more and more Web traffic traverses the Internet in a form that is illegible to eavesdroppers. This traffic is encrypted with Secure
More informationHow To Prevent Hacker Attacks With Network Behavior Analysis
E-Guide Signature vs. anomaly-based behavior analysis News of successful network attacks has become so commonplace that they are almost no longer news. Hackers have broken into commercial sites to steal
More informationThe Cloud App Visibility Blindspot
The Cloud App Visibility Blindspot Understanding the Risks of Sanctioned and Unsanctioned Cloud Apps and How to Take Back Control Introduction Today, enterprise assets are more at risk than ever before
More informationWHITE PAPER. Managed File Transfer: When Data Loss Prevention Is Not Enough Moving Beyond Stopping Leaks and Protecting Email
WHITE PAPER Managed File Transfer: When Data Loss Prevention Is Not Enough Moving Beyond Stopping Leaks and Protecting Email EXECUTIVE SUMMARY Data Loss Prevention (DLP) monitoring products have greatly
More informationComputer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1
Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls CS426 Fall 2010/Lecture 36 1 Announcements There will be a quiz on Wed There will be a guest lecture on Friday, by Prof. Chris Clifton
More informationSECURING YOUR SMALL BUSINESS. Principles of information security and risk management
SECURING YOUR SMALL BUSINESS Principles of information security and risk management The challenge Information is one of the most valuable assets of any organization public or private, large or small and
More informationThe Essential Security Checklist. for Enterprise Endpoint Backup
The Essential Security Checklist for Enterprise Endpoint Backup IT administrators face considerable challenges protecting and securing valuable corporate data for today s mobile workforce, with users accessing
More informationImportance of Web Application Firewall Technology for Protecting Web-based Resources
Importance of Web Application Firewall Technology for Protecting Web-based Resources By Andrew J. Hacker, CISSP, ISSAP Senior Security Analyst, ICSA Labs January 10, 2008 ICSA Labs 1000 Bent Creek Blvd.,
More informationIntroduction to Cyber Security / Information Security
Introduction to Cyber Security / Information Security Syllabus for Introduction to Cyber Security / Information Security program * for students of University of Pune is given below. The program will be
More informationSecuring Corporate Email on Personal Mobile Devices
Securing Corporate Email on Personal Mobile Devices Table of Contents The Impact of Personal Mobile Devices on Corporate Security... 3 Introducing LetMobile Secure Mobile Email... 3 Solution Architecture...
More informationAchieving PCI Compliance: How Red Hat Can Help. Akash Chandrashekar, RHCE. Red Hat Daniel Kinon, RHCE. Choice Hotels Intl.
Achieving PCI Compliance: How Red Hat Can Help Akash Chandrashekar, RHCE. Red Hat Daniel Kinon, RHCE. Choice Hotels Intl. Agenda Understanding Compliance Security Features within Red Hat Backporting Choice
More information2. From a control perspective, the PRIMARY objective of classifying information assets is to:
MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected
More informationTASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices
Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security
More informationBest Practices for PCI DSS V3.0 Network Security Compliance
Best Practices for PCI DSS V3.0 Network Security Compliance January 2015 www.tufin.com Table of Contents Preparing for PCI DSS V3.0 Audit... 3 Protecting Cardholder Data with PCI DSS... 3 Complying with
More informationBest Practices for Outdoor Wireless Security
Best Practices for Outdoor Wireless Security This paper describes security best practices for deploying an outdoor wireless LAN. This is standard body copy, style used is Body. Customers are encouraged
More informationBeef O Brady's. Security Review. Powered by
Beef O Brady's Security Review Powered by Why install a Business Class Firewall? Allows proper segmentation of Trusted and Untrusted computer networks (PCI Requirement) Restrict inbound and outbound traffic
More information4 Steps to Effective Mobile Application Security
Mobile Application Security Whitepaper 4 Steps to Effective Mobile Application Security Table of Contents Executive Summary 3 Mobile Security Risks in Enterprise Environments 4 The Shortcomings of Traditional
More informationSOOKASA WHITEPAPER CASB SECURITY OVERVIEW. www.sookasa.com
SOOKASA WHITEPAPER CASB SECURITY OVERVIEW www.sookasa.com Sookasa Overview Nearly 90 percent of enterprises currently use the public cloud, and by 2020, practically every business across the country is
More informationTHE TOP SECURITY QUESTIONS YOU SHOULD ASK A CLOUD COMMUNICATIONS PROVIDER
THE TOP SECURITY QUESTIONS YOU SHOULD ASK A CLOUD COMMUNICATIONS PROVIDER How to ensure a cloud-based phone system is secure. BEFORE SELECTING A CLOUD PHONE SYSTEM, YOU SHOULD CONSIDER: DATA PROTECTION.
More informationPayment Card Industry (PCI) Data Security Standard ROC Reporting Instructions for PCI DSS v2.0
Payment Card Industry (PCI) Data Security Standard ROC Reporting Instructions for PCI DSS v2.0 September 2011 Changes Date September 2011 Version Description 1.0 To introduce PCI DSS ROC Reporting Instructions
More informationMarch 2012 www.tufin.com
SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...
More informationWhat Do You Mean My Cloud Data Isn t Secure?
Kaseya White Paper What Do You Mean My Cloud Data Isn t Secure? Understanding Your Level of Data Protection www.kaseya.com As today s businesses transition more critical applications to the cloud, there
More informationThe Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements:
Compliance Brief The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements: Using Server Isolation and Encryption as a Regulatory Compliance Solution and IT Best Practice Introduction
More informationUsing Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4
WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,
More informationNetzwerkvirtualisierung? Aber mit Sicherheit!
Netzwerkvirtualisierung? Aber mit Sicherheit! Markus Schönberger Advisory Technology Consultant Trend Micro Stephan Bohnengel Sr. Network Virtualization SE VMware Agenda Background and Basic Introduction
More informationScott Lucas: I m Scott Lucas. I m the Director of Product Marketing for the Branch Solutions Business Unit.
Juniper Networks Next Generation Security for a Cybercrime World Lior Cohen Principal Solutions Architect Scott Lucas Director of Product Marketing, Branch Solutions Service Layer Technologies Business
More informationWays. to Shore Up. Security. Your. ABSTRACT: By Trish Crespo
6 Ways to Shore Up Your Security ABSTRACT: By Trish Crespo February 04 Microsoft's SharePoint collaboration software is an excellent tool for enterprise users, but some individuals have pointed to it as
More informationThe SMB Cyber Security Survival Guide
The SMB Cyber Security Survival Guide Stephen Cobb, CISSP Security Evangelist The challenge A data security breach can put a business out of business or create serious unbudgeted costs To survive in today
More informationInformation Security Policy
Information Security Policy Steve R. Hutchens, CISSP EDS, Global Leader, Homeland Security Agenda Security Architecture Threats and Vulnerabilities Design Considerations Information Security Policy Current
More informationWireless Network Best Practices for General User
Wireless Network Best Practices for General User I n Hong Kong, the number of Wi-Fi access points (hotspots) has reached 31,000 in 2015 1. Unfortunately, not all of them are well-protected. In fact, wireless
More informationPragmatic Version Control
Extracted from: Pragmatic Version Control using Subversion, 2nd Edition This PDF file contains pages extracted from Pragmatic Version Control, one of the Pragmatic Starter Kit series of books for project
More informationDeveloping Network Security Strategies
NETE-4635 Computer Network Analysis and Design Developing Network Security Strategies NETE4635 - Computer Network Analysis and Design Slide 1 Network Security Design The 12 Step Program 1. Identify network
More informationDatabase Security, Virtualization and Cloud Computing
Whitepaper Database Security, Virtualization and Cloud Computing The three key technology challenges in protecting sensitive data in modern IT architectures Including: Limitations of existing database
More informationBuilding A Secure Microsoft Exchange Continuity Appliance
Building A Secure Microsoft Exchange Continuity Appliance Teneros, Inc. 215 Castro Street, 3rd Floor Mountain View, California 94041-1203 USA p 650.641.7400 f 650.641.7401 ON AVAILABLE ACCESSIBLE Building
More informationSeven Things To Consider When Evaluating Privileged Account Security Solutions
Seven Things To Consider When Evaluating Privileged Account Security Solutions Contents Introduction 1 Seven questions to ask every privileged account security provider 4 1. Is the solution really secure?
More informationEnsuring the security of your mobile business intelligence
IBM Software Business Analytics Cognos Business Intelligence Ensuring the security of your mobile business intelligence 2 Ensuring the security of your mobile business intelligence Contents 2 Executive
More informationAPWG. (n.d.). Unifying the global response to cybecrime. Retrieved from http://www.antiphishing.org/
DB1 Phishing attacks, usually implemented through HTML enabled e-mails, are becoming more common and more sophisticated. As a network manager, how would you go about protecting your users from a phishing
More informationPA-DSS Implementation Guide for. Sage MAS 90 and 200 ERP. Credit Card Processing
for Sage MAS 90 and 200 ERP Credit Card Processing Version 4.30.0.18 and 4.40.0.1 - January 28, 2010 Sage, the Sage logos and the Sage product and service names mentioned herein are registered trademarks
More informationHow To Manage A Mobile Device Management (Mdm) Solution
Mobile Device Management Buyers Guide IT departments should be perceived as the lubricant in the machine that powers an organization. BYOD is a great opportunity to make life easier for your users. But
More informationThe following chart provides the breakdown of exam as to the weight of each section of the exam.
Introduction The CWSP-205 exam, covering the 2015 objectives, will certify that the successful candidate understands the security weaknesses inherent in WLANs, the solutions available to address those
More informationInternet threats: steps to security for your small business
Internet threats: 7 steps to security for your small business Proactive solutions for small businesses A restaurant offers free WiFi to its patrons. The controller of an accounting firm receives a confidential
More informationEasiShare Whitepaper - Empowering Your Mobile Workforce
Accessing files on mobile devices and sharing them with external parties presents serious security risks for companies. However, most current solutions are either too cumbersome or not secure enough for
More informationSecurity for the Road Warrior
Security for the Road Warrior Mark K. Mellis Associate Information Security Officer Stanford University Information Security Office Version 1.1 We are all mobile We all travel from home to campus or from
More information