The Network Alone Can t Protect Your Data

The Network Alone Can t Protect Your Data SESSION ID: STU-T07B Elliot Lewis Chief Security Architect Dell / Dell Software Group @elliotdlewis Chad Skipper Senior Principal Engineer Dell / End User Computing @chadskipper

Agenda 1 The Data Journey 2 Powerful Disrupters: Data is More Connected 3 The Network Alone Can t Protect Your Data 4 Data Access Risk Models 5 Data Protection Reference Architecture

The Data Journey From mainframe to client server to distributed to risk everywhere 3

Powerful Disrupters: Data is More Connected Cloud 85% Use cloud tools Big Data 35 Zettabytes by 2020 Mobility Security & Risk 5X 79% Increase in personal owned devices Experienced significant security incident

Two Kinds of Protection Headquarters In the field 5

The Network Alone Can t Protect Your Data Headquarters In the field Corporate infrastructure DMZ In the wild Partners Supply chain Trusted customers BYOx clients Corporatemanaged clients Internet storage DropBox, PocketCloud, Skydrive, Google BYOx clients VPN SaaS cloud How does one prepare data for external protection? 6

Inherent risk of data loss Corp net External net Data Risk Models Managed Corporate asset Corp container External network Corporate asset Corp container Semi trusted (VPN/VDI/App) Corporate asset Corp image & container Corporate network Strong control Data access Unmanaged Personal asset Native (Raw) OS external network Personal asset container Semi trusted (VPN/VDI/App) Personal asset Corp Container Corp network Weak control Corp Net External net Managed BYOx SaaS Corporate network Strong control Data location Unmanaged In the wild Internet storage Corporate ecosystem Weak control Mitigation control weakness

Contextual Access Assessment Device, location and access method Identification processing Who should be allowed to start the assessment process? Endpoint platform assessment What kind of device are they on? What OS type? Managed/unmanaged? Connection allowance assessment What connectivity do they have? Corporate or public network? Wireless or wired?

Data Access Policy & Identity Verification Process Who, proof, authorization and RSOP Data classification access assessment Assessment proceed based on data classification? Identity verification If sensitive is 2F verification required? Policy selection Which policy best applies to access parameters? Resultant Set of Policy Resolution (RSOP) Which policy takes precedence? Policy conflict resolution Which policy should take effect in a conflict?

Enforcement Controls Location, what device, access method & data integrity Multiple enforcement mitigations from which to choose: Firewall DLP AV/AM Network segmentation Sandboxing Containerization VPN Virtualization Secure browser

Encryption Processing Encrypt, decrypt, key management Encryption state assessment Key management Platform assessment Decryption processing Encryption processing Key storage Process closure

Data Risk Assessment Process Identification processing Endpoint platform assessment Connection allowance assessment Data classification access assessment 2F Identity verification Policy selection Resultant Set of Policy Resolution (RSOP) Policy conflict resolution Firewall DLP AV/AM Network segmentation Sandboxing Containerization VPN Virtualization Secure browser Encryption processing Key management Platform assessment Decryption processing Encryption processing Key storage Process closure Intelligence management Audit/compliance Mitigation selection, activation & monitoring Ongoing monitoring & policy adherence Data integrity monitoring Session monitoring & closure control

Data Protection Reference Architecture Crowd sourcing Common threats Open source intelligence Government / private intelligence Security-as-a- Service providers Regulatory & compliance controls Risk Analysis Fabric External interfaces & intelligence Public APIs Data access request Contextual access Identity verification Data access policy Enforced controls Encryption processing Intelligence mgmt Access result Device Identity Access Enforcement Access result Managed laptop BYOD container Unmanaged BYOD Employee Contractor Customer Full access Read access View access Firewall VPN Virtual Data downloaded Container access Data streaming

14 Thank You