Data protection and compliance
In the cloud and in your data center
1 November 2013

Agenda
1. Introduction
2. Data protection overview
3. Understanding the cloud
4. Where do I start?
5. Wrap-up

Data protection life cycle and goals
1. Understand the data held by the organization and its value. Answer the question: what is the information that needs to be protected the most?
2. Classify data as it is created, using labels that are clear and meaningful.
3. Protect data based on its classification, with the highest protections afforded to the most sensitive data.
4. Monitor the environment to identify data that is not appropriately classified or protected.
5. Continuously improve the program and remediate identified errors and processes.
Common data loss channels
- Loss or theft of laptops and mobile devices
- Unauthorized transfer of data to portable media
- Sensitive data stored in unprotected locations
- File sharing/p2p
- Instant messaging, social media, personal web mail
- Copying/printing of sensitive data
- Corporate email

Global Information Security Survey (GISS) insights: data protection control implementation
Which of the following actions has the company taken?
- 72%: Defined a specific policy regarding the classification and handling of sensitive information
- 68%: Employee awareness programs
- 57%: Implemented additional security mechanisms for protecting information (e.g., encryption)
- 43%: Locked down/restricted use of certain hardware components (e.g., USB drives, FireWire ports)
- 41%: Utilized internal audit for testing of controls
- 39%: Defined specific requirements regarding protection of information taken outside the office
- 38%: Implemented log review tools
- 38%: Implemented data loss prevention tools
- 31%: Restricted or prohibited use of instant messaging or email for sensitive data transmission
- 23%: Prohibited use of camera devices within sensitive or restricted areas
- 16%: Restricted access to sensitive information to specific time periods
Source: Ernst & Young's 2012 Global Information Security Survey: Fighting to close the gap

The rise in digital information further challenges effective data protection
- Rising reliance on IT is expected to stimulate digital storage demand at a projected annual growth rate of over 60% through 2020.
- Worldwide, the prevalence of digital information is expected to escalate to be 44 times bigger in 2020 than it was in 2009.
- Over the next decade:
  - The number of servers (virtual and physical) worldwide will grow by a factor of 10.
  - The amount of information managed by enterprise data centers will grow by a factor of 50.
  - The number of files the data center will have to deal with will grow by a factor of 75.
  - However, the number of IT professionals in the world will grow by less than a factor of 1.5.
Sources: IDC, The Digital Universe Decade: Are You Ready?, May 2010; IDC, Extracting Value from Chaos, June 2011
Perpetual storage of all data can be a risky and costly strategy
Many companies have retained information years beyond its useful retention date or business value due to:
- Confusing retention schedules
- Embracing the false concept that storage is cheap
- Mitigating a defense for potential litigation
- Data preservation due to litigation holds
BT survey: a quarter of decision-makers surveyed predict that data volumes in their companies will rise by more than 60% by the end of 2014, with the average of all respondents anticipating growth of no less than 42%.
Avanade survey: 55% of respondents reported a slowdown of IT systems and 47% cited data security problems.
Data should be archived for historical reference and litigation protection, but it should not have infinite copies stored in unknown locations.

Understanding the cloud
Cloud Security Alliance
Not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing.
https://www.cloudsecurityalliance.org
Source: https://cloudsecurityalliance.org/about/

Cloud computing top threats in 2013
1. Data breaches
2. Data loss
3. Account hijacking
4. Insecure APIs
5. Denial of service
6. Malicious insiders
7. Abuse of cloud services
8. Insufficient due diligence
9. Shared technology issues
Source: https://cloudsecurityalliance.org/download/the-notorious-nine-cloud-computing-top-threats-in-2013/

Where do I start?
Data protection control model
Data protection controls
- Data in motion, data in use, data at rest
- Structured data and unstructured data
- Perimeter security, privileged user monitoring, encryption
Focus areas
- Network traffic monitoring/blocking
- Web content filtering
- Data collection and exchange
- Workstation restrictions
- Application controls
- Data labeling/tagging
- Obfuscation/tokenization
- Mobile device protection
- Network/server repository control
- Messaging (email, IM)
- Removable/external media control
- Physical media control
- Remote access
- Export/clipboard/print control
- Archive, disposal and destruction
Supporting information security processes
- Identity/access management
- Security information management
- Configuration management
- Vulnerability management
- Digital rights management
- Incident response
- Physical security
- Training and awareness
- Asset management
- Data privacy
- Employee screening and vetting
- Third-party management
- BCP/DR
- Records management
- Risk management and reporting
- Change management/SDLC

What's important?
Corporate data
- Price/cost lists
- Target customer lists
- New designs
- Source code
- Formulas
- Pending patents
- Intellectual property
Customer data
- Customer list
- Spending habits
- Contact details
- User preference
- Product customer profile
- Payment status
- Contact history
Transaction data
- Bank payments
- B2B orders
- Vendor data
- Sales volumes
- Purchase power
- Revenue potential
- Sales projections
Personally identifiable data
- Full name
- Birthday, birthplace
- Biometric data
- Genetic information
- Credit card numbers
- SSN, passport numbers
- Driver's license numbers

Risk assessment
- Each type of sensitive data held by the company should be assessed to determine its relative value, dollar value (if possible) and relative risk.
- Again, this should be led by the business and facilitated by Information Security (or whoever owns data protection within the organization).
- The result should be clear guidance to the data protection team on what types of data require the most protection.
- High-value data from the risk assessment should be mapped to use cases.
Architecture
A core component of a data protection program is understanding data flows and identifying applications, databases and unstructured repositories that contain sensitive data. Key questions to understand include:
- Where is my data flowing, both inside and outside the organization?
- What structured repositories hold sensitive data?
- What unstructured repositories are available to users for sharing and collaboration?
- Where is data archived?
- Are users' local drives stored on the network?

Risk and audit
Areas for heightened risk awareness and audit focus:
- Data handling: loss of control over data; lack of information isolation; data recovery; data privacy; encryption methods
- IT operations
- Third party evaluations
- System integration/services transaction flow
- Legal/vendor: legal support capability; vendor support using contractual methods with contingencies in place; vendor viability
- Compliance: SOX, HIPAA, PCI, FISMA
- Physical: natural disasters, unauthorized access, theft, certified personnel
These may be addressed by a combination of:
- Continuous monitoring for availability statistics
- Validating data concerns by assessing vendor data management methods
- Validating vendor longevity and capability
- Service measurement
- Reviewing the vendor compliance policies and third-party certification
- Reviewing access and identity management methods and controls
- Defining and validating integration points both internally and externally

Cloud Security Alliance resources
Cloud Controls Matrix (CCM)
- Controls framework for 13 domains
- Mapped to ISO 27001/27002, ISACA COBIT, PCI DSS, HIPAA, NIST and NERC CIP
Consensus Assessments Initiative (CAI)
- Set of questions a cloud consumer and cloud auditor may ask of a cloud provider
- Aligns to the CCM
Security, Trust & Assurance Registry (STAR)
- Registry that documents the security controls provided by various cloud computing offerings
- Helps users assess the security of cloud providers
Sources: https://cloudsecurityalliance.org/research/ccm/ ; https://cloudsecurityalliance.org/research/cai ; https://cloudsecurityalliance.org/star/
We have covered a lot of topics today! Let's recap
The ever-evolving risk landscape is becoming more challenging to manage. With data loss, prevention is always better than recovering after a breach. Consider the following next steps:
Understand your data program
- Gain an understanding of current data protection processes, stakeholders and technology
- Understand legal requirements, regulatory requirements and business drivers for DLP
- Understand existing data protection improvement plans
Risk assessment
- Undertake a risk assessment to identify potential exposure and uncontrolled data loss channels
- Determine whether sensitive data has been identified, inventoried and risk ranked
- Consider using a DLP network monitoring tool to aid in the risk assessment process
Control assessment
- Determine data protection program maturity by assessing data protection controls
- Consider all relevant controls that contribute to data protection
Program improvement
- Identify gaps in the current program and controls
- Identify additional technology and processes required to achieve desired maturity
- Develop specific recommendations for improvement and remediation
- Develop a road map for improvement

Thank you
Fighting to close the gap: Ernst & Young's 2012 Global Information Security Survey
http://www.ey.com/giss2012
EY's 2013 Global Information Security Survey coming soon!
http://www.ey.com/informationsecurity
Eric Brothers
Manager, Advisory Services
Atlanta, GA
Phone: +1 404 817 4419
Email: eric.brothers@ey.com