Data-centric security What is new? from perimeter/infrastructure to data-centric security

Transcription

1 Data-centric security What is new? from perimeter/infrastructure to data-centric security Dr. Olaf Riebe, Head Business Unit ECM Bern, 23th of June 2015

2 Status quo and challenges changing environments and threat vectors Page 2

3 In a confined and isolated, perimeter-based world its easy to protect information Page 3

4 But, how secure are sensitive information today really? Page 4 Proprietary & Confidential

5 And the reality is also Businesses are slow and limited to self-detect breach activity the average time from initial breach to detection is 210 days (64% needed 90 days / 5% needed 3 years) 83 % of IT Professionals don't know where their company s sensitive data is located 88 % are NOT confident in their ability to detect a data breach involving unstructured data Source: Ponemon Institute (2014) Page 5

6 Main threat vectors are: The Insider Threat Applications Storage Cyber Attacks Privileged Users & Cloud Providers Users & Devices Partners / Offshore Page 6

7 Threat vectors and breaking perimeters: The Insider Threat Applications Storage Cyber Attacks Privileged Users & Cloud Providers Users & Devices The Perimeter is Gone and No Longer Provides comprehensive Protection Partners / Offshore Page 7

8 As soon as a document is created, its exposed We saw cracks in the wall, we saw established solutions failing to protect information. more & more business applications more & more locations more & more access & exit points changing communication processes overstrained security tools Page 8

9 The approach: Data-centric security and Active Data Immunization Page 9

10 Make Information secure when they are created with Active Data Immunization The Insider Threat Data Immunization Applications Storage At The Point of Creation Makes the Threat Irrelevant Cyber Attacks Privileged Users & Cloud Providers Users & Devices Partners / Offshore The Perimeter is Gone and & No Can Longer No Longer Provides Be Protection Protected Page 10

11 There are infinite ways to create & access information with any business application: Line of Business Applications Reports Generation from ERP Data derives from DB Applications Reports Generation from Applications CAD/CAM Page 11

12 and there are infinite ways to create & access information: beyond defined perimeters Beyond the Perimeter Page 12

13 The approach has to guarantee: Immunize files active upon creation from any source! Data used on devices in Office & mail apps Data generated by Apps & web Data stored & shared on/off premise Data used & at rest on repositories Page 13

14 with special challenges: Secure Collaboration and BYOD Collaborate securely using encrypted data Collaborate securely using encrypted communications Fully audited & controlled data decryption, if required Page 14 14

15 What are the main elements for a Active Data Immunization? Secure Data At The Point of Creation Policy Encryption Classification & Tagging Permission Usage Tracking Page 15

16 Active Data Immunization should support different modes: FULLY automated Semi-automated System recommendation Manual / User driven Page 16

17 Protection of and permissions for unstructured data stored in File systems and servers is one of today s hot topics Typical security requirements in a Bank environment: 1. Classification of unstructured data stored on file system and server 2. Enforce Bank security policies (protection & permission) to classified data 3. Integration into Bank applications and security tools Page 17

18 Therefore Data Security Classes and permissions were defined: Level Classification Can be unencrypted Must be encrypted Can be printed Can be sent internally via normal Must be sent internally via encrypted Can be exposed to externals? DL1 Public Y N Y Y N Y DL2 Internal use Y N Y Y N Y DL3 Confidential N Y Y N Y N DL4 Secret N Y N N Y N Customer Example of a Swiss Bank Page 18

19 Data Classification in combination with defined permission rules guarantee protection of sensitive information in the Bank Fully automatic, till user based classification and protection User Automatic Recommended User Page 19

20 Summary and advantages of a Data-centric security: Protection is embedded within the information itself Overcome the limitations of a perimeter based solution Protection of all formats, all applications (incl. Cloud) and all devices (BYOD) Without affecting IT or business processes Is able to enforce usage rights of all data Through classification, encryption and permission management Immunize your data from the point of creation, throughout its entire lifecycle. Page 20

21 for your attention and for visiting us at our booth. Page 21 Informatique-MTF SA