KuppingerCole Whitepaper
Using Information Stewardship within
by Dave Kearns (dk@kuppingercole.com)
February 2013

Content
1. Summary
2. Good information governance is fundamental to information stewardship
3. Good information stewardship needs information centric, rather than technology centric security
4. Information stewardship involves the business as well as the IT services group
4.1 Understand the value and sensitivity of the information you hold
4.2 Implement Strong Identity and Access Management
4.3 Encrypt your data
4.4 Train people to understand the value and sensitivity of information
4.5 Adopt best practices to secure information, PII and your IT services
4.6 Implement the technical controls to protect information
4.7 Take steps to mitigate the effect of a loss ahead of time
4.8 Create an information leakage resilience plan
4.9 Coordinated attacks by outsiders are an increasing concern
5. Conclusion
1. Summary

Loss and theft of Personally Identifiable Information (PII) from government, military and defense organizations continues to be a significant problem. Given the amount of attention paid to this area and the wealth of standards and technology available, why do these leaks still occur? This document considers the sources of leakage and describes how better information stewardship, based on information centric security, is essential to manage these risks.

According to the National Institute of Standards and Technology (NIST), examples of PII include, but are not limited to:

- Name, such as full name, maiden name, mother's maiden name, or alias;
- Personal identification number, such as social security number (SSN), passport number, driver's license number, taxpayer identification number, or financial account or credit card number;
- Address information, such as street address or email address;
- Personal characteristics, including photographic image (especially of face or other identifying characteristic), fingerprints, handwriting, or other biometric data (e.g., retina scan, voice signature, facial geometry);
- Information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, weight, activities, geographical indicators, employment information, medical information, education information, financial information).

Information stewardship uses good governance techniques to implement information centric security for all of your data, including PII. Information stewardship involves the business as well as the IT services group: line of business managers, application owners and everyone who touches information are involved, as well as the IT service providers. It creates a culture where the people in the organization understand the sensitivity of information and the ways in which this information can be put at risk. It applies best practices and uses the most appropriate technologies to protect information. It makes sure that the organization is resilient to loss of data by protecting information against that eventuality. And when the seemingly inevitable leakage or loss occurs, information stewardship provides the resilience necessary to mitigate the damage and restore both the information and the trust of users.
Figure 1: Information Leakage Risk Points
2. Good information governance is fundamental to information stewardship

Information governance is a key component of IT governance, and IT governance ensures that the IT services, however they are delivered, provide appropriate levels of security for that information. The continuing problem of data leakage, data loss and data theft shows that information governance, in itself, has proven inadequate to prevent these issues. Since many of the large organizations that have suffered these problems are both technically sophisticated and well aware of the value of the information lost, it would seem that information governance as currently implemented by these organizations is not sufficient.

Information governance consists of a set of policies, procedures, practices and organizational structures that, taken together, are aimed at ensuring the management of information according to defined strategies and controls. The objective of information governance is to meet business needs, manage risk and ensure compliance with laws and regulations. Information governance is also concerned with creating a culture within the organization, and it is this aspect that has been lacking. In addition, organizations need to implement stronger controls on access to their data and take measures to protect against external threats.
3. Good information stewardship needs information centric, rather than technology centric security

Organizations can no longer rely on perimeter appliances to protect their proprietary or sensitive information. In today's world information can easily travel outside the physical boundaries of the organization via tablets, mobile phones, and remote access. In order to protect information today, we need to build security into the information itself, so that data becomes the new perimeter. The elements of information centric security are shown in the following diagram:

Figure 2: Information Centric Security
4. Information stewardship involves the business as well as the IT services group

Line of business managers, application owners and everyone who touches information are involved along with the IT service providers. Good information stewardship creates a culture where the people in the organization understand the sensitivity of information and the ways in which this information can be put at risk. It applies best practices and uses the most appropriate technologies to protect information. It makes sure that the organization is resilient to loss of data by protecting information against that eventuality. And when the seemingly inevitable leakage or loss occurs, information stewardship provides the resilience necessary to mitigate the damage and restore both the information and the trust of users.

The following best practices are recommended to ensure proper information stewardship:

4.1 Understand the value and sensitivity of the information you hold

You cannot protect what you don't know you have. All structured data, including PII, needs to be formally classified in terms of its business impact and regulatory requirements. However, much of the sensitive information within an organization is now held in unstructured form such as emails, Word documents, spreadsheets and presentation files. These are created in an ad hoc manner by employees and may contain information which needs to be controlled. This poses a significant problem because it is hard for an organization to protect what it does not know exists. While it is possible for structured application data to be classified by a single part of the organization, often a single person, it is not practical to centrally classify all of this unstructured data. Worse still, this unstructured data is often held on shared drives, SharePoint systems, even cloud services, and is highly mobile.

Use of tools designed for non-IT personnel to help them identify and classify unstructured PII data is critical to protecting your information.

4.2 Implement Strong Identity and Access Management

- Identity Management: knowing who is accessing information.
- Access Management: ensuring that access rights are appropriate.
- Privileged Access Management: ensuring privileged users are controlled.
- Monitoring: who has access to, and who has accessed, what.

4.3 Encrypt your data

Valuable and sensitive information, especially PII, should be encrypted whenever possible. At the least, both portable and permanent storage devices should be encrypted, but any information on the wire or in the air also needs the strongest encryption possible, along with methods to monitor the data flow.
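As an added illustration of the classification task described in section 4.1 (example code written for this edit, not part of the whitepaper or a KuppingerCole tool), the scanner below flags a few of the NIST PII categories from the Summary in constructed unstructured text and assigns a sensitivity label. The regular expressions, the Luhn check used to cut false positives on card numbers, the label names and the sample documents are all assumptions.

```python
import re
from collections import Counter

# Detectors for a subset of the NIST PII categories listed in the Summary.
# Illustrative patterns only (assumption), not an exhaustive PII catalogue.
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "date_of_birth": re.compile(r"\b(?:DOB|date of birth)[:\s]+\d{1,2}/\d{1,2}/\d{4}\b", re.I),
}

def luhn_ok(digits):
    """Luhn checksum: weeds out random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_pii(text):
    """Return a Counter of PII categories found in one unstructured document."""
    found = Counter()
    for kind, pattern in PII_PATTERNS.items():
        for match in pattern.finditer(text):
            if kind == "card_number":
                digits = re.sub(r"\D", "", match.group())
                if not (13 <= len(digits) <= 16 and luhn_ok(digits)):
                    continue        # digit run fails Luhn: not treated as a card number
            found[kind] += 1
    return found

def classify(text):
    """Map detected categories to a sensitivity label (label scheme is an assumption)."""
    found = find_pii(text)
    if "ssn" in found or "card_number" in found:
        label = "restricted"     # identification / financial account numbers
    elif found:
        label = "confidential"   # contact details or linkable personal data
    else:
        label = "internal"
    return label, dict(found)

# Constructed sample documents standing in for files on a shared drive.
DOCS = {
    "hr_note.txt": "Update the record for Jane Doe, SSN 123-45-6789, DOB: 04/12/1980, "
                   "contact jane.doe@example.com.",
    "expenses.csv": "vendor,card\nTravelCo,4111 1111 1111 1111\n",
    "contacts.txt": "Ask bob@example.org to circulate the agenda.",
    "agenda.txt": "Team meeting Tuesday at 10am to review the project plan.",
}

def classify_all(docs=DOCS):
    return {name: classify(text) for name, text in docs.items()}
```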
4.4 Train people to understand the value and sensitivity of information

Mishandling of data by employees and associates is a significant cause of information loss. Everyone in the organization should be trained to understand the value and sensitivity of protected information, including PII, and to treat it in an appropriate way. This education requirement should be ongoing, especially when you expect and require these people to classify unstructured data.

4.5 Adopt best practices to secure information, PII and your IT services

Best practices represent the combined knowledge of the best brains in the industry. However, be selective: not everything will apply to your organization. Require everyone, including outsourced IT services providers, to follow these standards.

4.6 Implement the technical controls to protect information

Configure and patch systems and applications to remove well-known vulnerabilities such as SQL injection. Conduct penetration tests to confirm these controls. Make sure that these controls are in place if your IT service is outsourced or you use a cloud service.

4.7 Take steps to mitigate the effect of a loss ahead of time

- It is vital to formally classify structured and unstructured PII data in terms of its business impact and regulatory requirements.
- Encrypt valuable and sensitive information on storage devices, especially on portable media like USB memory sticks.
- Encrypt information in motion and monitor information flows.
- Avoid copying sensitive data onto mobile devices. If this is not possible, implement remote wipe technology that can be used when they are lost.
- Back up business critical information with a recovery plan that matches the business need for its availability.

4.8 Create an information leakage resilience plan

This should cover what to do when data is lost or leaked, including:

- Statutory and legal obligations to inform regulators and individuals.
- How to manage the business impact of an information loss. This should be part of the business continuity plan.
- Handling the media when an incident occurs.

4.9 Coordinated attacks by outsiders are an increasing concern

A high level of skill and technology is needed to intercept targeted attacks. If your organization holds information that is likely to be subject to this kind of attack (and PII is always such a target), you should consider using managed security services.
5. Conclusion

Information stewardship involves the business as well as the IT services group. Line of business managers, application owners and everyone who touches information are involved, as well as the IT service providers. It creates a culture where the people in the organization can understand and identify the sensitivity of information and the ways in which this information can be put at risk. It applies best practices and uses the most appropriate technologies to protect information. It makes sure that the organization is resilient to loss of data by protecting information against that eventuality.

2013 Kuppinger Cole Ltd. All rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission is obtained. KuppingerCole disclaims all warranties as to the adequacy, accuracy or completeness of information contained in this document. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole does not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice.
The Future of Information Security Today.

KuppingerCole supports IT professionals with outstanding expertise in defining IT strategies and in relevant decision making processes. As a leading analyst company KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

Kuppinger Cole Ltd.
Headquarters
Am Schloßpark 129
D-65203 Wiesbaden
Germany
Phone +49 (211) 23 70 77 0
Fax +49 (211) 23 70 77 11
www.kuppingercole.com

KuppingerCole, founded in 2004, is a leading Europe-based analyst company for identity focused information security, both in classical and in cloud environments. KuppingerCole stands for expertise, thought leadership, and a vendor-neutral view on these information security market segments, covering all relevant aspects like Identity and Access Management (IAM), Governance, Risk Management and Compliance (GRC), IT Risk Management, Authentication and Authorization, Single Sign-On, Federation, User Centric Identity Management, eID cards, Cloud Security and Management, and Virtualization.

For further information, please contact clients@kuppingercole.com