The Information- Centric Security Lifecycle · 2015-09-18 · The Information-Centric Security...

The Information-Centric Security

LifecycleRich Mogull

Securosis, L.L.C.

ecurosis.com

Mainframe Internet I Internet II

Jail Fortress ZoneNETWORK

ecurosis.com

But what about the information?

ecurosis.com

Network

Application

Network

ecurosis.com

InformationInformation

Application

Network

ecurosis.com

The Information-Centric Security

Lifecycle

ecurosis.com

Create

Destroy

Share Archive

ClassifyAssign Rights

Access ControlsEncryptionRights ManagementContent Discovery

Activity Monitoring and EnforcementRights ManagementLogical ControlsApplication Security

CMP (DLP)EncryptionLogical ControlsApplication Security

EncryptionAsset Management

Crypto-ShreddingSecure DeletionContent Discovery

ecurosis.com

ILM and Security

Create

Destroy

Share Archive

Creation and Receipt

Distribution

UseMaintenance

DispositionUse

ecurosis.com

• Content is classified as it’s created through content analysis or based on labeling of data elements.

• Rights are assigned, based on central policies.

• Mandatory and discretionary policies.

Create

ecurosis.com

Control Structured UnstructuredClassify None* None*

Assign Rights Label Security Enterprise DRM

Create

Create Technologies

Note- Classification is expected to emerge from DLP/CMP

ecurosis.com

Label Security

ID Last First SSN

1111 Mogull Richard 555-12-5555

1112 Smith John 324-86-3456

ID Last First Region Label

1111 Mogull Richard US Public

1112 Smith John EMEA Sensitive

Column

ecurosis.com

Partial Document Matching

Exact File Matching

StatisticalDatabase Fingerprinting

CategoriesConceptual

^(?:(?<Visa>4\d{3})|(?<Mastercard>5[1-5]\d{2})|(?<Discover>6011)|(?<DinersClub>(?:3[68]\d{2})|(?:30[0-5]\d))|(?

<AmericanExpress>3[47]\d{2}))([ -]?)(?(DinersClub)(?:\d{6}\1\d{4})|(?(AmericanExpress)(?:\d{6}\1\d{5})|(?:\d{4}\1\d{4}\1\d{4})))$

Content Analysis

ecurosis.com

• We use access controls, encryption, and rights management to protect data in storage.

• Content Discovery helps find unprotected sensitive data that slipped through the gaps.

ecurosis.com

Store TechnologiesControl Structured Unstructured

Access ControlsDBMS Access Controls

Administrator Separation of Duties

File System Access ControlsDocument Management System Access Controls

EncryptionField Level Encryption

Application Level EncryptionFile/Media Encryption*

Media EncryptionFile Encryption

Distributed Encryption

Rights Management Label/Row Level Security Enterprise DRM

Content DiscoveryDatabase-Specific Discovery

DLP/CMF Content DiscoveryStorage/Data Classification

ecurosis.com

AccessControls

Encryption DRM

ecurosis.com

Application/Database

File/Folder Media

Encryption Options

rmogull Phoenix asdfasdfasdfasdf

ecurosis.com

Content Discovery

Remote ScanningRemote Scanning

ecurosis.com

• Monitor and protect information during use.

• Includes business applications and productivity applications.

• Heavy use of content-aware technologies.

ecurosis.com

Use Technologies

Control Structured Unstructured

Activity Monitoring and Enforcement

Database Activity MonitoringApplication Activity

Monitoring

Endpoint Activity MonitoringFile Activity Monitoring

Portable Device ControlEndpoint DLP

Rights Management Label Security Enterprise DRM

Logical ControlsObject (Row) Level Security

Structural ControlsApplication Logic

Application Security Implemented At Application LayerImplemented At Application Layer

ecurosis.com

Two Sides Of Information-Centric Security

Data Center Productivity

ecurosis.com

Advanced Content Analysis

Real-Time DRM

CMP to ADMP Bridges

Managed and Unmanaged Systems

ecurosis.com

Adaptive AuthenticationApplication NACActivity MonitoringAnti-ExploitationTransaction AuthenticationSession SecurityApplication Virtualization

ecurosis.com

Cross-Domain Information Protection

ID Last First SSN

1112 Smith John 324-86-3456

ID Last First SSN

1112 Smith John 324-86-3456

100150200

2007 2008 2009 2010

Customer Report

Customer retention grew 13% YoY. Customer 138-56-8375 held return value while...

11 Last First SSN

asdf asd asd ads

ads ads asd asd

Customer Report

Customer retention grew 13% YoY. Customer 138-56-8375 held return value while...

11 Last First SSN

asdf asd asd ads

ads ads asd asd

ecurosis.com

• Securely exchange information, inside and outside of the enterprise.

• A mixture of content-aware technologies and encryption for secure exchange.

ecurosis.com

Share Technologies

CMP/DLP Database Activity Monitoring(With DLP Feature)

Network/Endpoint CMP/DLP

Encryption*Only When Data Elements Not Otherwise

Encrypted

Network EncryptionApplication Level Encryption

Email EncryptionFile Encryption

Network Encryption

Logical ControlsObject (Row) Level Security

Structural Controls

Application Security Implemented At Application LayerImplemented At Application Layer

ecurosis.com

Inter-Organization Encryption vs. DRM

ecurosis.com

• Protect information in archival storage.

• Encryption and asset management

The Information- Centric Security Lifecycle · 2015-09-18 · The Information-Centric Security...

Documents

The Information- Centric Security Lifecycle · •Content is classiﬁed as it’s created through content analysis or based on labeling of data elements. ... asdfasdf asdfasdf. ecurosis.com

Autodesk Fusion Lifecycle Security Whitepaper · Autodesk Fusion Lifecycle Security Whitepaper May 1, 2015 1 trust.autodesk.com Introduction Autodesk® Fusion Lifecycle brings powerful

Threat Modeling: Security Development Lifecycle

IBM Security Key Lifecycle Manager Version 2 on systems such as Linux and AIX . . 63 ... IBM Security Key Lifecycle Manager, version 2.5 provides new ... x IBM Security Key Lifecycle

Towards a Project Centric Metadata Model and Lifecycle for Ontology Mapping Governance

THE NETWORK SECURITY POLICY MANAGEMENT LIFECYCLE … · THE NETWORK SECURITY POLICY MANAGEMENT LIFECYCLE: How a lifecycle approach improves business agility, reduces risks, and lowers

A SECURITY ARCHITECTURE FOR NET-CENTRIC ENTERPRISE ...people.cs.vt.edu/.../WebServices/DISA-Security-Architecture.pdf · A SECURITY ARCHITECTURE FOR NET-CENTRIC ENTERPRISE SERVICES

Security Development Lifecycle for Agile · PDF fileSecurity Development Lifecycle for Agile Development 2 ... RSA, and SHA-256 or ... Security Development Lifecycle for Agile Development

Autodesk Fusion Lifecycle Security Whitepaper · Autodesk Fusion Lifecycle Security Whitepaper May 1, 2015 1 trust.autodesk.com Introduction Autodesk® Fusion Lifecycle brings …

Data-Centric Protection: Enabling Business Agility While Protecting Data … · 2017. 1. 6. · called data-centric security. To implement data-centric security, while simultaneously

Application Whitelisting - Complementing Threat centric with Trust centric security

Covertix Data Centric Security

Data Centric Security Strategy

People-Centric Security: Transforming Your Enterprise Security Culture

Application Centric Infrastructure (ACI) Software ...d2zmdbbm9feqrf.cloudfront.net/2014/usa/pdf/ATE-CL345.pdf · Application Centric Infrastructure (ACI) Software Development Lifecycle

Introduction to Data Centric Security (DCS)

Security Lifecycle Management

Data-Centric Security

Improving the Development Lifecycle with a Quality-Centric Approach

Architecture-centric Support for Integrating Security