antonia-robinson
AGENDA
1. Data Management & Security - Situation
2. Data Security Life-Cycle
3. Mitigation Considerations
4. Data Security – Examples and Application
5. Questions and Discussions
Copyright 2013 FUJITSU LIMITED
TERMINOLOGY
Data management is an overarching term that refers to all aspects of creating, housing, delivering, maintaining and retiring data with the goal of valuing data as a corporate asset.
A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.
Data breaches may involve financial information such as credit card or bank details and/or personal information.
WHERE IS MY DATA
Your Data
• Unstructured data: File Systems (Office documents, PDF, Vision, Audio & other), Fax/Print Servers, File Servers
• Business Application Systems (SAP, PeopleSoft, Oracle Financials, In-house, CRM, eComm/eBiz, etc.): Application Server
• Structured data: Database Systems (SQL, Oracle, DB2, Informix, MySQL), Database Server
• Security & Other Systems (Event logs, Error logs, Cache, Encryption keys, & other secrets): Security Systems
• Data Communications: e.g. VoIP Systems, FTP/Dropbox Server, Email Servers
• Storage & Backup Systems: e.g. SAN/NAS, Backup Systems
Data exists in different formats and in many repositories. Knowing what, which, when and how to secure the “Data” is critical.
ENOUGH PROTECTION?
Have plenty of security implementation:
• Firewalls, IPS, IDS, Proxies, Antivirus
• SmartCards and authentication devices
• Access control on your routers
• VPNs for secure communications
• ….
Attackers are getting smarter, more knowledgeable, more resourceful and bolder.
Anyone, anywhere can be a potential attacker.
Criminal activity becomes more profitable.
Cyber-terrorism, cyber-security, etc. are a real possibility ….
IMPACT AND CONSEQUENCES
(Diagram: Data Store A, Data Store B, Data Store C, D)
Data security breaches are harmful to any organization of any size.
The consequences can be serious.
Data breach/loss incurs:
– legal fees
– disclosure expenses
– consulting fees
– remediation expenses
– credit monitoring expenses
Consequences
– Legal/statutory/regulatory
– Reputation/image impact
– Loss of customers/business
– Credibility
THOUGHT PROCESS
What data will be stored
Where will it be stored
What controls are in place
Who is responsible for security
Are there third party validations
Process for removing data
DATA SECURITY LIFECYCLE
Source: Security Guidance for Critical Areas of Focus in Cloud Computing V3.0, Information Management & Data Security
This may also be known as Create/Update because it applies to creating or changing a data/content element, not just a document or database. Creation is the generation of new digital content, or the alteration/updating of existing content.
Considerations (Examples)
Ownership
Classification
Rights Management
Storing is the act of committing the digital data to some sort of storage repository, and typically occurs nearly simultaneously with creation.
Considerations (Examples)
Access Controls
Encryption
Rights Management
Isolation
(Figure: rmt/0 - Utilization, Percentage (%), series %wait and %busy, 27/03/01 - 28/03/01)
Data is viewed, processed, or otherwise used in some sort of activity.
Considerations (Examples)
Internal/External
Third Parties
Appropriateness
Compliance
Data is exchanged between users, organisations, groups and individuals.
Considerations (Examples)
Internal/External
Third Parties
Purposes
Compliance
Locations
(Diagram: Local Mirroring (RAID 1); Remote (Offsite) Replication (LAN, MAN, WAN); Server (Primary), Server (Replica))
Data leaves active use and enters long-term storage.
Considerations (Examples)
Legal/Law
Sites/Locations
Media type
Retention
Ownership
Data is permanently destroyed using physical or digital means (e.g., cryptoshredding).
Considerations (Examples)
Secure
Complete
Assurance
Proof
Content Discovery
SAP IAAS
OnDemand, Elastic infrastructure consumption @ Enterprise Class Service Levels
SAPCloud Certified
Annual Subscription
Full Maintenance
• Hardware
• Network
• Software
• Middleware
• Operating System
Managed Services
• Full System Backup & Recovery
• Disaster Recovery
• 24x7 Monitoring
• Call Centre
• DC Facilitation
• WAN connectivity
Enterprise Service Levels
• 99.9% Availability
• Dialog Response time <3 sec
• RTO up to 3 hours*
OnDemand Resources
• SAPS (1000SAPS/Daily)
• Storage (GB/Monthly)
(Diagram labels: Recommended, Full, Zero Load Profile, “Baseline”)
LEVERAGING – DATA FLOW
(Diagram) Parties: Contractor; Customer (Agency A); Vendor (Authorised by A); Customer of A; Agency A, Staff A
(Diagram) Components: Central Services Portal (Catalogue); Authentication/Authorisation Server; Resource pool (Servers, storage, networks, OS images); Virtual Resources
(Diagram) Steps:
• S2. Staff A authentication/authorisation
• S3 Staff A access
• S4. Vendor authentication/authorisation
• S5 Vendor access
• S6 Request
• S7 resources Allocate
• S7 Service Request
• S8 Automatic Provision
• S8 request
• S9 resources Allocate
• S10 Provision to Customer A
• S11 Notify Customer A
• S12 Authentication/Authorisation
• S13 Access, review, accept
APPLICATION (EXAMPLES)
These are the templates that would be used for the case study:
Data-Impact (useful for Data Classification)
Data Security Lifecycle (useful for RACI)