Copyright 2013 FUJITSU LIMITED


AGENDA

Mitigation Considerations

1. Data Management & Security - Situation

2. Data Security Life-Cycle

3. Shaping Tomorrow With You

4. Data Security – Examples and Application

5. Questions and Discussions

TERMINOLOGY

Data management is an overarching term that refers to all aspects of creating, housing, delivering, maintaining and retiring data with the goal of valuing data as a corporate asset.

A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.

Data breaches may involve financial information such as credit card or bank details and/or personal information.

WHERE IS MY DATA

Your Data

• Unstructured data: file systems (office documents, PDF, Vision, audio & other), fax/print servers, file servers

• Business application systems (SAP, PeopleSoft, Oracle Financials, in-house, CRM, eComm/eBiz, etc.): application server

• Structured data: database systems (SQL, Oracle, DB2, Informix, MySQL), database server

• Security & other systems (event logs, error logs, cache, encryption keys & other secrets): security systems

• Data communications: e.g. VoIP systems, FTP/Dropbox server, email servers

• Storage & backup systems: e.g. SAN/NAS, backup systems

Data exists in different formats and in many repositories. Knowing what, which, when and how to secure the “Data” is critical.

ENOUGH PROTECTION?

Have plenty of security implementation:

• Firewalls, IPS, IDS, proxies, antivirus

• Smart cards and authentication devices

• Access control on your routers

• VPNs for secure communications…

Attackers are getting smarter, more knowledgeable, more resourceful and bolder.

Anyone, anywhere can be a potential attacker.

Criminal activity becomes more profitable.

Cyber-terrorism, cyber-security, etc. are a real possibility…

DATA BREACH AND LOSSES


IMPACT AND CONSEQUENCES

[Diagram: Data Store A; Data Store B; Data Store C, D]

Data security breaches are harmful to any organization of any size.

The consequences can be serious.

Data breach/loss incurs:

– legal fees

– disclosure expenses

– consulting fees

– remediation expenses

– credit monitoring expenses

Consequences

– Legal/statutory/regulatory

– Reputation/image impact

– Loss of customers/business

– Credibility

THOUGHT PROCESS

What data will be stored

Where will it be stored

What controls are in place

Who is responsible for security

Are there third party validations

Process for removing data


DATA SECURITY LIFECYCLE

Source: Security Guidance for Critical Areas of Focus in Cloud Computing V3.0, Information Management & Data Security


This may also be known as Create/Update because it applies to creating or changing a data/content element, not just a document or database. Creation is the generation of new digital content, or the alteration/updating of existing content.

Consideration (examples)

Ownership

Classification

Rights Management

Storing is the act of committing the digital data to some sort of storage repository, and typically occurs nearly simultaneously with creation.

Considerations (Examples)

Access Controls

Encryption

Rights Management

Isolation

[Chart: rmt/0 utilization, 27/03/01 - 28/03/01; y-axis: Percentage (%); series: %wait, %busy]

Data is viewed, processed, or otherwise used in some sort of activity.

Considerations (Example)

Internal/External

Third Parties

Appropriateness

Compliance

Data is exchanged between users, organisations, groups and individuals.

Considerations (Examples)

Internal/External

Third Parties

Purposes

Compliance

Locations

[Diagram: Local Mirroring (RAID 1); Remote (Offsite) Replication (LAN, MAN, WAN); Server (Primary), Server (Replica)]

Data leaves active use and enters long-term storage.

Considerations (Examples)

Legal/Law

Sites/Locations

Media type

Retention

Ownership


Data is permanently destroyed using physical or digital means (e.g., cryptoshredding).


Considerations (Examples)

Secure

Complete

Assurance

Proof

Content Discovery

Full Maintenance

• Hardware

• Network

• Software

• Middleware

• Operating System

Managed Services

• Full System Backup & Recovery

• Disaster Recovery

• 24x7 Monitoring

• Call Centre

• DC Facilitation

• WAN connectivity

Enterprise Service Levels

• 99.9% Availability

• Dialog Response time <3 sec

• RTO up to 3 hours*

OnDemand Resources

• SAPS (1000SAPS/Daily)

• Storage (GB/Monthly)

Annual Subscription

SAP Cloud Certified

OnDemand, Elastic infrastructure consumption @ Enterprise Class Service Levels

SAP IAAS

[Diagram labels: Recommended, Full, Zero, Load Profile, “Baseline”]

LEVERAGING – DATA FLOW

[Diagram: data flow through the Central Services Portal (Catalogue)]

Parties and components shown:

• Contractor

• Customer (Agency A), Staff A

• Vendor (Authorised by A)

• Customer of A

• Central Services Portal (Catalogue)

• Authentication/Authorisation Server

• Resource pool (servers, storage, networks, OS images)

• Virtual Resources

Step labels shown:

• S2. Staff A authentication/authorisation

• S3 Staff A access

• S4. Vendor authentication/authorisation

• S5 Vendor access

• S6 Request

• S7 Service Request; S7 resources Allocate

• S8 Automatic Provision; S8 request

• S9 resources Allocate

• S10 Provision to Customer A

• S11 Notify Customer A

• S12 Authentication/Authorisation

• S13 Access, review, accept

APPLICATION (EXAMPLES)

These are the templates that would be used for the case study:

Data-Impact (useful for Data Classification)

Data Security Lifecycle (useful for RACI)


CASE STUDY TEMPLATE (EXAMPLE)


QUESTIONS?