From perimeter-based to data-centric security. Why and How we walked that way!? Christian Schmalisch, Business Development IMTF


# 1

From perimeter-based to data-centric security.

Why and How we walked that way!?

Christian Schmalisch, Business Development IMTF

# 2

From perimeter-based to data-centric security.

Why and How we walked that way!?

AGENDA

1 IMTF = information is king

2 Findings = the wall is cracking

3 Consequences = uncertainty

4 Our solution approach = data centric security

5 How our clients classify data…

# 3

(figure labels: AVAILABILITY, PRIVACY)

IMTF's basis for 27 years: Secure Document Management solutions!

competencies: Compliance & Secure Document Management (DMS, CMS, LMS, RMS, Archive)

promise:

1. avoid reputational damage

2. prevent data leaks: protect client data, protect personal data, protect intellectual property

3. comply with regulations

dealing with: OR/GeBüV, HaREGV, ElDI-V, ITAR, DSG, EU DPD, etc.; Sarbanes-Oxley, SEC, MiFID, FINMA Annex 3, Basel II, ISchV etc.; ISO QM, HIPAA, SOX, GxP, etc.

# 4

How are we dealing with it? Our secret: within our DMS we have everything in place to fully protect information:

Our EDOC format is the enterprise-wide, object-oriented and homogeneous IMTF standard container for all information = data-centric security approach

• a generalized and enterprise-wide model allowing metadata: Digital Signature, Encryption and Data Classification to fully protect information within our system (aligned to directives and standards reg. PCI-DSS, PII, PHI, CID, HIPAA etc.)

+ Information Usage Policy enforcement: Directory Services & Metadata = Authentication/Authorization, Access Control, Logging, Information Permission Management: Black Page, Print, Share, View etc.

  WHO can use the information

  WHAT can each person/group/role do with/to the information

  WHEN can the information be used

  WHERE can the information be used

+ Security Layer / Connector to take over external and to communicate our protection parameters …to a certain extent

# 5

# 6

How to replicate our data-centric / container-concept for the “Outside” ???

…in which we believed for the last 27 years….

# 7

Analyses of our client needs: discussions and interviews within our network *

Question: Make or Buy // Answer: Buy, cooperate and integrate

High-level analysis of the market:

- Study of IT security concepts

- Study of IT security solutions

- Cooperation with e3 AG and PwC

- Discussions with relevant stakeholders / subject experts

- Detailed studies on “IMTF compatibility” with SB DLP, FINMA RS08/21, ISO27001 (ISMS), ISchV and ISG

- Incorporate a GTM

… what have we done?

# 8

HYPERSUITE/5 Secure Document Management

Within our DMS we could fully protect information.

Outside our DMS, it was just not our business and …

Within our DMS = synonym for confined and isolated, perimeter-based IT environments!

# 9

… “outside” became chaotic! We saw the cracks in the wall and we saw the established solutions failing to effectively protect information.

(figure labels:)

- more & more business applications

- overstrained security tools

- changing communication processes

- more & more locations

- more & more access & exit points

# 10

All concepts have certain limits, but to effectively protect information assets, we have to turn towards a data-centric security paradigm.

Concepts compared: Perimeter-centric and Exit-point Information Security Tools; Encrypted Gateways & Locations; Information Rights Management Platforms

Their limits:

- last line of defense, too technical

- missing competencies in the information life cycle

- unreasonable monitoring burden

- media- and location-based protection „only“

- focus on enforcement by the author

but the right data-centric approach:

WHO can use the information

WHAT can each person/group do with/to the information

WHEN can the information be used

WHERE can the information be used

# 11

Major issues in today's global, competitive and interconnected world to secure the most valuable asset: information

- Exchange of data incl. metadata: compatibility with other systems

- Distributed IT foundation: functional differentiation vs. accurate data

- Dispersed locations with the claim of data to be integer / accurate / up-to-date / accessible / usable / searchable / traceable etc. on a need-to-know basis

- Access / exit points have become chaotic: controlling & awareness

- Stop the bleeding of structured and unstructured data

- Structured and unstructured data is growing exponentially in volume, in velocity, in variety and in complexity

- Tighter internal and external regulations: compliance with more and more complex directives

(chart: Daily mails, Source Radicati Group. Values shown: average number of emails received daily 72 / 100; average number of emails sent daily 33 / 40; emails received with attachments daily 14 / 24; year label 2010)

# 12

Consequences and just some more informative facts…

- Today's IT environments are borderless, and as soon as information is created and exchanged it is exposed. Once data is generated and out of control, it is just out of control.

- Increasingly demanding responsibility for end-customers and suppliers

- Need to protect information throughout the entire lifecycle: creation + processing + collaboration + storage + archive + search + controlled deletion

- Businesses are slow and limited to self-detect breach activity: the average time from initial breach to detection is 210 days (64% needed 90 days / 5% needed 3 years)

- Increased appreciation of IT security and data governance to protect information

- No or limited definition and enforcement of information security policies

  definition: What to be protected? Who can When and Where do What?

  enforcement: How to depict with which technology?

# 13

How to replicate our data-centric / container-concept for the “Outside” ???

…our solution approach….

# 14

goal: avoid data leakage

From perimeter-based to data-centric information protection approach… it's all about the first step: Classification! – But how to classify data!?

Source?

- Employees

- Business units

- Applications

- Locations

- etc.

Consideration to: End-User? Processes/Use Cases?

Final destination?

- eMail

- Repositories

- etc.

What to be protected?

- Information types

- Assets

- etc.

Why to be protected?

- Regulations

- Intellectual Properties

- Defence

- Reputation

- etc.

Protective Mechanism?

(diagram labels: IRM platforms, end-point DLP tools, Classification, encryption, IAM; context Parameter, context B, labeling; Generic context A; Processes 1, Classification 2; structured approach)

# 15

We truly believe that Data-Centric-Security is all about embedding security and usage policy within the information itself – because then, the information (metadata) itself can trigger suitable protection mechanisms!

(figure labels: Secure Creation & Access Points / Open Creation & Access Points, repeated around the perimeter; 100% accurate LifeCycle Classification, flexible & dynamic, considering context; automatic to manual = protecting vs teaching; To derive suitable protection mechanism: technical, processes, RMS / IRM; ≈ 100% Information Protection)
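The container idea of slide 4 and the "metadata triggers protection" idea of this slide, as an added illustration in Python (this is example code, not IMTF's EDOC or HYPERSUITE/5 code): classification and a usage policy travel inside the object together with the payload, the pair is integrity-protected with an HMAC so that a label silently downgraded in transit is detected, and the WHO / WHAT / WHEN / WHERE decision is derived from that metadata rather than from where the file happens to sit. The key, labels, roles, locations and requests are all constructed for the demo; a deployment would take the key from an HSM/KMS and would typically encrypt the payload as well.

```python
"""Added example (not IMTF or HYPERSUITE code): a minimal data-centric
container in the spirit of slides 4 and 15. The document's protection
metadata (classification + usage policy) travels with the payload, the
pair is integrity-protected with an HMAC so a downgraded label is
detected, and a WHO / WHAT / WHEN / WHERE check is driven by that
metadata rather than by the document's location. Every key, label and
request below is constructed for the demo."""
import copy
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Container:
    payload: bytes
    metadata: dict       # classification, owner, usage policy
    signature: str = ""  # hex HMAC-SHA256 over metadata + payload digest


def _canonical(metadata: dict, payload: bytes) -> bytes:
    # Bind the policy metadata to the payload digest so neither can be swapped alone.
    body = {"metadata": metadata,
            "payload_sha256": hashlib.sha256(payload).hexdigest()}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def seal(payload: bytes, metadata: dict, key: bytes) -> Container:
    """Attach metadata and sign the container (hypothetical sealing step)."""
    sig = hmac.new(key, _canonical(metadata, payload), hashlib.sha256).hexdigest()
    return Container(payload, metadata, sig)


def verify(c: Container, key: bytes) -> bool:
    expected = hmac.new(key, _canonical(c.metadata, c.payload), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, c.signature)


def evaluate(c: Container, request: dict, key: bytes) -> tuple:
    """Return (allowed, reason); the policy is read from the container itself."""
    if not verify(c, key):
        return False, "integrity check failed"       # tampered label or payload
    policy = c.metadata["policy"]
    role, action = request["role"], request["action"]
    if role not in policy["roles"]:                   # WHO
        return False, f"role {role!r} not permitted"
    if action not in policy["roles"][role]:           # WHAT
        return False, f"action {action!r} not permitted for role {role!r}"
    ts = datetime.fromisoformat(request["time"])      # WHEN (ISO 8601 with UTC offset)
    if not (datetime.fromisoformat(policy["valid_from"]) <= ts
            <= datetime.fromisoformat(policy["valid_until"])):
        return False, "outside validity window"
    if request["location"] not in policy["locations"]:  # WHERE
        return False, f"location {request['location']!r} not permitted"
    return True, "allowed"


# Constructed sample data; a real deployment would fetch the key from an HSM/KMS.
KEY = b"constructed-demo-key"
SAMPLE_METADATA = {
    "classification": "CONFIDENTIAL",
    "owner": "legal-team",
    "policy": {
        "roles": {"legal": ["view", "print", "share"], "auditor": ["view"]},
        "valid_from": "2024-01-01T00:00:00+00:00",
        "valid_until": "2024-12-31T23:59:59+00:00",
        "locations": ["HQ", "VPN"],
    },
}


def demo() -> dict:
    """Run the cases a policy engine must get right; returns the decisions."""
    doc = seal(b"Client contract draft (constructed payload)", SAMPLE_METADATA, KEY)
    base = {"role": "legal", "action": "print",
            "time": "2024-06-01T09:00:00+00:00", "location": "HQ"}
    results = {
        "ok": evaluate(doc, base, KEY),
        "bad_action": evaluate(doc, {**base, "role": "auditor"}, KEY),
        "bad_location": evaluate(doc, {**base, "location": "home-wifi"}, KEY),
        "expired": evaluate(doc, {**base, "time": "2025-03-01T09:00:00+00:00"}, KEY),
    }
    # Downgrade the label without re-signing: the container must refuse to open.
    tampered = Container(doc.payload, copy.deepcopy(doc.metadata), doc.signature)
    tampered.metadata["classification"] = "PUBLIC"
    results["tampered"] = evaluate(tampered, base, KEY)
    return results


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:12s} allowed={allowed} ({reason})")
```

The integrity check runs before any policy logic on purpose: if the label and policy can be rewritten by whoever holds the file, the WHO/WHAT/WHEN/WHERE rules protect nothing. Each denial also returns a reason string so that the logging step named on slide 4 has something meaningful to record.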

# 16

Summary and discussion points

Classification is the basis for a data-centric security approach and needs to be taken in two steps:

1. Theory = knowledge of processes & methods *

2. Technology = Classification Technology needs to be integrated into IRM platforms and Perimeter-based solutions

To effectively protect and govern information assets from a technology perspective, we truly believe in the combination of: IRM platforms + DLP systems + Classification solutions

Classification needs to be dynamic and flexible to adapt to the life cycle of information.

# 17

Q&A