From perimeter-based to data-centric security.
Why and How we walked that way!?
Christian Schmalisch, Business Development IMTF
# 2
AGENDA
1 IMTF = information is king
2 Findings = the wall is cracking
3 Consequences = uncertainty
4 Our solution approach = data centric security
5 How our clients classify data…
# 3
[Diagram labels: AVAILABILITY, PRIVACY]
IMTF's basis for 27 years:
Secure Document Management solutions!
competencies: Compliance & Secure Document Management
(DMS, CMS, LMS, RMS, Archive)
promise: 1. avoid reputational damage
2. prevent data leaks: protect client data,
protect personal data,
protect intellectual property
3. comply with regulations
dealing with: OR/GeBüV, HaREGV, ElDI-V, ITAR, DSG, EU DPD, etc.
Sarbanes-Oxley, SEC, MiFID, FINMA Annex 3, Basel II, ISchV, etc.
ISO QM, HIPAA, SOX, GxP, etc.
# 4
How are we dealing with it? Our secret: within our DMS we
have everything in place to fully protect information:
Our EDOC format is the enterprise-wide, object-oriented and homogeneous IMTF standard
container for all information = data-centric security approach
• a generalized, enterprise-wide model carrying metadata (digital signature,
encryption and data classification) to fully protect information within our system
(aligned to directives and standards regarding PCI DSS, PII, PHI, CID, HIPAA etc.)
+ Information Usage Policy enforcement: Directory Services & Metadata
= Authentication/Authorization, Access Control, Logging, Information Permission Management: Black Page, Print,
Share, View etc.
WHO can use the information
WHAT can each person/group/role do with/to the information
WHEN can the information be used
WHERE can the information be used
+ Security Layer / Connector to take over external protection parameters and to
communicate our own …to a certain extent
# 5
# 6
How to replicate our data-centric /
container-concept for the “Outside” ???
…in which we believed for the last 27 years….
# 7
Analysis of our client needs: discussions and interviews within our network *
Question: Make or Buy // Answer: Buy, cooperate and integrate
High-level analysis of the market:
Study of IT security concepts
Study of IT security solutions
Cooperation with e3 AG and PwC
Discussions with relevant stakeholders / subject experts
Detailed studies on "IMTF compatibility" with
SB DLP, FINMA RS 08/21, ISO 27001 (ISMS), ISchV and ISG
Incorporate a GTM
… what have we done?
# 8
HYPERSUITE/5 Secure Document Management
Within our DMS we could fully protect information.
Outside our DMS, it was just not our business and …
Within our DMS = synonym for confined and isolated,
perimeter-based IT environments!
# 9
… "outside" became chaotic! We saw the cracks in the wall and we saw
the established solutions failing to effectively protect information.
[Diagram: pressures on the perimeter]
- more & more business applications
- overstrained security tools
- changing communication processes
- more & more locations
- more & more access & exit points
# 10
All concepts have certain limits, but to effectively protect information assets,
we have to turn towards a data-centric security paradigm.
Established tool categories:
- Perimeter-centric and exit-point information security tools
- Encrypted gateways & locations
- Information Rights Management platforms
Their limits:
- last line of defense, too technical
- missing competencies in the information life cycle
- unreasonable monitoring burden
- media- and location-based protection "only"
- focus on enforcement by the author
But the right data-centric approach answers:
WHO can use the information
WHAT can each person/group do with/to the information
WHEN can the information be used
WHERE can the information be used
# 11
Major issues in today's global, competitive and interconnected
world to secure the most valuable asset: information
- Exchange of data incl. metadata: compatibility with other systems
- Distributed IT foundation: functional differentiation vs. accurate data
- Dispersed locations, with the claim that data must be
  intact / accurate / up-to-date / accessible / usable
  / searchable / traceable etc. on a need-to-know basis
- Access / exit points have become chaotic: controlling & awareness
- Stop the bleeding of structured and unstructured data
- Structured and unstructured data is growing exponentially
  in volume, in velocity, in variety and in complexity
- Tighter internal and external regulations: compliance
  with more and more complex directives
[Chart: daily e-mails per user, source Radicati Group. Average number received daily: 72 / 100; average number sent daily: 33 / 40; received with attachments daily: 14 / 24. One series is labelled 2010; the other series label was lost in extraction.]
# 12
Consequences and just some more informative facts…
Today's IT environments are borderless, and as soon as information is created and exchanged it is
exposed. Once data is generated and out of control, it is just out of control.
Increasingly demanding responsibility toward end-customers and suppliers
Need to protect information throughout the entire lifecycle: creation + processing + collaboration + storage + archive + search + controlled deletion
Businesses are slow and limited in self-detecting breach activity:
the average time from initial breach to detection is 210 days
(64% needed 90 days / 5% needed 3 years)
Increased appreciation of IT security and data governance to protect information
No or limited definition and enforcement of information security policies
definition: What is to be protected? Who can do What, When and Where?
enforcement: How to map it onto technology, and which technology?
# 13
How to replicate our data-centric /
container-concept for the “Outside” ???
…our solution approach….
# 14
goal: avoid data leakage
[Diagram: inputs to a structured classification approach]
Source?
- Employees
- Business units
- Applications
- Locations
- etc.
Consideration to: End-User? Processes / Use Cases? Final destination?
- Repositories
- etc.
What to be protected?
- Information types
- Assets
- etc.
Why to be protected?
- Regulations
- Intellectual property
- Defence
- Reputation
- etc.
Protective mechanism?
- IRM platforms
- end-point DLP tools
- encryption
- IAM
- labeling
Classification: generic context (A), parameter context (B)
Structured approach: 1. Processes, 2. Classification
From perimeter-based to data-centric information protection
approach… it's all about the first step: Classification!
– But how to classify data!?
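As an added example, not IMTF's code and not part of the original slides, here is a small Python classifier of the kind the slide calls for: generic content rules (Luhn-checked card numbers for PCI DSS, e-mail addresses as personal data, explicit confidentiality markings) combined with a context parameter (a minimum level per originating business unit). The level names, the `UNIT_FLOOR` table, the keyword list and the rule that a manual author label may raise but never lower the automatic result are assumptions made for this demonstration.

```python
import re
from dataclasses import dataclass, field

# Ordered sensitivity levels; a classification can only move up this ladder.
LEVELS = ["public", "internal", "confidential", "restricted"]

# Context parameter (assumption for this demo): minimum level per originating unit.
UNIT_FLOOR = {"legal": "internal", "finance": "internal", "hr": "confidential"}

PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")  # 13-19 digits, optional separators
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
MARKING_RE = re.compile(r"\b(confidential|vertraulich|internal only)\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: the cheap filter that separates card numbers from order IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid primary account numbers found in text (separators removed)."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


@dataclass
class Verdict:
    level: str
    reasons: list = field(default_factory=list)


def classify(text: str, *, source_unit: str = "", author_label: str = "") -> Verdict:
    """Derive a label from content (generic rules) and context (per-source parameters).

    A manual label supplied by the author may raise the level but never lower it
    (assumed policy: the tool protects first and teaches the user afterwards).
    """
    v = Verdict("public")

    def raise_to(level: str, why: str) -> None:
        if level not in LEVELS:
            raise ValueError(f"unknown level {level!r}")
        if LEVELS.index(level) > LEVELS.index(v.level):
            v.level = level
        v.reasons.append(why)

    # Generic content rules: apply to every document regardless of origin.
    pans = find_pans(text)
    if pans:
        raise_to("restricted", f"{len(pans)} Luhn-valid card number(s): PCI DSS cardholder data")
    if EMAIL_RE.search(text):
        raise_to("confidential", "e-mail address present: personal data")
    if MARKING_RE.search(text):
        raise_to("confidential", "explicit confidentiality marking in the text")

    # Context rule: where the document comes from sets a floor.
    floor = UNIT_FLOOR.get(source_unit.lower())
    if floor:
        raise_to(floor, f"minimum level for documents originating from {source_unit}")

    # Manual input is honoured only upwards.
    if author_label:
        raise_to(author_label, "author's manual label (may only raise the level)")
    return v


if __name__ == "__main__":
    # Constructed sample inputs for a stand-alone run.
    for sample in [("Quarterly newsletter, public release", "marketing", ""),
                   ("card 4111 1111 1111 1111 on file", "marketing", ""),
                   ("Lunch menu", "legal", ""),
                   ("Lunch menu", "", "restricted")]:
        verdict = classify(sample[0], source_unit=sample[1], author_label=sample[2])
        print(f"{verdict.level:12} {sample[0]!r}  <- {verdict.reasons}")
```

The Luhn check is what keeps the PCI rule from firing on every 16-digit order or tracking number; without it a content classifier labels half the mailbox "restricted" and users learn to ignore it.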
# 15
We truly believe that data-centric security is all about embedding security
and usage policy within the information itself, because then the information
(its metadata) itself can trigger suitable protection mechanisms!
[Diagram: secure and open creation & access points inside and outside the perimeter]
100% accurate life-cycle classification: flexible & dynamic, considering context,
automatic to manual = protecting vs. teaching
To derive suitable protection mechanisms: technical + processes, RMS / IRM
≈ 100% information protection
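As an added example (not IMTF's EDOC format and not code from the original slides), the following Python sketch shows what "embedding the usage policy in the information" looks like mechanically, for the enforcement model of slide 4 and the statement above: the classification label and a WHO/WHAT/WHEN/WHERE policy travel inside the container, are bound to the content by a keyed signature, and every access decision is derived from that metadata alone. The JSON layout, the rule fields, the HMAC seal (standing in for the deck's digital signature; a real IRM server would sign asymmetrically so clients cannot forge labels) and the sample document are assumptions.

```python
import copy
import hashlib
import hmac
import json
from datetime import datetime

# Shared MAC key standing in for the IRM server's signing key (demo assumption).
KEY = b"demo-only-irm-signing-key"


def _canonical(obj) -> bytes:
    """Deterministic JSON so signer and verifier hash exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def seal(meta: dict, payload: bytes, key: bytes = KEY) -> dict:
    """Bind classification + usage policy (meta) to the payload with an HMAC.

    Changing the label, the policy or the content invalidates the seal.
    """
    body = {"meta": meta, "payload_sha256": hashlib.sha256(payload).hexdigest()}
    sig = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"meta": meta, "payload": payload.hex(), "sig": sig}


def verify(container: dict, key: bytes = KEY) -> bool:
    """Recompute the seal over the container as received."""
    payload = bytes.fromhex(container["payload"])
    body = {"meta": container["meta"], "payload_sha256": hashlib.sha256(payload).hexdigest()}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, container["sig"])


def authorize(container, *, subject, groups, action, when, where, key=KEY):
    """WHO / WHAT / WHEN / WHERE decision driven only by the container's own metadata.

    `when` is an ISO-8601 timestamp with offset; `where` is a location/zone name.
    Returns (allowed, reason). Default deny; untrusted metadata is never evaluated.
    """
    if not verify(container, key):
        return False, "signature invalid: label, policy or content was tampered with"
    now = datetime.fromisoformat(when)
    for rule in container["meta"]["policy"]:
        who = set(rule["subjects"])
        if subject not in who and who.isdisjoint(groups):
            continue                                   # WHO
        if action not in rule["actions"]:
            continue                                   # WHAT
        start = datetime.fromisoformat(rule["valid_from"])
        end = datetime.fromisoformat(rule["valid_until"])
        if not start <= now < end:
            continue                                   # WHEN
        if rule.get("locations") and where not in rule["locations"]:
            continue                                   # WHERE
        return True, f"rule '{rule['name']}' permits {action}"
    return False, "no rule permits this access (default deny)"


def build_demo_container() -> dict:
    """Constructed sample document: a customer list labelled confidential."""
    meta = {
        "classification": "confidential",
        "owner": "finance",
        "policy": [
            {"name": "finance-team", "subjects": ["finance"], "actions": ["view", "print"],
             "valid_from": "2024-01-01T00:00:00+00:00", "valid_until": "2025-01-01T00:00:00+00:00",
             "locations": ["CH-HQ", "corp-vpn"]},
            {"name": "external-audit", "subjects": ["auditor@example.com"], "actions": ["view"],
             "valid_from": "2024-06-01T00:00:00+00:00", "valid_until": "2024-07-01T00:00:00+00:00",
             "locations": ["corp-vpn"]},
        ],
    }
    return seal(meta, b"customer list: Acme AG, Beta SA\n")


def relabel_without_key(container: dict, new_label: str) -> dict:
    """What a tool outside the system (or an attacker) does: edit the label in place."""
    tampered = copy.deepcopy(container)
    tampered["meta"]["classification"] = new_label
    return tampered


if __name__ == "__main__":
    c = build_demo_container()
    print(authorize(c, subject="bob", groups={"finance"}, action="print",
                    when="2024-03-01T09:00:00+00:00", where="CH-HQ"))
    print(authorize(c, subject="bob", groups={"finance"}, action="print",
                    when="2024-03-01T09:00:00+00:00", where="home-wifi"))
    print(authorize(relabel_without_key(c, "public"), subject="bob", groups={"finance"},
                    action="view", when="2024-03-01T09:00:00+00:00", where="CH-HQ"))
```

The check that matters is the last one: a relabelled copy fails verification, so a downstream tool that honours the label cannot be tricked into treating a confidential file as public. Payload encryption is omitted here; in a real container the payload would be an AEAD ciphertext whose key the IRM service releases only after the same policy check succeeds.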
# 16
Summary and discussion points
Classification is the basis for a data-centric security approach and needs to be
taken in two steps:
1. Theory = knowledge of processes & methods *
2. Technology = Classification Technology needs to be integrated into IRM
platforms and Perimeter-based solutions
To effectively protect and govern information assets from a technology perspective,
we truly believe in the combination of:
IRM platforms + DLP systems + Classification solutions
Classification needs to be dynamic and flexible to adapt to the life cycle of
information.
# 17
Q&A
# 18
Informatique-MTF SA
www.imtf.ch
Christian Schmalisch, Business Development