Securing Private Information: The New Thinking John McDonald, CISSP RSA, The Security Division of EMC Paul Laurent, CISSP Oracle Corporation


Securing Private Information: The New Thinking

John McDonald, CISSP, RSA, The Security Division of EMC
Paul Laurent, CISSP, Oracle Corporation

What’s the Problem?

In the last 3 years, over 226,000,000 private records have been exposed in data breaches*

‘Traditional’ approaches to security don’t solve today’s problems
    Emphasis on protecting the perimeter
        68% of data breaches occur inside the perimeter
    Focused on infrastructure, not information

*Privacy Rights Clearinghouse, www.privacyrights.org

Today’s Security Challenges

Information Security is perceived as an organizational inhibitor, not an organizational accelerator

Need a holistic approach that makes security more effective and aligns it with the organization

(Diagram: IT Security set against Business Initiatives, with four problem areas)
    Ineffective: not protecting what’s important; resource-constrained
    Costly: too many security products; too many security procedures
    Inhibiting compliance: too many controls; manual, complicated, labor-intensive
    Increasing complexity: information growth; infrastructure complexity; regulatory landscape; distributed organizations

What Are the Drivers?

    Increasing regulatory & internal requirements
    Controlling costs
    Increasing volumes of (sensitive) data
    Increasing infrastructure complexity
    Increasing range and complexity of threat environment
    Maintaining public trust
    Expanded sharing of information

Why is Information Security So Difficult?
…because sensitive information is always moving and transforming

(Diagram: data-flow map across the Endpoint, Network, Applications, Files, File Server and Storage tiers. Nodes: Production Data, Data warehouse, DR, Staging, Campuses, Citizens, Partners, Remote Employees, WAN, WWW, VPN, Disk storage, Backup disk, Backup tape, Outsourced Development, Enterprise email, Business Analytics, Citizen Portal.)

Why is Information Security So Difficult?
…and every movement & transformation has unique risks

(Diagram: the same data-flow map, annotated with the risk attached to each hop: Media Theft, Device Theft, Takeover, Fraud, Intercept, Media Loss, Unauthorized Access, DoS, Corruption, Unavailability, Eavesdropping, Data Theft, Data Loss, Device Loss, Unintentional Distribution, Unauthorized Activity.)

New Challenges Require New Thinking

"Amateurs study cryptography; professionals study economics"

Security needs to be about more than just technology

Your security approach needs to:
    Tie IT security tightly to organizational business objectives
    Handle a wide range of requirements with a minimal resource investment
    Be flexible and scalable

The New Thinking

Information Risk Management
    Understand and manage the risk associated with information, not just perimeters and infrastructure
    Utilize risk to tie security to organizational objectives

Standards-based control infrastructure
    Leverage the work done by others
    Provide a flexible & scalable set of controls that address a wide range of requirements

Information Risk Management
a strategy for protecting your most critical assets

Information-centric: Clarifies business context and reveals potential vulnerabilities

Risk-based: Establishes a clear priority for making security investments

Repeatable: Based on a foundation of broadly applicable best practices and standard frameworks

(Diagram: Risk spanning the Endpoint, Network, Apps/DB, FS/CMS and Storage tiers)

Reveals where to invest, why to invest, and how security investments map to critical business objectives

Understanding Risk

“Risk is the combination of the probability of an event and its consequences.” (ISO definition)

Risk Components
    Assets (Information, infrastructure, etc.)
    Threats (Sources, Objectives & Methods)
    Vulnerabilities (People, Process & Technology)

Managing Risk
    Avoid – Eliminate the source of the risk
    Control – Implement controls to reduce risk
    Accept – Be aware but take no action
    Ignore – Refuse to acknowledge risk
    Transfer – Assign risk to other agency

Risk Aligns Security Investments to the Organization

(Diagram: business objectives (Revenue Growth, Compliance, Cost Reduction, Business Continuity, Citizen Access) linked through Risk to the infrastructure tiers (Network, Endpoint, App/DB, Storage, FS/CMS), Security Incidents and Sensitive Information)

    What information is important to the Organization?
    What bad things can happen?
    Where does it go?
    What risks are we willing to accept, what risks do we need to protect against to enable the business?

Information Risk Management Framework
The Process

Define Policy
    Describe how sensitive information should be protected
        Data, People, Infrastructure

Discover and Classify
    Discover all sources of sensitive information across the infrastructure

Implement & Enforce Controls
    Establish a control framework and implement appropriate controls to enforce the policy

Monitor, Report & Audit
    Audit the environment to ensure and document compliance with policy

(Diagram: the four stages arranged around a central Policy element)
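A worked example of the Understanding Risk and Managing Risk slides carried through this four-stage process, as an added illustration that is not the presenters' material: a small risk register in which every scenario names an asset, a threat and a vulnerability, risk is scored as the combination of probability and consequence, scenarios are ranked so that control investment follows risk, and each one is mapped to one of the deck's treatment options (avoid, control, accept, transfer). The 1-to-5 scoring scales, the appetite thresholds and the sample scenarios are constructed for the example; the `Scenario`, `treatment`, `prioritize`, `plan` and `unaddressed` names are this example's own.

```python
"""Risk-register example for the deck's Information Risk Management process.

Added illustration, not the presenters' code. It applies the deck's definitions:
risk = combination of probability (likelihood) and consequence (impact), with
every scenario described by an asset, a threat and a vulnerability, then ranks
scenarios so investment follows risk and assigns one of the deck's treatment
options (avoid / control / accept / transfer). The scoring scales, appetite
thresholds and sample scenarios are all constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    asset: str            # the information and where it lives ("Where does it go?")
    threat: str           # source, objective and method ("What bad things can happen?")
    vulnerability: str    # people, process or technology weakness
    likelihood: int       # 1 (rare) .. 5 (almost certain); constructed ordinal scale
    impact: int           # 1 (negligible) .. 5 (severe); constructed ordinal scale
    transferable: bool = False   # consequence can be assigned to another party

    @property
    def risk(self) -> int:
        # ISO-style combination of probability and consequence, scored 1..25.
        return self.likelihood * self.impact


# Risk appetite ("what risks are we willing to accept") expressed as thresholds.
ACCEPT_BELOW = 6            # below this: accept (be aware, take no action)
AVOID_AT_OR_ABOVE = 20      # at or above this: avoid (eliminate the source)


def treatment(s: Scenario) -> str:
    """Map a scored scenario to one of the deck's treatment options.

    'Ignore' is deliberately never an output: a scenario that was never
    decided on is surfaced by unaddressed() instead of silently dropped."""
    if s.risk < ACCEPT_BELOW:
        return "accept"
    if s.risk >= AVOID_AT_OR_ABOVE:
        return "avoid"
    if s.transferable:
        return "transfer"
    return "control"


def prioritize(register: list[Scenario]) -> list[Scenario]:
    """Highest risk first, so the list order is the order of investment."""
    return sorted(register, key=lambda s: (-s.risk, s.asset))


def plan(register: list[Scenario]) -> list[tuple[str, int, str]]:
    """(asset, risk score, treatment) tuples in investment order."""
    return [(s.asset, s.risk, treatment(s)) for s in prioritize(register)]


def unaddressed(register: list[Scenario], decisions: dict[str, str]) -> list[str]:
    """Assets in the register with no recorded decision: the 'ignored' risk the
    deck warns against, reported for the Monitor, Report & Audit stage."""
    return [s.asset for s in register if s.asset not in decisions]


# Constructed sample register, using asset types and risks that appear in the
# deck's data-flow diagram (backup tape, laptops, e-mail, staging, legacy system).
SAMPLE_REGISTER = [
    Scenario("Backup tapes (transport to DR site)", "Courier loses tape / media loss",
             "Tapes written unencrypted", likelihood=3, impact=5),
    Scenario("Laptops (remote employees)", "Device theft / data theft",
             "No full-disk encryption", likelihood=4, impact=4),
    Scenario("Project plans (enterprise e-mail)", "Unintentional distribution to wrong partner",
             "No outbound content checks", likelihood=3, impact=3),
    Scenario("Data warehouse (analytics)", "Denial of service / unavailability",
             "Single reporting server", likelihood=2, impact=2),
    Scenario("Staging copy of production data (outsourced development)",
             "Contractor data theft", "Live records used for testing",
             likelihood=3, impact=5, transferable=True),
    Scenario("Legacy title and registration system", "Fraud via erroneous records",
             "Millions of unhandled errors per year", likelihood=5, impact=5),
]

if __name__ == "__main__":
    for asset, score, action in plan(SAMPLE_REGISTER):
        print(f"{score:>2}  {action:<8}  {asset}")
    # Pretend only the top four were taken to the risk owners; the audit
    # stage then reports the two that nobody has decided on.
    recorded = {asset: action for asset, _, action in plan(SAMPLE_REGISTER)[:4]}
    print("unaddressed:", unaddressed(SAMPLE_REGISTER, recorded))
```

The ordering rule, not the arithmetic, is the point: two scenarios with the same score (the tapes and the staging copy both score 15) get different treatments only because the register records whether the consequence can be contractually transferred, and anything left out of the decisions dictionary is reported rather than assumed accepted.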

Information Risk Management Framework
The Payoff

“IT organizations that have taken a risk-oriented, framework-based approach have been able to reduce their number of controls by 30% to 70%*”

*Source: ‘How to Implement a Risk-Oriented Approach to Compliance’, Gartner, August 2006

    Cost effective investments - Prioritization of controls according to risk
    Streamlined compliance - Fewer, more repeatable controls
    Clear business alignment - Shared assessment of risk
    Improved security - Cover gaps left by point solutions

Pragmatism

A top-down, balanced approach

Leveraging Risk
    Identify the risk… Address it with the risk OWNER
    Organizational Buy-In
    Promote to a Mandate?
    Escalate in the Budget

Leveraging Risk
Compliance “Alphabet Soup” From The Field

    FRCP (a.k.a. Federal Rules of Civil Procedure) – e-Discovery
    NCLB (No Child Left Behind) – Schedule Qualifications
    SB-1386 & Equivalents – ID Theft Protection Act

Finding Value In Governance

Advocating Governance & Frameworks
    Frameworks Are Subsets of Best Practices
    “The Collective Intelligence”
    “Open Source Warfare”
    Pick & Choose?
    Movements to Standardize (PCI, SOX, GLB)
    “Organizational Inhibitor vs. Accelerator”
    Point Solutions vs. Solution Context

Finding Value In Governance
Reduce Costs with Operational Efficiencies

(Image: ©Paramount Pictures, 1987)

Operational Efficiencies
Planes (JPS)

“We have one person who does all the provisioning for the Port. She handles all the employees, contractors and suppliers who all bombard her with emails, faxes and calls”

Provisioning Efficiencies

Operational Efficiencies
Trains (DOT)

“We spend between $100,000 and $150,000 a year shipping documents and project plans to ourselves.”

Reducing Process Inefficiencies

Process Orchestration Efficiencies
Automobiles (DMV)

“The state has EIGHT FTEs that do nothing but debug the millions of errors we get in our legacy title and registration system annually.”

Process Efficiencies
(Diagram: the “Before” process compared with the “After” process)

Create Opportunity

Identifying Risk Owners
    Elevate Priority With Decision Makers

Discover Value in Governance
    Cost Savings/ROI

Create Funding With Best Practices?
    Grants
    “One-Off” Projects Very Hard to Justify
    Fitting Fed/Org Agendas Leaves Huge Gaps
    Adhering to a Standard Increases % Chance
    Clear, Articulated Direction and Methodology

Summary

Organizations are forced to contend with an ever-increasing array of information security drivers
    With fixed or shrinking budgets

Information risk management allows you to tie security into organizational objectives
    And ensure ALL risk is appropriately addressed

Take pragmatic steps
    Identify risk owners, find the value in governance, and be creative in finding funding