Securing Private Information: The New Thinking
John McDonald, CISSP, RSA, The Security Division of EMC
Paul Laurent, CISSP, Oracle Corporation
What’s the Problem?
In the last 3 years, over 226,000,000 private records have been exposed in data breaches*
'Traditional' approaches to security don't solve today's problems: the emphasis is on protecting the perimeter
68% of data breaches occur inside the perimeter
Focused on infrastructure, not information
*Privacy Rights Clearinghouse, www.privacyrights.org
Today’s Security Challenges
Information Security is perceived as an organizational inhibitor, not an organizational accelerator
Need a holistic approach that makes security more effective and aligns it with the organization
IT Security versus Business Initiatives:
Ineffective: not protecting what's important; resource-constrained
Costly: too many security products; too many security procedures
Inhibiting compliance: too many controls; manual, complicated, labor-intensive
Increasing complexity: information growth; infrastructure complexity; regulatory landscape; distributed organizations
What Are the Drivers?
Increasing regulatory & internal requirements
Controlling costs
Increasing volumes of (sensitive) data
Increasing infrastructure complexity
Increasing range and complexity of the threat environment
Maintaining public trust
Expanded sharing of information
Why is Information Security So Difficult? ...because sensitive information is always moving and transforming
[Diagram: sensitive information flowing across Endpoint, Applications, Storage, Files and Network: file server, production data, data warehouse, DR, staging, campuses, citizens, partners, remote employees, WAN, WWW, VPN, disk storage, backup disk, backup tape, outsourced development, enterprise email, business analytics, citizen portal]
Why is Information Security So Difficult? ...and every movement & transformation has unique risks
[Diagram: the same information flow annotated with the risk at each point: media theft, device theft, takeover, fraud, intercept, media loss, unauthorized access, DoS, corruption, unavailability, eavesdropping, data theft, data loss, device loss, unintentional distribution, unauthorized activity]
New Challenges Require New Thinking
"Amateurs study cryptography; professionals study economics"
Security needs to be about more than just technology
Your security approach needs to:
Tie IT security tightly to organizational business objectives
Handle a wide range of requirements with a minimal resource investment
Be flexible and scalable
The New Thinking
Information Risk Management: understand and manage the risk associated with information, not just perimeters and infrastructure; utilize risk to tie security to organizational objectives
Standards-based control infrastructure: leverage the work done by others; provide a flexible & scalable set of controls that address a wide range of requirements
Information Risk Management: a strategy for protecting your most critical assets
Information-centric: clarifies business context and reveals potential vulnerabilities
Risk-based: establishes a clear priority for making security investments
Repeatable: based on a foundation of broadly applicable best practices and standard frameworks
[Diagram: risk assessed across Endpoint, Network, Apps/DB, FS/CMS and Storage]
Reveals where to invest, why to invest, and how security investments map to critical business objectives
Understanding Risk
"Risk is the combination of the probability of an event and its consequences." (ISO definition)
Risk components:
Assets (Information, infrastructure, etc.)
Threats (Sources, Objectives & Methods)
Vulnerabilities (People, Process & Technology)
Managing Risk
Avoid – Eliminate the source of the risk
Control – Implement controls to reduce risk
Accept – Be aware but take no action
Ignore – Refuse to acknowledge risk
Transfer – Assign risk to other agency
Risk Aligns Security Investments to the Organization
[Diagram: business objectives (Revenue Growth, Compliance, Cost Reduction, Business Continuity, Citizen Access) linked through risk to the infrastructure layers (Network, Endpoint, App/DB, Storage, FS/CMS), with security incidents and sensitive information as inputs]
What information is important to the Organization?
What bad things can happen?
Where does it go?
What risks are we willing to accept, and what risks do we need to protect against to enable the business?
Information Risk Management Framework: The Process
Define Policy: describe how sensitive information should be protected (data, people, infrastructure)
Discover and Classify: discover all sources of sensitive information across the infrastructure
Implement & Enforce Controls: establish a control framework and implement appropriate controls to enforce the policy
Monitor, Report & Audit: audit the environment to ensure and document compliance with policy
Information Risk Management Framework: The Payoff
"IT organizations that have taken a risk-oriented, framework-based approach have been able to reduce their number of controls by 30% to 70%*"
*Source: 'How to Implement a Risk-Oriented Approach to Compliance', Gartner, August 2006
Cost effective investments - Prioritization of controls according to risk
Streamlined compliance - Fewer, more repeatable controls
Clear business alignment - Shared assessment of risk
Improved security - Cover gaps left by point solutions
Leveraging Risk
Identify the risk... Address it with the risk OWNER
Organizational Buy-In: Promote to a Mandate? Escalate in the Budget
Leveraging Risk: Compliance "Alphabet Soup" From The Field
FRCP (Federal Rules of Civil Procedure) – e-Discovery
NCLB (No Child Left Behind) – Schedule Qualifications
SB-1386 & Equivalents – ID Theft Protection Act
Finding Value In Governance
Advocating Governance & Frameworks: Frameworks Are Subsets of Best Practices
"The Collective Intelligence", "Open Source Warfare": Pick & Choose? Movements to Standardize (PCI, SOX, GLB)
"Organizational Inhibitor vs. Accelerator": Point Solutions vs. Solution Context
Operational Efficiencies
Planes (JPS)
"We have one person who does all the provisioning for the Port. She handles all the employees, contractors and suppliers who all bombard her with emails, faxes and calls"
Operational Efficiencies
Trains (DOT)
"We spend between $100,000 and $150,000 a year shipping documents and project plans to ourselves."
Process Orchestration Efficiencies
Automobiles (DMV)
"The state has EIGHT FTEs that do nothing but debug the millions of errors we get in our legacy title and registration system annually."
Create Opportunity
Identifying Risk Owners: Elevate Priority With Decision Makers
Discover Value in Governance: Cost Savings/ROI
Create Funding With Best Practices? Grants
"One-Off" Projects Very Hard to Justify; Fitting Fed/Org Agendas Leaves Huge Gaps
Adhering to a Standard Increases % Chance; Clear, Articulated Direction and Methodology
Summary
Organizations are forced to contend with an ever-increasing array of information security drivers, with fixed or shrinking budgets
Information risk management allows you to tie security into organizational objectives and ensure ALL risk is appropriately addressed
Take pragmatic steps: identify risk owners, find the value in governance, and be creative in finding funding