Identity Awareness and Data Loss Prevention Effective DLP David Miller Sr. Director, Security Products October 15, 2009

Data Loss Prevention and Identity – CA © CA, Inc. All rights reserved. >DLP is the ability to dynamically identify and prevent the loss and misuse of data across the enterprise  DLP protects against the “insider threat”  Many companies have implemented solutions to protect against the “external threat” but not the “insider threat” What is DLP (data loss prevention)? 2

Data Loss Prevention and Identity – CA © CA, Inc. All rights reserved. Personally Identifiable Information (PII) Personal Health Information (PHI) Sensitive data 3 IndustryPrimary Data Type(s)Other Financial ServicesNPI, PIIIP HealthcarePHI, PIINPI Life SciencesIP, NPIPII High TechnologyIP, NPIPII RetailPII, IPNPI Professional ServicesIP, NPIPII Public SectorPII, NPIPHI Intellectual Property (IP) Non-Public Information (NPI) Structured vs. Unstructured

Data Loss Prevention and Identity – CA © CA, Inc. All rights reserved.  3:5 firms experience a data loss or theft event 1  9:10 data loss or theft events go unreported 1  1:5 employees have ed confidential data from their corporate account to a personal one 2  1:2 business travelers carry sensitive corporate data on their laptops 3  1:2 workers have lost portable devices containing work-related data 4 And there’s a lot of it.  58% Annual growth of electronically stored and shared data  100M Licensed copies of SharePoint in the world Your sensitive data is at risk 4 1 – 2 – 3 – Dell + Ponemon SurveyDell + Ponemon Survey 4 –

Data Loss Prevention and Identity – CA © CA, Inc. All rights reserved. 1.Intellectual property sent to external parties 2.Unprotected employee 401k information sent to unauthorized parties 3.Payroll data sent to personal addresses 4.Draft press releases sent to outside counsel 5.SSNs, credit card numbers, and account numbers exposed across the enterprise 6.Financial and M&A plans posted to message boards 7.Source code and resumes sent to competitors 8.Internal memos leaked to non-corporate parties 9.Significant amounts of inappropriate employee behavior (HR-related) 10.Medical and patient information copied to removable media Common violations 5 Unauthorized copies of customer credit cards were ed to an outside account Date: Organization: Sony Corporation of America Lost thumb drive contained medical and financial records for 1,200 patients Date: Organization: Harris County Hospital District

Data Loss Prevention and Identity – CA © CA, Inc. All rights reserved. Data loss events can (will) lead to… 6 Regulatory Sanctions Reputational or Brand Damage Customer Attrition Significant Fines Loss of Competitive Advantage(s) Business Disruption Clean-up and Damage- Control Costs

Data Loss Prevention and Identity – CA © CA, Inc. All rights reserved. 3 key customer challenges Where is my sensitive data going? And… Who is using data – and why? How do I educate users on data use policies? How do I control data with minimal IT burden? Where is my sensitive data stored? And … How do I recognize corporate secrets? How do I discover data required by regulations? How do I take action? How do I effectively remediate data loss? And… How do I reduce unauthorized data access and propagation? How do I improve compliance attestation?

Data Loss Prevention and Identity – CA © CA, Inc. All rights reserved. Data Protection Done Right ENDPOINTNETWORK MESSAGE SERVER STORED DATA 8 Control at all locations Configurable policy Complete review Common platform

Data Loss Prevention and Identity – CA © CA, Inc. All rights reserved. How DLP works: real-time 9 1.User sends an with sensitive information 2.CA DLP analyzes the content and context dynamically 3.CA DLP warns the user that the violates security policy Demo adding Classification that will cause an alert

Data Loss Prevention and Identity – CA © CA, Inc. All rights reserved. How DLP works : data at rest 10 1.A process is initiated to scan SharePoint repositories 2.CA DLP dynamically analyzes the location and data 3.CA DLP moves the sensitive files to a secure location and replaces the original with a message

Data Loss Prevention and Identity – CA © CA, Inc. All rights reserved. DLP and Accuracy Message contains address, DOB and SSN. A definite case of PII Violation. Recipients are external to firm. Violation Non-Violation Message contains the phrase ‘Social Security’ not related to an SSN, and a number which looks a lot like an SSN but is not. >False Positive: activity that was incorrectly flagged >True Positive: activity that was correctly flagged

Data Loss Prevention and Identity – CA © CA, Inc. All rights reserved. Woefully InaccurateAccurateBest-In-Class False-Positives>90%20%<2% For every 100 events or actions flagged… Up to 10 are relevant Up to 80 are relevant are relevant The Implication of Accuracy 12 >Considerations >How many events will be flagged by DLP? >How many resources will you use to review those events? >Can you enforce policy in real-time? >Best-In-Class: How to get there?

Data Loss Prevention and Identity – CA © CA, Inc. All rights reserved. >Identity is one of the keys! Understanding Identity 13 >“Identity” can be a role, a user attribute, or some other property that distinguishes one end-user from another Administrator Executive Customer / Partner IT Administration Compliance Contractor / Temp End User Benefit Specialist

Data Loss Prevention and Identity – CA © CA, Inc. All rights reserved. DLP can use Identity 14 Policy Management Review & Reports Policy Administrators Incident Reviewers DLP Central Server Console Endpoints Servers & Stored Data Message Servers Network Devices Users >Identity-Aware DLP User Role/ Identity Information Identity/ Role Management System

Data Loss Prevention and Identity – CA © CA, Inc. All rights reserved. Case Study: Global Financial Services Firm Customer Need –Insider risks –Fraud detection –Other compliance Initiatives Highly unstructured content 15 Other SolutionCA DLP 1,000,0005,000,000 s, IMs, and other comm’s analyzed each day 7,44735,000Employees generating the above activity 98%<1%False-positives (flagged activity that were not violations) 6317Staff-equivalents to review the violations ? ? ? ? The Advantage –Accuracy –Identity –Detection techniques –Delegated incident review

Integrated Demonstration > CA Role & Compliance Manager > CA DLP

EMPLOYEE Current Role: Payroll Administrator Application access Use of sensitive data

Data Loss Prevention and Identity – CA © CA, Inc. All rights reserved.

MANAGER CA Role & Compliance Manager

Data Loss Prevention and Identity – CA © CA, Inc. All rights reserved.

EMPLOYEE Current Role: Sales Application Access Data Loss Prevention

Data Loss Prevention and Identity – CA © CA, Inc. All rights reserved.

Summary

Data Loss Prevention and Identity – CA © CA, Inc. All rights reserved. DLP affects more organizational disciplines >Various services and other parts of the organization will introduce new requirements for identity-centric DLP 44 The Expanding Requirements of DLP Featuring Forrester’s Andrew Jaquith

Data Loss Prevention and Identity – CA © CA, Inc. All rights reserved. CA's Vision for DLP and Security Combining identity and data intelligence improves the function and value of the organization’s security posture. 45

Data Loss Prevention and Identity – CA © CA, Inc. All rights reserved. >DLP addresses the “insider threat” >DLP dynamically identifies and prevents the loss and misuse of data across the enterprise >Effective DLP involves:  Understanding identity, and also  Real-time protection  Fostering employee collaboration  End-user self-remediation and education …and doing all of this while consuming minimal resources Identity and DLP is a Powerful Combination 46

Thank you! CA DLP: Data Protection Done Right