SafeNet The Foundation of Information Security Zen and the Art of Data Protection Preparing for the Evolution Adel Hajrasuliha – Regional Account Manager.

Presentation transcript:

SafeNet The Foundation of Information Security Zen and the Art of Data Protection Preparing for the Evolution Adel Hajrasuliha – Regional Account Manager ISSA Honolulu—October 2009

Market Trends, Threat Drivers

Market Forces:
- Sharing, Collaboration
- Outsourcing
- Shared Service Centers
- SaaS
- Cloud Computing
- Globalization

Threat Drivers:
- Cyber Crime
- Identity Theft
- Data Loss, Theft
- The Outsider Becomes the Insider
- Data Breaches
- Fear of Downstream Legal and Financial Liabilities
- Penalties & Fines
- Compliance

Open questions:
- Boundaries?
- What's sensitive?
- Sharing without risk?
- Who's good, who's bad?

Questions You Should Be Asking

- How do I protect salary information? (Large oil company, oil at $160 a barrel)
- How do I allow my call center reps to support customers without having access to SSN/CC data? (10 records per hour or 8-5 access)
- Launching a new product? How do I make sure that only authorized users see relevant data? (SaaS apps such as SalesForce.com)
- How do I make sure that people accessing protected data are who they say they are? (MLS website)
- Can my firewall help me? My IPS? My disk encryption?
- Should I just encrypt all of my databases? (Good luck with that…)

If you don't know where your data is, or what it is, you are Data Blind. Now is the time to be conscious about it.

Data Breaches in the US

- Jan 10, 2000: Hacker steals 300,000 credit cards from CD Universe
- June 16, 2005: CardSystems is hacked, exposing 40,000,000 records
- Jan 17, 2007: TJ Maxx is hacked, exposing 45,000,000 records
- Jan 20, 2009: Heartland Payment Systems is hacked, exposing 130,000,000 records

See the Trend, GOING UP!!! For full reports see:

The Market is Changing—Customers Demand Intelligent Data Protection

Data Protection 1.0
- Perimeter-level security
- All-or-nothing encryption
- Keep bad guys out, authorized users get full access
- Multiple products to meet business and security needs
- Limited to no visibility

Data Protection 2.0
- Data-centric data protection—intelligent to protect the data itself at the point of creation
- Granular protection—protect specific data elements (files, fields, columns), data types (structured or unstructured)
- Granular protection for authorized users—who can access what, when
- Solution that addresses many business, compliance & security issues
- Greater data control and visibility with centralized key/policy mgmt, logging & auditing

Today’s Trends Create the Need for Enlightenment

Stages of Data Consciousness: Preparing for the Evolution

Data Blindness (Understand Your Security Blindness)
- Technologies: Disk Encryption, Network Encryption, Firewalls, NAP/IDS/IPS/ACLs, Storage Encryption
- Policies: Network-centric: Protect the Network, Protect Devices
- Characteristic: Reactive, Blind to Data & Its Whereabouts, Fear-based, Compliance and Penalty-driven

Data Awareness (Become Data Aware)
- Technologies: File Protection, Database/Application Protection, Encryption, Authentication, Content Security
- Policies: Data-centric: Protect the Data Itself, Centralize Keys, Attach Policies, Secure Access Control
- Characteristic: Comprehensive/Data Agnostic, Intelligent, Persistent Protection, Selective/Portable Encryption

Data Consciousness (Gaining Data Consciousness)
- Technologies: Content Awareness, Security Information Management, Granular Control & Reporting
- Policies: Proactively Monitor Data Flow, Discover, and Protect. Align Policies to Processes
- Characteristic: Proactive, Self Aware, Pre-emptive, Data Protection

Step 1: Understand Your Security Blindness

Technologies:
- Full disk encryption, NAP/IDS/IPS/ACLs, network encryption, perimeter-level security

Policies:
- Protect transmissions between networks
- Secure access to devices and infrastructure

Characteristic:
- Blind to what data is in use or at rest, and unaware of where and how data travels and who is accessing it
- Binary, all-or-nothing approach to data protection
- Reactive to data breaches

Use Case Scenarios:
- Secure settlements and transactions between merchants, payment processors, and acquiring banks
- Secure laptop access using user credentials

Risks:
- Limited to No Visibility to Data Whereabouts
- All-or-Nothing Encryption Restricts Business Process and Provides Unrestricted Access to Authorized Users

Step 2: Becoming Data Aware

Technologies:
- Data-centric technologies that protect the data itself—database encryption, application encryption, file encryption, strong access control

Policies:
- Protect structured data: CCs, SSNs, PII
- Protect unstructured data: spreadsheets, medical records in shared file servers
- Intelligent policies defined by users, data type (.doc, .xls), folder and directory, time, and # of encryption/decryption operations

Characteristic:
- Intelligent, fine-grain encryption
- Comprehensive to protect all data types
- Persistent—policy is attached to data
- Selective, portable—user controlled

Use Case Scenarios:
- A controller needs to update a revenue report for the CEO before an earnings call—he selectively encrypts that specific file and sends it to the CEO (user controlled encryption)
- A Call Center encrypts only SSNs in patient records to allow service reps to support clients without gaining access to sensitive data
- An HR dept protects salary files ending in .doc in the Employee HR folder in the file server. To augment access control, HR admins require authentication to access encrypted HR files
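
Added example (not part of the original slides and not SafeNet code): a minimal policy decision point that combines the dimensions this slide lists (user, data type, folder, time, number of decryption operations), using the "10 records per hour or 8-5 access" figures from the questions slide. The class names, the folder path and the user names are hypothetical; the sketch only decides whether a key may be released and does not perform encryption.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from pathlib import PurePosixPath

@dataclass
class Policy:                       # hypothetical policy record, not a vendor format
    users: set                      # identities allowed to decrypt
    folder: str                     # protected directory on the file server
    extensions: set                 # protected data types, e.g. {".doc", ".xls"}
    start: time = time(8, 0)        # access window opens (8-5 access)
    end: time = time(17, 0)         # access window closes
    max_ops_per_hour: int = 10      # decrypt operations per user per hour

@dataclass
class PolicyEngine:
    policy: Policy
    granted: dict = field(default_factory=dict)   # user -> timestamps of grants

    def authorize_decrypt(self, user, path, now):
        """Return (allowed, reason); default is deny, the reason feeds the audit log."""
        pol, p = self.policy, PurePosixPath(path)
        # Reject ".." so a crafted path cannot appear to sit inside the folder.
        if ".." in p.parts or PurePosixPath(pol.folder) not in p.parents:
            return False, "outside protected folder"
        if p.suffix.lower() not in pol.extensions:
            return False, "data type not covered"
        if user not in pol.users:
            return False, "user not authorized"
        if not (pol.start <= now.time() < pol.end):
            return False, "outside access hours"
        # Sliding one-hour window over this user's earlier grants.
        recent = [t for t in self.granted.get(user, []) if now - t < timedelta(hours=1)]
        self.granted[user] = recent
        if len(recent) >= pol.max_ops_per_hour:
            return False, "hourly operation limit reached"
        recent.append(now)
        return True, "granted"

if __name__ == "__main__":
    # Constructed sample: HR salary files, one authorized admin.
    engine = PolicyEngine(Policy({"hr_admin"}, "/fileserver/EmployeeHR", {".doc", ".xls"}))
    nine = datetime(2009, 10, 1, 9, 0)
    for i in range(11):             # the 11th request within the hour is refused
        print(engine.authorize_decrypt("hr_admin", "/fileserver/EmployeeHR/salary.doc",
                                       nine + timedelta(minutes=i)))
```

Denied requests carry a reason string so that every decision can be written to the audit log that the later slides call for.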

Step 3: Gaining Data Consciousness

Technologies:
- Content awareness, security information management, reporting

Policies:
- Proactively monitor data flow, discover, and protect
- Align policies to business processes so sensitive data can move freely and is efficiently accessible to authorized users

Characteristic:
- Proactive, self-aware, pre-emptive
- Data-aware + proactive

Use Case Scenarios:
- A Healthcare provider applies policies to auto-detect SSNs from patient medical records and encrypt them, even as new ones are created
- A Bank classifies executive bonuses, stock options, and SSNs to monitor and enforce protection, and applies intelligent access policies based on different user profiles in Finance & Acct
- A security architect unifies the mgmt of authentication keys and encryption keys, using a single centralized platform as the universal key manager to provision key creation and key changes

Invest in Your Growth

Stages of Data Consciousness: Get on the Path of Enlightenment
- Data Blindness: Understand Your Security Blindness
- Data Awareness: Become Data Aware
- Data Consciousness: Gaining Data Consciousness

Intelligent Data Protection

Data Protection Evolution Architecture

Diagram labels:
- Authentication and Access Management
- Data Access Control and Management
- Data Protection Management
- Data Protection Infrastructure
- Structured and Unstructured Data: From Creation, and While in Use/Motion, Across Applications, Mainframes, Databases, and Endpoints
- Key Life Cycle Management
- Policy Life Cycle Management
- Logging, Auditing, Reporting

First, know your users and apply strong access control to secure access to sensitive data. Second, the design goal of a well-designed data protection program is secure, centralized key management and policy life cycle management that provides visibility into who is logging into systems and who is creating and changing keys, along with automatic rotation of keys. The idea is that greater visibility gives you more control over your data. Finally, apply enforcement points where protection needs to happen: across databases, file servers, etc., and out to endpoints, for both structured and unstructured data.

Data Protection Evolution

- Secure, Centralized Key Management
- Data-centric Policy Management
- Identity & Access Management
- Visibility via Logging, Auditing, Reporting

Authentication and access management

Authentication Evolution

- Secure, Centralized Key Management
- Data-centric Policy Management
- Identity & Access Management
- Visibility via Logging, Auditing, Reporting

Thank You Zen and the Art of Data Protection Preparing for the Evolution Adel Hajrasuliha – Regional Account Manager ISSA Honolulu—October 2009