Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation.

OWASP: Protecting Data From The Web Tier
Mike Fleck, CEO, CipherPoint Software

Agenda
 Why does this matter?
 Drivers for data protection
 Shifting application architectures
 Common data encryption challenges
 Why Infosec struggles to keep up
 Why protect data from the web tier
 A web tier data protection architecture
 Questions

Why Does This Matter?
 Shift in thinking about where security controls are most effective: from the network, to the application, to the data itself
 Auditors recognize the value of encrypting data "higher in the stack", closer to the application that uses it
 Applications are moving to a 3-tier web architecture (web front end, application server, database)
 For cloud-hosted data, the web tier is the protection point: it is the last tier the enterprise still controls in front of the data
 The web tier affords a unique place from which to apply data encryption and access controls to both structured application data and unstructured content

Data Protection Drivers
 Compliance: PCI DSS, HIPAA/HITECH, GLBA, state breach-notification laws
 Native platform controls are generally inadequate against insider threats, including IT admins, because the platform's own administrators can read whatever the platform stores
 Given the current threat climate, with APTs and determined attackers, stored data needs a last line of defense that holds even after the perimeter and the host are compromised

"69% said that complying with data protection and privacy regulations was the main driver behind use of encryption" (Ponemon 2010 Enterprise Encryption Study)

Enforcing "Need to Know" and "Least Privilege"
 PCI DSS
  Restriction of access rights for privileged user IDs to the least privileges necessary to perform job responsibilities
  Audit procedure: confirm that access rights for privileged user IDs are restricted to the least privileges necessary to perform job responsibilities
 HIPAA/HITECH
  HIPAA requires access control to limit access to those with a valid need to know; encryption is an addressable (risk-assessed) requirement rather than a mandatory one
 GLBA
  Access control is required to limit access to authorized individuals; encryption of non-public personal information (NPI) is required

PCI Assessment Failings (chart; data not in transcript)

Most Challenging Compliance Requirements (chart; data not in transcript)

Sources of Compliance & Security Pain (chart; data not in transcript)

Sea Change in Security Control Placement (chart; data not in transcript)

App Architecture and Delivery Models Are Changing
 Architecture: client-server → 3-tier, web-based apps
 Delivery: on-premise IT → cloud

Today's Data Encryption Challenges
 Effective threat protection requires a higher-level insertion point
  Low-level insertion (full disk encryption, BitLocker) only protects against media loss or theft; once the OS has mounted the volume, every process and every admin on that host sees plaintext
  Application-level insertion gives the best threat protection, but it is not commonly offered by app vendors, and it is hard to do yourself and get right
 Key management
  "It's 2am on a Saturday, we have to restore an encrypted file from 2008, where is the encryption key?"
  Siloed per application, or centralized?
  Making it easy: operationalizing the compliance requirements for key rotation, key lifecycle and information lifecycle, so that rotating a key never strands data encrypted under the old one
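The "where is the key" failure mode above is a key-lifecycle problem: after rotation, the restore path must still find the key that protected a years-old object. The following is an added illustration (not CipherPoint's design or code, and not from the original slides) of one way to make every encrypted blob self-describing: a key ring keeps every data-encryption key ever activated under a stable key ID, rotation adds a new key without discarding old ones, and the blob header carries the key ID and nonce. The type and function names (KeyRing, Seal, Open, Forget) and the header layout are assumptions made for this example; the cipher is AES-256-GCM from Go's standard library, with the object's location passed as associated data so a blob cannot be silently moved to another document.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// KeyRing holds every data-encryption key that has ever been active, indexed
// by a stable key ID, so content sealed under a retired key can still be
// opened at restore time. Hypothetical illustration for this slide deck.
type KeyRing struct {
	keys   map[uint32][]byte
	active uint32
}

func NewKeyRing() *KeyRing { return &KeyRing{keys: map[uint32][]byte{}} }

// Rotate generates a fresh 256-bit key and makes it the active key. Older
// keys stay in the ring for decryption only.
func (r *KeyRing) Rotate() (uint32, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return 0, err
	}
	r.active++
	r.keys[r.active] = k
	return r.active, nil
}

// ActiveID reports which key new data is sealed under.
func (r *KeyRing) ActiveID() uint32 { return r.active }

// Forget simulates a lost or destroyed key (the 2am restore scenario).
func (r *KeyRing) Forget(id uint32) { delete(r.keys, id) }

// Seal encrypts plaintext under the active key with AES-256-GCM and prefixes
// the 4-byte key ID and the 12-byte nonce: [keyID | nonce | ciphertext+tag].
// aad binds the blob to its location (e.g. the document URI).
func (r *KeyRing) Seal(plaintext, aad []byte) ([]byte, error) {
	k, ok := r.keys[r.active]
	if !ok {
		return nil, errors.New("no active key: call Rotate first")
	}
	aead, err := newGCM(k)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 4, 4+len(nonce)+len(plaintext)+aead.Overhead())
	binary.BigEndian.PutUint32(out, r.active)
	out = append(out, nonce...)
	return aead.Seal(out, nonce, plaintext, aad), nil
}

// Open reads the key ID from the header, looks the key up and decrypts.
// A key that is no longer in the ring is reported by ID, not as a generic
// decryption failure, so the operator knows exactly which key to recover.
func (r *KeyRing) Open(blob, aad []byte) ([]byte, error) {
	if len(blob) < 4 {
		return nil, errors.New("blob too short for header")
	}
	id := binary.BigEndian.Uint32(blob[:4])
	k, ok := r.keys[id]
	if !ok {
		return nil, fmt.Errorf("key id %d not in key ring: cannot restore", id)
	}
	aead, err := newGCM(k)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < 4+ns {
		return nil, errors.New("blob too short for nonce")
	}
	return aead.Open(nil, blob[4:4+ns], blob[4+ns:], aad)
}

func newGCM(k []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	r := NewKeyRing()
	r.Rotate()
	uri := []byte("/sites/hr/salary-2008.xlsx") // constructed sample location
	blob, _ := r.Seal([]byte("ssn=123-45-6789"), uri) // constructed sample field
	r.Rotate() // annual rotation; key 1 is retired but kept
	pt, err := r.Open(blob, uri)
	fmt.Printf("restored under key %d: %q err=%v\n", 1, pt, err)
}
```

Two design points carry the slide's argument. Rotation only changes which key new writes use; decryption always follows the key ID in the header, so re-encryption of old content can be done lazily or on a schedule instead of as a flag-day. And the associated data makes the policy question "is this the document the blob was written for?" part of the cryptographic check, which matters at a web front end that sees URIs rather than database rows.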

More Key Management (chart; data not in transcript)

Data Encryption & Access Control Challenges for Web Apps and SaaS Delivery
 Where can, and where should, we insert encryption and access control?
 How do we protect data stored in cloud/SaaS platforms that we do not run?
 How can enterprises retain control of the keys for data stored in cloud/SaaS services, rather than leaving them with the provider?
 How do we keep IT admins at the cloud service provider from viewing sensitive data?

Policy Web Front End (architecture diagram)
 Tiers, left to right: End users → Front-end Servers (WFE) → Application Servers → Database Server
 The Policy Enforcement Point (PEP) sits on the Web Front End (WFE), in front of the application and database tiers
 End users: need to know (may see plaintext)
 Web Server Admin, Shared Services Admin, Database Admin: need to manage (may operate the tiers, but must not see plaintext)

WFE for Security Decisions
 What: (the content or field being accessed)
 Where: (the URI it is stored at or sent to)
 Who: (the authenticated user; example identity on the slide: Cipherpoint\csmith)

Security Control Possibilities at the WFE
 Selectively encrypt information for specific users or URI destinations
  Unstructured files
  Fields in web forms
 Apply access controls for user groups
 Enforce need to know for IT admins: they keep the access they need to manage the platform, but the data they administer stays ciphertext to them
 Apply more sophisticated access controls for authorized users
  Time of day, excessive file downloads, unusual download locations, etc.
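Putting the last three slides together, the WFE decision reduces to three inputs (who, where, what) and three outcomes: serve plaintext, serve or store ciphertext, or deny. The following is an added example, not CipherPoint's product or code and not from the original slides, of a policy enforcement point that makes that decision. It enforces the need-to-manage / need-to-know split for admins, a time-of-day window, and an excessive-download threshold from the slide above, with default deny for any URI no rule covers. The rule shape, the group names (HR, DBA), the user csmith (borrowed from the earlier slide) and the request fields are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Request is what the WFE can see about a call: who, where, and what.
type Request struct {
	User   string
	Groups []string
	URI    string
	Action string // "read" or "download"
	At     time.Time
}

// Decision is the PEP outcome for one request.
type Decision int

const (
	Deny            Decision = iota
	AllowPlaintext           // decrypt: caller has need to know
	AllowCiphertext          // pass the encrypted object through: need to manage only
)

// Rule covers one URI subtree. Hypothetical policy format for this example.
type Rule struct {
	URIPrefix           string
	NeedToKnow          []string // groups that may see plaintext
	NeedToManage        []string // groups that may handle the object but never see plaintext
	HoursFrom, HoursTo  int      // plaintext only within [HoursFrom, HoursTo) local hours
	MaxDownloadsPerHour int      // 0 = unlimited
}

// PEP is the policy enforcement point placed on the web front end.
type PEP struct {
	Rules     []Rule
	downloads map[string][]time.Time // per-user download timestamps
}

func NewPEP(rules []Rule) *PEP {
	return &PEP{Rules: rules, downloads: map[string][]time.Time{}}
}

// Decide returns the outcome and a human-readable reason for the audit log.
func (p *PEP) Decide(r Request) (Decision, string) {
	rule, ok := p.match(r.URI)
	if !ok {
		return Deny, "no policy for URI: default deny"
	}
	if inAny(r.Groups, rule.NeedToKnow) {
		if h := r.At.Hour(); h < rule.HoursFrom || h >= rule.HoursTo {
			return Deny, fmt.Sprintf("outside %02d:00-%02d:00 access window", rule.HoursFrom, rule.HoursTo)
		}
		if r.Action == "download" && !p.underRate(r.User, r.At, rule.MaxDownloadsPerHour) {
			return Deny, "excessive downloads in the last hour"
		}
		return AllowPlaintext, "need to know"
	}
	if inAny(r.Groups, rule.NeedToManage) {
		return AllowCiphertext, "need to manage, not need to know"
	}
	return Deny, "not authorized for URI"
}

// match picks the most specific (longest) matching URI prefix.
func (p *PEP) match(uri string) (Rule, bool) {
	var best Rule
	found := false
	for _, r := range p.Rules {
		if strings.HasPrefix(uri, r.URIPrefix) && (!found || len(r.URIPrefix) > len(best.URIPrefix)) {
			best, found = r, true
		}
	}
	return best, found
}

// underRate records a download and reports whether the user stays under the
// per-hour threshold. Timestamps older than one hour are dropped first.
func (p *PEP) underRate(user string, now time.Time, max int) bool {
	if max <= 0 {
		return true
	}
	keep := p.downloads[user][:0]
	for _, ts := range p.downloads[user] {
		if now.Sub(ts) < time.Hour {
			keep = append(keep, ts)
		}
	}
	if len(keep) >= max {
		p.downloads[user] = keep
		return false
	}
	p.downloads[user] = append(keep, now)
	return true
}

func inAny(have, want []string) bool {
	for _, h := range have {
		for _, w := range want {
			if strings.EqualFold(h, w) {
				return true
			}
		}
	}
	return false
}

func main() {
	pep := NewPEP([]Rule{{URIPrefix: "/sites/hr/", NeedToKnow: []string{"HR"},
		NeedToManage: []string{"DBA", "WebAdmin"}, HoursFrom: 7, HoursTo: 19, MaxDownloadsPerHour: 3}})
	at := time.Date(2015, 10, 14, 10, 0, 0, 0, time.UTC) // constructed sample time
	d, why := pep.Decide(Request{User: "csmith", Groups: []string{"HR"}, URI: "/sites/hr/plan.docx", Action: "read", At: at})
	fmt.Println(d, why)
}
```

The important property is the second outcome: a database or web-server admin is not refused outright, which would break backups and migrations, but the object they handle never leaves the PEP decrypted. That is what the slides mean by separating need to manage from need to know.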

WFE Encryption & Access Control
 Previously you had to either convince your app vendor to add this capability, or build it yourself
 In either case, the odds are poor for:
  getting key management right, and
  making the encryption easy to use and easy to manage
 The now-ubiquitous 3-tier web application architecture opens up the WFE as a common platform for encryption and access control, independent of the application behind it

Use Cases
 Web-based collaboration portals on premise, e.g. SharePoint and ECM systems
  Sensitive information protection, such as HR data, IP, business plans
  Compliance-regulated data, e.g. PII, NPI, ePHI
 Where outsiders are the new insider threat:
  Cloud collaboration platforms: Google Docs, Box.net, et al.
  Any SaaS application

About CipherPoint
 Incorporated 2010
 1st provider of transparent content encryption for Microsoft SharePoint
 Insider threat protection
 Separation of duties
 Mass market pricing
 Building a cloud collaboration security platform

Questions?