Enterprise Data Strategy
[Diagram: process steps: Identify Security Drivers, Define Policy & Classify, Discover Data, Assess Risk, Control Gaps, Strategy]

The process begins with developing an overall data security strategy. That begins with looking at the business itself and identifying the various security drivers, which provide the context for developing policy. Policy leads to a process of discovering where, in our infrastructure, we have the sensitive data referred to in those policies. We then need to assess our risks at those points in the infrastructure. The combination of policy, where sensitive data resides in the infrastructure, and the risks at those points informs decisions about controls, and about where we have gaps in our current controls.

Next we have to think about implementation, and that means more than simply installing equipment: it means thinking about an ongoing process, a closed-loop system. We view that as a three-stage system of monitoring, enforcement and auditing, all centered around policy.

Enterprise Discover Data
[Diagram: where sensitive data resides across the End Point, Network, Application, DB/FS and Storage layers, with data marked as Restricted, Internal or Public. Process steps shown alongside: Identify Security Drivers, Define Policy & Classify, Discover Data, Assess Risk, Identify Control Gaps. Numbered locations in the diagram:]

1. Database instances
2. Replicated DB for DR, bulk analysis
3. Data stored on disks
4. Tape backups
5. Disk backups
6. Application data
7. Transformed data on end points
8. Removable and printed media
9. Transformed data on file shares
10. Transformed data emailed and on Exchange server
11. Collaboration on portals
12. Data in transit across WANs
13. Data sent/stored on public infrastructure

Armed with a definition of policy, we now have the context to start defining our control strategy: what kind of control mechanisms and processes do we need to adequately secure our sensitive data in accordance with our policies? Where do we begin? We begin by finding out where our sensitive data resides.

Many people assume their most sensitive data is sitting in databases. This has some truth. Our financials, our customer data, etc. are all in databases. But:

- If it's sitting in databases, it's also sitting on disks.
- If it's sitting on disks, it's also being backed up onto other disks over a network, or transported on tape.
- If it's in that database, it's being accessed by applications.
- Those databases are being replicated for things like bulk analysis. It's very difficult to perform bulk analysis on a production database and not affect the performance of applications.
- Most organizations have hundreds, if not thousands, of enterprise and custom applications across their organization.
- Those applications and databases are being accessed by other campuses across wide-area networks.
- Our applications are being accessed by laptops and desktops.
- If it's sitting on those laptops, it's on their disks, being printed or copied onto various forms of removable media, like USB keys.
- Those laptops are being backed up.
- Those desktops are transforming that data and distributing it via email, file servers and collaborative portals. First thing I do end of quarter (before results are announced) is download the financial results, analyze them on spreadsheets, and draft recommended actions on PowerPoint decks. I then distribute them to my team via email and file servers to get their feedback.
- And of course my personal favorite: I'm running out to Europe for a series of business planning meetings, and out of fear of losing my laptop or disk failure, I email my presentation to my GMail account, enabling me to get it from just about anywhere.

In truth, this is not an easy problem. This is an incredibly complex picture. The data is mobile. The data is transformed. The data is at the center of collaborative processes. This is not simply a data security problem; it is a data management problem.

Assessing the Risk

[Diagram: numbered threats placed on the same infrastructure picture across the End Point, Network, Application, DB/FS and Storage layers, each rated High Risk, Medium Risk or Low Risk. Process steps shown alongside: Identify Security Drivers, Define Policy & Classify, Discover Data, Assess Risk, Identify Control Gaps. Numbered threats in the diagram:]

1. Media lost or stolen
2. Discarded media exploited
3. Packets sniffed in transit
4. Privileged user breach (DBA/FSA)
5. Database/file server hack
6. Unintentional distribution
7. Privileged user breach
8. Application hack
9. (Semi) trusted user misuse
10. Unintentional distribution
11. Network leak (email, IM, HTTP, FTP, etc.)
12. Public infrastructure access hack
13. Physical theft of media or lost media exploited
14. End point leak (print, copy, transform)
15. Trojans / key loggers

Next we have to examine our risk model. Consider the range of threats at the various layers of the IT stack:

- You can lose your tape.
- Your discarded media can be exploited.
- Packets can be sniffed as they're transferred across the network.
- A database administrator or file server administrator could compromise their systems.
- We can have a hack into the database or file server.
- Unintentional distribution, like the developers pulling down production data in order to install some new system in development.
- A privileged user can breach through the application layer, which is very concerning because we often secure things downstream at the application level rather than the user level. Database access might be restricted to a given application, but the database likely has no idea which user is requesting the data, so often hacking into the application provides the keys to the kingdom.
- Application hacks.
- Trusted or semi-trusted users (e.g. contractors) can abuse their privilege with applications they have legitimate access to.
- Unintentional distribution at the application layer (e.g. social engineering).
- At the network layer we can have communication leaks (through email, instant messaging, FTP, HTTP, etc.).
- We can have packets sniffed as they traverse the network.
- We can have a hack at the public infrastructure level, such as my GMail.
- At the end point layer we can have physical theft of a laptop.
- We can have an end point leak, such as copying the data to removable media, printing the data, or transforming it and leaking that data.
- Keystroke loggers or Trojans deposited on the laptop.

When you consider the relative risk of these threats you end up with a risk model. The value of a model like this is to elevate our discussion from technology to the problems we're trying to solve. For example, tape encryption may well be highly relevant, but we need to recognize that we are only solving risk #1, lost or stolen tape. Nothing else. It will not help us for #4 (a rogue DBA), #7 (e.g. developers pulling production data), #9, etc. We dive too quickly into technology, get far down a path and suddenly realize we are not solving the problem we set out to solve.

Secure Data Rights Management: Secure Document Sharing
[Diagram: John, Bob and Charlie around a DRM Policy Server on the same infrastructure picture, with the steps Assigns Policy, Registers Policy & Locks Doc, Distributes Doc and Requests Key, and an X marking Inappropriate Distribution.]

The best way to understand DRM solutions is to consider the following use case example. John creates a document containing sensitive M&A data. He assigns a set of access rights to the document (who can view, edit, print, etc.) and registers that policy with a centralized server, which in turn locks the document with an encryption key. John then distributes that document to Bill, a partner that John is considering acquiring. Bill then decides to distribute that document to another potential acquirer (shame on you, Bill). When Bill tries to open the document, it passes Bill's credentials to the DRM policy server, and the system provides Bill a key to unlock the document. By contrast, when Charlie tries to open the document, the DRM policy server denies his request, and he gets a flashing red X. Sorry, Charlie.

DRM is a wonderful control for the secure sharing of sensitive data, both within and outside the enterprise.
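
The register, lock and key-request flow described above, as an added example that is not part of the original presentation or any DRM product. The names `PolicyServer` and `open_document`, the rights `view`/`edit`/`print` as strings, and the HMAC-SHA256 stream cipher (a standard-library stand-in for an authenticated cipher such as AES-GCM) are assumptions, and user names are taken as already authenticated.

```python
import hashlib, hmac, secrets

def _xor_stream(key, nonce, data):
    # Stand-in cipher (HMAC-SHA256 in counter mode) so the example needs only
    # the standard library; an assumption, a real product would use AES-GCM.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, b"enc" + nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def _tag(key, locked):
    # Integrity tag over the locked document, domain-separated from the cipher.
    msg = b"mac" + locked["doc_id"].encode() + locked["nonce"] + locked["body"]
    return hmac.new(key, msg, hashlib.sha256).digest()

class PolicyServer:
    """Hypothetical DRM policy server: stores keys and rights, releases keys."""
    def __init__(self):
        self._docs = {}   # doc_id -> (key, {user: set of rights})
        self.audit = []   # (user, doc_id, right, decision) for every request

    def register(self, owner, plaintext, rights):
        doc_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self._docs[doc_id] = (key, {owner: {"view", "edit", "print"}, **rights})
        locked = {"doc_id": doc_id, "nonce": secrets.token_bytes(16)}
        locked["body"] = _xor_stream(key, locked["nonce"], plaintext)
        locked["tag"] = _tag(key, locked)
        return locked     # only ciphertext is distributed; the key stays here

    def revoke(self, doc_id, user):
        self._docs[doc_id][1].pop(user, None)

    def request_key(self, user, doc_id, right="view"):
        key, acl = self._docs.get(doc_id, (None, {}))
        ok = key is not None and right in acl.get(user, set())
        self.audit.append((user, doc_id, right, "allow" if ok else "deny"))
        return key if ok else None

def open_document(server, user, locked, right="view"):
    key = server.request_key(user, locked["doc_id"], right)
    if key is None:
        raise PermissionError(f"{user}: {right} denied")
    if not hmac.compare_digest(_tag(key, locked), locked["tag"]):
        raise ValueError("locked document was altered")
    return _xor_stream(key, locked["nonce"], locked["body"])
```

Because the key is fetched on every open, calling `revoke` cuts off access to copies that have already been distributed, and `audit` records each allow and deny decision.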