The Information-Centric Security Lifecycle
Transcript of the slide deck by Rich Mogull, Securosis, L.L.C. (securosis.com), posted 2015-09-18.

Slide 1: The Information-Centric Security Lifecycle
Rich Mogull, Securosis, L.L.C.
Slide 2: Network security eras (diagram)
Three eras of network security, each drawn with its metaphor: Mainframe (Jail), Internet I (Fortress), Internet II (Zone).
Slide 3
But what about the information?
Slide 4: The traditional stack (diagram)
The layered stack, drawn twice as mirrored columns: Network, Host, Application, Data, User.
Slide 5: The information-centric view (diagram)
Information sits at the center, with Host, Application, Network and User arranged around it.
Slide 6: The Information-Centric Security Lifecycle
Slide 7: The lifecycle (diagram)
Six phases in a cycle: Create, Store, Use, Share, Archive, Destroy. The controls listed under each phase:

Create: Classify, Assign Rights
Store: Access Controls, Encryption, Rights Management, Content Discovery
Use: Activity Monitoring and Enforcement, Rights Management, Logical Controls, Application Security
Share: CMP (DLP), Encryption, Logical Controls, Application Security
Archive: Encryption, Asset Management
Destroy: Crypto-Shredding, Secure Deletion, Content Discovery
Slide 8: ILM and Security (diagram)
The six security lifecycle phases (Create, Store, Use, Share, Archive, Destroy) set against the information lifecycle management (ILM) phases: Creation and Receipt, Distribution, Use, Maintenance, Disposition.
Slide 9: Create
• Content is classified as it's created, through content analysis or based on labeling of data elements.
• Rights are assigned based on central policies.
• Mandatory and discretionary policies.
Slide 10: Create Technologies

| Control | Structured | Unstructured |
| --- | --- | --- |
| Classify | None* | None* |
| Assign Rights | Label Security | Enterprise DRM |

* Classification is expected to emerge from DLP/CMP.
Slide 11: Label Security

Column-level example (the SSN column is the protected element):

| ID | Last | First | SSN |
| --- | --- | --- | --- |
| 1111 | Mogull | Richard | 555-12-5555 |
| 1112 | Smith | John | 324-86-3456 |

Row-level example (each row carries a Label):

| ID | Last | First | Region | Label |
| --- | --- | --- | --- | --- |
| 1111 | Mogull | Richard | US | Public |
| 1112 | Smith | John | EMEA | Sensitive |
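Added example, not from the deck: both forms of label security from this slide, emulated in Python with the standard library's sqlite3 so it runs anywhere. Rows carry a label from an ordered set, the session carries a clearance, and the only object the user queries is a policy view that filters rows by label dominance and masks the SSN column unless the session holds that right. The table contents are the slide's; the label ranks, the session table, the view name and the idea of granting the view rather than the base table are assumptions for the example (a real DBMS enforces the last with its own access controls, which SQLite does not model).

```python
import sqlite3

# Constructed label lattice for this example: a clearance may read a row only if
# it ranks at least as high as the row's label (a mandatory policy).
LABEL_RANK = {"Public": 0, "Sensitive": 1}


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the DBMS, loaded with the slide's two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers ("
                 "id INTEGER, last TEXT, first TEXT, region TEXT, ssn TEXT, label TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?, ?, ?)", [
        (1111, "Mogull", "Richard", "US", "555-12-5555", "Public"),
        (1112, "Smith", "John", "EMEA", "324-86-3456", "Sensitive"),
    ])
    conn.execute("CREATE TABLE label_rank (label TEXT PRIMARY KEY, rank INTEGER)")
    conn.executemany("INSERT INTO label_rank VALUES (?, ?)", list(LABEL_RANK.items()))
    return conn


def open_session(conn: sqlite3.Connection, clearance: str, ssn_rights: bool) -> None:
    """Bind the session's clearance and column right, then publish the policy view.

    The user is meant to query customers_v only. Row-level: the WHERE clause keeps
    rows whose label rank does not exceed the clearance rank. Column-level: the
    CASE expression masks SSN unless the session holds ssn_rights.
    """
    conn.execute("DROP VIEW IF EXISTS customers_v")
    conn.execute("DROP TABLE IF EXISTS session")
    conn.execute("CREATE TEMP TABLE session (clearance TEXT, ssn_rights INTEGER)")
    conn.execute("INSERT INTO session VALUES (?, ?)", (clearance, int(ssn_rights)))
    conn.execute("""
        CREATE TEMP VIEW customers_v AS
        SELECT c.id, c.last, c.first, c.region,
               CASE WHEN s.ssn_rights = 1 THEN c.ssn
                    ELSE 'XXX-XX-' || substr(c.ssn, -4) END AS ssn,
               c.label
        FROM customers c
        JOIN label_rank r ON r.label = c.label
        CROSS JOIN session s
        JOIN label_rank cr ON cr.label = s.clearance
        WHERE r.rank <= cr.rank
    """)


def run_user_query(conn: sqlite3.Connection, sql: str) -> list:
    """Whatever the user asks, it is answered through the policy view."""
    return conn.execute(sql).fetchall()


def demo() -> tuple:
    conn = build_db()
    open_session(conn, clearance="Public", ssn_rights=False)
    analyst = run_user_query(conn, "SELECT id, last, ssn FROM customers_v ORDER BY id")
    # Asking for the Sensitive row by name returns nothing: the filter is in the view.
    probe = run_user_query(conn, "SELECT id FROM customers_v WHERE label = 'Sensitive'")
    open_session(conn, clearance="Sensitive", ssn_rights=True)
    officer = run_user_query(conn, "SELECT id, last, ssn FROM customers_v ORDER BY id")
    return analyst, probe, officer


if __name__ == "__main__":
    for rows in demo():
        print(rows)
```

The point to notice is that the user's SQL never carries the filter: a query for label = 'Sensitive' simply returns no rows, which is what separates label security from a WHERE clause the application is trusted to add.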
Slide 12: Content Analysis
Techniques a CMP/DLP engine uses to recognize sensitive content:
• Rules
• Partial Document Matching
• Exact File Matching
• Database Fingerprinting
• Statistical
• Conceptual
• Categories

Example rule from the slide, a credit card number pattern in .NET regex syntax (named groups (?<name>...), conditionals (?(name)yes|no)):

^(?:(?<Visa>4\d{3})|(?<Mastercard>5[1-5]\d{2})|(?<Discover>6011)|(?<DinersClub>(?:3[68]\d{2})|(?:30[0-5]\d))|(?<AmericanExpress>3[47]\d{2}))([ -]?)(?(DinersClub)(?:\d{6}\1\d{4})|(?(AmericanExpress)(?:\d{6}\1\d{5})|(?:\d{4}\1\d{4}\1\d{4})))$

The \1 backreference is the optional separator group ([ -]?). .NET numbers named groups after unnamed ones, so that group is 1 there; under PCRE or Python numbering it would be group 6, and the pattern needs a named backreference to the separator instead.
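Added example, not from the deck: the card rule above ported to Python's re module and combined with two of the other techniques listed, a Luhn check (the mod-10 digit test every issued card number passes, which removes most random-digit false positives) and database fingerprinting of the SSN values from the Label Security slide, where the scanner holds only hashes of the registered values. The sample text is constructed from the report excerpt on the Cross-Domain slide plus published test card numbers; the lookaround wrappers that replace ^ and $ are an assumption so the rule works inside free text.

```python
from __future__ import annotations

import hashlib
import re

# The slide's card rule in Python syntax. .NET numbers named groups after unnamed
# ones, so its "\1" was the separator; Python numbers groups left to right, so the
# separator is a named group here and the conditionals refer back to it by name.
_CARD_BODY = (
    r"(?:(?P<Visa>4\d{3})|(?P<Mastercard>5[1-5]\d{2})|(?P<Discover>6011)"
    r"|(?P<DinersClub>(?:3[68]\d{2})|(?:30[0-5]\d))|(?P<AmericanExpress>3[47]\d{2}))"
    r"(?P<sep>[ -]?)"
    r"(?(DinersClub)(?:\d{6}(?P=sep)\d{4})"
    r"|(?(AmericanExpress)(?:\d{6}(?P=sep)\d{5})"
    r"|(?:\d{4}(?P=sep)\d{4}(?P=sep)\d{4})))"
)
# Lookarounds instead of ^/$ (assumption) so the rule can scan free text.
CARD_RE = re.compile(r"(?<![\d-])" + _CARD_BODY + r"(?![\d-])")
BRANDS = ("Visa", "Mastercard", "Discover", "DinersClub", "AmericanExpress")

SSN_RE = re.compile(r"(?<![\d-])\d{3}-\d{2}-\d{4}(?![\d-])")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check: double every second digit from the right, sum, test % 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text: str) -> list[tuple[str, str]]:
    """Rule-based detection: regex candidates that also pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        brand = next(b for b in BRANDS if m.group(b) is not None)
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            hits.append((brand, digits))
    return hits


def fingerprint(values) -> set:
    """Database fingerprinting: register hashes of the values, never the values."""
    return {hashlib.sha256(v.encode()).hexdigest() for v in values}


# Constructed fingerprint set: the SSNs from the Label Security slide's table.
SSN_FINGERPRINTS = fingerprint(["555-12-5555", "324-86-3456"])


def find_ssns(text: str) -> list[tuple[str, str]]:
    """Pattern match first, then confirm each candidate against the fingerprints."""
    out = []
    for m in SSN_RE.finditer(text):
        token = m.group(0)
        known = hashlib.sha256(token.encode()).hexdigest() in SSN_FINGERPRINTS
        out.append((token, "fingerprint" if known else "pattern-only"))
    return out


# Constructed sample text: the report excerpt from slide 23 plus card numbers that
# are published for testing and carry no real account.
SAMPLE = (
    "Customer retention grew 13% YoY. Customer 138-56-8375 held return value. "
    "Cards on file: 4111 1111 1111 1111, 3782 822463 10005, 3056 930902 5904, "
    "4111 1111 1111 1112 (typo). Approved by employee 555-12-5555, ref 2007-2010."
)

if __name__ == "__main__":
    print(find_cards(SAMPLE))
    print(find_ssns(SAMPLE))
```

The fourth card number matches the regex but fails Luhn and is dropped; the first SSN matches the pattern but is not in the fingerprint set, which is the difference between "looks like an SSN" and "is one of ours".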
Slide 13: Store
• We use access controls, encryption, and rights management to protect data in storage.
• Content Discovery helps find unprotected sensitive data that slipped through the gaps.
Slide 14: Store Technologies

| Control | Structured | Unstructured |
| --- | --- | --- |
| Access Controls | DBMS Access Controls; Administrator Separation of Duties | File System Access Controls; Document Management System Access Controls |
| Encryption | Field Level Encryption; Application Level Encryption; Media Encryption | File/Media Encryption*; File Encryption; Distributed Encryption |
| Rights Management | Label/Row Level Security | Enterprise DRM |
| Content Discovery | Database-Specific Discovery Tools | DLP/CMF Content Discovery; Storage/Data Classification Tools |
Slide 15: Store controls (diagram)
Access Controls, Encryption, DRM.
Slide 16: Encryption Options (diagram)
Three places to encrypt stored data: at the application/database level, at the file/folder level, or at the media level. The diagram's sample row, rmogull | Phoenix | asdfasdfasdfasdf, illustrates a record in which one field is held as ciphertext.
Slide 17: Content Discovery (diagram)
Remote Scanning.
Slide 18: Use
• Monitor and protect information during use.
• Includes business applications and productivity applications.
• Heavy use of content-aware technologies.
Slide 19: Use Technologies

| Control | Structured | Unstructured |
| --- | --- | --- |
| Activity Monitoring and Enforcement | Database Activity Monitoring; Application Activity Monitoring | Endpoint Activity Monitoring; File Activity Monitoring; Portable Device Control; Endpoint DLP |
| Rights Management | Label Security | Enterprise DRM |
| Logical Controls | Object (Row) Level Security; Structural Controls | Application Logic |
| Application Security | Implemented at application layer | Implemented at application layer |
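Added example, not from the deck: what a Database Activity Monitoring rule in the Use phase looks like when run over an audit feed, with the enforcement decision attached to each finding. The log lines, the policy constants (sensitive tables, application accounts, admin hosts, bulk threshold) and the regex standing in for a SQL parser are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed audit feed in the shape a database activity monitor collects from
# the DBMS (not output of any real product):
# timestamp | db account | client host | statement | rows returned/affected
AUDIT_LOG = """\
2015-09-18T10:01:02|app_svc|10.0.1.20|SELECT id,last,first FROM customers WHERE id=1111|1
2015-09-18T10:02:10|app_svc|10.0.1.20|SELECT ssn FROM customers WHERE id=1112|1
2015-09-18T10:05:31|jsmith|10.0.9.77|SELECT id,ssn FROM customers|20000
2015-09-18T10:06:00|dba1|10.0.9.77|GRANT SELECT ON customers TO jsmith|0
2015-09-18T10:07:45|jsmith|10.0.9.77|SELECT count(*) FROM orders|1
"""

# Policy, constructed: tables holding sensitive data, the application accounts
# that are supposed to touch them, where administrators work from, and how many
# rows in one statement counts as extraction rather than use.
SENSITIVE_TABLES = {"customers"}
APP_ACCOUNTS = {"app_svc"}
ADMIN_HOSTS = {"10.0.0.5"}
BULK_THRESHOLD = 1000

DML = {"SELECT", "INSERT", "UPDATE", "DELETE"}
PRIVILEGED = {"GRANT", "REVOKE", "ALTER", "DROP", "CREATE"}
# Stand-in for a SQL parser: pull table names that follow the usual keywords.
TABLE_RE = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE|ON)\s+([A-Za-z_][\w.]*)", re.I)


@dataclass
class Alert:
    rule: str
    action: str        # "alert" or "block": the enforcement half of monitoring
    account: str
    statement: str


def tables_in(statement: str) -> set:
    return {t.lower() for t in TABLE_RE.findall(statement)}


def evaluate(line: str) -> list:
    """Apply the three rules to one audit record."""
    _ts, account, host, statement, rows = line.split("|")
    verb = statement.split(None, 1)[0].upper()
    sensitive = tables_in(statement) & SENSITIVE_TABLES
    alerts = []
    # 1. Sensitive data reached by something other than the application account.
    if sensitive and verb in DML and account not in APP_ACCOUNTS:
        alerts.append(Alert("direct-access", "alert", account, statement))
    # 2. A single statement pulling enough rows to be an export, not a lookup.
    if sensitive and verb == "SELECT" and int(rows) >= BULK_THRESHOLD:
        alerts.append(Alert("bulk-extract", "block", account, statement))
    # 3. Privilege changes or DDL from a host administrators do not work from.
    if verb in PRIVILEGED and host not in ADMIN_HOSTS:
        alerts.append(Alert("privileged-from-unmanaged-host", "alert", account, statement))
    return alerts


def scan(log: str) -> list:
    return [a for line in log.splitlines() if line.strip() for a in evaluate(line)]


if __name__ == "__main__":
    for alert in scan(AUDIT_LOG):
        print(alert)
```

The application's own single-row lookups produce nothing; the same table read by a named user in one 20,000-row statement produces both a direct-access alert and a block, and the GRANT that made it possible is flagged on its own because of where it came from.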
Slide 20: Two Sides of Information-Centric Security
Data Center and Productivity.
Slide 21: CMP (diagram)
CMP (Content Monitoring and Protection, the Securosis term for DLP) with the pieces drawn around it: Advanced Content Analysis; Real-Time DRM; CMP to ADMP Bridges; Managed and Unmanaged Systems.
Slide 22: ADMP (diagram)
ADMP (Application and Database Monitoring and Protection) and its components: Adaptive Authentication; Application NAC; Activity Monitoring; Anti-Exploitation; Transaction Authentication; Session Security; Application Virtualization.
Slide 23: Cross-Domain Information Protection (diagram)
The same customer records (ID, Last, First, SSN: 1111 Mogull Richard 555-12-5555; 1112 Smith John 324-86-3456) appear in two databases, feed a bar chart (years 2007 to 2010, y axis 0 to 200), and are pasted into a "Customer Report" document that reads "Customer retention grew 13% YoY. Customer 138-56-8375 held return value while..." and embeds a table with an SSN column. The sensitive element travels with the data into every domain it reaches.
Slide 24: Share
• Securely exchange information, inside and outside of the enterprise.
• A mixture of content-aware technologies and encryption for secure exchange.
Slide 25: Share Technologies

| Control | Structured | Unstructured |
| --- | --- | --- |
| CMP/DLP | Database Activity Monitoring (with DLP feature) | Network/Endpoint CMP/DLP |
| Encryption* | Network Encryption; Application Level Encryption | Email Encryption; File Encryption; Network Encryption |
| Logical Controls | Object (Row) Level Security; Structural Controls | |
| Application Security | Implemented at application layer | Implemented at application layer |

* Only when data elements are not otherwise encrypted.
Slide 26: Inter-Organization Encryption vs. DRM
Slide 27: Archive
• Protect information in archival storage.
• Encryption and asset management.
Slide 28: Archive Technologies

| Control | Structured | Unstructured |
| --- | --- | --- |
| Encryption | Field-Level Encryption; Storage Encryption (multiple options) | Tape Encryption; Storage Encryption (multiple options) |
| Asset Management | Asset Management | Asset Management |
Slide 29: Tape Encryption Options (diagram)
In-line, Drive, Software.
Slide 30: Destroy
• Ensure data is not recoverable at end of life.
• Content discovery to ensure dangerous data isn't hiding where it shouldn't be.
Slide 31: Destroy Technologies

| Control | Structured | Unstructured |
| --- | --- | --- |
| Crypto-Shredding | Enterprise Key Management | Enterprise Key Management |
| Secure Deletion | Disk/Free Space Wiping | Disk/Free Space Wiping |
| Physical Destruction | Physical Destruction | Physical Destruction |
| Content Discovery | Database-Specific Discovery Tools | DLP/CMF Content Discovery; Storage/Data Classification Tools; Enterprise Search; E-Discovery |
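Added example, not from the deck, covering the Encryption Options slide and the crypto-shredding row above together: field-level encryption with a data-encryption key per data owner held by a key manager, and end of life handled by deleting that key, after which the live record and every archived copy of it decrypt to nothing. The cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, a stand-in chosen to keep the example on the standard library (use AES-GCM from a vetted library in practice; the key-management logic is unchanged); the KeyManager and FieldStore classes and the per-owner key layout are assumptions.

```python
import hashlib
import hmac
import os


def _subkeys(dek: bytes) -> tuple:
    """Derive separate encryption and MAC keys from one data-encryption key."""
    enc = hmac.new(dek, b"enc", hashlib.sha256).digest()
    mac = hmac.new(dek, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode over HMAC-SHA256 (stand-in for a block cipher in CTR mode)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt(dek: bytes, plaintext: bytes) -> tuple:
    enc_key, mac_key = _subkeys(dek)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def decrypt(dek: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    enc_key, mac_key = _subkeys(dek)
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext tampered or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyManager:
    """Stand-in for enterprise key management: one DEK per data owner.
    Shredding deletes the DEK and touches nothing else."""

    def __init__(self):
        self._deks = {}

    def dek_for(self, owner: str) -> bytes:
        return self._deks.setdefault(owner, os.urandom(32))

    def lookup(self, owner: str):
        return self._deks.get(owner)

    def shred(self, owner: str) -> None:
        self._deks.pop(owner, None)


class FieldStore:
    """Field-level encryption: a sensitive value is stored as
    (owner, nonce, ciphertext, tag). rows is what backups and archives copy."""

    def __init__(self, km: KeyManager):
        self.km = km
        self.rows = {}

    def put(self, rec_id: int, owner: str, value: str) -> None:
        self.rows[rec_id] = (owner,) + encrypt(self.km.dek_for(owner), value.encode())

    def get(self, rec_id: int):
        owner, nonce, ct, tag = self.rows[rec_id]
        dek = self.km.lookup(owner)
        if dek is None:
            return None   # key shredded: ciphertext still present, data unrecoverable
        return decrypt(dek, nonce, ct, tag).decode()


def demo() -> tuple:
    km = KeyManager()
    live = FieldStore(km)
    live.put(1111, "cust-1111", "555-12-5555")
    live.put(1112, "cust-1112", "324-86-3456")
    archive = FieldStore(km)
    archive.rows = dict(live.rows)      # tape/archive copy taken before end of life
    before = live.get(1111)
    km.shred("cust-1111")               # end of life for customer 1111
    return before, live.get(1111), archive.get(1111), live.get(1112)


if __name__ == "__main__":
    print(demo())
```

Shredding works only because the key never sits beside the data: if tape copies carry the DEK, or the key manager's own backups retain the deleted entry, the data is recoverable, so the key store's retention is what has to be checked, not the storage that still holds the ciphertext.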
Slide 32: Closing recap
The lifecycle diagram from slide 7 again: Create, Store, Use, Share, Archive, Destroy, with the same controls under each phase.