Of Crown Jewels and Data Assets
April 2017
© 2017 Deloitte Risk Advisory Pty Ltd
The threat landscape
It’s all in the news
You cannot hide
The changing threat landscape
According to the Information Security Forum (ISF) Threat Horizon 2018 report, information security threats are set to worsen. Organisations risk becoming disoriented and losing their way in a maze of uncertainty as they grapple with complex technology, the proliferation of data, increased regulation, and a debilitating skills shortage.
So what do we know
Industry 4.0: the outcome of being “smart”
The rise of the extended kinetic enterprise

[Figure: degree of complexity rising over time, from the end of the 18th century to today]
- Industry 1.0, 1st industrial revolution (end of 18th century): introduction of mechanical production facilities with the help of water and steam power; first mechanical weaving loom, 1784
- Industry 2.0, 2nd industrial revolution (beginning of 20th century): introduction of mass production with the help of electrical energy; first assembly line, 1870
- Industry 3.0, 3rd industrial revolution (beginning of the 1970s): application of electronics and IT to further automate production; first programmable logic control system, 1969
- Industry 4.0, 4th industrial revolution (today): based on cyber-physical production systems (CPPS), merging the real and virtual worlds

Industry 4.0 building blocks: Internet of things, Internet of services, Internet of data, Internet of people; Smart Buildings, Smart Mobility, Smart Homes, Smart Grid, Smart Logistics, Social Web, Business Web, CPPS, Smart Factory
What it means for you…
Given the breadth of the cyber ecosystem, and with it the attack surface and opportunity for malicious attack, organisations need to acknowledge that their focus must move to a data-first approach.
[Figure: the stages of the data value chain, with their technologies and value drivers, plotted against magnitude, risk and time]
- Use of sensors to generate data about a physical event or state
- Transmission of information from generation to processing location
- Gathering information created at different times or from different sources
- Discernment of patterns among data that leads to action, descriptions or predictions
- Initiating, changing or maintaining an event or state
What it means for you… focus on data
Understand the lifecycle of your data and know the worth of risk in today’s connected enterprise.
Cyber Risk ≠ Cyber Security
Cyber risk and cyber security are often used interchangeably; however, they are two different concepts. The focus is often, inadvertently, on cyber security, neglecting broader cyber risk management.
Cyber security is a category of solutions that partially address cyber risk. Cyber security is based on the principles of confidentiality, integrity and availability.
Cyber risk is a category of business risks that have strategic, operational and regulatory implications. Cyber risk management assesses threats, vulnerabilities and their potential impact on the broader organisation.
Cyber Risk ≠ Cyber Security
The end game will be a bigger digital objective of which Cyber is just one of the many key ingredients.
[Figure: Cyber, Cyber Security and Cyber Risk as one ingredient of Digital Enablement]
Digital Enablement:
• Internet of Things
• Big Data
• Cloud
• Social / Mobility
• Blockchain
• Augmented Reality
• Digital Platforms
• CX / UX
• Open Data Networks
• Process Automation
• Right Speed IT
• Information Management
• Core Systems Reinvention
So how do we protect our data assets
Data Protection
Fundamental changes to how organizations approach data protection need to occur in order for the risk landscape to improve. Organizations are not investing in the right areas to address the risks and threats which are most impactful and likely.
Recent attacks demonstrate that we need to change the game
1. Risk mitigation versus compliance requirements
2. Building and maintaining a comprehensive inventory of sensitive assets and data
3. Implementing solutions to protect data and monitor for data loss at the “data layer”
4. Consistently executing the security fundamentals
Data Protection
Why is protecting data so difficult?

Explosive data growth… Data is doubling in size every two years: from 4.4 ZB in 2013, it will reach 44 zettabytes by 2020 [5]. This could fill up the Library of Congress more than 10 million times.

…and data proliferation. The average organisation shares documents with 826 external domains / organisations [6].

Technology flawed by design. 6,488 new security vulnerabilities were added to the National Vulnerability Database (NVD) in 2015 [8]. This means an average of 17 new vulnerabilities each day.

Compliance focused mindset. Cyber risk standards, laws, and regulations have not and cannot keep up with both business and technological change and evolving adversaries. Although PCI compliance among organizations increased from 20% to 29% between 2014 and 2015 [2], the number of data breaches also increased during that period, from 1,300 breaches in 2014 to 2,100 breaches in 2015.

Consistently failing to implement security fundamentals. Many companies lack the standard data protection capabilities (e.g., malware protection, data lifecycle management). 99.9% of exploited vulnerabilities were compromised more than a year after the CVE was published [2].

Business and technology innovation. Innovations are creating additional cyber risk for organisations. Many organisations have started moving mission critical applications to the cloud: the average company uses 738 cloud services [7], more than 10x what IT expects. By 2020, there will be 5 billion Internet of Things (IoT) devices [2].

Top trends: Autonomic Platforms, Internet of Things, Cloud Enablement, Digital Enablement, Extended Enterprise & Third Party Risk
Data breach root causes
Let’s keep it simple
It’s not due to lack of funding. It’s because most organisations do not use a data-centric approach to protection.
1. Organizations do not have enough experienced Cyber Security resources to appropriately protect all IT infrastructure and sensitive data
2. The end user continues to be targeted and exploited via spear-phishing, drive-by-exploits, and social engineering attacks
3. Many companies often release insecure software before sufficient testing can be performed due to the need for quick release into the market
4. Attackers are profiting and succeeding so they are not going away and not giving up
5. The level of sophistication in hacker goals and hacker tools continues to rise.
What is Data-centric protection?
Data protection is one of the key focus areas for leading regulations and standards. Rules around data security are becoming more prevalent, stringent and mandatory, increasingly with the assumption that adversaries are already in. This assumption means organisations need to focus on what is important to them, their most valuable information, rather than on just keeping the attackers out.
Core principles (principle: description)

Data Security
- Know what data is important and where it is: Inventorying and classifying sensitive data and assets, as well as maintaining the inventory, is foundational, and incredibly important to data protection.
- Apply data-level protection capabilities: Implementing data-layer protection capabilities can help to both prevent and detect data breaches at an organisation’s “last line of defence”.

Data Governance
- Data agenda: Set a data agenda to manage the explosive growth in data.
- Define the data: Ensure that requirements and definitions are driven by the business and not IT.
- Data-centric processes: Establish data-centric processes with data at the heart of the conversation to drive the standardisation of shared concepts.

Privacy
- Understand obligations: Understand your privacy requirements, risks and the personal information assets you hold.
- Monitor and manage: Continuously monitor, measure and improve privacy risk management processes.
- Ready to respond: Be resilient to respond to privacy risk.
How to change the game
Data protection capabilities should occur from the “inside out”, in addition to the “outside in”. Assume your adversaries are “in”, and limit what they can do, and the impact they can cause.
Data protection from the inside out

Focus on scope: Invest in areas that maximize return on investment. Focusing at the data layer makes it harder for attackers to get hold of sensitive information.

Top goals:
- Discourage Attackers: Make attacks harder, more time consuming and costly
- Engineer for Control Failure: Protect data assuming other traditional controls will fail
- Minimise Breach Impact: Any data loss should result in the least possible impact
- Play the Percentages: Invest in areas that maximise return on investment

Business Centric Capabilities:
– Third-party access
– Business impact to data
– Operational risk profiling of data
– Data ownership
– Data lifecycle ownership
– Data lifecycle management

Data Centric Capabilities (focus on the sensitive data itself):
– Identify and maintain an inventory of the most critical assets through enterprise data discovery, classification and management programs
– Render compromised data useless through tokenisation, encryption and obfuscation
– Zero in on the most likely targets for attacks
– Monitor for data access or exfiltration at database layer and endpoints

Illustrative Supplemental Capabilities (close access paths through fundamental security controls):
– Strong Authentication
– Malware Detection
– Privileged User Management
– Vulnerability and Patch Management
– Configuration Management

[Figure: protection layers from the inside out: Data, Application, Platform, Network]
Data protection framework
Business objectives and business value: Growth / Innovation, Privacy, Risk management, Regulatory compliance

Governance (strategy and operating model; policies, standards, and architecture; risk reporting and culture):
• Data Protection strategy and roadmap
• Data Protection organization structure and accountability
• Regulatory compliance and exam management
• Policies and standards covering each of the Data Protection capabilities
• Operational procedures and supporting guides
• Data protection reference architecture
• Risk reporting framework and dashboards
• KRIs and KPIs
• Embedding data protection culture across the business (IT, HR, etc.)
• Data protection training and awareness
• Data risk management lifecycle including identification, testing, response, and treatment
• Threat modeling and data risk identification

Data Protection Technology Capabilities:
• Data discovery and inventory
• Data classification
• Data encryption, tokenization, and obfuscation
• Key and certificate management
• Information rights management
• Payments security
• Data retention and destruction
• Data loss prevention
• Data access governance
• Database security

Data Security Governance (Operational Capabilities):
• Business Impact & Readiness
• IT Operations & Readiness
• Stakeholder Management & Communication
• Collaboration & Information Life Cycle Tools
• Master Data Management and Sharing
• Data Security & Architecture
• Data Workflow
• Metadata Repository
• Progress Tracking
• Issue monitoring
• Continuous improvement
• Score carding
• Data analytics

Assessment against a controls set (e.g. ISF, NIST, Privacy regulation, NAB SKCA)
It’s not all about frameworks and policies
Integrated framework for data protection

Data lifecycle stages: Data Collection / Creation, Data Storage, Data Usage and Sharing, Data Retention and Destruction

Data protection capabilities spanning the lifecycle:
- Data Classification
- Data Security Architecture
- Security Metrics and Reporting, Board Reporting
- Awareness and Culture, Secure Data Lifecycle, Data Management, Third Party Security
- Encryption and Tokenisation, Privacy Assessment Platform, Third Party Security Platform
- Discovery and Classification
- Data Loss Prevention
- User Behavior Analytics
- CASB
- Analytics and Reporting
Protection across the data lifecycle

Data Collection: Sensitive data is collected by an organization as part of its day-to-day operations via point of sale devices, application forms, data from credit bureaus, etc.
Data Storage: Collected data is stored across multiple solutions such as databases, backup locations, third party storage, etc., for further use by applications and users.
Data Usage and Sharing: Data is transmitted from storage solutions for processing on internal and external servers, applications, end-user devices, and other devices within and outside the network.
Data Retention and Destruction: Data is retained or destroyed by the organization per regulatory, internal compliance or business requirements, using electronic or physical media for retention.

Data targets across the lifecycle: Web applications; Scanning and printing devices; Physical documents; Databases and storage devices; Cloud data transfers; Application data transfers; End user reporting; Retain data on storage devices; Destroy electronic data and physical documents after use

Threats across the lifecycle: MITM attack; POS Malware; Malicious insider; Data Exfiltration; Backup Failure; Stolen Device; Eavesdropping; Remnant data; Corrupt backup

Data protection capabilities: Data encryption, tokenization, and obfuscation / Key and certificate management / Payment security; Data loss prevention; Data discovery, inventory, and classification; Data access governance; Information rights management; Data retention and destruction; Database security
How would it work – it’s all about options
There are many ways to get started, depending on the needs, priorities and maturity of an individual organization’s data protection program.
1. Data Discovery Exercise: Perform a data discovery exercise to understand where structured and unstructured sensitive data exists across the organization. Provide recommendations on how to protect and manage the sensitive data identified.
2. Data Exfiltration Risk Assessment: Conduct a risk assessment to identify the areas in the organization that are most at risk of data being exfiltrated. Provide recommendations on remediation activities to strengthen those areas.
3. Data Protection Technology and Capability Implementation: Assist with the implementation and deployment of data protection technology solutions and capabilities. We can provide full scale technology implementation support.
4. Data Protection Program Foundation Development: Develop supporting capabilities (e.g. governance, operating model, key risk indicators, key performance indicators, etc.) to enhance and strengthen the data protection program.
5. Data Protection Assessment and Strategy: Conduct a data protection assessment of the opportunity to understand the key risks the organization is facing, as well as capability maturity and any gaps that exist. Develop a data protection strategy and roadmap to define the components and capabilities needed to build a data protection program.
6. Managed Services: Provide service level agreement (SLA) based operation of Data Loss Prevention (DLP) tools, including event analysis, system maintenance, reporting and other operational tasks.
Manage it as a program

Workstreams: Stakeholders, Management Processes, Data Protection Governance, Strategy

Strategy: Planning and Design
- Identify PU Stakeholders
- Identify Senior Management and Stakeholders
- Identify Applicable Data Protection Laws and Regulations
- Develop Assessment Project Plan & Team
- Develop Program Vision and Objectives
- Define Requirements and Controls
- Develop Strategy and Roadmap
- Training & Awareness Plan and Materials

Operations: Discover and Classify
- Procure and Deploy Data Discovery, Classification and Inventory Tools
- Data Types Most Valuable to the Business
- Data Flow Mapping of Valuable Data
- Assessment of Risk & Controls
- Remediation and Action Plan

Operations: Deploy Protection Mechanisms
- Prioritise Data Protection Implementation based upon Data Classification Scheme
- Design and Implement Data Protection Solution across the Data Lifecycle Stages
- Integrate Applications, Business Processes, Platform and Systems with the Data Protection Solutions
- Deploy Fundamental Security Controls to Enhance Broader Data Protection Posture

Operations: Monitor and Respond
- Deploy Data Monitoring Tools and Processes
- Define and Implement Incident Response Processes
- Implement Metrics, Monitoring and Reporting (including Board)
- Report on Outcomes
Of Crown Jewels and Data Assets
This document and the information contained in it is confidential and should not be used or disclosed in any way without our prior consent.
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/au/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.
The entity named herein is a legally separate and independent entity. In providing this document, the author only acts in the named capacity and does not act in any other capacity. Nothing in this document, nor any related attachments or communications or services, has any capacity to bind any other entity under the ‘Deloitte’ network of member firms (including those operating in Australia).
Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte has in the region of 225,000 professionals, all committed to becoming the standard of excellence.

About Deloitte Australia
In Australia, the member firm is the Australian partnership of Deloitte Touche Tohmatsu. As one of Australia’s leading professional services firms, Deloitte Touche Tohmatsu and its affiliates provide audit, tax, consulting, and financial advisory services through approximately 6,000 people across the country. Focused on the creation of value and growth, and known as an employer of choice for innovative human resources programs, we are dedicated to helping our clients and our people excel. For more information, please visit our web site at www.deloitte.com.au.
Liability limited by a scheme approved under Professional Standards Legislation.
Member of Deloitte Touche Tohmatsu Limited
© 2017 Deloitte Risk Advisory Pty Ltd
Puneet Kukreja
National Lead Partner – Data Protection Group
National Cyber Leader – Banking and Financial Services
Cyber Risk Advisory
T: +61403037010
E: [email protected]
Thank you.