Upload
others
View
0
Download
0
Embed Size (px)
Citation preview
The Information-Centric Security Lifecycle
Adrian LaneSecurosis, L.L.C.
MainframeMainframe Internet I Internet I Internet II Internet II
JailJail FortressFortress ZoneZone
But what about the information?
NetworkNetwork
HostHost
ApplicationApplication
DataData
Use
rU
ser
DataDataInformationInformation
HostHost
ApplicationApplication
NetworkNetwork
InformationInformationInformationInformation
HostHost
ApplicationApplication
NetworkNetwork
Use
rU
ser
The Information-Centric Security Lifecycle
CreateCreateCreate
DestroyDestroyDestroy
StoreStoreStore
ShareShareShare ArchiveArchiveArchive
UseUseUseClassifyAssign RightsClassifyAssign Rights
Access ControlsEncryptionRights ManagementContent Discovery
Access ControlsEncryptionRights ManagementContent Discovery
Activity Monitoringand Enforcement
Rights ManagementLogical ControlsApplication Security
Activity Monitoringand Enforcement
Rights ManagementLogical ControlsApplication Security
CMP (DLP)EncryptionLogical ControlsApplication Security
CMP (DLP)EncryptionLogical ControlsApplication Security
EncryptionAsset ManagementEncryptionAsset Management
Crypto-ShreddingSecure DeletionContent Discovery
Crypto-ShreddingSecure DeletionContent Discovery
ILM and Security
CreateCreate
DestroyDestroy
StoreStore
ShareShare ArchiveArchive
UseUseCreation Creation
and and ReceiptReceipt
DistributionDistribution
UseUseMaintenanMaintenancece
DispositionDispositionUseUse
• Content is classified as it’s created through content analysis or based on labeling of data elements.
• Rights are assigned, based on central policies.
• Mandatory and discretionary policies.
CreateCreateCreate
Control Structured Unstructured
Classify None* None*
Assign Rights Label Security Enterprise DRM
Create
Create
Create
Create Technologies
Note- Classification is expected to emerge from DLP/CMP
Label Security
ID Last First SSN
1111 Mogull Richard 555-12-5555
1112 Smith John 324-86-3456
ID Last First Region Label
1111 Mogull Richard US Public
1112 Smith John EMEA Sensitive
Column
Row
Partial Document MatchingPartial Document Matching
Exact File MatchingExact File Matching
StatisticalStatisticalDatabase FingerprintingDatabase Fingerprinting
CategoriesCategories ConceptualConceptual
^(?:(?<Visa>4\d{3})|(?<Mastercard>5[1-5]\d{2})|(?<Discover>6011)|(?<DinersClub>(?:3[68]\d{2})|(?:30[0-
5]\d))|(?<AmericanExpress>3[47]\d{2}))([ -]?)(?(DinersClub)(?:\d{6}\1\d{4})|(?(AmericanExpress)(?:\d{6}\1\d{5})|
(?:\d{4}\1\d{4}\1\d{4})))$
RulesRules
Content Analysis
• We use access controls, encryption, and rights management to protect data in storage.
• Content Discovery helps find unprotected sensitive data that slipped through the gaps.
StoreStoreStore
Store Technologies
Control Structured Unstructured
Access ControlsDBMS Access Controls
Administrator Separation of Duties
File System Access ControlsDocument Management System Access Controls
EncryptionField Level Encryption
Application Level EncryptionFile/Media Encryption*
Media EncryptionFile Encryption
Distributed Encryption
Rights Management Label/Row Level Security Enterprise DRM
Content DiscoveryDatabase-Specific Discovery
Tools
DLP/CMF Content DiscoveryStorage/Data Classification
Tools
Store
Store
Store
AccessControlsAccessAccessControlsControls EncryptionEncryptionEncryption DRMDRMDRM
Application/DatabaseFile/Folder Media
Encryption Options
rmogull Phoenix asdfasdfasdfasdf
Content Discovery
• Monitor and protect information during use.
• Includes business applications and productivity applications.
• Heavy use of content-aware technologies.
UseUseUse
Use Technologies
Control Structured Unstructured
Activity Monitoring and Enforcement
Database Activity Monitoring
Application Activity Monitoring
Endpoint Activity Monitoring
File Activity MonitoringPortable Device Control
Endpoint DLP
Rights Management Label Security Enterprise DRM
Logical ControlsObject (Row) Level Security
Structural ControlsApplication Logic
Application Security Implemented At Application Layer
Use
Use
Use
Two Sides Of Information-Centric Security
Data Center Productivity
CMP
CMP
ADMP
Adaptive AuthenticationApplication NACActivity MonitoringAnti-ExploitationTransaction AuthenticationSession SecurityApplication Virtualization
Cross-Domain Information Protection
ID Last First SSN
1111 Mogull Richard 555-12-5555
1112 Smith John 324-86-3456
ID Last First SSN
1111 Mogull Richard 555-12-5555
1112 Smith John 324-86-3456
Customer Report
Customer retention grew 13% YoY. Customer 138-56-8375 held return value while...
11 Last First SSN
asdf asd asd ads
ads ads asd asd
Customer Report
Customer retention grew 13% YoY. Customer 138-56-8375 held return value while...
11 Last First SSN
asdf asd asd ads
ads ads asd asd
• Securely exchange information, inside and outside of the enterprise.
• A mixture of content-aware technologies and encryption for secure exchange.
ShareShareShare
Share Technologies
Control Structured Unstructured
CMP/DLPDatabase Activity
Monitoring(With DLP Feature)
Network/Endpoint CMP/DLP
Encryption*Only When Data Elements Not Otherwise
Encrypted
Network EncryptionApplication Level Encryption
Email EncryptionFile Encryption
Network Encryption
Logical ControlsObject (Row) Level Security
Structural Controls
Application Security Implemented At Application Layer
Share
Share
Share
Inter-Organization Encryption vs. DRM
• Protect information in archival storage.• Encryption and asset management
ArchiveArchiveArchive
Archive Technologies
Control Structured Unstructured
Encryption Field-Level EncryptionTape Encryption
Storage Encryption(Multiple Options)
Asset Management Asset Management Asset Management
Archiv e
Archiv e
Archiv e
Tape Encryption Options
In-line Drive Software
• Ensure data is not recoverable at end of life
• Content discovery to ensure dangerous data isn’t hiding where it shouldn’t be.
DestroyDestroyDestroy
Destroy Technologies
Control Structured Unstructured
Crypto-Shredding Enterprise Key Management Enterprise Key Management
Secure Deletion Disk/Free Space Wiping Disk/Free Space Wiping
Physical Destruction Physical Destruction Physical Destruction
Content Discovery Database-Specific Discovery Tools
DLP/CMF Content DiscoveryStorage/Data Classification
ToolsEnterprise Search
E-Discovery
Destr oy
Destr oy
Destr oy
CreateCreateCreate
DestroyDestroyDestroy
StoreStoreStore
ShareShareShare ArchiveArchiveArchive
UseUseUseClassifyAssign RightsClassifyAssign Rights
Access ControlsEncryptionRights ManagementContent Discovery
Access ControlsEncryptionRights ManagementContent Discovery
Activity Monitoringand Enforcement
Rights ManagementLogical ControlsApplication Security
Activity Monitoringand Enforcement
Rights ManagementLogical ControlsApplication Security
CMP (DLP)EncryptionLogical ControlsApplication Security
CMP (DLP)EncryptionLogical ControlsApplication Security
EncryptionAsset ManagementEncryptionAsset Management
Crypto-ShreddingSecure DeletionContent Discovery
Crypto-ShreddingSecure DeletionContent Discovery
Adrian Lane
• [email protected]• http://securosis.com• AIM: whoisadrianlane• Skype: whoisadrianlane
Securosis, L.L.C.