Data Security in the Age of the Road Warrior
Heidi Shey | Forrester Research, Senior Analyst
Dave Bull | Intel Security, Director, Content Security Products
Our Speakers
Heidi Shey, Senior Analyst, Forrester
Dave Bull, Director, Content Security Products, Intel Security
Data Security in the Age of the Road Warrior
Heidi Shey, Senior Analyst
December 2015
© 2015 Forrester Research, Inc. Reproduction Prohibited 4
Your extended enterprise spans across three dimensions
Data is at the core
Employees are on the go
Employees have access to a variety of sensitive data… whether they need it or not
“What types of information do you have access to at work, regardless of whether you need to use it for your job or not?”
• Non-public corporate marketing/strategy plans relating to the company (e.g., pricing changes, merger/acquisition plans): 24%
• Non-public corporate financial information relating to the company (e.g., sales forecasts, earnings estimates): 27%
• Employee data (e.g., HR data, payroll data): 32%
• Intellectual property belonging to the company (blueprints, designs, formulas, recipes): 34%
• Customer service data, account numbers: 41%
• Contracts, invoices, customer orders: 45%
• Customer data (e.g., names, contact information, credit card data): 52%
Base: 7,267 global information workers
Source: Forrester’s Business Technographics Device & Security Workforce Survey, 2015
Most aren’t looking to break the rules
“Which of the following statements about security do you agree with?”
• "I follow the policies that are in place for data use and handling": 53%
• "Security restrictions and policies make me less productive": 11%
• "I sometimes ignore or go around our security policies": 5%
Base: 7,267 global information workers (US, Canada, UK, France, Germany, Brazil, Australia/NZ, China, India)
Source: Forrester’s Business Technographics Device & Security Workforce Survey, 2015
Employees are trying to do their jobs
• “It’s the most efficient way of doing what I need to get done”: 42%
• “The security policies are too strict or unreasonable”: 27%
• “I don’t have time to wait to get an exception granted from IT to do what I need to do”: 22%
Base: 7,267 global information workers (US, Canada, UK, France, Germany, Brazil, Australia/NZ, China, India)
Source: Forrester’s Business Technographics Device & Security Workforce Survey, 2015
Data loss and exposure happen in different ways…
Clerical error/data misuse
• Secretary of State Brian Kemp, Fulton County, Georgia (Oct/Nov 2015)
• 6 million individuals affected
Email error
• Department of Health and Human Services, Granville, North Carolina (Oct 2015)
• 1,615 individuals affected
Physical theft
• T-Bird Restaurant Group, Inc. (Outback Steakhouse), Northridge, California (September 2015)
• Unknown number of individuals affected
…and cost consequences vary widely
• Fines
• Lawsuits
• Exec departure
• Negative press
• Customer churn
• Brand, reputational damage
• Operational changes
• Recruiting issues
• Layoffs
• Added audit reqs
• Lost business partners
There’s plenty beneath the surface that is difficult to estimate
• Fines for noncompliance
• X years’ worth of audits
• Hiring a privacy officer
• Implementing training
• Other costs related to meeting compliance
No accident; employees are targets too
- Wired, November 10, 2014
- CSO Online, October 15, 2015
- SC Magazine, November 9, 2010
- CRN, June 25, 2015
Understand how data protection requirements are changing
Security faces a mutating threat landscape
Privacy faces an evolving regulatory landscape
› EU General Data Protection Regulation
› Safe Harbor
› Varying US state privacy laws
› Varying country privacy laws from Latin America to Asia Pacific
Implications for where data must stay, or how it must be processed and handled
Privacy brings more stakeholders to your table
Security Privacy
• Consumer/customer concerns and expectations
• Third party relationships (and risk)
Business concern over customer privacy concerns varies widely by country
Understand the level of concern, and reasons for concern, in your organization
Architect a data protection strategy to defend against today's threats
Take a holistic, data-centric approach
Forrester’s data security and control framework
Define: Data discovery, Data classification
› What it is and where it is
› Understanding and mapping how it flows today vs. how it needs to flow
› Context matters for use and access, especially for third-party access, mobile employees, and travelers
Dissect: Data intelligence, Data analytics
› Two sides: data and policy
  • Security data
  • Implications for data handling
    › State, country, industry-specific requirements
    › Business partner requirements
    › Customer perceptions
Defend: Access, Inspect, Dispose, Kill
› Platform, suite, standalone
› Embedded feature
› Audit mechanisms to prove policy enforcement
Ensure that policies and controls are aligned
How McAfee DLP Can Help
Dave Bull | Intel Security, Director, Content Security Products
McAfee Can Help!
Data Types: Data-in-Motion, Data-at-Rest, Data-in-Use
Data Loss Vectors: Email, Web Post, Network Traffic, IM Chat, Desktop/Laptop, Database, Removable/Devices, Cloud, Email/IM, File Share, Clipboard
Solution: DLP Prevent, DLP Monitor, DLP Discover, DLP Endpoint
Who’s stealing the data?
Actors Involved in Breaches: Internal and External Actors
• Internal actors: 43% (½ are intentional, ½ are accidental)
• External actors: 57%
External Actors
• Hackers: 36%
• Malware authors: 23%
• Organized crime: 14%
• Activists: 15%
• Nation-state: 13%
• Others: 1%
Customer/Employee PII Are Primary Targets
Data Types (two series; legend: Cloud, Traditional)
• Customer PII: 20%, 22%
• Employee PII: 18%, 19%
• PCI information: 14%, 14%
• Customer PHI: 13%, 14%
• Intellectual property: 12%, 11%
• Other financial information: 12%, 11%
• Employee PHI: 11%, 10%
• Others: 0%, 1%
Source: Grand Theft Data, Intel Security, 2015
How are the thieves getting data out?
Data Exfiltration
• Physical means: 40%
• Electronic means: 60%
Physical media used (physical media data breaches)
• Laptops/Tablets: 26%
• USB flash drives: 22%
• Mobile phones: 15%
• Printed hardcopies: 12%
• CDs/DVDs: 11%
• Microphones/Web cams: 10%
• Faxes: 9%
Source: Grand Theft Data, Intel Security, 2015
Resources
Go to the Resources Area of this webcast console to access:
• McAfee Total Protection for DLP Solution Brief
• Data Exfiltration Research Report
• Data Exfiltration Infographic
• Data Exfiltration Webcast
• Best Practices for Implementing Data Loss Prevention Webcast
• Today’s Presentation Slides
Intel and the Intel and McAfee logos are trademarks of Intel Corporation or McAfee, Inc. in the US and/or other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright © 2015 McAfee, Inc.