Data Protection Strategies for an Evolving Compliance Landscape
•Télécharger en tant que PPTX, PDF•
0 j'aime•619 vues
The document discusses evolving data protection and compliance challenges facing organizations. It outlines key threat drivers like cybercrime, cloud computing, and data loss that are pushing the need for improved security. The document provides lessons on developing an overarching security business model, mapping where sensitive data is located, understanding regulatory overlaps, and looking ahead to how security needs will continue to change. It advocates for centralized policy and key management to provide data tracking, control, and compliance.
Recommandé
Contenu connexe
Tendances
Tendances (19)
En vedette
En vedette (20)
Similaire à Data Protection Strategies for an Evolving Compliance Landscape
Similaire à Data Protection Strategies for an Evolving Compliance Landscape (20)
Plus de SafeNet
Plus de SafeNet (20)
Dernier
Dernier (20)
Data Protection Strategies for an Evolving Compliance Landscape
- 1. Perpetual Information SecurityDriving Data Protection in an Evolving Compliance Landscape Trisha Paine
- 2. Market Trends, Threat Drivers Cyber Crime Cloud Computing Identity Theft Virtualization Data Loss, Theft Mobile workforce removable media The Outsider becomes The Insider THREAT DRIVERS Compliance Loss of critical IP Penalties and Fines Breach Notification Laws Compliance and regulations Outside Breaches MARKET FORCES
- 3. Lesson #1: Develop an Overreaching Security Business Model Source: Information Systems Audit and Control Association (ISACA)
- 4. Lesson #2: Know Where Sensitive Data is Located
- 5. Lesson #3: Map Regulations and Find Overlaps
- 6. Lesson #3: Map Regulations and Find Overlaps
- 8. Data-centric protection—intelligence to protect the data itself throughout its lifecycle
- 9. Granular, selective protection over subset of unstructured or structured data (files, fields, and columns)
- 11. Granular data protection for authorized users, assure compartmentalization
- 12. Keep bad guys out, authorized users get full access
- 13. Centrally managed solution that addresses business, compliance, data governance & security
- 14. Multiple products to meet business and security needs
- 15. High level or very specific policy only,
- 16. No proper central policy management
- 22. Application & DB Data
- 24. Removable Media containedRemote Replication
- 25. Lesson #4: Look Forward to How Security Needs are Evolving
- 26. Lesson #5: Tackle Requirement 3 and Reduce the Key Management Scope Source: Oasis
- 27. Lesson #5: Tackle Requirement 3 and Reduce the Key Management Scope What’s the cost of unmanageable key management? Planning time: Some organizations spent up to a year planning for key management issues including breaches and notifications* Audit prep time Demonstrate which apps and networks are using the keys and where in the world they are Data Loss: Up to 39 percent of organizations who have experienced key loss also lose data permanently or disrupt business operations. Maintenance costs: Disparate systems means no economy of scale for maintenance costs. Each encryption system and key management solution could have 15-20% annual maintenance fees. * Source: TrustCatalyst
- 28. Lesson #5: Tackle Requirement 3 and Reduce the Key Management Scope
- 29. Lesson #5: Tackle Requirement 3 and Reduce the Key Management ScopeBenefits of Lifecycle Key Management
- 31. Ease proof of compliance
- 32. Streamline administration and enforcement of protection policies
- 33. Strong lifecycle key managementTokenization Application Protection Application andWeb Servers Database Security Intellectual Property Protection Databases File Servers Mainframes Laptop Legacy Protection Endpoints Hardened Appliance SCALABLE FOR GROWTH 0000 000 00
Notes de l'éditeur
- Market forces, such as compliance, globalization, outsourcing, SaaS, and cloud computing, have driven greater proliferation of data, information exchange, and access to data by “outsiders.” As this happens, the threats continue to mount, as more people inside and outside of the organization need access to data.More questions and concerns are introduced:The traditional boundaries of an enterprise have disappeared as data is hosted, outsourced, managed, or accessed by partners, third-party vendors, and a mobile workforceHow do you protect your information assets without restricting business processes?The outsider has become the insider, and even “authorized” users need secure access control. There is no clear delineation between bad guys and good guys.
- Multiple and Varying compliance mandates
- Data Centric Protection:Unified Compliance Framework
- With the introduction of PCI version 2.0, it is a great opportunity for us to reassess our environment and see how we can develop a holistic approach to protect sensitive information within our organization, beyond cardholder data. This new mandate is an example of how the market is changing… Data Protection 1.0 technologies are no longer adequate for today’s enterprise organization.1.0 is where many organizations are at today, this is where many companies are stuck. 2.0 is where the data protection market is headed.Let’s take a look at each one of these…(go through each row)SafeNet’s Approach: Data-centric Protection What's ChangingData-conscious vs. perimeter/network-centric Proactive protection vs. passive protection Why Is It HappeningData was born to be free. Passive protection techniques of trying to constrain data movement based on ‘source/destination’ or ‘all or nothing’ protection are not enough anymoreWhat To DoData-conscious security infrastructure, providing persistent data protection as data is created, used, stored, movedWhat You GainProactive data protection: Protect once, comply manyProtected infrastructureWhat To Look AtScalable and extensible infrastructure with integrated policy, key and ID management platform
- Data Centric Protection – Total TrustWith the loss of a traditional physical perimeter, a data-centric approach will protect each information item using a cryptographic perimeter that encases the data. Utilizing encryption as the data protection method enables a high-level of trust in allowing more free exchange of information – no need to worry about any type of data loss with each item being individually isolated. The key is central control – one place that has all the controls for all the data in every type of environment. For true life-cycle management and the control needed to “secure” the data, a consolidate location for control and management is key.The Solution – Data-centric Protection – Total TrustAssured user authentication (separate access from the data)Access control over the Data (application fields, files, etc.)Once and forever protection of the Data (cryptographic controls)Enable easy sharing with trusted parties (transparent technology)
- Approaches to Data Centric SecurityMany customers will use one or more approaches to protecting their data
- Key Management Solution:What’s the cost of unmanageable key management?
- "Key management is one of those 'gotcha' categories," says Jon Oltsik, analyst at Enterprise Strategy Group (ESG). "Encryption gets cheaper, you encrypt more stuff and key management becomes more important."Key Management Solution: Reducing Enterprise Key Management ComplexityWith so many different data types and devices to manage, it is no wonder why organizations are baffled when it comes to key managementOne system that Generates, Backups, Activates, Deactivates, Rotates, Guards against Compromise, DestroysProviding Secure, Centralized Key ManagementWith Data-centric Policy ManagementAlong with Identity & Access Management Resulting in Control and Visibility via Logging, Auditing, Reporting
- Benefits of Lifecycle Key ManagementReduce Admin Cost: reduce IT staff b/c there are not as many systems to manager. Or you can move resources on to the next project b/c there are less key managers controlling the multiple security points throughout the enterpriseEase of Proof of Compliance: one system to prepare for the audit means you can be more thorough and will expedite your auditing preparatory time. It also makes it simpler for your QSA to go in and access your files by looking to a reduced amount of key managers all with similar log files for data and reporting.
- We believe one of the best things a top security officer can have is the flexibility to adapt to new situations without having to go to great efforts to acquire more technology. If they have a solid base that eases management, administration, and proof of compliance then they are well on their way to achieving compliance every time.