The document discusses evolving data protection and compliance challenges facing organizations. It outlines key threat drivers like cybercrime, cloud computing, and data loss that are pushing the need for improved security. The document provides lessons on developing an overarching security business model, mapping where sensitive data is located, understanding regulatory overlaps, and looking ahead to how security needs will continue to change. It advocates for centralized policy and key management to provide data tracking, control, and compliance.
2. Market Trends and Threat Drivers
Threat drivers: cyber crime, cloud computing, identity theft, virtualization, data loss and theft, mobile workforce and removable media, outside breaches. The outsider becomes the insider.
Market forces: compliance and regulations, loss of critical IP, penalties and fines, breach notification laws.
3. Lesson #1: Develop an Overarching Security Business Model. Source: Information Systems Audit and Control Association (ISACA)
26. Lesson #5: Tackle Requirement 3 and Reduce the Key Management Scope. Source: OASIS
27. Lesson #5: Tackle Requirement 3 and Reduce the Key Management Scope
What’s the cost of unmanageable key management?
Planning time: some organizations spent up to a year planning for key management issues, including breaches and notifications.*
Audit prep time: demonstrating which applications and networks are using the keys, and where in the world those keys are.
Data loss: up to 39 percent of organizations that have experienced key loss also lose data permanently or disrupt business operations.
Maintenance costs: disparate systems mean no economy of scale for maintenance. Each encryption system and key management solution can carry 15-20% annual maintenance fees.
* Source: TrustCatalyst
Market forces such as compliance, globalization, outsourcing, SaaS, and cloud computing have driven greater proliferation of data, more information exchange, and more access to data by “outsiders.” As this happens the threats continue to mount, because more people inside and outside the organization need access to data. More questions and concerns are introduced: the traditional boundaries of an enterprise have disappeared as data is hosted, outsourced, managed, or accessed by partners, third-party vendors, and a mobile workforce. How do you protect your information assets without restricting business processes? The outsider has become the insider, and even “authorized” users need secure access control. There is no clear delineation between bad guys and good guys.
Multiple and varying compliance mandates
Data Centric Protection: Unified Compliance Framework
With the introduction of PCI DSS version 2.0, we have a good opportunity to reassess our environment and develop a holistic approach to protecting sensitive information across the organization, beyond cardholder data. This new mandate is an example of how the market is changing: Data Protection 1.0 technologies are no longer adequate for today’s enterprise organization. 1.0 is where many organizations are today, and where many companies are stuck; 2.0 is where the data protection market is headed. Let’s take a look at each one of these.
SafeNet’s Approach: Data-centric Protection
What’s changing: data-conscious rather than perimeter/network-centric security; proactive rather than passive protection.
Why it is happening: data was born to be free. Passive protection techniques that try to constrain data movement based on source/destination, or that offer only all-or-nothing protection, are not enough anymore.
What to do: a data-conscious security infrastructure that provides persistent data protection as data is created, used, stored, and moved.
What you gain: proactive data protection (protect once, comply many) and a protected infrastructure.
What to look at: a scalable and extensible infrastructure with an integrated policy, key, and identity management platform.
Data Centric Protection – Total Trust
With the loss of a traditional physical perimeter, a data-centric approach protects each information item with a cryptographic perimeter that encases the data. Using encryption as the data protection method enables a high level of trust and allows freer exchange of information: with each item individually isolated, there is no need to worry about any type of data loss. The key is central control, one place that holds all the controls for all the data in every type of environment. For true life-cycle management, and the control needed to “secure” the data, a consolidated location for control and management is essential.
The Solution – Data-centric Protection – Total Trust
Assured user authentication (separate access from the data)
Access control over the data (application fields, files, etc.)
Once-and-forever protection of the data (cryptographic controls)
Easy sharing with trusted parties (transparent technology)
Approaches to Data Centric Security: many customers will use one or more approaches to protecting their data.
Key Management Solution: What’s the cost of unmanageable key management?
"Key management is one of those 'gotcha' categories," says Jon Oltsik, analyst at Enterprise Strategy Group (ESG). "Encryption gets cheaper, you encrypt more stuff and key management becomes more important."
Key Management Solution: Reducing Enterprise Key Management Complexity
With so many different data types and devices to manage, it is no wonder organizations are baffled when it comes to key management. What is needed is one system that generates, backs up, activates, deactivates, rotates, guards against compromise, and destroys keys, providing secure, centralized key management with data-centric policy management and identity and access management, and resulting in control and visibility via logging, auditing, and reporting.
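The lifecycle the slide lists (generate, back up, activate, deactivate, rotate, guard against compromise, destroy, and log every step) is easier to reason about as a small state machine. The following is an added example written for this page, not SafeNet product code: a toy centralized key manager whose states are a simplified subset of the NIST SP 800-57 key-state model, with an append-only audit log and an inventory view answering the audit question of which application uses which key and where. The application names, locations, and the `demo()` scenario are constructed for illustration.

```python
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Allowed state transitions; a simplified subset of the NIST SP 800-57 key-state
# model (assumption for this example). Deactivated keys never become active again.
TRANSITIONS = {
    "pre-activation": {"active", "destroyed"},
    "active": {"deactivated", "compromised"},
    "deactivated": {"compromised", "destroyed"},
    "compromised": {"destroyed"},
    "destroyed": set(),
}


@dataclass
class ManagedKey:
    key_id: str
    name: str                        # logical key name; key_id = name.vN
    owner_app: str                   # application or network that uses the key
    location: str                    # where in the world the key is held
    expires: datetime
    version: int = 1
    state: str = "pre-activation"
    material: Optional[bytes] = None  # set to None (zeroised) on destroy


class KeyManager:
    """One system that generates, backs up, activates, deactivates, rotates,
    flags compromise, destroys, and records every step in an audit log."""

    def __init__(self, clock=None):
        self._keys = {}
        self._escrow = {}          # stand-in for an HSM-protected backup store
        self.audit_log = []        # append-only list of event dicts
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def _log(self, action, key_id, **detail):
        self.audit_log.append({"time": self._clock().isoformat(),
                               "action": action, "key_id": key_id, **detail})

    def _transition(self, key_id, new_state, reason):
        key = self._keys[key_id]
        if new_state not in TRANSITIONS[key.state]:
            self._log("transition-denied", key_id, frm=key.state, to=new_state)
            raise ValueError(f"{key_id}: {key.state} -> {new_state} not allowed")
        self._log("transition", key_id, frm=key.state, to=new_state, reason=reason)
        key.state = new_state

    def generate(self, name, owner_app, location, lifetime_days=365, version=1):
        key_id = f"{name}.v{version}"
        if key_id in self._keys:
            raise ValueError(f"{key_id} already exists")
        self._keys[key_id] = ManagedKey(
            key_id, name, owner_app, location,
            expires=self._clock() + timedelta(days=lifetime_days),
            version=version, material=os.urandom(32))  # 256-bit random key
        self._log("generate", key_id, app=owner_app, location=location)
        return key_id

    def backup(self, key_id):
        key = self._keys[key_id]
        if key.material is None:
            raise ValueError("nothing to back up")
        self._escrow[key_id] = key.material
        self._log("backup", key_id)

    def activate(self, key_id):
        self._transition(key_id, "active", "approved for use")

    def deactivate(self, key_id, reason="scheduled"):
        self._transition(key_id, "deactivated", reason)

    def mark_compromised(self, key_id, reason):
        self._transition(key_id, "compromised", reason)

    def destroy(self, key_id):
        self._transition(key_id, "destroyed", "end of life")
        self._keys[key_id].material = None   # zeroise; drop the escrow copy too
        self._escrow.pop(key_id, None)

    def rotate(self, key_id):
        """Issue an active successor and deactivate the current version."""
        old = self._keys[key_id]
        new_id = self.generate(old.name, old.owner_app, old.location,
                               version=old.version + 1)
        self.activate(new_id)
        self.deactivate(key_id, reason=f"rotated to {new_id}")
        self._log("rotate", key_id, successor=new_id)
        return new_id

    def key_for_use(self, key_id, requesting_app):
        """Release material only to the owning app, only while active and unexpired."""
        key = self._keys[key_id]
        ok = (key.state == "active" and key.expires > self._clock()
              and requesting_app == key.owner_app)
        self._log("use", key_id, app=requesting_app, granted=ok)
        if not ok:
            raise PermissionError(f"{key_id} not usable by {requesting_app}")
        return key.material

    def inventory(self):
        """Audit-prep view: which app uses which key, where, and in what state."""
        return [(k.key_id, k.owner_app, k.location, k.state) for k in self._keys.values()]


def demo():
    """Constructed lifecycle walk-through; returns the manager for inspection."""
    km = KeyManager()
    kid = km.generate("pan-db", owner_app="billing", location="eu-west-dc1")
    km.backup(kid)
    km.activate(kid)
    km.key_for_use(kid, "billing")            # granted while active
    new_kid = km.rotate(kid)                  # pan-db.v2 active, v1 deactivated
    for attempt in (lambda: km.key_for_use(kid, "billing"),   # old version refused
                    lambda: km.activate(kid)):                 # cannot re-activate
        try:
            attempt()
        except (PermissionError, ValueError):
            pass                              # both refusals are in the audit log
    km.mark_compromised(new_kid, "HSM tamper alarm")
    km.destroy(new_kid)
    return km
```

Every refusal is logged as well as every success, so the audit log answers "who asked for which key and was it granted" without any separate reporting layer; `inventory()` is the one-line answer to the slide's audit-prep question of where keys live and which application uses them.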
Benefits of Lifecycle Key Management
Reduced admin cost: fewer systems to manage means fewer IT staff are needed, or resources can move on to the next project, because fewer key managers control the multiple security points throughout the enterprise.
Easier proof of compliance: one system to prepare for the audit means you can be more thorough and will shorten your audit preparation time. It also makes it simpler for your QSA (Qualified Security Assessor) to review your files, since there are fewer key managers to look at, all with similar log files for data and reporting.
We believe one of the best things a top security officer can have is the flexibility to adapt to new situations without having to go to great lengths to acquire more technology. With a solid base that eases management, administration, and proof of compliance, they are well on their way to achieving compliance every time.