TRANSCRIPT
Data Protection: Securing Data In Motion, In Use, and In Storage
John Merryman, Services Director, GlassHouse Technologies
© 2001-2008 GlassHouse Technologies, Inc. This material may not be reprinted or redistributed without the express written consent of GlassHouse Technologies, Inc. Page 2
Introduction/Overview
Part 1: Enterprise Files & Data Leakage Risks
– Why the Risk is Real - Data Leakage Examples
– Critical Role of Data Files
– Emerging Technologies – Information Classification & Management
Part 2: Technology Trends for File Data & Risk Management
– Emerging Technologies – Data Loss Prevention
– Adapting Information Risk Management Frameworks
Conclusion
– Q & A
Part 1: Enterprise Files & Data Leakage Risks
About GlassHouse
GlassHouse Technologies is the leading independent consulting and services firm focused on transforming IT infrastructure.
Founded in 2001, Headquartered in Framingham, MA
Global Reach
– North America: Framingham, MA (Corporate HQ); Carlsbad, CA; Pleasanton, CA; Washington D.C.; Chicago, IL; Minneapolis, MN; Durham, N.C.; New York, NY; Dallas, TX
– EMEA: Weybridge, UK (EMEA HQ); Havant, UK; Raanana, Israel; Istanbul, Turkey
Over 450 people, worldwide
Over 1,000 clients in the financial services, insurance, healthcare, government, bio-pharmaceutical, life sciences and technology sectors
More than 50% of Fortune 100 companies
Recent acquisitions expanded our Data Center Services and introduced GlassHouse into the virtualization and database management space
Enterprise Files & Data Leakage Risks Why the Risk is Real
Government
– U.S. Department of Veterans Affairs: the personal information of 26.5 million veterans was stolen from an employee's home (a DBA had taken a copy of the database home)
– November 20, 2007. The personal information of 25 million Britons, including names, addresses, dates of birth, and details of employment and bank accounts, was lost by Revenue & Customs officials when CD-ROMs containing the highly sensitive data were sent between government departments via internal mail.
– July 20, 2007. A former U.S. Marine and FBI analyst was sentenced to 10 years in federal prison on espionage charges in connection with stealing classified national defense documents from the White House, the FBI, the Department of Defense, and the U.S. Department of State. Text messages, Web-based e-mail accounts and database queries were used to pull off the espionage.
Commercial
– In 2005, just before leaving DuPont to work for a competitor, a senior research scientist downloaded $400M worth of trade secrets from DuPont’s data library
– Deutsche Bank was pulled from the Hertz IPO after an inappropriate email was forwarded to around 175 institutional accounts, at an estimated cost of €10 million to the bank.
– September 22, 2007. After a business analyst at ABN Amro Mortgage in Florida signed up last year to use a popular peer-to-peer file-sharing network, she inadvertently exposed many documents from her work computer, including 5,200 unique Social Security numbers and mortgage information for thousands of people.
Black Market
– From 1989 to 1997, a Senior Research Engineer for Avery Dennison sold adhesive formulas to a Chinese competitor. Avery’s losses were estimated at $30M-$50M
– Stolen credit card details (including verification codes) can be purchased for between $1 and $6, while a whole identity, including bank account details, credit card, date of birth, and government-issued identity number, can be bought for a modest $14 to $18
Enterprise Files & Data Leakage Risks Examples of Risk Distribution
Enterprise Files & Data Leakage Risks Common Gap Areas
[Diagram; recoverable labels: Traditional Boundaries; Internal Conflicts; Stress Point Exploitations]
– Information is shared with partners and service providers
– Conflict of interest between internal groups (all or nothing)
– Limited control over information once accessed from the server
– Mobile users download sensitive data, use portable media, or go on the road
– Remote users access business and IT systems w/ broad information access
The Critical Role of Data Files – File Server Data Management – Perfect World
File management is organized
No capacity / availability issues
Appropriate groups / owners have access
Everything is compliant (information access, retention, security, etc.)
Document management is the final repository for critical files
Users can always find their data
Application data is segregated from user data
The Critical Role of Data Files – File Server Data Management – Reality
Files, Files, Everywhere (Servers, Desktops, Laptops, Removable Media, etc.)
File management is a mess
File Servers / NAS out of space
Too much access, but no idea how to rein it in
Document Management system is ignored
Explosive SharePoint growth
Web 2.0 an emerging alternative
Compliance, you’re kidding, right?
The Critical Role of Data Files – Corporate File Landscape – What you get
Emerging Technologies Data At Rest
Information Classification and Management – Vendor Functionality Matrix
* Based on ongoing market research
Information Classification and Management Common Traits
Centralized Enterprise management model
Federated Search / Reporting (global, across all instances)
Adaptable and scalable taxonomies and indexing rules
LDAP / Active Directory Integration*
Minimal invasiveness of technology (NFS, CIFS mounts)
Metadata repository (for most solutions)
Information Classification and Management Solution Architectures – Typical Example
Information Classification and Management Common Applications
Data Management
– Information Lifecycle Management (archive, tiering, purge)
– Data Management / Cleanup (purging junk, identify + move data, etc.)
Security
– Content identification, risk analysis, remediation (PII, PCI, etc.)
– High-Risk File Identification, Ownership Analysis, Remediation
– Classification / Tagging
Search
– Advanced Search (owner, content, proximity, metadata, etc.)
– Secure Hold
– Audit Reporting
Information Classification and Management The Classic ILM Vision – Issues
Vendor Lock-in issues
Limited technologies to accomplish automated data movement
File data is ideally on midrange storage
Price point b/w tiers is less and less compelling
Users expect fast retrievals
Cost Benefit vs. Level of Effort
What about purge?
Not advised for ‘the current hardware mess’
Information Classification and Management Classic ILM Vision – Technology Enablers
Network Attached Storage
– Built to suit #files and data growth
– Optimized file systems for file data
– Advanced copy and replication feature for data recovery
File Server Virtualization
– Global Name Space (this is the real home-run)
– Support for Storage Tiers
– Basic (very basic) policies for data movement (file age)
Information Classification and Management
– Advanced reporting and actions (copy, move, purge, stubbing, etc.)
Information Classification and Management File Data Management & ILM – Realized Today
Information Classification and Management What about Purge?
Initial Cleanup Opportunities
– Duplicate Data*
– Non-Business Files
– Junk Files
Data Retention and Purge Challenges
– Operational Risk (of not having data)
– Regulatory Risk (of not keeping data long enough)
– Legal Risk (either having too much or too little)
Before Delete, Rationalize
– File servers are not the ideal place to retain official business records, but that won’t stop users
– But until document/content management (or other) systems are institutionally embraced, it’s good to err on the side of caution and retain data to ‘the outer limit’
Information Classification and Management Data Management / ILM – Getting Started
Standardize technology platform (FS, NAS, Virtualization, etc.)
Start with file level analysis (lay of the land)
Exercise Pilot or Proof of Concept, including people and process aspects
– Develop use-cases for various data management opportunities (archive, purge, move, copy, etc.)
– Document results, indicating benefits of high-value activities
– Develop and communicate policies to support high-value activities
Deploy policies via routine data management operations
Encourage end users to actively participate
Information Classification and Management Data Security – Risk Profiles
High-Risk Data
– Executables Files (traditional threats, etc.)
– Payment Card Industry (PCI) Data
Visa, MasterCard, American Express
– Personal Identifiable Information
Full name (if not common)
National identification number
Telephone number
Street address
E-mail address
IP address (in some cases)
Vehicle registration plate number
Driver's license number
Face, fingerprints, or handwriting
Credit card numbers
Digital identity
– Gramm-Leach-Bliley Act (GLBA)
– EU Data Protection / Privacy Laws
High-Risk Practices
– No profile of users creating/using high risk information
– No idea where high-risk data is stored
– Group shares w/ high-risk data
– Granting too much access to group shares
– Nested group shares, and inherited permissions
– Lack of auditing for group share access
Information Classification and Management Executable Files – Reporting Example
Information Classification and Management Executable Files – Reporting Example
4 .exe files are of “unknown” type
– Admin owner
1 text license key
– Admin owner
6 HTML format
– 4 Admin owner
– 2 User owner
15 direct executable format
– 7 Admin owner
– 8 User owner
28 are classed as “other” being linked to the following:
– MS Word
– MS Works
– MS PowerPoint
– MS Outlook
– MS Excel
– MS Cab
– JPEG Interchange
– Self extract LZH
3 Adobe
– Admin owner
295 are 7-bit text .exe files
– 206 Admin owner
– 89 User owner
611 self-extracting .zip/.exe files
– 466 Admin owner
– 145 user owner
46 Windows icon files
– Admin owner
36 Google toolbars
16 Yahoo installers (3 server related)
122 game .exe files (many duplicated)
46 iTune .exe files (music)
Type                  0-30 days    31-60 days   61-180 days  >180 days
.exe-.dll             4920         45615        64           61
Self-ext. .zip/.exe   24           587          0            0
.exe Direct           15           0            0            0
Unknown               4            0            0            0
Win icon              46           0            0            0
HTML                  6            0            0            0
7-bit Text            2            294          0            0
Adobe                 1            2            0            0
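The reporting example above sorts files that carry a .exe name by what they actually contain (self-extracting archives, 7-bit text, HTML, PDF, unknown), by owner class and by age. As an added illustration, not from the presentation or from any vendor it names, here is a small Python script that produces the same kind of report over constructed scan results: each file is classified by its leading bytes rather than its name, bucketed into the same age columns, and tallied by owner class. The sample records, the bucket boundaries and the owner classes are assumptions.

```python
import string
from collections import defaultdict

# Age buckets as used by the reporting table on the slide.
BUCKETS = ("0-30 days", "31-60 days", "61-180 days", ">180 days")
PRINTABLE = set(string.printable.encode())


def age_bucket(age_days):
    """Map a file's age in days onto the report's four buckets."""
    if age_days <= 30:
        return BUCKETS[0]
    if age_days <= 60:
        return BUCKETS[1]
    if age_days <= 180:
        return BUCKETS[2]
    return BUCKETS[3]


def classify_exe(head):
    """Classify a file named *.exe by its leading bytes, not by its name.
    Categories mirror the slide: PE image, self-extracting archive (PE stub
    followed by zip data), PDF, HTML, plain 7-bit text, or unknown."""
    if head.startswith(b"MZ"):
        return "Self-ext. .zip/.exe" if b"PK\x03\x04" in head else ".exe Direct"
    if head.startswith(b"%PDF"):
        return "Adobe"
    if head.lstrip().lower().startswith((b"<html", b"<!doctype html")):
        return "HTML"
    if head and all(b in PRINTABLE for b in head):
        return "7-bit Text"
    return "Unknown"


def build_report(files):
    """files: iterable of (path, owner_class, age_days, head_bytes).
    Returns counts by type and age bucket, and counts by type and owner class."""
    by_age = defaultdict(lambda: dict.fromkeys(BUCKETS, 0))
    by_owner = defaultdict(lambda: defaultdict(int))
    for _path, owner, age_days, head in files:
        kind = classify_exe(head)
        by_age[kind][age_bucket(age_days)] += 1
        by_owner[kind][owner] += 1
    return by_age, by_owner


def render(by_age):
    """Render the type-by-age table as text in the layout used on the slide."""
    widths = (22, 13, 13, 13, 13)
    header = ("Type",) + BUCKETS
    lines = ["".join(str(c).ljust(w) for c, w in zip(header, widths))]
    for kind in sorted(by_age):
        row = (kind,) + tuple(by_age[kind][b] for b in BUCKETS)
        lines.append("".join(str(c).ljust(w) for c, w in zip(row, widths)))
    return "\n".join(lines)


# Constructed sample scan results (path, owner class, age in days, first bytes);
# these are not the output of any real tool.
PE_STUB = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE_FILES = [
    (r"\\fs01\share\setup.exe", "Admin", 5, PE_STUB),
    (r"\\fs01\share\patch.exe", "Admin", 45, PE_STUB),
    (r"\\fs01\users\bob\game.exe", "User", 400, PE_STUB),
    (r"\\fs01\users\alice\photos.exe", "User", 12, b"MZ\x90\x00stub" + b"PK\x03\x04" + b"\x00" * 40),
    (r"\\fs01\share\license.exe", "Admin", 200, b"LICENSE KEY: XXXX-XXXX\r\n"),
    (r"\\fs01\users\bob\readme.exe", "User", 3, b"<html><body>hi</body></html>"),
    (r"\\fs01\share\manual.exe", "Admin", 70, b"%PDF-1.4\n%\xe2\xe3\xcf\xd3"),
    (r"\\fs01\users\alice\blob.exe", "User", 1, b"\x7fELF\x02\x01\x01"),
]

if __name__ == "__main__":
    by_age, by_owner = build_report(SAMPLE_FILES)
    print(render(by_age))
    for kind, owners in sorted(by_owner.items()):
        print(kind, dict(owners))
```

The point of classifying by content is the one the slide makes: a file's extension says nothing about its risk, and a "text" .exe (a license key, a renamed web page) is a different remediation case from a real executable on a user share.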
Information Classification and Management Data Security - Reporting Example
Source: Kazeon
Information Classification and Management Data Security - Reporting Example
Source: Kazeon
Information Classification and Management Data Security – Technical Challenges
Volume and cost of metadata storage (often 5% of total volume)
Time to ‘deep crawl’ and index all data
Canned vs. Custom Rules or Taxonomies
Signal : Noise Ratios
False Positives, False Negatives, etc
Creating Meaningful and Actionable Output
Creating process / workflow to support remediation
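The risk profile earlier (PCI and PII data, group shares with too much access) and the technical challenges just listed (signal-to-noise, false positives, actionable output) meet in the content scan itself. The following Python example is added here and is not from the presentation or from Kazeon or any other vendor it names. It scans constructed file contents for card numbers and US-style SSNs, validates each candidate (Luhn check, SSA structural rules) so that order numbers and placeholder IDs are not reported, masks what it does report, and weights each location by whether the share is broadly accessible. The pattern set, the weights and the broad-access group names are assumptions.

```python
import re

# Constructed pattern set: 16-digit card numbers with optional separators and
# US-style SSNs (NNN-NN-NNNN). Adapt the national-ID pattern to your jurisdiction.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")

# Assumed scoring weights and "broad access" groups; tune to your environment.
WEIGHTS = {"PCI": 10, "PII": 5}
BROAD_GROUPS = {"Everyone", "Domain Users", "Authenticated Users"}
BROAD_MULTIPLIER = 3


def luhn_ok(digits):
    """Luhn check: the cheapest way to drop most 16-digit false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area, group, serial):
    """SSA structural rules: area 000, 666 and 9xx, group 00 and serial 0000 are never issued."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


def find_indicators(text):
    """Return (category, masked_value) per validated hit; raw values are never emitted."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(("PCI", digits[:6] + "*" * 6 + digits[-4:]))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            hits.append(("PII", "***-**-" + m.group(3)))
    return hits


def assess(files):
    """files: dicts with path, owner, acl (groups granted access) and text content.
    Returns a report sorted by risk score; broadly shared locations are weighted up."""
    report = []
    for f in files:
        hits = find_indicators(f["text"])
        score = sum(WEIGHTS[kind] for kind, _ in hits)
        broad = bool(BROAD_GROUPS & set(f["acl"]))
        if broad:
            score *= BROAD_MULTIPLIER
        report.append({"path": f["path"], "owner": f["owner"], "broad_access": broad,
                       "score": score, "hits": hits})
    return sorted(report, key=lambda r: r["score"], reverse=True)


# Constructed sample files; the card and SSN values are public test/specimen numbers.
SAMPLE_FILES = [
    {"path": r"\\fs01\finance\refunds.txt", "owner": "jsmith", "acl": ["Finance"],
     "text": "Refund to card 4111 1111 1111 1111, backup card 5500-0000-0000-0004."},
    {"path": r"\\fs01\public\hr-export.csv", "owner": "hradmin", "acl": ["Domain Users"],
     "text": "name,ssn\nJane Doe,078-05-1120\nJohn Roe,000-12-3456\n"},
    {"path": r"\\fs01\eng\build.log", "owner": "builder", "acl": ["Engineering"],
     "text": "artifact id 1234 5678 9012 3456 checksum ok; ticket 987-65-4320"},
]

if __name__ == "__main__":
    for row in assess(SAMPLE_FILES):
        print(row["score"], row["path"], row["owner"],
              "broad" if row["broad_access"] else "scoped", row["hits"])
```

The build log in the sample contains a 16-digit artifact id and a 9xx "ticket" number that a bare regex would report; both are dropped by validation, which is the signal-to-noise point above. The report ranks the broadly shared HR export above the more sensitive finance file only because access is wide open, which is what turns a finding into a remediation priority.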
Information Classification and Management Data Security – Getting Started Profile Risks
Create focus (data location, organization, data types)
Exercise Pilot or Proof of Concept, including people and process aspects
Collect content/metadata information
Quantify Risk (Data Types, Location, Owner)
Outline Remediation Steps and Activities
Execute Remediation Activities
Use results to drive policies
Deploy policies via routine remediation operations
Encourage end users to actively participate
Information Classification and Management E-Discovery Situation
Current State (Legal, Application / Service Teams, Infrastructure Teams)
– E-Discovery needs are driven by ad hoc processes and controls; external vendors are often leveraged to support discovery and analysis
– Discovery requests follow reactive and ad hoc processes, and often require re-work
– Discovery requests are often labor intensive due to the lack of process, organizational, and technology readiness
Future State (Legal, Application / Service Teams, Infrastructure Teams)
– Discovery requests and releases are presented in a consistent format, which is structured to bridge Legal and IT perspectives
– Standard processes map Discovery Requests and Hold Releases to Structured Data, Unstructured Data, and Messaging Data
– Organization, procedures, and technology base are oriented to support requests
Information Classification and Management E-Discovery – Why Should Infrastructure Care?
Outside Legal Counsel
– Supports Pre-Trial and Trial Proceedings
– Typically ‘external face’ for litigation affairs
– Typically subcontracts or delivers EDD services
In-House Legal Counsel
– Works with IT teams on legal hold, discovery, search initiatives
– Often has a dedicated ‘E-Discovery’ staff
– Rarely seen in court
– Budgets for legal costs and activities
IT
– IT budgets rarely reflect time / effort associated with E-Discovery and Legal Hold
– These are negative hits to cap/opex budgets
– Requests ‘Roll Downhill’
– Rarely seen in court…unless
Electronic Data Discovery Firms
– Use advanced search tools to do the heavy lifting
– Specialized legal / technical skills
[Diagram; flow arrows labelled “Data and Cash” and “Data”; cost figure shown: 1-3 Million / TB]
Information Classification and Management E-Discovery- Why Should Infrastructure Care?
Companies with gross revenues of $1 billion or more:
– Reported that their median number of pending cases was 86 (ca. 2004)
– By 2006, the number of lawsuits soared to 556 cases, with almost half facing 50 new suits annually
Recent updates to Federal Rules of Civil Procedure (FRCP) (12/2006)
Legal and compliance pressures to extend paper records retention practices to data retention and management are unprecedented
Source: www.fulbright.com/litigationfindings
Information Classification and Management Search – E-Discovery Example
Search Attributes
– Keyword Search
– Fielded Search
– Boolean Search
– Fuzzy Search
– Term Boosting
Give higher weight to certain terms.
– Proximity Search
Search for words within a specific distance.
– Range Searches.
Field values between the lower and upper bound
Source: Kazeon
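Each search attribute listed above corresponds to one operation over an index. The following Python example is added here (it is not Kazeon's code or the presentation's) and implements every attribute on the list over a constructed four-document corpus: keyword, fielded, Boolean, fuzzy (edit distance), term boosting, proximity and range search. The corpus, the field names and the one-edit fuzzy threshold are assumptions.

```python
from datetime import date

# Constructed sample corpus: file records with owner, modified date and body text.
DOCS = [
    {"id": 1, "owner": "alice", "modified": date(2007, 3, 2),
     "body": "merger agreement draft for project falcon"},
    {"id": 2, "owner": "bob", "modified": date(2007, 9, 15),
     "body": "falcon project budget spreadsheet and merger timeline"},
    {"id": 3, "owner": "alice", "modified": date(2008, 1, 10),
     "body": "holiday schedule for the team"},
    {"id": 4, "owner": "carol", "modified": date(2006, 11, 30),
     "body": "mergr memo: project falcon due diligence"},  # misspelling on purpose
]


def tokens(text):
    """Lower-case word tokens with surrounding punctuation stripped."""
    return [t.strip(".,:;") for t in text.lower().split()]


def keyword(term):
    """Keyword search: documents whose body contains the exact term."""
    return {d["id"] for d in DOCS if term in tokens(d["body"])}


def fielded(field, value):
    """Fielded search: match on a metadata field rather than on content."""
    return {d["id"] for d in DOCS if d[field] == value}


def boolean(must=(), should=(), must_not=()):
    """Boolean search: AND over must, OR over should, NOT over must_not."""
    ids = {d["id"] for d in DOCS}
    for t in must:
        ids &= keyword(t)
    if should:
        ids &= set().union(*(keyword(t) for t in should))
    for t in must_not:
        ids -= keyword(t)
    return ids


def edit_distance(a, b):
    """Levenshtein distance, the basis of the fuzzy match."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fuzzy(term, max_edits=1):
    """Fuzzy search: tolerate misspellings up to max_edits edits away."""
    return {d["id"] for d in DOCS
            if any(edit_distance(term, t) <= max_edits for t in tokens(d["body"]))}


def proximity(t1, t2, distance):
    """Proximity search: both terms present within `distance` word positions."""
    hits = set()
    for d in DOCS:
        toks = tokens(d["body"])
        p1 = [i for i, t in enumerate(toks) if t == t1]
        p2 = [i for i, t in enumerate(toks) if t == t2]
        if any(abs(a - b) <= distance for a in p1 for b in p2):
            hits.add(d["id"])
    return hits


def date_range(lower, upper):
    """Range search on a field: modified date between the bounds, inclusive."""
    return {d["id"] for d in DOCS if lower <= d["modified"] <= upper}


def boosted(weights):
    """Term boosting: rank documents by the summed weight of the boosted terms they contain."""
    scored = []
    for d in DOCS:
        toks = set(tokens(d["body"]))
        score = sum(w for term, w in weights.items() if term in toks)
        if score:
            scored.append((d["id"], score))
    return sorted(scored, key=lambda s: (-s[1], s[0]))
```

For a legal hold the difference between keyword and fuzzy search matters in practice: the fourth document, with "mergr" misspelled, is missed by an exact keyword search and only recovered by the fuzzy variant, which is the kind of gap that forces re-work later.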
Information Classification and Management Search – Technical Challenges
Identifying relevant users/data locations (enterprise, desktop, remote, etc.)
Volume and cost of metadata storage AND storing search results
Bridging legal expertise w/ technology search (interface, search language, output mgmt, etc.)
Securing search results (maintaining the “golden copy”)
Information Classification and Management Search – Getting Started
Talk to legal and compliance
Review existing legal hold / discovery practices
Identify gaps and inefficiencies
– Lack of tools, inefficient methods
– Emailing ‘hold notifications’
– Cost of data discovery services
– Lack of secure storage
Exercise Pilot or Proof of Concept
– Actively engage w/ legal staff
– Identify focus (Data Types, Location, Owner)
– Conduct search
– Document results (quantity of data, time to obtain, etc.)
Update routine search / discovery operations
Part 2: Technology Trends for File Data & Risk Management
– Emerging Technologies – Data Loss Prevention
– Adapting Information Risk Management Frameworks
– Trend Spotting
Conclusion
– Q & A
Data Loss Prevention Data in Motion
Data Loss Prevention – Solution Architectures – Typical Network Layer Solution
[Network diagram; recoverable labels: Internet; Mobile Workers / Branch Offices (Branch Offices, Wireless Users, Remote Users, Mobile Clients); Gateway; DMZ (Web farm, portals, mail); Corporate Network (Servers, Network, Client); Datacenter (Unix Servers, Windows Servers, Linux Servers); DLP and SGS component markers; legend: Data at Rest, Data in Motion, Data in Use]
Data Loss Prevention – Solution Architectures – Typical Integrated Solution
– Client-Server Software Architecture
– Client software modules for desktop, laptop, other end-point devices
– Integration w/ LDAP & Active Directory
– Policy Language / Console
– Reporting, auditing, and forensics
[Diagram labels: Information Use Policies; Audit Data; Enterprise Application Server; Active Directory / LDAP]
Data Loss Prevention – Host vs. Network Based
Host Based
– End-user is involved
– AD / LDAP integration and functions, identity based management
– Flexibility / customization capabilities
– Think Layer 7 and above
Network Based
– Commonly deployed, but not for enforcement
– Passive monitoring, rarely enforcement
– Easy to deploy, relatively static configurations
– Enforcement capability is often all or nothing
– Think Layer 7 and down
Data Loss Prevention – A Look at Emerging Technologies
* Based on ongoing market research
Data Loss Prevention – Common Traits
Centralized Enterprise management model
Federated Monitoring and Reporting (global, across all instances)
Adaptable and scalable policies
LDAP / Active Directory Integration*
Agent Based Software (Desktop, Laptop, Mobile Devices)
Auditing, Reporting, Logging
Workflow and automation*
Data Loss Prevention Technology Scope
End Point Devices
– Thumb drives
– flash drives
– Pen drives
– Memory sticks
– USB drives
– BlackBerrys
– Digital cameras
– iPods
Services
– File servers
– Instant messenger
– Web portals
– Blog / Wiki
– Printing
– SharePoint servers
– Custom dev.
Scenarios
– Enterprise systems
– LAN connected desktops
– WAN connected Laptops
– VPN
– Citrix
– Remote Desktops
– Mobile devices / users
Data Loss Prevention Common Applications
End Point Data Protection
– Limiting flow of information via externally facing services
– Limiting use / mis-use of removable media devices
Confidentiality & Segregation of Duties
– Limiting information flow between competing groups
– Segregating information access and use by group or role
– ‘Business Firewalls’
IP Protection
– Limiting risk of IP leakage via trading partners and service providers
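A ‘business firewall’ between competing groups, end-point media controls, and an exception process that is "not a black/white world" (as the Getting Started slide later puts it) can all be expressed in one small policy engine. The Python example below is added here and is not the presentation's or any vendor's code. Rules are evaluated in order with three verdicts (deny; audit, meaning allow but log; allow), conflict-of-interest group pairs are checked before the rules, and an approved, time-limited waiver turns a deny into an audited allow instead of silently disabling the control. Group names, classifications, the rule set and the waiver record are assumptions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset          # the user's groups, as resolved from AD / LDAP
    classification: str        # document tag: Public / Internal / Confidential / Restricted
    owner_group: str           # business unit that owns the document
    action: str                # copy / email / print / upload
    destination: str           # usb / internal-mail / external-mail / web / printer


@dataclass(frozen=True)
class Rule:
    name: str
    verdict: str                           # "deny", "audit" (allow but log) or "allow"
    classifications: frozenset = frozenset()   # empty set means "any"
    destinations: frozenset = frozenset()

    def matches(self, req):
        return ((not self.classifications or req.classification in self.classifications)
                and (not self.destinations or req.destination in self.destinations))


@dataclass(frozen=True)
class Waiver:
    """An approved exception: who, which rule, the approval reference, and when it lapses."""
    user: str
    rule: str
    ticket: str
    expires: date


# Assumed conflict-of-interest pairs ("business firewall" between competing groups).
CONFLICT_PAIRS = {frozenset({"MergersAcquisitions", "Trading"}),
                  frozenset({"Research", "Sales"})}

# Assumed rule set, evaluated top to bottom; first match wins.
RULES = [
    Rule("restricted-to-removable-media", "deny", frozenset({"Restricted"}), frozenset({"usb"})),
    Rule("confidential-leaves-company", "deny", frozenset({"Confidential", "Restricted"}),
         frozenset({"external-mail", "web"})),
    Rule("confidential-to-removable-media", "audit", frozenset({"Confidential"}), frozenset({"usb"})),
    Rule("default", "allow"),
]


class PolicyEngine:
    def __init__(self, rules, waivers):
        self.rules = rules
        self.waivers = waivers
        self.audit_log = []   # every non-"allow" decision is recorded here

    def _conflict(self, req):
        """Return the user's group that conflicts with the document owner, if any."""
        for g in req.groups:
            if frozenset({g, req.owner_group}) in CONFLICT_PAIRS:
                return g
        return None

    def _waiver_for(self, req, rule_name, today):
        for w in self.waivers:
            if w.user == req.user and w.rule == rule_name and w.expires >= today:
                return w
        return None

    def evaluate(self, req, today):
        """Return (verdict, rule_name) for the request and record it when not a plain allow."""
        if self._conflict(req):
            rule_name, verdict = "business-firewall", "deny"
        else:
            rule = next(r for r in self.rules if r.matches(req))
            rule_name, verdict = rule.name, rule.verdict
        waiver = self._waiver_for(req, rule_name, today) if verdict == "deny" else None
        if waiver:
            verdict = "audit"   # a waiver never removes logging, only the block
        if verdict != "allow":
            self.audit_log.append((req.user, req.action, req.destination, req.classification,
                                   rule_name, verdict, waiver.ticket if waiver else None))
        return verdict, rule_name


# Constructed waivers and requests for the demonstration.
WAIVERS = [Waiver("alice", "restricted-to-removable-media", "CHG-0042", date(2008, 3, 31))]


def demo():
    engine = PolicyEngine(RULES, WAIVERS)
    today = date(2008, 2, 1)
    results = [
        engine.evaluate(Request("tom", frozenset({"Trading"}), "Internal", "MergersAcquisitions", "copy", "internal-mail"), today),
        engine.evaluate(Request("bob", frozenset({"Research"}), "Restricted", "Research", "copy", "usb"), today),
        engine.evaluate(Request("alice", frozenset({"Research"}), "Restricted", "Research", "copy", "usb"), today),
        engine.evaluate(Request("alice", frozenset({"Research"}), "Restricted", "Research", "copy", "usb"), date(2008, 4, 1)),
        engine.evaluate(Request("bob", frozenset({"Research"}), "Confidential", "Research", "copy", "usb"), today),
        engine.evaluate(Request("bob", frozenset({"Research"}), "Internal", "Research", "email", "internal-mail"), today),
    ]
    return results, engine.audit_log


if __name__ == "__main__":
    for r in demo()[0]:
        print(r)
```

The "audit" verdict is what keeps a policy from becoming the ‘lock down’ the Overall Challenges slide warns about: Confidential data going to removable media is logged and reported rather than blocked, while Restricted data is blocked unless a named, expiring waiver exists.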
Data Loss Prevention Policies – End Point Example
Source: NextLabs
Data Loss Prevention – Document Classification / Tagging Example
Source: NextLabs
Data Loss Prevention – Data Movement Controls – Example
Source: NextLabs
Data Loss Prevention – Email Content Inspection – Example
Source: Orchestria
Data Loss Prevention – Web Posting – Example
Source: Orchestria
Data Loss Prevention – Audit / Reporting – Example
Source: Orchestria
Data Loss Prevention Overall Challenges
Identifying and deploying appropriate staff / resources
Reaching agreement on policies across disparate groups (risk, security, network, infrastructure, etc.)
Overly aggressive policies, resulting in ‘lock down’
Potential performance impact to end-users
– Open files / scanning content
– Agent bloat
– Deployment
Workflow management
Adapting Information Risk Management Traditional IRM vs. An Evolving Enterprise
Risk Management Demands
• Operational Integrity
• Regulatory Compliance
• Protect Critical Information
• Customer & Employee Privacy
Extended Enterprise Demands
• Collaboration w/ Customers & Suppliers
• Mobile and Telecommuting Employees
• Contract, 3rd Party, & Outsource Staff
• Multinational Organization Structures
[Diagram labels: Business Efficiency; Information Control; Manual Policies & Procedures; Technology Silos; Acceptance of Risk]
Adapting Information Risk Management – Getting Started – Remember the Fundamentals
Profile Risks
– Are risks significant?
– Key groups / personnel
Super users, administrators, stand-alone, etc.
– High risk data types
Email, personal info (HR), etc.
– Create focus (data location, organization, data types)
Exercise Pilot or Proof of Concept, including people and process aspects
– Quantify Risk (Data Types, Location, Owner)
– Outline Remediation Steps and Activities
– Use results to drive policies
Measured / controlled deployment
– Phased deployment plan
– Execute simple policies first (e.g. lock down USB ports)
– Develop exception management process (not a black/white world)
– Refine institutional knowledge and practices as you go
Encourage end users to actively participate
Adapting Information Risk Management Traditional Information Risk Management
Risk & Security Policies
Governance Frameworks
– CobIT
– COSO
– ISO 17799, etc.
Technology Controls
– Web Application (Hardening, Web Filtering, etc.)
– Content Filtering (Anti-Virus, Anti-Spam, Email Filtering, etc.)
– Access (Authentication, RSA, etc.)
– Barriers (Switch/Router hardening, Firewall, VPN, IDS, etc.)
– OS Hardening (Patching, Monitoring, Standards, etc.)
Organization
– Structure, Process Controls, Training
– Adherence to policies and procedures
Adapting Information Risk Management Traditional Information Risk Management
[Diagram labels: Business Efficiency; Information Control]
Adapting Information Risk Management – Getting Started – Program Approach
Adapting Information Risk Management – Getting Started – High Level Planning
[Timeline chart spanning Q1 08 – Q4 08; workstreams and durations as labelled:]
– RFP Process
– Bill of Materials
– Pricing Negotiations
– HW/SW Procurement (4 wks)
– Test Environment Build / POC / Knowledge Transfer (8-12 wks)
– Design & Deployment Planning (4-5 wks)
– Phase 1 Deployment (Pilot Groups) (4-6 wks)
– Phase 2 Deployment (High Risk Client Groups) (8-12 wks)
– Phase 3 Deployment (Enterprise) (8-12 wks)
– Ongoing Risk Management Operations, followed by Expanded Risk Management Operations
– Risk Reporting & Monitoring (ongoing)
Trend Spotting Notable Industry Events
Email archiving relatively mature and widely deployed
Kazeon partners with NetApp and Google
Zantaz buys data classification partner Singlecast (12/06)
Autonomy buys Zantaz (2007)
Microsoft buys FAST (2007)
EMC integrating Infoscape and Tablus as DLP solution (RSA group)
Symantec acquires Vontu (DLP)
IBM and Symantec both driving major Information Risk Management Initiatives
Trend Spotting And coming soon…
Continued market momentum around DLP
Continued ICM/DLP acquisitions by major vendors
Emerging DLP vendors are partnering with ICM technology vendors
Network DLP players acquiring or building host/identity based DLP
Resulting in…
– Advanced analytical ‘data mining’ type capabilities
– Solutions to address data in flight and data at rest
– Powerful audit, monitoring, and reporting capabilities
– Integrated workflow management
Adapting Information Risk Management – Getting Started – Know your End-Goals
Cost Issues
– Manual deployment of policies and procedures to control data is extremely expensive
– Audits are expensive and time consuming
Risk Issues
– Regulatory risks associated with data loss and confidentiality are mounting
– Operational and Reputation risks are significant
Quality of Service Issues
– Users are unaware of policies and risks
– Access controls (i.e. ALL-OR-NOTHING) hampering employee productivity
Cost Goals
– Quickly and efficiently respond to audits
– Replace manual procedures with cost-efficient technology automation
Risk Goals
– Eliminate regulatory and operational risks
– Real-time risk identification through monitoring and reporting
Quality of Service Goals
– Automated policy management controls
– Real-time notification and education
– ‘User Friendly’ standards associated with data placement, data transfer, and data access control
Thank You!
Additional Questions?