Data Protection: Securing Data In Motion, In Use, and In Storage
John Merryman, Services Director, GlassHouse Technologies

Posted on 11-Jan-2016

Page 1: Data Protection: Securing Data In Motion, In Use, and In Storage John Merryman Services Director, GlassHouse Technologies

Data Protection: Securing Data In Motion, In Use, and In Storage

John Merryman, Services Director, GlassHouse Technologies

Page 2

© 2001-2008 GlassHouse Technologies, Inc. This material may not be reprinted or redistributed without the express written consent of GlassHouse Technologies, Inc. Page 2

Introduction/Overview

Part 1: Enterprise Files & Data Leakage Risks

– Why the Risk is Real - Data Leakage Examples

– Critical Role of Data Files

– Emerging Technologies – Information Classification & Management

Part 2: Technology Trends for File Data & Risk Management

– Emerging Technologies – Data Loss Prevention

– Adapting Information Risk Management Frameworks

Conclusion

– Q & A

Page 3

Part 1: Enterprise Files & Data Leakage Risks

Page 4

About GlassHouse

GlassHouse Technologies is the leading independent consulting and services firm focused on transforming IT infrastructure.

Founded in 2001; headquartered in Framingham, MA

Global Reach

– North America: Framingham, MA (Corporate HQ); Carlsbad, CA; Pleasanton, CA; Washington D.C.; Chicago, IL; Minneapolis, MN; Durham, N.C.; New York, NY; Dallas, TX

– EMEA: Weybridge, UK (EMEA HQ); Havant, UK; Raanana, Israel; Istanbul, Turkey

Over 450 people, worldwide

Over 1,000 clients in the financial services, insurance, healthcare, government, bio-pharmaceutical, life sciences and technology sectors

More than 50% of Fortune 100 companies

Recent acquisitions expanded our Data Center Services and introduced GlassHouse into the virtualization and database management space

Page 5

Enterprise Files & Data Leakage Risks – Why the Risk is Real

Government

– U.S. Department of Veterans Affairs: the personal information of 26.5 million veterans was stolen from an employee's home (a DBA had taken a copy of the database home)

– November 20, 2007. The personal information of 25 million Britons, including names, addresses, dates of birth, and details of employment and bank accounts, was lost by Revenue & Customs officials when CD-ROMs containing the highly sensitive data were sent between government departments via internal mail.

– July 20, 2007. A former U.S. Marine and FBI analyst was sentenced to 10 years in federal prison on espionage charges in connection with stealing classified national defense documents from the White House, the FBI, the Department of Defense, and the U.S. Department of State. Text messages, Web-based e-mail accounts and database queries were used to pull off the espionage.

Commercial

– In 2005, just before leaving DuPont to work for a competitor, a senior research scientist downloaded $400M worth of trade secrets from DuPont's data library

– Deutsche Bank was pulled from the Hertz IPO after an inappropriate email was forwarded to around 175 institutional accounts - at an estimated cost of €10 million to the bank.

– September 22, 2007. After a business analyst at ABN Amro Mortgage in Florida signed up last year to use a popular peer-to-peer file-sharing network, she inadvertently exposed many documents from her work computer, including 5,200 unique Social Security numbers and mortgage information for thousands of people.

Black Market

– From 1989 to 1997, a senior research engineer for Avery Dennison sold adhesive formulas to a Chinese competitor. Avery's losses were estimated at $30M-$50M

– Stolen credit card details (including verification codes) can be purchased for between $1 and $6, while a whole identity, including bank account details, credit card, date-of-birth, and government-issued identity number, can be bought for a modest $14 to $18

Page 6

Enterprise Files & Data Leakage Risks – Examples of Risk Distribution

Page 7

Enterprise Files & Data Leakage Risks – Common Gap Areas

(Diagram; its three regions are labelled Internal Conflicts, Traditional Boundaries, and Stress Point Exploitations. The callouts read:)

Information is shared with partners and service providers

Conflict of interest between internal groups (all or nothing)

Limited control over information once accessed from the server

Mobile users download sensitive data, use portable media, or go on the road

Remote users access business and IT systems with broad information access

Page 8

The Critical Role of Data Files – File Server Data Management – Perfect World

File management is organized

No capacity / availability issues

Appropriate groups / owners have access

Everything is compliant (information access, retention, security, etc.)

Document management is the final repository for critical files

Users can always find their data

Application data is segregated from user data

Page 9

The Critical Role of Data Files – File Server Data Management – Reality

Files, Files, Everywhere (Servers, Desktops, Laptops, Removable Media, etc.)

File management is a mess

File Servers / NAS out of space

Too much access, but no idea how to rein it in

Document Management system is ignored

Explosive SharePoint growth

Web 2.0 an emerging alternative

Compliance, you’re kidding right?

Page 10

The Critical Role of Data Files – Corporate File Landscape – What you get

Page 11

Emerging Technologies – Data At Rest

Page 12

Information Classification and Management – Vendor Functionality Matrix

* Based on ongoing market research

Page 13

Information Classification and Management – Common Traits

Centralized Enterprise management model

Federated Search / Reporting (global, across all instances)

Adaptable and scalable taxonomies and indexing rules

LDAP / Active Directory Integration*

Minimal invasiveness of technology (NFS, CIFS mounts)

Metadata repository (for most solutions)

Page 14

Information Classification and Management – Solution Architectures – Typical Example

Page 15

Information Classification and Management – Common Applications

Data Management

– Information Lifecycle Management (archive, tiering, purge)

– Data Management / Cleanup (purging junk, identify + move data, etc.)

Security

– Content identification, risk analysis, remediation (PII, PCI, etc.)

– High-Risk File Identification, Ownership Analysis, Remediation

– Classification / Tagging

Search

– Advanced Search (owner, content, proximity, metadata, etc.)

– Secure Hold

– Audit Reporting

Page 16

Information Classification and Management – The Classic ILM Vision – Issues

Vendor lock-in issues

Limited technologies to accomplish automated data movement

File data is ideally on midrange storage

Price point between tiers is less and less compelling

Users expect fast retrievals

Cost benefit vs. level of effort

What about purge?

Not advised for ‘the current hardware mess’

Page 17

Information Classification and Management – Classic ILM Vision – Technology Enablers

Network Attached Storage

– Built to suit the number of files and data growth

– Optimized file systems for file data

– Advanced copy and replication feature for data recovery

File Server Virtualization

– Global Name Space (this is the real home-run)

– Support for Storage Tiers

– Basic (very basic) policies for data movement (file age)

Information Classification and Management

– Advanced reporting and actions (copy, move, purge, stubbing, etc.)

Page 18

Information Classification and Management – File Data Management & ILM – Realized Today

Page 19

Information Classification and Management – What about Purge?

Initial Cleanup Opportunities

– Duplicate Data*

– Non-Business Files

– Junk Files

Data Retention and Purge Challenges

– Operational Risk (of not having data)

– Regulatory Risk (of not keeping data long enough)

– Legal Risk (either having too much or too little)

Before Delete, Rationalize

– File servers are not the ideal place to retain official business records, but that won’t stop users

– But until document/content management (or other) systems are institutionally embraced, it’s good to err on the side of caution and retain data to ‘the outer limit’

Page 20

Information Classification and Management – Data Management / ILM – Getting Started

Standardize technology platform (FS, NAS, Virtualization, etc.)

Start with file level analysis (lay of the land)

Exercise Pilot or Proof of Concept, including people and process aspects

– Develop use-cases for various data management opportunities (archive, purge, move, copy, etc.)

– Document results, indicating benefits of high-value activities

– Develop and communicate policies to support high-value activities

Deploy policies via routine data management operations

Encourage end users to actively participate

Page 21

Information Classification and Management – Data Security – Risk Profiles

High-Risk Data

– Executable Files (traditional threats, etc.)

– Payment Card Industry (PCI) Data

Visa, MasterCard, American Express

– Personally Identifiable Information

Full name (if not common)

National identification number

Telephone number

Street address

E-mail address

IP address (in some cases)

Vehicle registration plate number

Driver's license number

Face, fingerprints, or handwriting

Credit card numbers

Digital identity

– Gramm-Leach-Bliley Act (GLBA)

– EU Data Protection / Privacy Laws

High-Risk Practices

– No profile of users creating/using high risk information

– No idea where high-risk data is stored

– Group shares w/ high-risk data

– Granting too much access to group shares

– Nested group shares, and inherited permissions

– Lack of auditing for group share access
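The nested-group and inheritance problems listed under High-Risk Practices can be audited mechanically. The following Python script is an added illustration, not GlassHouse's or any vendor's tool: it expands nested group membership, resolves inherited ACLs up the share tree, and flags any location where a classification scan found high-risk data but more than a handful of distinct users (or ‘Everyone’) can reach it. The directory, share tree and hit counts are constructed sample data.

```python
"""Effective-access audit for group shares: nested groups, inherited
permissions, and over-broad access to locations holding high-risk data.
Added illustration; GROUPS, SHARES and HIGH_RISK_HITS are constructed."""
from collections import deque

# Constructed directory: group -> members (user names or nested group names).
GROUPS = {
    "Domain Users": {"alice", "bob", "carol", "dave", "erin", "frank"},
    "Finance": {"alice", "bob", "Finance-Contractors"},
    "Finance-Contractors": {"erin"},
    "HR": {"carol", "dave"},
    "IT-Admins": {"frank"},
    "Everyone": {"Domain Users", "guest"},
}

# Constructed share tree: path -> ACL (principal -> permission), or None when
# the folder inherits the ACL of its parent.
SHARES = {
    r"\\fs1\finance": {"Finance": "modify", "IT-Admins": "full"},
    r"\\fs1\finance\payroll": None,   # inherits: whoever reads \finance reads payroll
    r"\\fs1\public": {"Everyone": "read"},
    r"\\fs1\public\exports": None,
}

# Constructed classification results: path -> number of PCI/PII hits found there.
HIGH_RISK_HITS = {r"\\fs1\finance\payroll": 412, r"\\fs1\public\exports": 37}


def expand_group(name, groups=GROUPS):
    """Users reachable through nested membership. 'seen' guards against
    circular nesting, which real directories do contain."""
    users, seen, queue = set(), {name}, deque([name])
    while queue:
        for member in groups.get(queue.popleft(), set()):
            if member in groups:
                if member not in seen:
                    seen.add(member)
                    queue.append(member)
            else:
                users.add(member)
    return users


def effective_acl(path, shares=SHARES):
    """Walk up the tree until an explicit ACL is found (permission inheritance)."""
    current = path
    while current in shares:
        if shares[current] is not None:
            return shares[current]
        parent = current.rsplit("\\", 1)[0]
        if parent == current:
            break
        current = parent
    return {}


def effective_users(path, shares=SHARES, groups=GROUPS):
    """Principal -> the users who actually end up with access."""
    return {principal: (expand_group(principal, groups) if principal in groups else {principal})
            for principal in effective_acl(path, shares)}


def audit(shares=SHARES, groups=GROUPS, hits=HIGH_RISK_HITS, max_users=3):
    """Flag high-risk locations exposed to 'Everyone' or to more distinct
    users than the data owner would expect."""
    findings = []
    for path, count in hits.items():
        who = effective_users(path, shares, groups)
        reach = set().union(*who.values()) if who else set()
        if "Everyone" in who or len(reach) > max_users:
            findings.append({"path": path, "hits": count,
                             "via": sorted(who), "users": sorted(reach)})
    return findings


if __name__ == "__main__":
    for f in audit():
        print(f"{f['path']}: {f['hits']} high-risk hits reachable by "
              f"{len(f['users'])} users via {f['via']}")
```

The payroll folder carries no ACL of its own, so the contractor who reaches it through Finance-Contractors never appears on the folder's permissions tab; expanding the nested group is what surfaces that exposure.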

Page 22

Information Classification and Management – Executable Files – Reporting Example

Page 23

Information Classification and Management – Executable Files – Reporting Example

4 .exe files are of “unknown” type

– Admin owner

1 text license key

– Admin owner

6 HTML format

– 4 Admin owner

– 2 User owner

15 direct executable format

– 7 Admin owner

– 8 User owner

28 are classed as “other” being linked to the following:

– MS Word

– MS Works

– MS PowerPoint

– MS Outlook

– MS Excel

– MS Cab

– JPEG Interchange

– Self extract LZH

3 Adobe

– Admin owner

295 are 7-bit text .exe files

– 206 Admin owner

– 89 User owner

611 self-extracting .zip/.exe files

– 466 Admin owner

– 145 User owner

46 Windows icon files

– Admin owner

36 Google toolbars

16 Yahoo installers (3 server related)

122 game .exe files (many duplicated)

46 iTunes .exe files (music)

Type                  0-30 days   31-60 days   61-180 days   >180 days
.exe-.dll             4920        45615        64            61
Self-ext. .zip/.exe   24          587          0             0
.exe Direct           15          0            0             0
Unknown               4           0            0             0
Win icon              46          0            0             0
HTML                  6           0            0             0
7-bit Text            2           294          0             0
Adobe                 1           2            0             0
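The report above is interesting because the file extension and the actual content disagree: ‘.exe’ files that are really HTML, 7-bit text, icons or self-extracting archives. The following Python script is an added illustration of how such an inventory is produced; it is not the tool behind the slide. It classifies files with executable extensions by their leading bytes (magic numbers) rather than by name, buckets them by age using the same bands as the table, and lists the name/content mismatches. The sample files are constructed in a temporary directory.

```python
"""Inventory of files with executable extensions, classified by content
(magic bytes) rather than by name and bucketed by age.
Added illustration; build_sample_tree() creates constructed files."""
import os
import tempfile
import time
from collections import Counter

EXEC_EXTENSIONS = {".exe", ".dll"}
AGE_BUCKETS = [("0-30 days", 30), ("31-60 days", 60), ("61-180 days", 180), (">180 days", None)]


def classify(head: bytes) -> str:
    """Guess the content type from the first bytes of a file."""
    if head.startswith(b"MZ"):
        return "Windows executable (.exe/.dll)"
    if head.startswith(b"PK\x03\x04"):
        return "Self-extracting .zip/.exe"
    if head.startswith(b"%PDF"):
        return "Adobe"
    if head[:4] == b"\x00\x00\x01\x00":          # ICO header: reserved 0, type 1
        return "Win icon"
    lowered = head.lstrip().lower()
    if lowered.startswith(b"<!doctype html") or lowered.startswith(b"<html"):
        return "HTML"
    if head and b"\x00" not in head and all(b < 0x80 for b in head):
        return "7-bit Text"
    return "Unknown"


def age_bucket(mtime: float, now: float) -> str:
    days = (now - mtime) / 86400
    for label, limit in AGE_BUCKETS:
        if limit is None or days <= limit:
            return label
    return AGE_BUCKETS[-1][0]


def inventory(root: str, now=None):
    """Walk root and return (Counter[(content_type, age_bucket)],
    list of (path, content_type) where the content is not a real executable)."""
    now = time.time() if now is None else now
    counts, mismatches = Counter(), []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in EXEC_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                kind = classify(fh.read(512))
            counts[(kind, age_bucket(os.path.getmtime(path), now))] += 1
            if not kind.startswith("Windows executable"):
                mismatches.append((path, kind))
    return counts, mismatches


def build_sample_tree() -> str:
    """Constructed sample data: names say .exe/.dll, bytes say otherwise."""
    root = tempfile.mkdtemp(prefix="exe_inventory_")
    now = time.time()
    samples = [  # (name, content, age in days)
        ("setup.exe", b"MZ\x90\x00" + b"\x00" * 60, 5),
        ("helper.dll", b"MZ\x90\x00" + b"\x00" * 60, 200),
        ("package.exe", b"PK\x03\x04" + b"\x00" * 20, 45),
        ("readme.exe", b"This is a plain text license key\n", 10),
        ("page.exe", b"<html><body>hi</body></html>", 100),
        ("app.ico.exe", b"\x00\x00\x01\x00\x01\x00", 1),
        ("notes.txt", b"not counted: wrong extension", 1),
    ]
    for name, content, age_days in samples:
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(content)
        stamp = now - age_days * 86400
        os.utime(path, (stamp, stamp))
    return root


if __name__ == "__main__":
    counts, mismatches = inventory(build_sample_tree())
    for (kind, bucket), n in sorted(counts.items()):
        print(f"{kind:32} {bucket:12} {n}")
    print("name/content mismatches:", len(mismatches))
```

Reading 512 bytes per file keeps the scan cheap even on a large NAS; the interesting output is the mismatch list, since a ‘7-bit text’ file named .exe is far more likely a stray license key or script than a program.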

Page 24

Information Classification and Management – Data Security – Reporting Example

Source: Kazeon

Page 25

Information Classification and Management – Data Security – Reporting Example

Source: Kazeon

Page 26

Information Classification and Management – Data Security – Technical Challenges

Volume and cost of metadata storage (often 5% of total volume)

Time to ‘deep crawl’ and index all data

Canned vs. Custom Rules or Taxonomies

Signal : Noise Ratios

False Positives, False Negatives, etc.

Creating Meaningful and Actionable Output

Creating process / workflow to support remediation
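The signal-to-noise challenge is concrete in PCI and PII detection: a bare regex for ‘16 digits’ flags every order number and invoice ID on the file server. The Python script below is an added illustration (not the Kazeon reporting shown on the previous slides) of the validation steps that cut those false positives: a Luhn checksum on candidate card numbers, structural rules for SSN-shaped identifiers, and masking so that the findings report does not itself become a leak. The documents scanned are constructed samples, and the card numbers are the widely published test values that pass the Luhn check.

```python
"""Content identification for high-risk data (PCI card numbers, SSN-shaped
identifiers, e-mail addresses) with false-positive filtering and masking.
Added illustration; SAMPLE_FILES is constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass

CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")  # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


@dataclass
class Finding:
    path: str
    owner: str
    kind: str
    sample: str  # masked; the findings report must not itself become a leak


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; a random 16-digit order number fails it 9 times out of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_digits(value: str) -> str:
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(value: str) -> str:
    local, domain = value.split("@", 1)
    return local[0] + "***@" + domain


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Area 000/666/9xx, group 00 and serial 0000 are never issued."""
    return (area not in {"000", "666"} and not area.startswith("9")
            and group != "00" and serial != "0000")


def scan_text(text: str):
    """Return (kind, masked_sample) pairs found in one piece of text."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(("PCI", mask_digits(digits)))
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            found.append(("PII-SSN", mask_digits(m.group())))
    for m in EMAIL_RE.finditer(text):
        found.append(("PII-email", mask_email(m.group())))
    return found


# Constructed documents: one real hit set, one false positive, one mixed.
SAMPLE_FILES = [
    {"path": r"\\fs1\finance\cards.txt", "owner": "alice",
     "text": "Customer 4111 1111 1111 1111 exp 09/10; backup card 5500-0000-0000-0004"},
    {"path": r"\\fs1\public\orders.txt", "owner": "bob",
     "text": "Order ref 1234567890123456 shipped; contact bob@example.com"},
    {"path": r"\\fs1\hr\new_hires.txt", "owner": "carol",
     "text": "SSN 123-45-6789 on file; placeholder 000-12-3456 is not a real SSN"},
]


def scan_files(files=SAMPLE_FILES):
    return [Finding(f["path"], f["owner"], kind, sample)
            for f in files for kind, sample in scan_text(f["text"])]


def summarize(findings):
    """Owner -> {kind: count}: the ownership view that remediation needs."""
    by_owner = defaultdict(lambda: defaultdict(int))
    for f in findings:
        by_owner[f.owner][f.kind] += 1
    return {owner: dict(kinds) for owner, kinds in by_owner.items()}


if __name__ == "__main__":
    for f in scan_files():
        print(f"{f.owner:6} {f.kind:10} {f.sample:20} {f.path}")
    print(summarize(scan_files()))
```

The order reference in the second document matches the card pattern but fails the Luhn check, so it never reaches the report; about one random digit string in ten will still pass, which is why a real deployment adds context rules (nearby words such as ‘card’ or ‘exp’, file location, owner) before a hit becomes an actionable finding.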

Page 27

Information Classification and Management – Data Security – Getting Started

Profile Risks

Create focus (data location, organization, data types)

Exercise Pilot or Proof of Concept, including people and process aspects

Collect content/metadata information

Quantify Risk (Data Types, Location, Owner)

Outline Remediation Steps and Activities

Execute Remediation Activities

Use results to drive policies

Deploy policies via routine remediation operations

Encourage end users to actively participate

Page 28

Information Classification and Management – E-Discovery Situation

Current State (Legal, Application / Service Teams, Infrastructure Teams)

– E-Discovery needs are driven by ad hoc processes and controls; external vendors are often leveraged to support discovery and analysis

– Discovery requests are reactive, follow ad hoc processes, and often require re-work

– Discovery requests are often labor intensive due to the lack of process, organizational, and technology readiness

Future State (Legal, Application / Service Teams, Infrastructure Teams)

– Discovery requests and releases are presented in a consistent format, structured to bridge Legal and IT perspectives

– Standard processes map discovery requests and hold releases to structured data, unstructured data, and messaging data

– Organization, procedures, and technology base are oriented to support requests

Page 29

Information Classification and Management – E-Discovery – Why Should Infrastructure Care?

Outside Legal Counsel

– Supports pre-trial and trial proceedings

– Typically ‘external face’ for litigation affairs

– Typically subcontracts or delivers EDD services

In-House Legal Counsel

– Works with IT teams on legal hold, discovery, search initiatives

– Often has a dedicated ‘E-Discovery’ staff

– Rarely seen in court

– Budgets for legal costs and activities

IT

– IT budgets rarely reflect time / effort associated with E-Discovery and Legal Hold

– These are negative hits to cap/opex budgets

– Requests ‘roll downhill’

– Rarely seen in court…unless

Electronic Data Discovery Firms

– Use advanced search tools to do the heavy lifting

– Specialized legal / technical skills

(The diagram’s flows between these parties are labelled “Data and Cash”, “Data”, and “1-3 Million / TB”.)

Page 30

Information Classification and Management – E-Discovery – Why Should Infrastructure Care?

Companies with gross revenues of $1 billion or more:

– Reported that their median number of pending cases was 86 (ca. 2004)

– By 2006, the number of lawsuits soared to 556 cases, with almost half facing 50 new suits annually

Recent updates to Federal Rules of Civil Procedure (FRCP) (12/2006)

Legal and compliance pressures to extend paper records retention practices to data retention and management are unprecedented

Source: www.fulbright.com/litigationfindings

Page 31

Information Classification and Management – Search – E-Discovery Example

Search Attributes

– Keyword Search

– Fielded Search

– Boolean Search

– Fuzzy Search

– Term Boosting

Give higher weight to certain terms.

– Proximity Search

Search for words within a specific distance.

– Range Searches

Field values between the lower and upper bound

Source: Kazeon
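Each search attribute above maps to a small operation over a positional index. The Python class below is an added illustration of those operations, not Kazeon's engine: keyword and fielded lookups, boolean combination as set algebra, fuzzy matching by edit distance, term boosting in the scoring, proximity via token positions, and range queries over a date field. The three custodian/date/body records are constructed.

```python
"""Positional index demonstrating e-discovery search attributes.
Added illustration, not Kazeon's engine; DOCS is constructed."""
import re
from collections import defaultdict

# Constructed custodian / date / body records.
DOCS = {
    1: {"custodian": "alice", "date": "2007-03-14",
        "body": "Merger discussion: the acquisition price was revised after the audit."},
    2: {"custodian": "bob", "date": "2007-06-02",
        "body": "Lunch menu and parking notice. No merger news today."},
    3: {"custodian": "alice", "date": "2008-01-20",
        "body": "Audit findings attached; price of the acquisition still under merger review."},
}


def tokenize(text):
    return re.findall(r"[a-z0-9]+", text.lower())


def edit_distance(a, b):
    """Levenshtein distance, used for fuzzy matching against the vocabulary."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class Index:
    def __init__(self, docs=DOCS):
        self.docs = docs
        # term -> doc id -> list of token positions
        self.postings = defaultdict(lambda: defaultdict(list))
        for doc_id, doc in docs.items():
            for pos, term in enumerate(tokenize(doc["body"])):
                self.postings[term][doc_id].append(pos)

    def keyword(self, term):
        """Keyword search: every document containing the term."""
        return set(self.postings.get(term.lower(), {}))

    def fielded(self, field, value):
        """Fielded search on metadata such as the custodian."""
        return {d for d, doc in self.docs.items() if doc.get(field) == value}

    def range(self, field, lower, upper):
        """Range search: field value between the bounds (ISO dates sort as strings)."""
        return {d for d, doc in self.docs.items() if lower <= doc[field] <= upper}

    def fuzzy(self, term, max_edits=1):
        """Fuzzy search: any vocabulary term within max_edits of the query."""
        term = term.lower()
        hits = set()
        for vocab in self.postings:
            if edit_distance(term, vocab) <= max_edits:
                hits |= self.keyword(vocab)
        return hits

    def proximity(self, first, second, distance):
        """Proximity search: both terms within 'distance' tokens of each other."""
        a = self.postings.get(first.lower(), {})
        b = self.postings.get(second.lower(), {})
        return {d for d in a.keys() & b.keys()
                if any(abs(p - q) <= distance for p in a[d] for q in b[d])}

    def boosted(self, weights):
        """Term boosting: score = sum(term frequency * boost), best first."""
        scores = defaultdict(float)
        for term, boost in weights.items():
            for d, positions in self.postings.get(term.lower(), {}).items():
                scores[d] += len(positions) * boost
        return sorted(scores, key=lambda d: (-scores[d], d))


if __name__ == "__main__":
    idx = Index()
    # Boolean search is set algebra over the individual result sets.
    print("merger AND audit NOT custodian=bob:",
          (idx.keyword("merger") & idx.keyword("audit")) - idx.fielded("custodian", "bob"))
    print("acquisition NEAR/1 price:", idx.proximity("acquisition", "price", 1))
    print("dated in 2007:", idx.range("date", "2007-01-01", "2007-12-31"))
```

Boolean search needs no code of its own once the other operations return sets: AND is intersection, OR is union, NOT is difference. The boosting call shows why weighting matters to legal reviewers; raising one term's weight reorders the same three hits.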

Page 32

Information Classification and Management – Search – Technical Challenges

Identifying relevant users/data locations (enterprise, desktop, remote, etc.)

Volume and cost of metadata storage AND storing search results

Bridging legal expertise w/ technology search (interface, search language, output mgmt, etc.)

Securing search results (maintaining the “golden copy”)

Page 33

Information Classification and Management – Search – Getting Started

Talk to legal and compliance

Review existing legal hold / discovery practices

Identify gaps and inefficiencies

– Lack of tools, inefficient methods

– Emailing ‘hold notifications’

– Cost of data discovery services

– Lack of secure storage

Exercise Pilot or Proof of Concept

– Actively engage w/ legal staff

– Identify focus (Data Types, Location, Owner)

– Conduct search

– Document results (quantity of data, time to obtain, etc.)

Update routine search / discovery operations

Page 34

Part 2: Technology Trends for File Data & Risk Management

– Emerging Technologies – Data Loss Prevention

– Adapting Information Risk Management Frameworks

– Trend Spotting

Conclusion

– Q & A

Page 35

Data Loss Prevention – Data in Motion

Page 36

Data Loss Prevention – Solution Architectures – Typical Network Layer Solution

(Network diagram. Components shown: Mobile Workers / Branch Offices; Datacenter; Gateway; Corporate Network with Servers, Network and Client zones; DMZ with web farm, portals and mail servers; Unix, Windows and Linux servers; Internet; Branch Offices; Wireless Users; Remote Users; Mobile Clients. DLP and SGS elements are placed at several points along these paths, and the three coverage areas are marked as Data at Rest, Data in Motion, and Data in Use.)

Page 37

Data Loss Prevention – Solution Architectures – Typical Integrated Solution

– Client-Server Software Architecture

– Client software modules for desktop, laptop, other end-point devices

– Integration w/ LDAP & Active Directory

– Policy Language / Console

– Reporting, auditing, and forensics

(Diagram components: Information Use Policies; Audit Data; Enterprise Application Server; Active Directory / LDAP.)

Page 38

Data Loss Prevention – Host vs. Network Based

Host Based

– End-user is involved

– AD / LDAP integration and functions, identity based management

– Flexibility / customization capabilities

– Think Layer 7 and above

Network Based

– Commonly deployed, but not for enforcement

– Passive monitoring, rarely enforcement

– Easy to deploy, relatively static configurations

– Enforcement capability is often all or nothing

– Think Layer 7 and down

Page 39

Data Loss Prevention – A Look at Emerging Technologies

* Based on ongoing market research

Page 40

Data Loss Prevention – Common Traits

Centralized Enterprise management model

Federated Monitoring and Reporting (global, across all instances)

Adaptable and scalable policies

LDAP / Active Directory Integration*

Agent Based Software (Desktop, Laptop, Mobile Devices)

Auditing, Reporting, Logging

Workflow and automation*

Page 41

Data Loss Prevention – Technology Scope

End Point Devices

– Thumb drives

– Flash drives

– Pen drives

– Memory sticks

– USB drives

– BlackBerrys

– Digital cameras

– iPods

Services

– File servers

– Email

– Instant messenger

– Web portals

– Blog / Wiki

– Printing

– SharePoint servers

– Custom dev.

Scenarios

– Enterprise systems

– LAN connected desktops

– WAN connected Laptops

– VPN

– Citrix

– Remote Desktops

– Mobile devices / users

Page 42

Data Loss Prevention – Common Applications

End Point Data Protection

– Limiting flow of information via externally facing services

– Limiting use / mis-use of removable media devices

Confidentiality & Segregation of Duties

– Limiting information flow between competing groups

– Segregating information access and use by group or role

– ‘Business Firewalls’

IP Protection

– Limiting risk of IP leakage via trading partners and service providers
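Each of the three application areas above reduces to a policy decision on a data-movement event: who is acting, what classification the document carries, which channel it is leaving by, and where it is going. The Python script below is an added illustration of such a decision point, written in the spirit of the policy consoles described on the following slides but not in NextLabs' or Orchestria's policy language; the groups, classification tags, approved-partner list and rules are all constructed. The ‘business wall’ rule implements segregation of duties between competing groups, the removable-media rule the end-point case, and the partner rules the IP-protection case; every decision is written to an audit log.

```python
"""Rule-based DLP decision point: end-point control, segregation of duties
('business firewall') and IP protection toward trading partners.
Added illustration; walls, partners, tags and rules are constructed."""
from dataclasses import dataclass


@dataclass
class Request:
    user: str
    groups: set              # groups the acting user belongs to
    channel: str             # "usb", "print", "email-internal", "email-external", "share"
    classification: str      # "public", "internal", "confidential", "restricted-ip"
    owner_group: str         # group that owns the document being moved
    recipient_domain: str = ""


# Groups that must not exchange information with each other (constructed).
BUSINESS_WALLS = [{"MnA-Advisory", "Equity-Research"}]
# External domains cleared to receive restricted IP (constructed).
APPROVED_PARTNERS = {"partner-a.example"}


def crosses_wall(req: Request) -> bool:
    """True when the user sits on the far side of a wall from the data owner."""
    return any(req.owner_group in wall and bool(req.groups & (wall - {req.owner_group}))
               for wall in BUSINESS_WALLS)


# (rule name, predicate, decision). First matching rule wins, so the wall and
# the specific blocks come first and the broad allow for public data sits below.
RULES = [
    ("business-wall", crosses_wall, "block"),
    ("public-data", lambda r: r.classification == "public", "allow"),
    ("removable-media", lambda r: r.channel == "usb", "block"),
    ("ip-to-unapproved-external",
     lambda r: r.classification == "restricted-ip"
     and r.channel in {"email-external", "share"}
     and r.recipient_domain not in APPROVED_PARTNERS, "block"),
    ("ip-to-approved-partner",
     lambda r: r.classification == "restricted-ip"
     and r.recipient_domain in APPROVED_PARTNERS, "audit"),
    ("confidential-external",
     lambda r: r.classification == "confidential" and r.channel == "email-external", "audit"),
    ("sensitive-print",
     lambda r: r.channel == "print"
     and r.classification in {"confidential", "restricted-ip"}, "audit"),
]
DEFAULT_DECISION = "allow"


def decide(req: Request, rules=RULES, log=None):
    """Return (decision, rule name); every decision is appended to the audit log.
    'audit' means allow the action but record it for review."""
    log = [] if log is None else log
    for name, predicate, decision in rules:
        if predicate(req):
            break
    else:
        name, decision = "default", DEFAULT_DECISION
    log.append({"user": req.user, "channel": req.channel, "class": req.classification,
                "rule": name, "decision": decision})
    return decision, name


if __name__ == "__main__":
    log = []
    events = [
        Request("bob", {"Equity-Research"}, "email-internal", "confidential", "MnA-Advisory"),
        Request("alice", {"Finance"}, "usb", "confidential", "Finance"),
        Request("carol", {"Engineering"}, "email-external", "restricted-ip", "Engineering", "mail.example"),
        Request("carol", {"Engineering"}, "email-external", "restricted-ip", "Engineering", "partner-a.example"),
        Request("dave", {"Marketing"}, "email-external", "public", "Marketing", "press.example"),
    ]
    for ev in events:
        print(ev.user, ev.channel, ev.classification, "->", decide(ev, log=log))
    print(len(log), "audit records")
```

Rule order is the whole design: the wall is checked before the public-data allow because a competing group must not receive even a ‘public’ draft from the other side, and the audit decisions exist so that the policy can start in monitoring mode and be tightened once the false-positive rate is known, which is the ‘lock down’ failure mode the Overall Challenges slide warns about.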

Page 43

Data Loss Prevention – Policies – End Point Example

Source: NextLabs

Page 44

Data Loss Prevention – Document Classification / Tagging Example

Source: NextLabs

Page 45

Data Loss Prevention – Data Movement Controls – Example

Source: NextLabs

Page 46

Data Loss Prevention – Email Content Inspection – Example

Source: Orchestria

Page 47

Data Loss Prevention – Web Posting – Example

Source: Orchestria


Data Loss Prevention – Audit / Reporting – Example

Source: Orchestria
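The six example slides above are vendor screenshots that do not survive extraction. What follows is an added example written for this page, not NextLabs or Orchestria code, that puts the pieces those screens illustrate into one small working policy engine: content is classified and tagged (card numbers, SSNs, a project codename), a data movement control decides whether a message may leave by email, USB or web post, an approved exception route is enforced as "encrypt" rather than "block", a pilot-style "monitor" mode logs instead of enforcing, and every decision produces an audit record. All detector patterns, the example.com mail domain, the finance-to-acquirer exception, the Project Orion codename and the sample movements are assumptions or constructed data.

```python
"""Added example: a miniature DLP policy engine (classification/tagging, movement control,
content inspection, audit record).  Illustrative code written for this page, not any
vendor's product.  Every pattern, domain, role and sample message below is an assumption."""
import hashlib
import re
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# --- detectors: assumed definition of 'sensitive' for a hypothetical organisation ---
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")          # candidate PAN, separators allowed
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")             # US SSN shape
CODENAME_RE = re.compile(r"\bPROJECT[- ]ORION\b", re.I)   # hypothetical IP codename

INTERNAL_DOMAINS = {"example.com"}                        # assumption: the org's mail domains
# Exception process: (role, channel, destination) routes approved outside the default rule.
EXCEPTIONS = {("finance", "email", "acquirer.example.net")}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text: str) -> List[str]:
    """Return Luhn-valid 13-16 digit numbers found in text, separators stripped."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            found.append(digits)
    return found


def classify(text: str) -> Tuple[str, List[str]]:
    """Tag content with a label and the reasons that drove it (the tagging step)."""
    reasons = []
    if find_cards(text):
        reasons.append("payment-card")
    if SSN_RE.search(text):
        reasons.append("ssn")
    if CODENAME_RE.search(text):
        reasons.append("project-orion")
    return ("Confidential", reasons) if reasons else ("Internal", reasons)


def decide(label: str, role: str, channel: str, destination: str, mode: str) -> str:
    """Movement control.  channel is 'email', 'usb' or 'web'; destination is an e-mail
    address, a device id or a URL host.  mode 'monitor' logs instead of blocking, which
    is how a pilot phase runs before enforcement is switched on."""
    if label != "Confidential":
        return "allow"
    dest_domain = destination.split("@")[-1]
    if channel == "email" and dest_domain in INTERNAL_DOMAINS:
        return "allow"                                    # confidential data staying inside
    if (role, channel, dest_domain) in EXCEPTIONS:
        return "encrypt"                                  # approved route, encryption enforced
    return "block" if mode == "enforce" else "monitor"


def inspect_movement(actor: str, role: str, channel: str, destination: str, text: str,
                     mode: str = "enforce") -> Dict[str, object]:
    """Run one movement through classify -> decide and return the audit record.
    The record carries a content fingerprint, never the content, so the audit trail
    does not become a second copy of the data it exists to protect."""
    label, reasons = classify(text)
    action = decide(label, role, channel, destination, mode)
    return {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "actor": actor, "role": role, "channel": channel, "destination": destination,
        "label": label, "reasons": reasons, "action": action,
        "fingerprint": hashlib.sha256(text.encode()).hexdigest()[:16],
    }


# Constructed sample movements (not real data).
SAMPLES = [
    ("alice", "analyst", "email", "partner@outside.example",
     "Q3 refund for card 4111 1111 1111 1111, please process"),
    ("bob", "finance", "email", "billing@acquirer.example.net",
     "Chargeback on 4111-1111-1111-1111"),
    ("carol", "hr", "email", "payroll@example.com", "New hire SSN 123-45-6789"),
    ("dave", "engineer", "usb", "usb-serial-0001", "Project-Orion design notes v3"),
    ("erin", "sales", "web", "pastebin.example", "Ticket 1234 5678 9012 3456 is open"),
    ("frank", "sales", "email", "friend@outside.example", "Lunch on Friday?"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        rec = inspect_movement(*sample)
        print(f"{rec['actor']:6} {rec['channel']:5} {rec['label']:12} "
              f"{rec['action']:8} {rec['reasons']}")
```

Two design points are worth noting. Erin's ticket number has the shape of a card number but fails the Luhn check, so it is not tagged; a pattern-only detector would block that web post and is exactly the "overly aggressive policies" failure the next slide lists. Carol's message is tagged Confidential but allowed because it stays inside the mail domain; the audit record still carries the label, which is what monitoring and reporting consume even when nothing is blocked.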


Data Loss Prevention – Overall Challenges

Identifying and deploying appropriate staff / resources

Reaching agreement on policies across disparate groups (risk, security, network, infrastructure, etc.)

Overly aggressive policies, resulting in ‘lock down’

Potential performance impact on end-users

– Open files / scanning content

– Agent bloat

– Deployment

Workflow management


Adapting Information Risk Management – Traditional IRM vs. an Evolving Enterprise

Risk Management Demands

• Operational Integrity

• Regulatory Compliance

• Protect Critical Information

• Customer & Employee Privacy

Extended Enterprise Demands

• Collaboration w/ Customers & Suppliers

• Mobile and Telecommuting Employees

• Contract, 3rd Party, & Outsource Staff

• Multinational Organization Structures

(Diagram axis: Business Efficiency vs. Information Control)

Manual Policies & Procedures / Technology Silos

Acceptance of Risk


Adapting Information Risk Management – Getting Started – Remember the Fundamentals

Profile Risks

– Are risks significant?

– Key groups / personnel (super users, administrators, stand-alone systems, etc.)

– High-risk data types (email, personal info (HR), etc.)

– Create focus (data location, organization, data types)

Exercise a Pilot or Proof of Concept, including people and process aspects

– Quantify Risk (Data Types, Location, Owner)

– Outline Remediation Steps and Activities

– Use results to drive policies

Measured / controlled deployment

– Phased deployment plan

– Execute simple policies first (e.g., lock down USB ports)

– Develop an exception management process (not a black/white world)

– Refine institutional knowledge and practices as you go

Encourage end users to actively participate


Adapting Information Risk Management – Traditional Information Risk Management

Risk & Security Policies

Governance Frameworks

– CobIT

– COSO

– ISO 17799, etc.

Technology Controls

– Web Application (Hardening, Web Filtering, etc.)

– Content Filtering (Anti-Virus, Anti-Spam, Email Filtering, etc.)

– Access (Authentication, RSA, etc.)

– Barriers (Switch/Router hardening, Firewall, VPN, IDS, etc.)

– OS Hardening (Patching, Monitoring, Standards, etc.)

Organization

– Structure, Process Controls, Training

– Adherence to policies and procedures


Adapting Information Risk Management – Traditional Information Risk Management

(Diagram axis: Business Efficiency vs. Information Control)


Adapting Information Risk Management – Getting Started – Program Approach


Adapting Information Risk Management – Getting Started – High Level Planning

(Gantt chart spanning Q1 08 – Q4 08; tracks shown, with the durations given on the chart:)

– RFP Process

– Bill of Materials

– Pricing Negotiations

– HW/SW Procurement (4 wks)

– Test Environment Build / POC / Knowledge Transfer (8-12 wks)

– Design & Deployment Planning (4-5 wks)

– Phase 1 Deployment (Pilot Groups) (4-6 wks)

– Phase 2 Deployment (High Risk Client Groups) (8-12 wks)

– Phase 3 Deployment (Enterprise) (8-12 wks)

– Ongoing Risk Management Operations, growing into Expanded Risk Management Operations

– Risk Reporting & Monitoring (ongoing)

Milestones A, B, C and D are marked on the chart; their positions are not recoverable from the text.


Trend Spotting – Notable Industry Events

– Email archiving relatively mature and widely deployed

– Kazeon partners with NetApp and Google

– Zantaz buys data classification partner Singlecast (12/06)

– Autonomy buys Zantaz (2007)

– Microsoft buys FAST (announced 1/08)

– EMC integrating Infoscape and Tablus as a DLP solution (RSA group)

– Symantec acquires Vontu (DLP)

– IBM and Symantec both driving major Information Risk Management initiatives


Trend Spotting – And coming soon…

– Continued market momentum around DLP

– Continued ICM/DLP acquisitions by major vendors

– Emerging DLP vendors are partnering with ICM technology vendors

– Network DLP players acquiring or building host/identity-based DLP

Resulting in…

– Advanced analytical ‘data mining’ type capabilities

– Solutions to address data in flight and data at rest

– Powerful audit, monitoring, and reporting capabilities

– Integrated workflow management


Adapting Information Risk Management – Getting Started – Know your End-Goals

Cost Issues

– Manual deployment of policies and procedures to control data is extremely expensive

– Audits are expensive and time consuming

Risk Issues

– Regulatory risks associated with data loss and confidentiality are mounting

– Operational and reputation risks are significant

Quality of Service Issues

– Users are unaware of policies and risks

– Access controls (i.e., all-or-nothing) hampering employee productivity

Cost Goals

– Quickly and efficiently respond to audits

– Replace manual procedures with cost-efficient technology automation

Risk Goals

– Reduce regulatory and operational risks

– Real-time risk identification through monitoring and reporting

Quality of Service Goals

– Automated policy management controls

– Real-time notification and education

– ‘User Friendly’ standards associated with data placement, data transfer, and data access control


Thank You!

Additional Questions?

[email protected]