Presentation topic for Philippines SAP user group forum
Copyright 2013 FUJITSU LIMITED Data Management & Security “The Highly Overlooked yet Critical Part of your IT Operation” William Ho BCCE, BCCLA, CBCP, CCSK, CISA, CISM, CRISC, CITPM, MBCI, ITIL, VCP, TOGAF Regional Senior Consultant For Philippines uSAP forum – 22Feb

Upload: william-ho-

Post on 18-Jul-2015


TRANSCRIPT

Page 1: Presentation topic for Philippines SAP user group forum

Copyright 2013 FUJITSU LIMITED

Data Management & Security

“The Highly Overlooked yet Critical Part of your IT Operation”

William Ho

BCCE, BCCLA, CBCP, CCSK, CISA, CISM, CRISC, CITPM, MBCI, ITIL, VCP, TOGAF

Regional Senior Consultant

For Philippines uSAP forum – 22Feb

Page 2: Presentation topic for Philippines SAP user group forum

1. Data Management & Security - Situation

2. Data Security Life-Cycle

3. Shaping Tomorrow With You

4. Data Security – Examples and Application

5. Questions and Discussions

Mitigation Considerations

Page 3: Presentation topic for Philippines SAP user group forum

Data Management & Security

Introduction & Situation


Page 4: Presentation topic for Philippines SAP user group forum

Data management is an overarching term that refers to all aspects of creating, housing, delivering, maintaining and retiring data with the goal of valuing data as a corporate asset.

A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.

Data breaches may involve financial information such as credit card or bank details and/or personal information.

Page 5: Presentation topic for Philippines SAP user group forum

Your Data

– Unstructured data: File Systems (Office documents, PDF, Vision, Audio & other); Fax/Print Servers, File Servers
– Business Application Systems (SAP, PeopleSoft, Oracle Financials, In-house, CRM, eComm/eBiz, etc.): Application Server
– Structured data: Database Systems (SQL, Oracle, DB2, Informix, MySQL); Database Server
– Security & Other Systems (Event logs, Error logs, Cache, Encryption keys, & other secrets): Security Systems
– Data Communications, e.g. VoIP Systems, FTP/Dropbox Server, Email Servers
– Storage & Backup Systems, e.g. SAN/NAS, Backup Systems

Page 6: Presentation topic for Philippines SAP user group forum

Plenty of security implementations are in place:

– Firewalls, IPS, IDS, Proxies, Antivirus
– SmartCards and authentication devices
– Access control on your routers
– VPNs for secure communications…

Attackers are getting smarter, more knowledgeable, more resourceful and bolder.

– Anyone, anywhere can be a potential attacker
– Criminal activity becomes more profitable
– Cyber-terrorism, cyber-security, etc. are a real possibility…


Page 8: Presentation topic for Philippines SAP user group forum

[Diagram: Data Store A, Data Store B, Data Store C,D]

The consequences can be serious.

Data breach/loss incurs:

– legal fees
– disclosure expenses
– consulting fees
– remediation expenses
– credit monitoring expenses

Consequences:

– Legal/statutory/regulatory
– Reputation/image impact
– Loss of customers/business
– Credibility

Page 9: Presentation topic for Philippines SAP user group forum

– What data will be stored
– Where will it be stored
– What controls are in place
– Who is responsible for security
– Are there third party validations
– Process for removing data

Page 10: Presentation topic for Philippines SAP user group forum

Understanding Data Security Life-Cycle

Page 11: Presentation topic for Philippines SAP user group forum

Source: Security Guidance for Critical Areas of Focus in Cloud Computing V3.0, Information Management & Data Security

Page 12: Presentation topic for Philippines SAP user group forum

This phase may also be known as Create/Update because it applies to creating or changing a data/content element, not just a document or database. Creation is the generation of new digital content, or the alteration/updating of existing content.

Considerations (Examples)

– Ownership
– Classification
– Rights Management

Page 13: Presentation topic for Philippines SAP user group forum

Storing is the act of committing the digital data to some sort of storage repository, and typically occurs nearly simultaneously with creation.

Considerations (Examples)

– Access Controls
– Encryption
– Rights Management
– Isolation

Page 14: Presentation topic for Philippines SAP user group forum

[Chart: rmt/0- Utilization, 27/03/01 - 28/03/01; y-axis: Percentage (%); series: %wait, %busy]

Data is viewed, processed, or otherwise used in some sort of activity.

Considerations (Examples)

– Internal/External
– Third Parties
– Appropriateness
– Compliance

Page 15: Presentation topic for Philippines SAP user group forum

Data is exchanged between users, organisations, groups and individuals.

Considerations (Examples)

– Internal/External
– Third Parties
– Purposes
– Compliance
– Locations

[Diagram: Local Mirroring (RAID 1); Remote (Offsite) Replication; Server (Primary), Server (Replica)]

Page 16: Presentation topic for Philippines SAP user group forum

Data leaves active use and enters long-term storage.

Considerations (Examples)

– Legal/Law
– Sites/Locations
– Media type
– Retention
– Ownership

Page 17: Presentation topic for Philippines SAP user group forum

Data is permanently destroyed using physical or digital means (e.g., cryptoshredding).

Considerations (Examples)

– Secure
– Complete
– Assurance
– Proof
– Content Discovery

Page 18: Presentation topic for Philippines SAP user group forum


Shaping Tomorrow With You

Page 19: Presentation topic for Philippines SAP user group forum

SAP Cloud Certified

OnDemand, Elastic infrastructure consumption @ Enterprise Class Service Levels

Page 20: Presentation topic for Philippines SAP user group forum

– Network Solutions
– Storage & Backup
– Database & Oracle System
– Cloud & Virtualisation
– Cloud Consulting Services
– Private Cloud Solutions
– Virtual Client Computing
– Messaging & Collaboration
– UNIX SPARC Servers
– Oracle Exadata
– Database (Oracle/MSSQL)
– Database Security
– Infrastructure Consolidation Services
– Relocation & Migration Services
– Unified Storage
– Efficient Data Protection
– Network Consulting & Integration
– Unified Communications & Collaboration
– Application Prioritization
– Network Audit & Health Check
– Infrastructure Services & Solutions
– Industry Solutions
– Bed Management
– Operating Theatre Management
– Outpatient Management
– Telco Solutions
– RFID Solutions
– IT Management
– System/Network Management
– IT Service Management
– Security Analytic Platform
– BCDR & Risk Vulnerability Assessment
– Cloud Infrastructure Management Software
– PRIMERGY/PRIMEQUEST Servers
– Hadoop (HDFS) & SAP HANA Servers
– ETERNUS Storage Systems
– Biometric Solutions
– Scanners
– Printers
– Zero Clients & Thin Clients
– IT Consulting Services & Project Management
– Infrastructure & Industry Solutions
– Consulting and Strategic Planning, Architect and Design, Assessment, Project Management
– Fujitsu Products

Page 21: Presentation topic for Philippines SAP user group forum

Application Data Security

Examples


Page 22: Presentation topic for Philippines SAP user group forum

[Diagram]

– Contractor
– Customer (Agency A)
– Vendor (Authorised by A)
– Customer of A
– Central Services Portal (Catalogue)
– S3 Staff A access
– Agency A
– Staff A
– Resource pool: Servers, storage, networks, OS images
– Virtual Resources
– S6 Request
– S7 resources Allocate
– S9 resources Allocate
– S8 request
– Authentication / Authorisation Server
– S4. Vendor authentication / Authorisation

Page 23: Presentation topic for Philippines SAP user group forum

These are the templates that would be used for the case study:

– Data-Impact (useful for Data Classification)
– Data Security Lifecycle (useful for RACI)
