Data Governance: Risks and Possible Strategies for Their Protection - Aiea.it

Transcription

Data governance: risks and possible strategies for their protection
Antonio Ricci, Identity and Information Protection Technical Specialist

Agenda
1. Data Security Landscape
2. Strong Authentication
3. Data Loss Prevention
4. Encryption
5. Summary

Data Security Landscape

IT Must Evolve to Meet New Demands
System centric -> Information centric
- Transactional apps -> Collaborative apps and social media
- Structured data -> Unstructured data
- Centralized information -> Distributed information
- Perimeter-based security -> People are the new perimeter
- On-premise infrastructure -> Virtual infrastructure and cloud

Information is everywhere

Threats
- Well-meaning insider
- Malicious insider
- External threat
Source: Norton Cybercrime Index

Cost of Data Breach (cost components)
- Lost business
- Ex-post response
- Notification
- Detection

Cost of Data Breach
Ponemon study sponsored by Symantec: 2012 Cost of Data Breach

How to protect information
- Encryption
- Data loss prevention
- Strong authentication

Strong Authentication: secure data access

User Authentication is Often a Weak Security Link
Vulnerabilities
- User carelessness or ignorance: shoulder surfing, social engineering, guessing weak passwords
- Hacking and cracking: brute force, dictionary attacks, man in the middle, malware
Vulnerability work-arounds
- Password rules (except when it's not): mandatory length and special characters, forced frequent change and a limit on allowed failures (note that current NIST SP 800-63B guidance recommends against forced periodic rotation unless there is evidence of compromise; length and a lockout or throttling policy matter more)
- Password protection techniques: Kerberos in Windows, Unix/Linux password hashing. A stored hash only resists the dictionary and brute-force attacks above if it is salted per user and deliberately slow (bcrypt, scrypt, Argon2 or PBKDF2 with a high iteration count); an unsalted fast hash such as plain MD5 or SHA-1 is cracked offline in seconds once the hash database leaks.
An interesting story: npassword-hacker/all/
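The difference between a crackable and a resistant password store, as an added example (not code from the original deck): an unsalted MD5 digest falls to a tiny wordlist instantly, while a per-user salt plus PBKDF2-HMAC-SHA256 from the Python standard library and a constant-time comparison make the same attack cost a full key derivation per guess per user. The wordlist, passwords and storage format (`pbkdf2_sha256$iterations$salt$digest`) are constructed for this demo.

```python
"""Weak vs. hardened password storage (added example, standard library only)."""
import hashlib
import hmac
import os

# Constructed stand-in for a real cracking wordlist (e.g. a leaked-password list).
WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2012", "welcome1"]

# OWASP (2023) recommends 600,000 iterations for PBKDF2-HMAC-SHA256.
ITERATIONS = 600_000


# --- Weak scheme: unsalted, single-round MD5 (what the slide warns against) ---
def weak_hash(password: str) -> str:
    """Fast, unsalted digest: identical passwords give identical hashes."""
    return hashlib.md5(password.encode()).hexdigest()


def dictionary_attack(digest: str, wordlist=WORDLIST):
    """Recover the password behind an unsalted fast hash: one cheap hash per guess,
    and the same precomputed table serves every user in the database."""
    for candidate in wordlist:
        if weak_hash(candidate) == digest:
            return candidate
    return None


# --- Hardened scheme: random per-user salt + iterated PBKDF2-HMAC-SHA256 ---
def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm, cost, salt and digest (hex)."""
    salt = os.urandom(16)  # fresh random salt: same password -> different record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and cost, then compare in constant time so the
    comparison does not leak how many leading bytes matched."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def dictionary_attack_pbkdf2(stored: str, wordlist=WORDLIST):
    """Same attack against the hardened record: each guess now costs a full
    derivation, and the per-user salt rules out shared precomputed tables."""
    for candidate in wordlist:
        if verify_password(candidate, stored):
            return candidate
    return None


if __name__ == "__main__":
    leaked = weak_hash("Summer2012")
    print("unsalted MD5 cracked:", dictionary_attack(leaked))
    record = hash_password("Summer2012")
    print("stored record:", record)
    print("login with right password:", verify_password("Summer2012", record))
    print("login with wrong password:", verify_password("summer2012", record))
```

The cost parameter lives inside the stored record, so iterations can be raised later and old records re-hashed on the user's next successful login without a separate migration.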

Strong Authentication Is Critical to Trust
Enhanced credentials assure that people really are who they claim to be.
- First factor, something you know: a user's existing username and password.
- Second factor, something you have: an additional layer of authentication beyond username and password, such as a security code (a one-time password code) from a token.
- Something you are: a biometric factor.

User Authentication (diagram; only the labels survive): corporate employee; networks: 3G, Wi-Fi, WiMAX, VPN; access points: Web App, Kiosk; devices: Laptop, thin [...] devices

Token-based Authentication

Risk-based Authentication

Certificate-based Authentication
A digital identity file conforming to a standard (PEM encoding, X.509 format, etc.)
- Strength comes from public-key cryptography
  - Keys commonly 1024 bit, increasingly 2048 bit (as of 2012; 1024-bit RSA keys are no longer considered adequate and 2048 bit is the minimum a CA will issue today)
  - Managed by a Public Key Infrastructure (PKI) such as Symantec Managed PKI
  - Issued and signed by a Certificate Authority (CA)
- Stored on a device (or a smart card)
- Contains some required information
  - User or device name
  - Public key
  - Signature of the issuing authority (computed over a hash of the certificate's contents, which is what lets a relying party detect any alteration)
- Customizable through metadata
  - Extension fields
  - Customer-specific information

Data Loss Prevention: monitor data usage

Data Loss Statistics: trends, news and what's at stake
- 88% experienced data loss
- 59% of employees leave with data
- 5.5 million average cost of a breach
- Legal and compliance penalties
- A corporate black eye

A Non-Transparent Solution
You need more than a technology solution.
- DISCOVER: Where is your confidential data?
- MONITOR: How is it being used?
- PROTECT: How best to prevent its loss?

Protect what's important
Customer information:
- Credit card info
- Medical records
- SSNs and government IDs
- Financials
Company information:
- Intellectual property
- M&A and strategy
- Internal auditing
- HR records

DLP Content-based Approach (figure; only fragments survive: "Data Loss [...]", "Credit [...]", "Find it. Fix it.")

DLP Classification-based Approach
- Public use
- Internal only
- Confidential
- Top secret

Content-based and classification-based comparison
Content based:
- Requires definition of sensitive content
- Prevents well-meaning insider and malicious insider attacks
- Can leverage data classification
- Easy control of historical data
Classification based:
- Easy to implement
- Vulnerable to data misclassification and malicious insiders
- Can be part of a data loss prevention approach
- Historical data classification can be a long job
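A minimal content-based policy of the kind the comparison above contrasts with classification labels, as an added example (not the deck's or Symantec's code). Each detector pairs a pattern with a validity check (Luhn for card numbers, the structural rules for US SSNs) and nearby context keywords, so that random 16-digit order numbers do not fire, and each hit is reported masked so a responder can triage it on sight. The sample message, the keyword lists and the severity scoring are constructed for this demo.

```python
"""Content-based DLP detection over a constructed sample message."""
import re
from dataclasses import dataclass
from typing import List

# 13-19 digits with optional single spaces or hyphens, not embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# US SSN structure: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Constructed context keywords; a hit within 40 chars before the match raises confidence.
CONTEXT = {
    "credit_card": ("card", "visa", "mastercard", "amex", "pan"),
    "ssn": ("ssn", "social security"),
}

# Constructed sample: one real-looking card, one Luhn-invalid order number,
# one structurally valid SSN and one invalid (000 area) ticket number.
SAMPLE = """Hi Bob, please process the refund to my Visa card 4111 1111 1111 1111 by Friday.
Order ref 1234567812345678 is the internal tracking id, not a card.
Employee SSN 123-45-6789 attached for the HR file; ticket 000-12-3456 can be closed.
"""


@dataclass
class Finding:
    kind: str       # detector that fired
    masked: str     # value as shown to the responder (never the full identifier)
    offset: int     # position in the scanned text
    context: bool   # supporting keyword found nearby


def luhn_ok(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812): doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _has_context(text: str, start: int, kind: str, span: int = 40) -> bool:
    before = text[max(0, start - span):start].lower()
    return any(word in before for word in CONTEXT[kind])


def scan(text: str) -> List[Finding]:
    """Run every detector and return findings in document order."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):  # filters order numbers and other digit runs
            masked = digits[:4] + "*" * (len(digits) - 8) + digits[-4:]
            findings.append(Finding("credit_card", masked, m.start(),
                                    _has_context(text, m.start(), "credit_card")))
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", "***-**-" + m.group()[-4:], m.start(),
                                _has_context(text, m.start(), "ssn")))
    return sorted(findings, key=lambda f: f.offset)


def severity(findings: List[Finding]) -> str:
    """Constructed scoring for 'high severity first' routing: a hit with
    supporting context counts double."""
    if not findings:
        return "none"
    score = sum(2 if f.context else 1 for f in findings)
    return "high" if score >= 3 else "medium"


if __name__ == "__main__":
    hits = scan(SAMPLE)
    for f in hits:
        print(f"{f.kind:12} {f.masked:20} context={f.context}")
    print("severity:", severity(hits))
```

The validity checks are what separate a usable policy from one that drowns responders in false positives: the regexes alone would also flag the order number and the 000-prefixed ticket.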

Data Loss Prevention Scope
- Storage: discover confidential data; protect confidential data
- Endpoint: discover confidential data; protect confidential data
- Network: monitor data in transit; prevent data leakage
All three are driven from a single management platform.

Data Loss Prevention Process
90% of DLP is incident response
- Right automation: resolution, enforcement, notification
- Right person: route incidents to the right responder
- Right order: high-severity incidents first
- Right information: the 5-second test
- Right action: 1-click response
- Right metrics: prove results to execs and auditors

Encryption: keep data secure

Data Protection strategy
Encryption for data at rest, in motion and in use

Endpoint Encryption
- Device control
- Removable storage encryption
- Full disk encryption
- Mobile encryption

Where Is Sensitive Data At Risk?
Email resides at multiple points (diagram; labels recovered): client systems, email at the corporate mail server, email in motion, the Internet, email at the [...] systems, each marked "email at risk".
Email is vulnerable at multiple points: SSL/TLS security alone is not sufficient.

It is about the data. Theme: lost laptop
Situation: A busy executive is running behind, runs through the airport and forgets his laptop at the TSA checkpoint trying to catch a flight. The executive does not realize he has forgotten his laptop until he lands six hours later and is at his hotel.
Solution: Drive encryption: encrypt all laptops and desktops.
Result: The laptop was encrypted and the data was inaccessible to unauthorized users. Because the data was encrypted, the company did not have to report the breach and did not suffer a public black eye. (Whether encrypted data is exempt from notification depends on the applicable breach-notification law; such safe-harbor clauses assume the keys or passphrase were not lost with the device.)

It is about the data. Theme: information sharing
Situation: Employees are storing confidential documents on shared repositories (sometimes in the cloud) for collaboration purposes.
Solution: Encrypt data on internal file shares and data in cloud storage lockers.
Result: All data stored in the cloud and in internal repositories is encrypted. Provided the keys are held by the company rather than by the provider, the data is secure from third-party cloud companies as well as from compromise of the account credentials to the cloud. Data is also protected from internal threats while it is on premise.

It is about the data. Theme: email
Situation: Email administrators are reading the email of the executive staff. Emails can be stolen from the mail server or intercepted while in transit.
Solution: Encrypt and decrypt emails at the desktop level, before they leave the desktop for the mail servers.
Result: Emails are secured on the desktop. Email admins can still access the emails on the mail server, but cannot read them because they are encrypted. Backups of the emails remain encrypted and secured. Only the recipient can read the email. (Message headers such as sender, recipients and subject stay in clear text on the server; end-to-end encryption protects the body and attachments.)

Summary

Integrated approach to Information Protection
- DLP: FIND (gateway, removable storage, file-based)
- Encryption: FIX
- Encryption: PROTECT

Continuous Risk Reduction (chart; labels recovered): incidents per [...] (scale to 1000) against "Risk Reduction Over Time", with "Visibility" and "Competitive Trap" marked on the curve.

Estimate your risk exposure: https://databreachcalculator.com/

Q&A

Thank you!
Antonio Ricci, IIP Technical Specialist
antonio ricci@symantec.com, 39 348 8546143
Copyright 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.