
Post on 26-May-2020


Move Cyber Threats On To Another Target

Encrypt Everything, Everywhere

Imam Sheikh, Director, Product Management, Vormetric

State of the Market

Evolving Threats

Today’s spectrum of Insider Threats

TRADITIONAL INSIDERS

POROUS PERIMETERS

HACKERS ACTIVELY TARGETING INSIDER ACCOUNTS

BIG DATA

CLOUD/SAAS

NATION STATES

CRIMINAL HACKERS

PRIVILEGED USERS

IN THE PAST COMPANY EMPLOYEES WITH KNOWLEDGE-REQUIRED ACCESS

TODAY WE MUST ADD

IT PERSONNEL, CONTRACTORS SERVICE PROVIDER EMPLOYEES COMPROMISE OF INSIDER ACCOUNTS BY OUTSIDERS

(ISC)2 e-Symposium 3

Failing to Secure Their Data

X ARE PROTECTING DATA BECAUSE OF A PARTNER OR COMPETITOR’S BREACH

EXPERIENCED A DATA BREACH OR FAILED A COMPLIANCE AUDIT

48% 44% 40% 29% 26%

United States UK Japan ASEAN Germany

38% 33% 27% 25% 7%

GLOBAL- 40%

United States UK Japan ASEAN Germany

GLOBAL- 29%

Japan


Targets of Sensitive Data Acquisition

Hackers target where the data resides

• DATABASES: 49%
• FILE SERVERS: 39%
• CLOUD: 36%

Industry and Security Experts Alike: “Encrypt Everything”


Sensitive Data Protection Technologies

Data in Motion

• SSL, SSH, HTTPS, IPSEC

Data at Rest

• ENCRYPTION, TOKENIZATION, MASKING

Practical Encrypt Everything

Where is Sensitive Data? If you’re not sure… You are at risk

Enterprise / Hosted / Outsourced Data Centers

Big Data Environments

Users

Remote Servers

SaaS, PaaS, IaaS

Clouds

App Servers

Database Servers

Storage Servers

Web Servers

Remote? On Servers?

On Different Environments?

Windows Linux Unix

On Varying Storage?

SAN

NAS

Cloud Storage


Feb 2014

Good News

Widening adoption of encryption

15%

35%


Bad News

A disjointed, expensive collection of point products

Each use case requires individual infrastructure, management consoles and training.

Complex – Inefficient – Expensive

• Expense Reports: File Encryption
• Customer Records: Database Encryption
• PII Compliance: App Encryption
• Cloud Migration: Cloud Encryption
• Physical Security: Full Disk Encryption
• Tape Archives: Key Management
• Privileged User Control: Access Policies

No Magic Bullet


The Encrypt Everything Three Step Program

1. Set Vision Statement

2. Develop Policy

3. Develop Implementation Strategy


Set Vision Statement

• Protect all sensitive data to keep my organization out of the data breach news section.

Develop Policy

Analyze & State your corporate, organizational and security requirements/needs

Analyze & State the drivers for your strategy

Understand the security and compliance requirements from business units

Classify sensitive data further


Develop Implementation Strategy

Recommended by Ovum

Concentrate on protecting data at the source

Make encryption with access controls the default

Monitor and analyze data access patterns

Replace point solutions with data security platforms


Realizing the Vision Within Budget

Types Of Encryption


App Level Encryption, Tokenization, TDE, Data Masking

File Encryption with access control

Disk Encryption (FDE)


Databases & Big Data Considerations


• Data sources/Nodes, Configuration, Logs, Reports, Targets

File Servers Considerations

Data

Access Policy #1

• User: AccountsPayable, App: ERP, Op: Read Only, Time: Any, Resources: Any

HR ERP Directory

• User: AccountsPayable, App: ERP, What: Read File, Time: 2PM 11/14/2013, Where: ERP Directory

• User: SystemAdmin-Group, Process: Cat command, What: Read File, Time: 2PM 11/14/2013, Where: HR ERP Directory. Block access and log attempt

File Level Encryption Accounts Payable Directory

• Auditing

• Separation of duties
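
The access policy on this slide can be read as a default-deny check that binds user, process and operation together, with every decision audited. The Python sketch below is an added example, not Vormetric's code or policy syntax; the file path, the lowercase operation names and the last two sample requests are constructed for illustration and go beyond the two requests shown on the slide.

```python
from dataclasses import dataclass, asdict
ANY = "Any"

@dataclass(frozen=True)
class Request:
    user: str
    process: str
    op: str
    path: str
    when: str

@dataclass(frozen=True)
class Rule:
    user: str
    app: str
    ops: frozenset       # operations the rule allows
    time: str = ANY
    resource: str = ANY  # path prefix, or ANY

    def matches(self, req: Request) -> bool:
        return (self.user in (ANY, req.user)
                and self.app in (ANY, req.process)
                and req.op in self.ops
                and self.time in (ANY, req.when)
                and (self.resource == ANY or req.path.startswith(self.resource)))

# Access Policy #1 from the slide: AccountsPayable, via the ERP app, read only.
POLICY = [Rule(user="AccountsPayable", app="ERP", ops=frozenset({"read"}))]

def evaluate(req, policy, audit):
    """Default deny: permit only when a rule matches; log every decision."""
    decision = "permit" if any(r.matches(req) for r in policy) else "deny"
    audit.append({"decision": decision, **asdict(req)})
    return decision

WHEN, PATH = "2PM 11/14/2013", "/erp/hr/payroll.csv"  # PATH is constructed
SAMPLES = [
    Request("AccountsPayable", "ERP", "read", PATH, WHEN),    # slide: allowed
    Request("SystemAdmin-Group", "cat", "read", PATH, WHEN),  # slide: block and log
    Request("AccountsPayable", "cat", "read", PATH, WHEN),    # constructed: wrong process
    Request("AccountsPayable", "ERP", "write", PATH, WHEN),   # constructed: read only
]

def run_samples():
    audit = []
    return [evaluate(r, POLICY, audit) for r in SAMPLES], audit

if __name__ == "__main__":
    print(*run_samples()[1], sep="\n")
```

The third request shows why the rule names the application as well as the user: the same account reading the same file through `cat` instead of the ERP process is denied and logged.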


Secure VPN

Key Manager (virtual or hosted physical appliances)

Deployed in cloud

Key Manager (virtual or physical appliances)

Deployed on premise

Key management:

• Appliance on premise

• Virtual appliance on premise

• Virtual appliance in cloud

• Appliance hosted by provider

Cloud Considerations

• Key Management

• Auditing

• Hybrid Cloud

Vormetric Data Security Platform

Ready for the next use case

Vormetric Data Security Platform

Enabling an “Encrypt Everything” strategy

Example Use Cases

McKesson Healthcare Company


Challenge

• Had to meet many compliance requirements

• Business Groups deploying many encryption solutions

• Level of solution “quality” varied

• Very expensive

Action

• Vormetric Data Security Platform

• Leveraged multi-domain management

• Available enterprise-wide

Result

• Higher availability

• Consistency

• Significant TCO reduction

Fortune 100 Finance Company


Challenge

• Faced with a customer mandate, traditional encryption approaches were sized at a 24 month engineering effort

Action

• Vendor bake-off

• Deployed Vormetric Transparent Encryption

Result

• Protected 160 servers in less than 3 months

• Have easily expanded solution to meet many more use cases

www.vormetric.com

Questions
