27
Move Cyber Threats On To Another Target Encrypt Everything, Everywhere Imam Sheikh Director, Product Management Vormetric
Move Cyber Threats On To Another Target
Encrypt Everything, Everywhere
Imam Sheikh Director, Product Management Vormetric
State of the Market
Evolving Threats
Today’s spectrum of Insider Threats
TRADITIONAL INSIDERS
POROUS PERIMETERS
HACKERS ACTIVELY TARGETING INSIDER ACCOUNTS
BIG DATA
CLOUD/SAAS
NATION STATES
CRIMINAL HACKERS
PRIVILEGED USERS
IN THE PAST COMPANY EMPLOYEES WITH KNOWLEDGE-REQUIRED ACCESS
TODAY WE MUST ADD
IT PERSONNEL, CONTRACTORS SERVICE PROVIDER EMPLOYEES COMPROMISE OF INSIDER ACCOUNTS BY OUTSIDERS
(ISC)2 e-Symposium 3
Failing to Secure Their Data
X ARE PROTECTING DATA BECAUSE OF A PARTNER OR COMPETITOR’S BREACH
EXPERIENCED A DATA BREACH OR FAILED A COMPLIANCE AUDIT
48% 44% 40% 29% 26%
United States UK Japan ASEAN Germany
38% 33% 27% 25% 7%
GLOBAL- 40%
United States UK Japan ASEAN Germany
GLOBAL- 29%
Japan
(ISC)2 e-Symposium 4
Targets of Sensitive Data Acquisition Hackers target where the data resides
49%
DATABASES
39%
FILE SERVERS
36%
CLOUD
(ISC)2 e-Symposium 5
Industry and Security Experts Alike: “Encrypt Everything”
(ISC)2 e-Symposium 6
Sensitive Data Protection Technologies
• SSL, SSH,
HTTPS, IPSEC
(ISC)2 e-Symposium
Data in Motion Data at Rest
• ENCRYPTION,
TOKENIZATION, MASKING
7
Practical Encrypt Everything
Where is Sensitive Data? If you’re not sure… You are at risk
Enterprise / Hosted / Outsourced Data Centers
Big Data Environments
Users
Remote Servers
SaaS, PaaS, IaaS
Clouds
App Servers
Database Servers
Storage Servers
Web Servers
Remote? On Servers?
On Different Environments?
Windows Linux Unix
On Varying Storage?
SAN
NAS
Cloud Storage
(ISC)2 e-Symposium 9
Feb 2014
Good News Widening adoption of encryption
15%
35%
(ISC)2 e-Symposium 10
Bad News A disjointed, expensive collection of point products
Each use case requires individual infrastructure,
management consoles and training.
Complex – Inefficient - Expensive
Expense Reports
File Encryption
+ + + + + +
Customer Records
Database Encryption
PII Compliance
App Encryption
Cloud Migration
Cloud Encryption
Physical Security
Full Disk Encryption
Tape Archives
Key Management
Privileged User Control
Access Policies
…
(ISC)2 e-Symposium 11
No Magic Bullet
(ISC)2 e-Symposium 12
The Encrypt Everything Three Step Program
1. Set Vision Statement
2. Develop Policy
3. Develop Implementation Strategy
(ISC)2 e-Symposium 13
Set Vision Statement
• Protect all sensitive data to keep my
organization out of the data breach
news section.
(ISC)2 e-Symposium 14
Develop Policy
Analyze & State your corporate, organizational and security requirements/needs
Analyze & State the drivers for your strategy
Understand the security and compliance requirements from business units
Classify sensitive data further
(ISC)2 e-Symposium 15
Develop Implementation Strategy Recommended by Ovum
Concentrate on protecting data at the source
Make encryption with access controls the default
Monitor and analyze data access patterns
Replace point solutions with data security platforms
(ISC)2 e-Symposium 16
Realizing the Vision Within Budget
Types Of Encryption
(ISC)2 e-Symposium
App Level Encryption, Tokenization, TDE, Data Masking
File Encryption with access control
Disk Encryption (FDE)
18
Databases & Big Data Considerations
(ISC)2 e-Symposium 19
• Data sources/Nodes, Configuration, Logs, Reports, Targets
File Servers Considerations
Data
Access Policy #1 User: AccountsPayable App: ERP Opp: Read Only Time: Any Resources: Any
HR ERP Directory User: AccountsPayable App: ERP What: Read File Time: 2PM 11/14/2013 Where: ERP Directory
User: SystemAdmin-Group Process: Cat command What: Read File Time: 2PM 11/14/2013 Where: HR ERP Directory Block access and log attempt
File Level Encryption Accounts Payable Directory
• Auditing
• Separation of duties
(ISC)2 e-Symposium 20
Secure VPN
Key Manager (virtual or hosted physical appliances)
Deployed in cloud
Key Manager (virtual or physical appliances)
Deployed on premise
Key management:
• Appliance on premise
• Virtual appliance on premise
• Virtual appliance in cloud
• Appliance hosted by provider
Cloud Considerations
• Key Management
• Auditing
• Hybrid Cloud
(ISC)2 e-Symposium 21
Vormetric Data Security Platform Ready for the next use case
(ISC)2 e-Symposium 22
Vormetric Data Security Platform Enabling an “Encrypt Everything” strategy
(ISC)2 e-Symposium 23
Example Use Cases
McKesson Healthcare Company
(ISC)2 e-Symposium 25
Challenge
• Had to meet many compliance requirements
• Business Groups deploying many encryption solutions
• Level of solution “quality” varied
• Very expensive
Action
• Vormetric Data Security Platform
• Leveraged multi-domain management
• Available enterprise-wide
Result
• Higher availability
• Consistency
• Significant TCO reduction
Fortune 100 Finance Company
(ISC)2 e-Symposium 26
Challenge
• Faced with a customer mandate, traditional encryption approaches were sized at a 24 month engineering effort
Action
• Vendor bake-off
• Deployed Vormetric Transparent Encryption
Result
• Protected 160 servers in less than 3 months
• Have easily expanded solution to meet many more use cases
