Classification: how to boost Information Protection
Gianmarco Ferri, Business Development IMTF @ ISDays 2015
# 2
Let me ask 3 questions:
1. How many of us are using (or thinking of implementing) DLP solutions?
2. How many of us think that these are good and needed solutions?
3. How many think that DLPs on their own can effectively and efficiently
prevent data leakage?
− effectively => adequate to deliver the expected result
− efficiently => perform with the least waste of time and effort
# 3
In confined and isolated IT environments
it is relatively simple to protect data against leakage
DLP, firewalls, routers, … protect organizations well against
information leakage within well-defined IT boundaries …
… even application boundaries can easily be audited and protected
against information leakage.
# 4
But this is no longer the case: we see cracks in the wall.
The established solutions, alone, fail to protect information.
Organizations are becoming distributed and mobile:
• Endless locations
− Inside and outside the enterprise
− Cloud services / SaaS
• Endless applications
− Standard market apps
− Specific business-value apps
• Endless devices
− Enterprise desktops/laptops/devices
− Service providers
− Mobile & tablets (BYOD)
… and so are the threats:
• Endless cyber attack vectors
− Insider threats, inadvertent data leakage, Trojans, spyware, botnets, phishing, social engineering
# 5
Data produced & exchanged by organizations
in order to do business is growing exponentially – Big Data
• Both structured and unstructured data is growing exponentially:
− in volume (Zettabytes)
− in velocity (speed & peaks)
− in variety (unlimited formats)
− in complexity (correlation & matching)
• Perimeter-centric information security tools on their own have limitations:
− difficult to scale
− difficult to keep up the pace with Big Data
− static solutions (media & locations-based)
− unreasonable monitoring burden (false positives)
# 6
In any organisation only a relatively small percentage
of created, managed & exchanged data is sensitive information.
The security problem today is to find the needle of sensitive information,
to protect it against leakage, within the haystacks of non-sensitive daily
business information, in an effective and efficient way!
Searching the whole haystack with perimeter tools alone is
neither effective nor efficient.
# 7
What if we change the approach and proactively
create sensitive information “differently”?
By embedding its sensitive nature within the data itself …
… we enable simple and error-free identification of sensitive
information anywhere / anytime.
# 8
By concentrating attention on the sensitive information itself, on the context in
which it is created and accessed, and by leveraging its “natural” sensitivity traits
and qualities, we can effectively and efficiently protect information:
Focusing on sensitive information identification at creation
enables data-centric security.
THIS IS:
effective,
efficient
& smart
# 9
The world is not just black & white!
There is not just normal or sensitive information but a number of
different and organisation-specific types of information.
Good information classification is not a trivial task.
# 10
Data-centric security is not just classification but also
about enforcing information usage policies
• IRM (Information Rights Management) platforms like AD-RMS allow you to
define, implement and track information usage policies.
• An information usage policy precisely defines, enforces and tracks:
− WHO can use the information
− WHAT each person/group/role can do with/to the information
− WHEN the information can be used
− WHERE the information can be used
• With IRM, security can be embedded within the data, protecting it
wherever it is – in motion, at rest or in use
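As an added example for the four usage-policy dimensions above, the following Python evaluates a WHO / WHAT / WHEN / WHERE policy against a request, denies by default, and records every decision so usage can be tracked. It is illustrative code written for this page, not AD-RMS or IP/2; the policy shape, the group names, the office-hours window and the corporate network range are assumptions.

```python
"""Evaluating an IRM-style information usage policy (WHO / WHAT / WHEN / WHERE).

Illustrative code, not AD-RMS or IP/2. Policy shape, group names and the
audit record layout are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class UsagePolicy:
    label: str
    rights: dict        # WHO (user or group) -> WHAT (set of permitted actions)
    window: tuple       # WHEN: (earliest, latest) local time of day
    networks: tuple     # WHERE: networks from which use is permitted


@dataclass(frozen=True)
class UsageRequest:
    user: str
    groups: frozenset
    action: str
    at: datetime
    source_ip: str


# Tracking: every decision, allowed or denied, is appended here.
AUDIT = []


def evaluate(policy: UsagePolicy, req: UsageRequest) -> bool:
    """Deny by default: all four dimensions must pass for a single request."""
    principals = {req.user} | set(req.groups)
    allowed_actions = set()
    for p in principals:                       # union of user and group rights
        allowed_actions |= set(policy.rights.get(p, ()))
    who_what = req.action in allowed_actions
    when = policy.window[0] <= req.at.time() <= policy.window[1]
    addr = ip_address(req.source_ip)
    where = any(addr in ip_network(n) for n in policy.networks)
    allowed = who_what and when and where
    AUDIT.append({
        "label": policy.label, "user": req.user, "action": req.action,
        "at": req.at.isoformat(), "from": req.source_ip,
        "who_what": who_what, "when": when, "where": where, "allowed": allowed,
    })
    return allowed


# Constructed sample policy: CID documents may be viewed by the advisor group
# and edited by their owner, during office hours, from the corporate network.
CID_POLICY = UsagePolicy(
    label="CONFIDENTIAL-CID",
    rights={"advisors": {"view"}, "alice": {"view", "edit"}},
    window=(time(8, 0), time(18, 0)),
    networks=("10.0.0.0/8",),
)


def request(user, groups, action, hour, source_ip) -> UsageRequest:
    """Helper building a request on a fixed sample date (constructed input)."""
    return UsageRequest(user, frozenset(groups), action,
                        datetime(2015, 6, 10, hour, 0), source_ip)


if __name__ == "__main__":
    print(evaluate(CID_POLICY, request("bob", {"advisors"}, "edit", 10, "10.1.2.3")))
    print(AUDIT[-1])
```

The audit record keeps the result of each dimension separately, so a denied request shows which of WHO/WHAT, WHEN or WHERE failed rather than just "denied".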
# 11
The classification solution needs
to be integrated into the entire IT landscape, &
into IRM platforms & perimeter-based solutions…
[Diagram: Identify → Classify → Protect]
• Identify: format, application, user, device, services, location
• Classify (IP/2 rules, automatic / semi-automatic / manual): as per your
directives; sub-classification, flexible & dynamic
• Protect:
− RMS: encryption & permission management (e.g. MS AD RMS)
− DLP: feed it the right information (e.g. Symantec)
− Usage tracking, eDiscovery
# 12
With IP/2, IMTF offers an enterprise solution to protect
all sensitive data and documents of any organization
Any data and document in electronic format
• Files, enterprise systems
• Emails, cloud data, web content
Protection through the entire information lifecycle
• From creation through collaboration and storage
• Beyond application and IT environment boundaries
Policy-based IRM protection and security
• Simple policy generation, application and enforcement
• Application of enterprise-level encryption and key management tools
# 13
Information protection is achieved by first classifying sensitive
information and then applying the appropriate protection policy
# 14
IP/2's first key feature is an effective and performant
classification engine that correctly classifies information
• An integrated rule based engine allows for flexible and comprehensive
“classification policy authoring” referring to:
− Content and metadata
− Time criteria
− User identity and actions
− Locations
− Dynamic and static values
− Events or other attributes
• Instant, automatic identification and classification with zero false positives:
− New, modified, or accessed sensitive data
− From any origin
− To any destination
− Via any channel
# 15
Once sensitive information assets are identified and classified,
IRM protection can be effectively implemented to avoid
unauthorized usage and leakage
• Effective enforcement of data protection mechanisms
− Data encryption (based on «your» encryption engine and PKI)
− Strict access rights management (permissions)
− Strict usage rights management (actions)
− Enable existing and trusted IT systems and applications to
work seamlessly with secured and encrypted data
# 16
The technology is based on an “agent to server architecture”
that triggers the IP/2 event-driven classification and protection
[Diagram: multi-source data acquisition system → classification policy /
protection policy → optimized classification and protection mechanism]
The optimized classification cycle is triggered upon
intercepted events such as create, open, save,
close, download, upload, copy, etc.
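The following Python is an added example of the flow on slides 13 to 16: an agent-side hook intercepts an event, a rule engine classifies the document from content, metadata and user identity, and the resulting label selects the protection policy (encryption, permissions, permitted locations). It is written for this page and is not IP/2 code; the event list, the labels, the rules, the card-number regex and the policy table are assumptions. The card-number rule shows the check a practitioner wants when the deck talks about false positives: a regex hit is only accepted if the digit string passes the Luhn mod-10 test, so invoice or order numbers of the same length do not become PCI hits.

```python
"""Event-driven classification followed by policy-based protection.

Illustrative code, not IP/2. Events, labels, rules, regex and the
protection table are all assumptions made for this example.
"""
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Events the (hypothetical) agent intercepts and hands to the classifier.
CLASSIFY_EVENTS = {"create", "open", "save", "close", "download", "upload", "copy"}


@dataclass(frozen=True)
class Document:
    path: str               # metadata: where the object lives
    content: str            # content
    owner: str              # user identity
    owner_groups: frozenset
    location: str           # where the event happens, e.g. "HQ-LAN" or "cloud"


@dataclass(frozen=True)
class Rule:
    label: str
    priority: int           # highest priority wins when several rules match
    matches: Callable[[Document], bool]


def luhn_ok(digits: str) -> bool:
    """Mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def contains_pan(text: str) -> bool:
    """A regex hit alone is not enough: require a Luhn-valid digit string."""
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


# Classification policy: content, metadata and user-identity criteria.
RULES = [
    Rule("PCI", 3, lambda d: contains_pan(d.content)),
    Rule("CID", 2, lambda d: d.path.startswith("/clients/")
         and "passport" in d.content.lower()),
    Rule("IP", 2, lambda d: "rnd" in d.owner_groups and d.path.startswith("/rnd/")),
]
DEFAULT_LABEL = "PUBLIC"

# Protection policy per label: encryption, permissions per group,
# and the locations from which use is allowed.
PROTECTION = {
    "PCI":    {"encrypt": True,  "rights": {"finance": {"view"}},           "locations": {"HQ-LAN"}},
    "CID":    {"encrypt": True,  "rights": {"advisors": {"view", "edit"}},  "locations": {"HQ-LAN"}},
    "IP":     {"encrypt": True,  "rights": {"rnd": {"view", "edit"}},       "locations": {"HQ-LAN", "cloud"}},
    "PUBLIC": {"encrypt": False, "rights": {"everyone": {"view", "edit"}},  "locations": {"HQ-LAN", "cloud"}},
}


def classify(doc: Document) -> str:
    """Most sensitive matching rule wins; no match means the default label."""
    hits = [r for r in RULES if r.matches(doc)]
    if not hits:
        return DEFAULT_LABEL
    return max(hits, key=lambda r: r.priority).label


def handle_event(event: str, doc: Document) -> Optional[dict]:
    """Agent hook: on an intercepted event, classify and return the protection
    to enforce; None when the event does not trigger a classification cycle."""
    if event not in CLASSIFY_EVENTS:
        return None
    label = classify(doc)
    policy = dict(PROTECTION[label])
    # Report whether use at the event's location is permitted at all.
    policy["permitted_here"] = doc.location in policy["locations"]
    return {"label": label, **policy}


if __name__ == "__main__":
    # Constructed sample document with a Luhn-valid test card number.
    sample = Document("/finance/orders.csv", "order 42 paid with card 4111 1111 1111 1111",
                      "alice", frozenset({"finance"}), "HQ-LAN")
    print(handle_event("save", sample))
```

The same structure extends to the other criteria on slide 14 (time, device, services): each is just another attribute on the document or event that a rule can read, and the label-to-policy table stays the single place where protection is decided.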
# 17
Simple IT protection use case:
Secure enterprise solution interfaces that need to share
potentially restricted and sensitive information
All sensitive data is identified and protected (encrypted) at all times and anywhere
NO RISK OF LEAKAGE !!!
# 18
Data Centric information security has 2 parts:
• A technical solution enabling embedded data classification and IRM
enforcement to effectively and efficiently prevent sensitive data leakage
• A business process and methodology to correctly identify and classify
sensitive information within the specific and unique enterprise context
# 19
Sensitive information identification and classification can help
organizations adhere to many international standards for
information security (e.g. ISO 27001) …
# 20
… and can help comply with many specific industry regulations
on information protection & control (e.g. PCI-DSS)
# 21
What is to be considered sensitive information mainly depends
on the enterprise's activity domain and operational exposure
• The financial world is focused on protecting CID (client identifying data):
− Direct identifying data (name, signature, address, email, phone, … )
− Indirect identifying data (customer no., account no., card no., passport no., …)
− Potentially indirect identifying data (birth info, memberships, wedding date, profession, …)
• In the health insurance industry PHI customer data are key assets
• In the chemical industry formulas and production processes are key
information assets to identify, classify and protect
• In high-tech companies R&D and technology innovations are key
assets
# 22
All sensitive information assets of a company can be considered
as one (or more) of five main sensitive data types:
• PCI (payment card data, governed by the Payment Card Industry Data Security Standard, PCI-DSS)
• PHI (Personal Health Information)
• PII (Personally Identifiable Information)
• IP (Intellectual Property)
• BI (Business Information)
# 23
Data Leakage Prevention: how do we help our clients classify their digital
assets and identify the organization's Crown Jewels?
[Diagram: step 1 Processes, step 2 Classification; a generic context (A)
and a parameter context (B)]
1. Processes
− Source? Employees, business units, applications, locations, etc.
− Processes / use cases?
− Final destination? eMail, repositories, etc.
2. Classification
− What is to be protected? Information types, assets, etc.
− Why is it to be protected? Regulations, intellectual property, defence, reputation, etc.
− Protective mechanism? IRM / RMS, end-point DLP, encryption, IAM, labeling, etc.
# 24
We truly believe that Data-Centric Security is the way to go:
the information (metadata) itself can trigger suitable protection mechanisms!
[Diagram: secure and open creation & access points spread inside and outside the perimeter]
100% accurate lifecycle classification:
• flexible & dynamic
• considering context
• automatic to manual = protecting vs teaching
• to derive suitable protection mechanisms (technical, processes, RMS / IRM)
# 25
A takeaway for you: are you thinking of going to the cloud?
Once sensitive data is identified and protected it can go anywhere…
… even into the CLOUD!
# 26
Thank You !
Gianmarco Ferri
Business Development
Direct +41 26 460 66 41
Mobile +41 79 776 47 26
Mail gianmarco.ferri@imtf.ch
Skype ferrig
www.imtf.com