Securing Your ESI
Steven C. Markey, MSIS, PMP, CISSP, CIPP, CISM, CISA, STS-EV, CCSK, CompTIA Cloud Essentials
Principal, nControl, LLC
Adjunct Professor
President, Cloud Security Alliance – Delaware Valley Chapter (CSA-DelVal)
Securing Your ESI
• Presentation Overview
  – WI3FM….?
  – ESI Overview
  – Security Overview
  – Security Tips & Tricks
Securing Your ESI
• WI3FM
  – What is in it for me?
     – Why should I care?
Securing Your ESI
• Data Breaches & Security Incidents
  – Average Cost: $7.2 million
     – http://www.networkworld.com/news/2011/030811-ponemon-data-breach.html
  – Leading Cause: Negligence, 41%; Hacks, 31%
     – http://www.networkworld.com/news/2011/030811-ponemon-data-breach.html
  – Responsible Party: Vendors, 39%
     – http://www.theiia.org/chapters/index.cfm/view.news_detail/cid/197/newsid/13809
  – Increased Frequency: 2010-2011, 58%
     – http://www.out-law.com/en/articles/2011/october/personal-data-breaches-on-the-increase-in-private-sector-reports-ico/
Securing Your ESI
• ESI Overview
  – Electronically Stored Information (ESI)
     • Defined for the federal rules of civil procedure (FRCP):
         – Information created, manipulated, communicated, stored,
           and best utilized in digital form, requiring the use of computer
           hardware and software.
             » http://www.law.northwestern.edu/journals/njtip/v4/n2/3/
     • Structured ESI
         – Stored in database or content management systems.
             » Examples: Claims, Brokerage / e-Commerce Transactions
     • Unstructured ESI
         – Free-form information stored in a manner that is difficult to
           search within.
             » Examples: Tweets, Web Site Content, Word Document Content
Securing Your ESI
• Security Overview
  – CIA Triad
     • Confidentiality
         – Categorization / Classification
         – Privacy
         – Least Privilege
         – AAA: Authentication, Authorization and Accounting
     • Integrity
         – Nonrepudiation
         – Segregation / Separation of Duties
     • Availability
         – Business Continuity (BC) / Disaster Recovery (DR)
         – Defense-in-Depth
Securing Your ESI
• Vendor Selection
  – Service-Level Agreements (SLAs)
     • Temporal Service Contract
          – Term
          – Metrics
          – Definitions
          – Cause for X (e.g. Termination / Exit Clause)
  – Certifications / Attestations
     • SAS 70 Type II / SSAE 16 (SOC 1 / 2 / 3) / ISAE 3402
     • ISO 27001 / 2, 27036, 15489
     • BITS Shared Assessments
     • PCI DSS
     • HIPAA / HITECH
Securing Your ESI

• Vendor Selection
  – Incident Response
     • Computer Security Incident Response Team (CSIRT)
         – Digital Forensics
     • Legal Hold / Litigation Response / e-Discovery
         – Electronic Discovery Reference Model (EDRM)
         – FRCP 30(b)(6)
  – Right to Audit
     • Use your internal vendor assessment team or a mutually
       agreed upon third party.
Securing Your ESI
• Mobile Device Security Guidance
  – Devices
     • Not all devices are the same.
     • Balancing Act (Draconian versus Cow-folk)
         – People lose stuff all the time.
     • Who owns the device?
         – Bring Your Own Device (BYOD) = consumerization of IT
     • Is device content discoverable?
     • Vicarious Liability
         – Driving & Texting / Talking
         – Mobile Device User Acceptance Policy

  – Applications / Data
     • Not all applications are the same.
     • Segment Work & Play
         – Sandboxing / Data-boxing
         – Mobile Facebook App Pulls / Pushes Data to Address Book
Securing Your ESI
• Physical Media Security Guidance
  – Laptops / Tablets
     • They should be password-protected / encrypted.
     • Wipe / degauss hard disk drive (HDD) before shredding.
         • Receive a certificate / bill of lading for shredding.

  – Thumb Drives / External Hard Drives
     • They should be password-protected / encrypted.
     • Wipe / degauss before shredding.
         • Receive a certificate / bill of lading for shredding.

  – Backup Tapes
     • They should be in your records retention schedule (RRS).
         • Information Lifecycle
     • They should be password-protected / encrypted.
     • Wipe / degauss before shredding.
         • Receive a certificate / bill of lading for shredding.
Securing Your ESI
• Cloud Security Guidance
  – Change / Configuration Management, Provisioning
  – Matrices
     • CSA Consensus Assessments Initiative Questionnaire
     • CSA Cloud Controls Matrix
     • BITS Enterprise Cloud Self-Assessment
     • BITS Shared Assessments
  – Guidance Specifically for the Cloud
     • Cloud Security Alliance (CSA) Guide v3.0
     • CSA Security, Trust & Assurance Registry (STAR)
     • ENISA Cloud Computing Risk Assessment
     • NIST SP 800-144 Guidelines Security / Privacy for a Public Cloud
Securing Your ESI
• Big Data Security Guidance
  – Information Management
     • Generally Accepted Recordkeeping Principles (GARP®)
     • Information Governance Reference Model (IGRM)
     • Information Lifecycle Management (ILM)
     • MIKE2.0
     • ISO 23081 (Records Metadata)
  – Known Black Ice
     • Log Files
     • Web Metadata
     • Non-Relational, Distributed Databases (NRDBMS, e.g. NoSQL)
     • Data Backups (Tapes, Cloud Object Storage)
     • Social Media
Securing Your ESI
• Social Media Security Guidance
  – Sites
     • Manage (Strategy, Policy, Access, Auditing, e-Discovery)
     • Strong Passwords
     • Change / Configuration Management
         – Provisioning / De-provisioning
     • Haters (Competitors, Former Employees / Customers)
     • Wash & Repeat
     • Mobile Apps for Approved Personnel?
  – Applications
     • Immature
     • Insecure
     • Discoverable?
Securing Your ESI
• Security Tips & Tricks
  – Governance, Risk & Compliance (GRC)
  – Encryption / Hashing
  – Authentication, Authorization & Accounting (AAA)
  – Change / Configuration Management
  – Incident Response / e-Discovery / DR Testing
  – Physical Access
  – End User Training
Securing Your ESI
• GRC
  – Documented controls and safeguards.
     • Potential audit findings and remediation actions.
  – Enterprise view of compliance.
     • Potential functional / system / application view as well.
  – Establish standards, best practices and guidance.
     • Make users, vendors and partners aware of these.
Securing Your ESI
• Encryption / Hashing
  – Data at Rest (DAR)
     • Object (File, Table, Record, Column), Volume or Block
  – Data in Motion (DIM)
     • ‘Across the Wire’, Data-com Link
  – Data in Use (DIU)
     • Object (File, Table, Record, Column), Volume or Block
Securing Your ESI
• Encryption / Hashing
  – Nuances
     • Encryption wraps a layer of protection around your
       information and can be reversed with the key.
        – Public Key Infrastructure (PKI): VPN, TLS / SSL, S/MIME, WPA
     • Hashing reduces the input to a fixed-length digest that cannot
       be reversed to recover the input.
        – Database Hashing: HMAC SHA-1 / 2 / 3, MD5
  – Key Management
     • If you lose the encryption key then your data is lost.
        – Try telling Legal, a judge or an attorney that!
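The two bullets above (database hashing with HMAC, and losing the key meaning losing the data) are worth seeing side by side. The following Python example is added here and is not code from the presentation: it contrasts an unkeyed digest, which anyone who knows the algorithm can recompute, with an HMAC over the same field, which also needs the secret key. The customer identifiers, the claim records and the keys are constructed sample data, and `tokenize_table` / `lookup` are illustrative helpers, not any product's API.

```python
"""Unkeyed hash vs keyed hash (HMAC) for a stored database field.

Added example, not from the presentation. Customer IDs, records and keys
below are constructed sample data.
"""
import hashlib
import hmac
import secrets


def plain_digest(value: str, alg: str = "sha256") -> str:
    """Unkeyed digest: fully determined by the public algorithm and the input,
    so anyone holding the digest can check a guess against it."""
    return hashlib.new(alg, value.encode("utf-8")).hexdigest()


def keyed_digest(key: bytes, value: str, alg: str = "sha256") -> str:
    """HMAC: the same input gives a different digest under a different key,
    so recomputing it needs the secret key as well as the algorithm."""
    return hmac.new(key, value.encode("utf-8"), alg).hexdigest()


def verify_keyed(key: bytes, value: str, stored: str, alg: str = "sha256") -> bool:
    """Constant-time comparison so verification does not leak digest bytes."""
    return hmac.compare_digest(keyed_digest(key, value, alg), stored)


def tokenize_table(key: bytes, rows: dict) -> dict:
    """Replace the sensitive lookup field (the dict key) by its HMAC and
    keep the associated record unchanged (hypothetical helper)."""
    return {keyed_digest(key, ident): record for ident, record in rows.items()}


def lookup(key: bytes, table: dict, ident: str):
    """Find a record by recomputing the HMAC of the identifier (hypothetical helper)."""
    return table.get(keyed_digest(key, ident))


def key_loss_demo():
    """Show the key-management point: with the original key the tokenized
    table is usable; with any other key the stored data is unreachable."""
    key = secrets.token_bytes(32)
    rows = {"CUST-0001": "claim A", "CUST-0002": "claim B"}  # constructed
    table = tokenize_table(key, rows)
    found = lookup(key, table, "CUST-0001")
    replacement_key = secrets.token_bytes(32)  # simulates losing the original key
    after_loss = lookup(replacement_key, table, "CUST-0001")
    return found, after_loss


if __name__ == "__main__":
    print("plain sha256 of 'CUST-0001':", plain_digest("CUST-0001"))
    print("with key vs. after key loss:", key_loss_demo())
```

The unkeyed digest of a low-entropy field such as a customer number is reproducible by anyone with the algorithm name, which is why the keyed variant is the one to store for lookups; the trade-off, as the slide says, is that the key must be backed up and controlled like the data itself.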
Securing Your ESI
• AAA
  – Authentication
     • Validating who the user is claiming to be.
  – Authorization
     • Allocating the lowest privilege for the user.
  – Accounting
     • Tracking the user’s actions.
Securing Your ESI
• Identity & Access Management (IAM)
  – Single Sign-on (SSO)
     • Allows User to Gain Access to Multiple Systems / Apps
        – Negates password fatigue.
     • Implementations
        – Externally
            » One-time Password (OTP) / Tokenization
            » Federated Identity / Tokenization
            » Smart Card / Two Factor Authentication (2FA)
            » Remote Authentication Dial-In User Service (RADIUS)
        – Internally
            » Kerberos
            » Lightweight Directory Access Protocol (LDAP)
Securing Your ESI
• IAM Technologies
  – Federated Identity
     • OpenID
     • OAuth
     • Security Assertion Markup Language (SAML)
     • Web Services – Trust Language (WS-Trust)
     • Representational State Transfer (REST)
     • Active Directory Federation Services (ADFS)
          – Microsoft Federation Gateway (MFG)
Securing Your ESI
• Password Tips & Tricks
  – Use a password.
  – Create a strong password / PIN.
     • Alphanumeric with at least one uppercase letter, one
       lower-case letter, one number & one special character.
     • No dictionary words, SSNs, kids, pets, DOBs or addresses.
     • No usernames.
     • Use different passwords for different accounts.
  – Protect it.
     • Use a password book if necessary.
  – Change it.
     • Semi-annually
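The password rules on this slide are easy to state and easy to get wrong when checked by hand, so here is a Python policy checker added as an example (it is not code from the presentation). It applies the composition rule, the dictionary, username and personal-data checks, the SSN check, and the "different passwords for different accounts" rule as a reuse check. The word list, the sample usernames and personal terms, and the passwords are constructed; the presentation gives no minimum length, so none is enforced here.

```python
"""Password policy checks matching the 'Password Tips & Tricks' slide.

Added example, not from the presentation. DICTIONARY is a constructed
stand-in for a real word list; all sample values are made up.
"""
import re

DICTIONARY = {"password", "welcome", "summer", "dragon", "secret", "admin"}
SPECIAL = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")
SSN_RE = re.compile(r"\d{3}-?\d{2}-?\d{4}")
DIGIT_RUN_RE = re.compile(r"\d{4,}")


def check_password(password, username="", personal_terms=(), dictionary=DICTIONARY):
    """Return a list of policy violations; an empty list means the password passes."""
    if not password:
        return ["no password set"]
    problems = []
    # Composition: upper, lower, digit and special character all required.
    if not any(c.isupper() for c in password):
        problems.append("missing uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("missing lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("missing digit")
    if not any(c in SPECIAL for c in password):
        problems.append("missing special character")
    lowered = password.lower()
    # Dictionary words (four letters or more) anywhere in the password.
    for word in sorted(dictionary):
        if len(word) >= 4 and word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    # The username must not appear inside the password.
    if len(username) >= 3 and username.lower() in lowered:
        problems.append("contains username")
    # Personal data (names, DOBs, addresses): textual match, or a run of
    # four or more digits taken from the term (e.g. a birth year).
    for term in personal_terms:
        if term and term.lower() in lowered:
            problems.append(f"contains personal term '{term}'")
        term_digits = re.sub(r"\D", "", term)
        if len(term_digits) >= 4 and any(
            run in term_digits for run in DIGIT_RUN_RE.findall(password)
        ):
            problems.append(f"contains digits from personal term '{term}'")
    if SSN_RE.search(password):
        problems.append("looks like it contains an SSN")
    return problems


def find_reused(passwords_by_account):
    """Group accounts that share a password (a local check a user can run
    over their own password book); returns sorted groups of size >= 2."""
    groups = {}
    for account, password in passwords_by_account.items():
        groups.setdefault(password, []).append(account)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    print(check_password("password1", username="jsmith"))
    print(check_password("Jsmith#1985", username="jsmith", personal_terms=("1985-04-12",)))
    print(find_reused({"mail": "Same!1pw", "bank": "Same!1pw", "forum": "Other!2pw"}))
```

A real deployment would swap the embedded word list for a full dictionary (and, ideally, a breached-password list), but the structure of the checks is the same.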
Securing Your ESI
• Change / Configuration Management
  – Process
     • Cost, GRC & Quality are huge drivers for:
        – Software Development Lifecycle (SDLC)
        – Project Management Office (PMO), Project Portfolio Mgmt (PPM)
        – Lean / Six Sigma, ISO 9000, CMMi
  – Provisioning / De-provisioning
     • On-loading / Off-loading
        – Profit Centers / Business Units / Functions
        – Data
        – Applications
        – Vendors / Partners
        – Customers
     • Periodic Reviews of Processes & Accounts
Securing Your ESI
• Incident Response / e-Discovery / DR Testing
  – Practice makes perfect.
     • Wash & Repeat
  – Crawl → Walk → Run
     • Crawl: Internal Tabletop Testing
     • Walk: Internal Exercise, “cause you have nothing better
       to do on a Saturday”.
     • Run: Incorporate Vendors, Partners & Customers
Securing Your ESI
• Physical Security
  – Privacy Screen
  – Physical Location & Office Access
  – Dumpster Diving
  – Lost Hard-copy Reports
Securing Your ESI
• End-user Training
  – New-hires
     • Especially for millennials (IT consumerization).
  – Quarterly Computer-based Training (CBT)
     • For heavily regulated industries.
  – Annual On-site Training
     • Be liberal with the swag.
        – Pilot new marketing campaigns (logo, tag, brand).
  – Educate Your Ecosystem
Securing Your ESI
• Take-aways
  – Educate Your Ecosystem
  – Healthy Dose of Skepticism
  – Embrace Change Pragmatically
  – Secured Technology is an Enabler
  – Privacy is Important Too
• Questions?
• Contact
  – Email: steve@ncontrol-llc.com
  – Twitter: @markes1, @casdelval2011
  – LI: http://www.linkedin.com/in/smarkey

Weitere ähnliche Inhalte

Was ist angesagt?

Cw13 cloud computing & big data by ahmed aamer
Cw13 cloud computing & big data by ahmed aamerCw13 cloud computing & big data by ahmed aamer
Cw13 cloud computing & big data by ahmed aamer
inevitablecloud
 
Capacity Management in a Cloud Computing World
Capacity Management in a Cloud Computing WorldCapacity Management in a Cloud Computing World
Capacity Management in a Cloud Computing World
David Linthicum
 
Challenges in cloud computing to enable future internet of things v0.3
Challenges in cloud computing to enable future internet of things v0.3Challenges in cloud computing to enable future internet of things v0.3
Challenges in cloud computing to enable future internet of things v0.3
Ignacio M. Llorente
 
Advantages to Adoption the Microsoft Cloud - Microsoft Customer Executive Summit
Advantages to Adoption the Microsoft Cloud - Microsoft Customer Executive SummitAdvantages to Adoption the Microsoft Cloud - Microsoft Customer Executive Summit
Advantages to Adoption the Microsoft Cloud - Microsoft Customer Executive Summit
Richard Harbridge
 
Leaders in the Cloud: Identifying Cloud Business Value for Customers
Leaders in the Cloud: Identifying Cloud Business Value for CustomersLeaders in the Cloud: Identifying Cloud Business Value for Customers
Leaders in the Cloud: Identifying Cloud Business Value for Customers
OpSource
 
Security in Cloud Computing
Security in Cloud ComputingSecurity in Cloud Computing
Security in Cloud Computing
Rohit Buddabathina
 
The Future of Identity in the Cloud: Requirements, Risks and Opportunities - ...
The Future of Identity in the Cloud: Requirements, Risks and Opportunities - ...The Future of Identity in the Cloud: Requirements, Risks and Opportunities - ...
The Future of Identity in the Cloud: Requirements, Risks and Opportunities - ...
gueste4e93e3
 
Cloud Computing in Business and facts
Cloud Computing in Business and factsCloud Computing in Business and facts
Cloud Computing in Business and facts
Arun Ganesh
 

Was ist angesagt? (20)

Cw13 cloud computing & big data by ahmed aamer
Cw13 cloud computing & big data by ahmed aamerCw13 cloud computing & big data by ahmed aamer
Cw13 cloud computing & big data by ahmed aamer
 
Cloud computing security
Cloud computing securityCloud computing security
Cloud computing security
 
Systems Advantage Forum : Autonomous DB e DBaaS
Systems Advantage Forum : Autonomous DB e DBaaS Systems Advantage Forum : Autonomous DB e DBaaS
Systems Advantage Forum : Autonomous DB e DBaaS
 
Cloud Security ("securing the cloud")
Cloud Security ("securing the cloud")Cloud Security ("securing the cloud")
Cloud Security ("securing the cloud")
 
Security & privacy challenges in cloud computing
Security & privacy challenges in cloud computingSecurity & privacy challenges in cloud computing
Security & privacy challenges in cloud computing
 
Capacity Management in a Cloud Computing World
Capacity Management in a Cloud Computing WorldCapacity Management in a Cloud Computing World
Capacity Management in a Cloud Computing World
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
Cloud computing-security-issues
Cloud computing-security-issuesCloud computing-security-issues
Cloud computing-security-issues
 
Challenges in cloud computing to enable future internet of things v0.3
Challenges in cloud computing to enable future internet of things v0.3Challenges in cloud computing to enable future internet of things v0.3
Challenges in cloud computing to enable future internet of things v0.3
 
Embracing Cloud in a Traditional Data Center
Embracing Cloud in a Traditional Data CenterEmbracing Cloud in a Traditional Data Center
Embracing Cloud in a Traditional Data Center
 
Lessons learnt building a Distributed Linked List on S3
Lessons learnt building a Distributed Linked List on S3Lessons learnt building a Distributed Linked List on S3
Lessons learnt building a Distributed Linked List on S3
 
Adopting the open group cloud eco system reference model
Adopting the open group cloud eco system reference modelAdopting the open group cloud eco system reference model
Adopting the open group cloud eco system reference model
 
Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0
 
Advantages to Adoption the Microsoft Cloud - Microsoft Customer Executive Summit
Advantages to Adoption the Microsoft Cloud - Microsoft Customer Executive SummitAdvantages to Adoption the Microsoft Cloud - Microsoft Customer Executive Summit
Advantages to Adoption the Microsoft Cloud - Microsoft Customer Executive Summit
 
Leaders in the Cloud: Identifying Cloud Business Value for Customers
Leaders in the Cloud: Identifying Cloud Business Value for CustomersLeaders in the Cloud: Identifying Cloud Business Value for Customers
Leaders in the Cloud: Identifying Cloud Business Value for Customers
 
CIW Lab with CoheisveFT: Get started in public cloud - Part 1 Cloud & Virtual...
CIW Lab with CoheisveFT: Get started in public cloud - Part 1 Cloud & Virtual...CIW Lab with CoheisveFT: Get started in public cloud - Part 1 Cloud & Virtual...
CIW Lab with CoheisveFT: Get started in public cloud - Part 1 Cloud & Virtual...
 
Security in Cloud Computing
Security in Cloud ComputingSecurity in Cloud Computing
Security in Cloud Computing
 
The Future of Identity in the Cloud: Requirements, Risks and Opportunities - ...
The Future of Identity in the Cloud: Requirements, Risks and Opportunities - ...The Future of Identity in the Cloud: Requirements, Risks and Opportunities - ...
The Future of Identity in the Cloud: Requirements, Risks and Opportunities - ...
 
AAF - Enterprise Architecture and Cloud Computing
AAF - Enterprise Architecture and Cloud ComputingAAF - Enterprise Architecture and Cloud Computing
AAF - Enterprise Architecture and Cloud Computing
 
Cloud Computing in Business and facts
Cloud Computing in Business and factsCloud Computing in Business and facts
Cloud Computing in Business and facts
 

Ähnlich wie Securing your esi_piedmont

Securing_Native_Big_Data_v1
Securing_Native_Big_Data_v1Securing_Native_Big_Data_v1
Securing_Native_Big_Data_v1
Steve Markey
 
E discovery 2-cloud_v5
E discovery 2-cloud_v5E discovery 2-cloud_v5
E discovery 2-cloud_v5
scm24
 
e-Discovery_2_Cloud_v5
e-Discovery_2_Cloud_v5e-Discovery_2_Cloud_v5
e-Discovery_2_Cloud_v5
Steve Markey
 
educational content,educational content,educational content,
educational content,educational content,educational content,educational content,educational content,educational content,
educational content,educational content,educational content,
Olajide Kuku
 

Ähnlich wie Securing your esi_piedmont (20)

Securing_Native_Big_Data_v1
Securing_Native_Big_Data_v1Securing_Native_Big_Data_v1
Securing_Native_Big_Data_v1
 
Guardium Data Activiy Monitor For C- Level Executives
Guardium Data Activiy Monitor For C- Level ExecutivesGuardium Data Activiy Monitor For C- Level Executives
Guardium Data Activiy Monitor For C- Level Executives
 
The Path to IAM Maturity
The Path to IAM MaturityThe Path to IAM Maturity
The Path to IAM Maturity
 
E discovery 2-cloud_v5
E discovery 2-cloud_v5E discovery 2-cloud_v5
E discovery 2-cloud_v5
 
CIA-Triad-Presentation.pdf
CIA-Triad-Presentation.pdfCIA-Triad-Presentation.pdf
CIA-Triad-Presentation.pdf
 
Technology Overview - Symantec Data Loss Prevention (DLP)
Technology Overview - Symantec Data Loss Prevention (DLP)Technology Overview - Symantec Data Loss Prevention (DLP)
Technology Overview - Symantec Data Loss Prevention (DLP)
 
e-Discovery_2_Cloud_v5
e-Discovery_2_Cloud_v5e-Discovery_2_Cloud_v5
e-Discovery_2_Cloud_v5
 
Information protection and compliance
Information protection and complianceInformation protection and compliance
Information protection and compliance
 
Hackers, Cyber Crime and Espionage
Hackers, Cyber Crime and EspionageHackers, Cyber Crime and Espionage
Hackers, Cyber Crime and Espionage
 
Big Data For Threat Detection & Response
Big Data For Threat Detection & ResponseBig Data For Threat Detection & Response
Big Data For Threat Detection & Response
 
Data Leakage Prevention
Data Leakage PreventionData Leakage Prevention
Data Leakage Prevention
 
How to evaluate data protection technologies - Mastercard conference
How to evaluate data protection technologies -  Mastercard conferenceHow to evaluate data protection technologies -  Mastercard conference
How to evaluate data protection technologies - Mastercard conference
 
Office 365 Security, Privacy and Compliance - SMB Nation 2015
Office 365 Security, Privacy and Compliance - SMB Nation 2015Office 365 Security, Privacy and Compliance - SMB Nation 2015
Office 365 Security, Privacy and Compliance - SMB Nation 2015
 
educational content,educational content,educational content,
educational content,educational content,educational content,educational content,educational content,educational content,
educational content,educational content,educational content,
 
Security and privacy of cloud data: what you need to know (Interop)
Security and privacy of cloud data: what you need to know (Interop)Security and privacy of cloud data: what you need to know (Interop)
Security and privacy of cloud data: what you need to know (Interop)
 
Aligning Application Security to Compliance
Aligning Application Security to ComplianceAligning Application Security to Compliance
Aligning Application Security to Compliance
 
Top five configuration security errors and how to avoid them - DEM09-S - Chic...
Top five configuration security errors and how to avoid them - DEM09-S - Chic...Top five configuration security errors and how to avoid them - DEM09-S - Chic...
Top five configuration security errors and how to avoid them - DEM09-S - Chic...
 
Privacies are Coming
Privacies are ComingPrivacies are Coming
Privacies are Coming
 
Security data deluge
Security data delugeSecurity data deluge
Security data deluge
 
DSS.LV - Principles Of Data Protection - March2015 By Arturs Filatovs
DSS.LV - Principles Of Data Protection - March2015 By Arturs FilatovsDSS.LV - Principles Of Data Protection - March2015 By Arturs Filatovs
DSS.LV - Principles Of Data Protection - March2015 By Arturs Filatovs
 

Kürzlich hochgeladen

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 

Kürzlich hochgeladen (20)

Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 

Securing your esi_piedmont

  • 1. Securing Your ESI Steven C. Markey, MSIS, PMP, CISSP, CIPP, CISM, CISA, STS-EV, CCSK, CompTIA Cloud Essentials Principal, nControl, LLC Adjunct Professor President, Cloud Security Alliance – Delaware Valley Chapter (CSA-DelVal)
  • 2. Securing Your ESI • Presentation Overview – WI3FM….? – ESI Overview – Security Overview – Security Tips & Tricks
  • 3. Securing Your ESI • WI3FM – What is in it for me? – Why should I care?
  • 4. Securing Your ESI • Data Breaches & Security Incidents – Average Cost: $7.2 million – http://www.networkworld.com/news/2011/030811- ponemon-data-breach.html – Leading Cause: Negligence, 41%; Hacks, 31% – http://www.networkworld.com/news/2011/030811- ponemon-data-breach.html – Responsible Party: Vendors, 39% – http://www.theiia.org/chapters/index.cfm/view.news_detail/ cid/197/newsid/13809 – Increased Frequency: 2010-2011, 58% – http://www.out-law.com/en/articles/2011/october/personal- data-breaches-on-the-increase-in-private-sector-reports-ico/
  • 8.
  • 9. Securing Your ESI • ESI Overview – Electronically Stored Information (ESI) • Defined for the federal rules of civil procedure (FRCP): – Information created, manipulated, communicated, stored, and best utilized in digital form, requiring the use of computer hardware and software. » http://www.law.northwestern.edu/journals/njtip/v4/n2/3/ • Structured ESI – Stored in database or content management systems. » Examples: Claims, Brokerage / e-Commerce Transactions • Unstructured ESI – Free-form information stored in a manner that is difficult to search within. » Examples: Tweets, Web Site Content, Word Document Content
  • 10. Securing Your ESI • Security Overview – CIA Triad • Confidentiality – Categorization / Classification – Privacy – Least Privilege – AAA: Authentication, Authorization and Accounting • Integrity – Nonrepudiation – Segregation / Separation of Duties • Availability – Business Continuity (BC) / Disaster Recovery (DR) – Defense-in-Depth
  • 12. Securing Your ESI • Vendor Selection – Service-Level Agreements (SLAs) • Temporal Service Contract – Term – Metrics – Definitions – Cause for X (e.g. Termination / Exit Clause) – Certifications / Attestations • SAS 70 Type II / SSAE 16 (SOC 1 / 2 / 3) / ISAE 3402 • ISO 27001 / 2, 27036, 15489 • BITS Shared Assessments • PCI DSS • HIPAA / HITECH
  • 13. Securing Your ESI • Vendor Selection – Incident Response • Computer Security Incident Response Team (CSIRT) – Digital Forensics • Legal Hold / Litigation Response / e-Discovery – Electronic Discovery Reference Model (EDRM) – FRCP 30(b)(6) – Right to Audit • Use your internal vendor assessment team or a mutually agreed upon third party.
  • 14. Securing Your ESI • Mobile Device Security Guidance – Devices • Not all devices are the same. • Balancing Act (Draconian versus Cow-folk) – People lose stuff all the time. • Who owns the device? – Bring Your Own Device (BYOD) = consumerization of IT • Is device content discoverable? • Vicarious Liability – Driving & Texting / Talking – Mobile Device User Acceptance Policy – Applications / Data • Not all applications are the same. • Segment Work & Play – Sandboxing / Data-boxing – Mobile Facebook App Pulls / Pushes Data to Address Book
  • 15. Securing Your ESI • Physical Media Security Guidance – Laptops / Tablets • They should be password-protected / encrypted. • Wipe / degauss hard disk drive (HDD) before shredding. • Receive a certificate / bill of laden for shredding. – Thumb Drives / External Hard Drives • They should be password-protected / encrypted. • Wipe / degauss before shredding. • Receive a certificate / bill of laden for shredding. – Backup Tapes • They should be in your records retention schedule (RRS). • Information Lifecycle • They should be password-protected / encrypted. • Wipe / degauss before shredding. • Receive a certificate / bill of laden for shredding.
  • 16. Securing Your ESI • Cloud Security Guidance – Change / Configuration Management, Provisioning – Matrices • CSA Consensus Assessments Initiative Questionnaire • CSA Cloud Controls Matrix • BITS Enterprise Cloud Self-Assessment • BITS Shared Assessments – Guidance Specifically for the Cloud • Cloud Security Alliance (CSA) Guide v3.0 • CSA Security, Trust & Assurance Registry (STAR) • ENISA Cloud Computing Risk Assessment • NIST SP 800-144 Guidelines Security / Privacy for a Public Cloud
  • 17. Securing Your ESI • Big Data Security Guidance – Information Management • Generally Accepted Recordkeeping Principles (GARP®) • Information Governance Reference Model (IGRM) • Information Lifecycle Management (ILM) • MIKE2.0 • ISO 23081 (Records Metadata) – Known Black Ice • Log Files • Web Metadata • Non-Relational, Distributed Databases (NRDBMS, e.g. NoSQL) • Data Backups (Tapes, Cloud Object Storage) • Social Media
  • 18. Securing Your ESI • Social Media Security Guidance – Sites • Manage (Strategy, Policy, Access, Auditing, e-Discovery) • Strong Passwords • Change / Configuration Management – Provisioning / De-provisioning • Haters (Competitors, Former Employees / Customers) • Wash & Repeat • Mobile Apps for Approved Personnel? – Applications • Immature • Insecure • Discoverable?
19. Securing Your ESI
• Security Tips & Tricks
  – Governance, Risk & Compliance (GRC)
  – Encryption / Hashing
  – Authentication, Authorization & Accounting (AAA)
  – Change / Configuration Management
  – Incident Response / e-Discovery / DR Testing
  – Physical Access
  – End User Training
20. Securing Your ESI
• GRC
  – Documented controls and safeguards.
    • Potential audit findings and remediation actions.
  – Enterprise view of compliance.
    • Potential functional / system / application view as well.
  – Establish standards, best practices and guidance.
    • Make users, vendors and partners aware of these.
21. Securing Your ESI
• Encryption / Hashing
  – Data at Rest (DAR)
    • Object (File, Table, Record, Column), Volume or Block
  – Data in Motion (DIM)
    • 'Across the wire', data-com link
  – Data in Use (DIU)
    • Data being processed in memory; the hardest state to protect, addressed at the application / field level (masking, tokenization) rather than by volume or block encryption.
22. Securing Your ESI
• Encryption / Hashing
  – Nuances
    • Encryption wraps a layer of protection around your information and is reversible with the key.
      – Public Key Infrastructure (PKI) underpins: VPN, TLS / SSL, S/MIME, and WPA-Enterprise (certificate-based EAP).
    • Hashing is one-way: a fixed-length digest from which the input cannot be recovered, used for integrity checks and for storing secrets you never need back.
      – Database hashing: HMAC with SHA-2 / SHA-3. MD5 and SHA-1 have practical collision attacks and should not be used for new work.
      – An unkeyed hash of a low-entropy value (SSN, DOB, phone number) can be reversed by enumeration; use a keyed HMAC or a slow, salted password hash.
  – Key Management
    • If you lose the encryption key then your data is lost.
      – Try telling Legal, a judge or an attorney that!
    • Escrow / back up keys separately from the data they protect, and rotate them on a schedule.
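Added example, not part of the original slides, showing the database-hashing nuance above: an unkeyed SHA-256 of a nine-digit SSN is trivially reversed by enumeration, while an HMAC under a secret key is not. The records, the key value and the attacker's guessed key are constructed for the example; in production the HMAC key lives in a KMS / HSM, never beside the data.

```python
"""Unkeyed hash versus keyed HMAC for low-entropy ESI (added example).

Standard library only. The SSNs are fictitious; DB_HMAC_KEY is a fixed,
hypothetical key so the example is reproducible.
"""
import functools
import hashlib
import hmac
from typing import Callable, Optional

# Constructed sample records (fictitious SSNs).
RECORDS = ["123-45-6789", "987-65-4321", "555-12-3456"]

# Hypothetical per-database secret. Fixed here for reproducibility only.
DB_HMAC_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c" * 2)


def weak_token(ssn: str) -> str:
    """Unkeyed SHA-256 of the SSN: deterministic, fast and precomputable."""
    return hashlib.sha256(ssn.encode()).hexdigest()


def keyed_token(ssn: str, key: bytes = DB_HMAC_KEY) -> str:
    """HMAC-SHA-256 of the SSN under a secret key.

    Still deterministic (so exact-match lookups work), but an attacker who
    dumps the column cannot recompute candidates without the key.
    """
    return hmac.new(key, ssn.encode(), hashlib.sha256).hexdigest()


# What an attacker without the real key can do: HMAC under a guessed key.
attacker_guess_token: Callable[[str], str] = functools.partial(
    keyed_token, key=b"attacker's guess at the key"
)


def brute_force(target: str, tokenizer: Callable[[str], str],
                prefix: str) -> Optional[str]:
    """Recover an SSN from its token by enumerating the last four digits
    of a known area/group prefix.

    10**4 SHA-256 calls take milliseconds; even the full 10**9 SSN space
    is minutes of work on one core, which is why an unkeyed hash of an
    SSN is not a protection. Returns None when no candidate matches.
    """
    for n in range(10_000):
        candidate = f"{prefix}-{n:04d}"
        if hmac.compare_digest(tokenizer(candidate), target):
            return candidate
    return None


def tokenize_records(keyed: bool = True) -> dict:
    """Build the stored column for RECORDS, keyed or unkeyed."""
    fn = keyed_token if keyed else weak_token
    return {ssn: fn(ssn) for ssn in RECORDS}


if __name__ == "__main__":
    stolen_weak = tokenize_records(keyed=False)["123-45-6789"]
    print("unkeyed hash reversed to:",
          brute_force(stolen_weak, weak_token, "123-45"))
    stolen_keyed = tokenize_records(keyed=True)["123-45-6789"]
    print("keyed HMAC reversed to:",
          brute_force(stolen_keyed, attacker_guess_token, "123-45"))
```

The keyed version only helps if the key is managed as the slide says: stored and backed up apart from the database, and rotated (which means re-tokenizing the column). Losing the key does not lose the data here, but it does lose the ability to look records up by token.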
23. Securing Your ESI
• AAA
  – Authentication
    • Validating that the user is who they claim to be.
  – Authorization
    • Granting only the least privilege the user needs, and denying everything else by default.
  – Accounting
    • Tracking the user's actions in a record that the user cannot alter.
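Added example, not from the original slides, showing the authorization and accounting halves of AAA together: a deny-by-default role-to-permission check, and an accounting log whose entries are hash-chained so that editing or deleting a past record is detectable when the log is later handed to e-Discovery. The role map, users and resource names are hypothetical.

```python
"""Least-privilege authorization with a tamper-evident accounting log
(added example; standard library only).
"""
import hashlib
import json
from typing import Dict, List, Set, Tuple

# Hypothetical role -> permission map. Anything not listed is denied.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "claims_adjuster": {("read", "claims"), ("update", "claims")},
    "auditor": {("read", "claims"), ("read", "audit_log")},
}

# Constructed user directory: user -> roles.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"claims_adjuster"},
    "bob": {"auditor"},
}

GENESIS = "0" * 64  # 'previous digest' for the first entry


def authorize(user: str, action: str, resource: str) -> bool:
    """Deny by default: allow only if some role of the user grants
    exactly this (action, resource) pair. Unknown users have no roles."""
    roles = USER_ROLES.get(user, set())
    return any((action, resource) in ROLE_PERMISSIONS.get(r, set())
               for r in roles)


class AuditLog:
    """Append-only accounting log. Each entry carries the digest of the
    previous entry, so removing, reordering or rewriting an entry breaks
    the chain from that point on."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "digest"}
        canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canon.encode()).hexdigest()

    def record(self, user: str, action: str, resource: str,
               allowed: bool) -> dict:
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "user": user, "action": action,
                 "resource": resource, "allowed": allowed, "prev": prev}
        entry["digest"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if every entry's digest and back-link check out."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if (e.get("seq") != i or e.get("prev") != prev
                    or self._digest(e) != e.get("digest")):
                return False
            prev = e["digest"]
        return True


def access(log: AuditLog, user: str, action: str, resource: str) -> bool:
    """Authorize and account for the decision, allowed or not.
    Denied attempts are exactly what incident response wants to see."""
    allowed = authorize(user, action, resource)
    log.record(user, action, resource, allowed)
    return allowed


if __name__ == "__main__":
    log = AuditLog()
    print(access(log, "alice", "update", "claims"))   # True
    print(access(log, "bob", "update", "claims"))     # False: auditor reads only
    print(access(log, "mallory", "read", "claims"))   # False: unknown user
    print("log intact:", log.verify())
    log.entries[1]["allowed"] = True                  # insider edits history
    print("log intact after edit:", log.verify())     # False
```

In a real deployment the chain head (the latest digest) is shipped to a separate, write-once store or a third party at intervals; otherwise an attacker with write access to the whole log can simply rebuild the chain.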
24. Securing Your ESI
• Identity & Access Management (IAM)
  – Single Sign-on (SSO)
    • Allows a user to gain access to multiple systems / apps with one credential.
      – Reduces password fatigue, but concentrates risk in that one credential, so protect it with a second factor.
    • Implementations
      – Externally
        » One-time Password (OTP) tokens
        » Federated identity / security tokens
        » Smart card / Two-Factor Authentication (2FA)
        » Remote Authentication Dial-In User Service (RADIUS)
      – Internally
        » Kerberos
        » Lightweight Directory Access Protocol (LDAP)
25. Securing Your ESI
• IAM Technologies
  – Federated Identity
    • OpenID
    • OAuth
    • Security Assertion Markup Language (SAML)
    • Web Services Trust Language (WS-Trust)
    • Representational State Transfer (REST): the interface style the newer token protocols ride on, not a federation protocol in itself
    • Active Directory Federation Services (ADFS)
      – Microsoft Federation Gateway (MFG)
27. Securing Your ESI
• Password Tips & Tricks
  – Use a password.
  – Create a strong password / PIN.
    • Alphanumeric with at least one uppercase letter, one lowercase letter, one number and one special character; length matters more than any single character class.
    • No dictionary words, SSNs, kids' or pets' names, dates of birth or addresses.
    • No usernames.
    • Use different passwords for different accounts.
  – Protect it.
    • Use a password manager; a written password book only if it is kept locked away.
  – Change it.
    • Semi-annually, and immediately on any suspicion of compromise. (Current NIST SP 800-63B guidance drops scheduled rotation in favour of rotation on compromise, when the system screens passwords against breach lists and supports a second factor.)
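Added example, not from the original slides: a checker for the password rules listed above (with a 12-character minimum added as an assumption), plus the storage side the slide leaves implicit, a salted, slow PBKDF2-HMAC-SHA-256 hash with constant-time verification. The dictionary is a tiny constructed stand-in for a real breached-password list.

```python
"""Password policy check and salted PBKDF2 storage (added example;
standard library only).
"""
import base64
import hashlib
import hmac
import os
import re
from typing import Iterable, List

# Constructed stand-in for a real dictionary / breached-password list.
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "admin",
                "qwerty", "monkey", "dragon"}
MIN_LENGTH = 12  # assumption; the slide states no minimum
SSN_PATTERN = re.compile(r"\d{3}-?\d{2}-?\d{4}")


def policy_violations(password: str, username: str = "",
                      personal: Iterable[str] = ()) -> List[str]:
    """Return every rule the password breaks; an empty list means it passes.
    `personal` holds strings the user should never embed (kids, pets, DOB,
    street), supplied by the caller from what it knows about the user."""
    v: List[str] = []
    if len(password) < MIN_LENGTH:
        v.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        v.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        v.append("no lowercase letter")
    if not re.search(r"\d", password):
        v.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        v.append("no special character")
    lowered = password.lower()
    if username and username.lower() in lowered:
        v.append("contains username")
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            v.append(f"contains dictionary word {word!r}")
    for item in personal:
        if item and item.lower() in lowered:
            v.append(f"contains personal detail {item!r}")
    if SSN_PATTERN.search(password):
        v.append("looks like an SSN")
    return v


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Salted PBKDF2-HMAC-SHA-256. 600k iterations matches current OWASP
    guidance for PBKDF2-SHA256; the cost is stored with the hash so it
    can be raised later without breaking old records."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    b64 = lambda b: base64.b64encode(b).decode()
    return f"pbkdf2_sha256${iterations}${b64(salt)}${b64(dk)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute under the stored salt/cost and compare in constant time."""
    algo, iters, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    print(policy_violations("Summer1975!!", "steve", personal=("1975",)))
    print(policy_violations("Tr0ub4dor&3x!", "steve"))   # []
    rec = hash_password("Tr0ub4dor&3x!", iterations=50_000)
    print(verify_password("Tr0ub4dor&3x!", rec), verify_password("wrong", rec))
```

Checking a password against the user's own details (username, DOB, family names) is what turns the slide's "no kids, pets, DOBs" rule into something enforceable; the system has to know those details to check them.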
28. Securing Your ESI
• Change / Configuration Management
  – Process
    • Cost, GRC & quality are huge drivers for:
      – Software Development Lifecycle (SDLC)
      – Project Management Office (PMO), Project Portfolio Management (PPM)
      – Lean / Six Sigma, ISO 9000, CMMI
  – Provisioning / De-provisioning
    • On-boarding / Off-boarding
      – Profit Centers / Business Units / Functions
      – Data
      – Applications
      – Vendors / Partners
      – Customers
    • Periodic Reviews of Processes & Accounts
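Added example, not from the original slides, of the periodic account review the slide calls for: reconcile application accounts against the HR roster and vendor contract dates to find accounts that should have been de-provisioned, service accounts with no owner, and dormant accounts. The roster, contracts, accounts and the 90-day dormancy threshold are constructed for the example.

```python
"""Periodic account review: orphaned, expired-vendor, ownerless and
dormant accounts (added example; standard library only).
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Account:
    username: str
    owner: str                    # employee ID, vendor name, or "" if none
    kind: str                     # "employee" | "vendor" | "service"
    last_login: Optional[date]
    expires: Optional[date]       # contract end for vendor accounts


# Constructed HR roster: employee -> status.
HR_ROSTER: Dict[str, str] = {"alice": "active", "bob": "terminated",
                             "carol": "active"}

# Constructed account dump from an application.
ACCOUNTS: List[Account] = [
    Account("alice", "alice", "employee", date(2012, 1, 3), None),
    Account("bob", "bob", "employee", date(2011, 9, 30), None),
    Account("dave", "dave", "employee", date(2012, 1, 5), None),
    Account("svc_backup", "", "service", date(2012, 1, 6), None),
    Account("acme_support", "acme", "vendor", date(2012, 1, 2),
            date(2011, 12, 31)),
    Account("carol", "carol", "employee", date(2011, 5, 1), None),
]
TODAY = date(2012, 1, 10)


def review(accounts: List[Account], roster: Dict[str, str], today: date,
           dormant_days: int = 90) -> Dict[str, List[str]]:
    """Classify accounts that need action. One account can appear under
    several findings (a terminated employee's account is usually also
    dormant)."""
    findings: Dict[str, List[str]] = {
        "orphaned": [],        # employee not active in HR (or unknown)
        "expired_vendor": [],  # vendor account past contract end
        "no_owner": [],        # service account nobody is accountable for
        "dormant": [],         # no login within dormant_days
    }
    for a in accounts:
        if a.kind == "employee" and roster.get(a.owner) != "active":
            findings["orphaned"].append(a.username)
        elif a.kind == "vendor" and a.expires and today > a.expires:
            findings["expired_vendor"].append(a.username)
        elif a.kind == "service" and not a.owner:
            findings["no_owner"].append(a.username)
        if a.last_login is None or (today - a.last_login).days > dormant_days:
            findings["dormant"].append(a.username)
    return findings


def needs_action(findings: Dict[str, List[str]]) -> List[str]:
    """De-duplicated list of usernames to disable or escalate, in the
    order they first appear."""
    seen: List[str] = []
    for names in findings.values():
        for n in names:
            if n not in seen:
                seen.append(n)
    return seen


if __name__ == "__main__":
    result = review(ACCOUNTS, HR_ROSTER, TODAY)
    for category, names in result.items():
        print(f"{category:15s} {names}")
    print("disable/escalate:", needs_action(result))
```

Run this as a scheduled job against every system of record, not just the directory: the accounts that survive off-boarding are the ones in applications HR never knew about.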
29. Securing Your ESI
• Incident Response / e-Discovery / DR Testing
  – Practice makes perfect.
    • Wash & Repeat
  – Crawl → Walk → Run
    • Crawl: internal tabletop testing.
    • Walk: internal exercise, "because you have nothing better to do on a Saturday".
    • Run: incorporate vendors, partners and customers.
30. Securing Your ESI
• Physical Security
  – Privacy Screen
  – Physical Location & Office Access
  – Dumpster Diving
  – Lost Hard-copy Reports
(Images: Amazon, Flickr)
31. Securing Your ESI
• End-user Training
  – New hires
    • Especially millennials (IT consumerization).
  – Quarterly Computer-based Training (CBT)
    • For heavily regulated industries.
  – Annual On-site Training
    • Be liberal with the swag.
    • Pilot new marketing campaigns (logo, tag, brand).
  – Educate Your Ecosystem
32. Securing Your ESI
• Take-aways
  – Educate Your Ecosystem
  – Healthy Dose of Skepticism
  – Embrace Change Pragmatically
  – Secured Technology is an Enabler
  – Privacy is Important Too
33.
• Questions?
• Contact
  – Email: steve@ncontrol-llc.com
  – Twitter: @markes1, @casdelval2011
  – LinkedIn: http://www.linkedin.com/in/smarkey