Discover, Protect, &
Securely Share Sensitive
Corporate Data
04/21/09 | Session ID: SPO-105
Erik T. Heidt, Assistant Vice President and
Information Security Architect, Fifth Third Bank
Dale Whiteaker-Lewis, IT Security Consultant, Dell
Rich Mogull, Analyst, Securosis
Tom Corn, VP Products, RSA, The Security Division
of EMC
John Chirapurath, Director, Identity and Security
Business Group, Microsoft
Agenda
Today’s realities – the challenges of securing data
What’s out there: strengths and weaknesses of
information protection technologies
“A-ha” moments: Lessons from real world deployments
The Future: Where is information protection headed?
Q&A
Why is Information Security So Difficult?
…because sensitive information is always moving and transforming
[Diagram: sensitive information moving across five tiers: Endpoint, Network/E-mail, Apps/DB, FS/CMS, Storage. Labels include Customers, Partners, Internal Employees, Remote Employees, Remote Campuses, Privileged Users, WWW, WAN, LAN, VPN, Customer Entry Point, Partner Entry Point, Enterprise Applications, Portals, Business Analytics, Collaboration & Content Mgmt Systems, Production Database, Replica, File Server, Disk Arrays, Backup System, Backup Disk, Backup Tape.]
Key Takeaways
• Focus: Start with top 1 - 3 drivers/policies
• Don’t just focus on controls – look at the processes that are causing
the problem. Work with BU and data owners to resolve
• Leverage DLP to educate employees on corporate policies
• Automate the data protection, and make it easy for end users.
• Roll out remediation in stages: Audit → Notify → Active Blocking.
• Governance Reporting: Help management understand the value of the
solution in reducing risk
• Protecting data is an end to end problem; leveraging the infrastructure
is critical to scalability
• This is about applying the right controls based on Identity (who),
Information (what) and Infrastructure (where)
Process for Securing Information
• Define & Manage Policies
  Examples: DLP Management, Enterprise Key Management
• Monitor, Audit and Review
  Example: Security Information and Event Management
• Make Policy Decisions
  Example: DLP Discovery & Monitoring
• Enforce Policy
  Examples: Enterprise Rights Management, Encryption
Information Risk
• Presence of High Value Data or Credentials
• Inadequate controls on Info, Identity or Infrastructure