Thursday, February 28, 2008

Can you buy PCI compliance? A good article from Information Week: http://informationweek.com/security/showArticle.jhtml?articleID=206800868

Of course, you can get solid advice from vendors, but technology is just one part of the equation. First, you should evaluate whether you have the right skill set in your organization, then you should evaluate your current processes and re-engineer them if needed. Only when you have evaluated both people and processes should you start evaluating technology.

A database of stolen passwords found by Finjan: http://www.eweek.com/c/a/Security/Finjan-Finds-Database-of-8700-Stolen-FTP-Credentials/

Passwords should be treated as highly sensitive information: users often reuse them, so a single leaked password can lead to the loss of all types of sensitive information across information systems. However, passwords are hard to scan for unless you already have a database of passwords to match against. If passwords have to be stored electronically, they should stay encrypted at all times.

Sunday, February 17, 2008

New study from Symantec

IT organizations are now reporting back to Symantec's survey that work on regulatory compliance is either comparable to other projects, or more important than risk mitigation efforts: http://www.infoworld.com/article/08/01/31/Study-reframes-IT-risk-management_1.html

This should be good news for information loss prevention programs, as PCI is definitely a driver for improved controls on how and when information is shared and to whom.

I believe the future trend will be divestment from some security strategies historically undertaken by an organization, such as extranet solutions, firewall deployments, etc., and that the major investments for the future are in a blend of identity management and entitlement management. If you look at current encryption solutions, they usually stop at the enterprise egress point, as most organizations are not able to convince their partners to agree on a federation model.

It is time to divest from underperforming security initiatives and invest in areas where you can find a better return on your investment. Today, investment in compliance can provide better ROI than merely investing in security controls. If you combine your investments so that you improve uptime, enable the business, and can prove compliance, you find much more value than in security controls alone.

Saturday, February 09, 2008

Databases and DLP

Quote from an article in eWeek: http://www.eweek.com/c/a/Security/DLP-DAM-Share-Common-Data-Security-Objectives/ "Most every security monitoring technology would benefit from DLP content awareness, which is the ability to recognize sensitive content on the fly," said Paul Proctor, an analyst with Gartner.

I completely agree. I believe DLP vendors need to address databases along with repositories, email, and endpoints. Furthermore, such solutions should also protect any sensitive information leaving the database.

Amendments to the Federal Rules of Civil Procedure, FRCP, are creating opportunities for content management solutions: http://www.byteandswitch.com/document.asp?doc_id=144806&WT.svl=news1_6

Some solutions sit on email and use keywords and phrases; others enable retrieval from tapes and other media.

At some point in the not so distant future, eDiscovery solutions and ILP (information loss prevention) solutions will probably merge, as they are both solving much the same problem.

Friday, February 08, 2008

Eli Lilly legal documents wrongfully sent to the New York Times in a billion-dollar lawsuit

Eli Lilly could probably have been better protected if it had in place a federated trust with its law firm, Pepper Hamilton, and so had the opportunity to protect its confidential communication with outside counsel. This is truly a case where Digital Rights Management could have protected their information.

http://news.cnet.co.uk/software/0,39029694,49295453,00.htm

This case of information leak is enlightening in several aspects.

One, Eli Lilly could potentially have lost ground in a serious legal matter.

Two, this was an understandable mistake by the outside counsel, although one could argue that more care should have been taken. Awareness is key, and an awareness program can reduce the risk of such incidents.

Three, when conducting business with partners, just having legal agreements in place on how information is to be handled is not good enough. Contractual obligations should be audited against. This email could potentially have been stopped at the email server if an information loss prevention solution had been in place.

Thursday, February 07, 2008

An interesting book from the CEO of Kaiser Permanente, George Halvorson: http://www.healthcarereformnow.org/

In the second hard truth, Mr. Halvorson discusses care linkage deficiencies, where he describes how medical doctors create paper-based medical records for their patients.

It is commendable that a person like Mr. Halvorson, who has so much influence, is actively driving the digitizing of health care records. If these records are made easily available to care providers as well as care recipients, great efficiencies can be created.

Digitizing medical records does come with some security concerns, which should be addressed. Only authorized personnel should have access. Anecdotal evidence which I have seen and heard points to the need for improving the culture in the health care industry with regard to safeguarding patient information. An awareness campaign is needed among care givers to educate them on how best to secure such information. Furthermore, tools need to be made available to health care professionals that allow them to continue to provide health care without being bogged down by security measures that hinder them in their work.

These tools should address the who, what, when and where of access to highly sensitive information such as patient records, while enabling health care professionals to spend more time caring for patients. So these tools must enable secure collaboration such that each professional who needs information readily has it, but is restricted to only that information and not all information on all patients.

An article in SC Magazine, written by Joel Christner of Reconnex, discussing learning to address High Business Impact, HBI, information in the enterprise: http://www.scmagazineus.com/Learning-applications-Revolutionizing-data-loss-prevention/article/105073/

Entitlement management

Entitlement management is important not only for your security posture, but also for your compliance efforts for SOX and PCI.

The problem with entitlement management is of course knowing who has access to what. You probably know who, unless you have too broad an access policy on your information. How would you know if your access is too broad? You need to scan for large user groups and global groups. These groups should not be allowed access to sensitive and highly sensitive information. Do you know all the instances of sensitive and highly sensitive information within your organization? You can of course use DLP to scan for these information types. The problem is that DLP solutions do not map back to who had access when.

Given these questions and problems, what are you to do?

One, scan all your information and identify where you have highly sensitive and sensitive information.

When this has been identified, you need to keep a persistent classification of the information, so a classification solution must be deployed and implemented.

When you have applied the classification, you need to ensure that large groups and/or global groups do not have access to this information.

For information where you need to validate that users who should have access do have access, and users who should not have access do not, the custodians of the sensitive information are required to validate the users who have access. By forcing the validation at the lowest level possible, you can effectively address the biggest problem in organizations today, which is entitlement creep. Entitlement creep happens when employees move from one job to another, or the job changes over time, and access needs change with them. Most often, when this happens, the employee gets access to the new areas needed for their job, but the old entitlements are not removed. By clearly assigning custodianship at as low a level as possible, this can be taken care of, provided the custodians are reminded periodically to validate who should have access and are aware that they are also audited against their accountability.

In other words, the full solution is to map your scanning of sensitive information to your identity management systems, along with a classification and remediation solution.
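The scan, classification, broad-group check and custodian validation steps above as one added audit script (not the blog's or any product's code). It assumes a DLP scan result keyed by path with a label, an ACL export of groups per path, directory group sizes and a share-root-to-custodian map, all constructed inline; the "large group" threshold is an assumption.

```python
# Added example (not from any product): audit a constructed DLP scan result and
# ACL export for sensitive paths readable by global or large groups, then build
# the per-custodian re-validation list described above.
from collections import defaultdict

# Constructed sample data: scan labels, share ACLs, group sizes, custodians.
SCAN_RESULTS = {"//fs1/finance/q4-forecast.xlsx": "highly sensitive",
                "//fs1/hr/salary-review.docx": "highly sensitive",
                "//fs1/marketing/brochure.pdf": "public",
                "//fs1/legal/outside-counsel/settlement.docx": "sensitive"}
ACLS = {"//fs1/finance/q4-forecast.xlsx": ["Domain Users", "Finance-Leads"],
        "//fs1/hr/salary-review.docx": ["HR-Comp"],
        "//fs1/marketing/brochure.pdf": ["Everyone"],
        "//fs1/legal/outside-counsel/settlement.docx": ["Legal-Staff", "All-Employees"]}
GROUP_SIZES = {"Domain Users": 8200, "Everyone": 9000, "All-Employees": 8100,
               "Finance-Leads": 12, "HR-Comp": 5, "Legal-Staff": 40}
CUSTODIANS = {"//fs1/finance": "cfo-office", "//fs1/hr": "hr-director",
              "//fs1/legal": "general-counsel", "//fs1/marketing": "cmo-office"}
GLOBAL_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}
SENSITIVE = {"sensitive", "highly sensitive"}
BROAD_THRESHOLD = 500  # assumed cut-off above which a group counts as "large"

def is_broad(group):
    # A global group, or any group at or above the size threshold.
    return group in GLOBAL_GROUPS or GROUP_SIZES.get(group, 0) >= BROAD_THRESHOLD

def custodian_for(path):
    # Longest matching share root wins, so nested folders resolve to one owner.
    roots = [r for r in CUSTODIANS if path.startswith(r + "/")]
    return CUSTODIANS[max(roots, key=len)] if roots else None

def find_violations():
    # Sensitive paths a broad group can read: (path, label, groups, custodian).
    out = []
    for path, label in SCAN_RESULTS.items():
        if label not in SENSITIVE:
            continue
        broad = sorted(g for g in ACLS.get(path, []) if is_broad(g))
        if broad:
            out.append((path, label, broad, custodian_for(path)))
    return sorted(out)

def attestation_queue():
    # Per custodian: each sensitive path with the named groups to re-validate.
    queue = defaultdict(list)
    for path, label in SCAN_RESULTS.items():
        if label in SENSITIVE:
            named = [g for g in ACLS.get(path, []) if not is_broad(g)]
            queue[custodian_for(path)].append((path, named))
    return dict(queue)
```

The violation list is the remediation work (remove the broad group), and the attestation queue is what each custodian is periodically asked to confirm.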

Wednesday, February 06, 2008

According to the Ponemon Institute, 69% of employees have access to too much information. This validates the need for tighter entitlement management: http://www.informationweek.com/news/showArticle.jhtml?articleID=206104613&subSection=News

Monday, February 04, 2008

An article by Rich Mogull about selecting the right DLP solution for your needs: http://www.networkworld.com/columnists/2008/020408insider.html

Among his most important criteria are to identify your key stakeholders within the organization, then agree on what problems to solve and how, and then choose the right solution. I very much agree with this approach.

Vontu gets coverage on CNNMoney.com for winning a contract to protect health information at The Mount Sinai Medical Center. It seems that Mount Sinai chose a desktop/laptop solution to protect its information: http://money.cnn.com/news/newsfeeds/articles/marketwire/0356611.htm

Agent versus no agent: what is the right answer?

When looking at DLP as well as other security products such as patch management, anti-virus, etc., the question comes to mind: is an agent on the endpoint the answer?

It is neither yes nor no. Agents have two main problems: reach and failure rate. For reach, you have to either push an agent out via a systems management solution, GPO, or script, or distribute it via a portal. Achieving 100% reach in a large organization usually becomes either too expensive or outright impossible if your network is segmented into areas under different management, such as lab versus production.

The right answer is a mix: agents on high-risk desktops, laptops and mobile devices; applications or appliances on email servers and data center servers such as repository systems, line-of-business applications and databases; and applications/appliances on network ingress/egress points. It is also important to note that if you need to transport sensitive information between organizations, you need to ensure contractual obligations are put in place and met between the organizations.

There are several good ways to deploy agents. One is to use Group Policy Software Installation, GPSI; another is to use System Center, Tivoli, or other agent management systems. You could of course also use a portal, such that if a user went to a line-of-business portal to retrieve sensitive information, they would have to download and install an agent before they were allowed access to the information. The benefit of using an agent management system is of course the breadth of information these systems provide: installation metrics, health metrics, reach, etc.

In my opinion, the perfect agent would be installed seamlessly via an agent management system and would control what the user can do with the information without impeding productivity. So, for example, blocking USB might not be the answer if the user has a genuine need to transport information on a USB key. A better approach would be to ask, when information goes onto a USB key: is it sensitive, and is it protected? If the information is sensitive and not protected, the solution should interact with the user and make it easy to do the right thing. The same goes for email and any other channel where the user may divulge sensitive information. For file transfers, a transfer would be approved or disapproved based on the content's sensitivity and where it is going, and protected appropriately.
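The sensitivity-plus-destination decision described above, as an added example (not the blog's or any vendor's code). It assumes an [HBI] classification tag carried in the content, card-number detection with a Luhn check standing in for DLP content awareness, and four constructed destination classes (internal, partner under contract, USB, external).

```python
# Added example (not from any DLP vendor): the decision the agent described above
# would make when content leaves the endpoint. Card-number detection with a Luhn
# check stands in for content awareness; destination classes are assumptions.
import re

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")  # 13-16 digits, optional separators
HBI_TAG = "[HBI]"  # assumed persistent classification label embedded in content
DESTINATIONS = {  # assumed destination classes, see the lead-in
    "internal": "trusted",
    "partner-with-contract": "contracted",
    "usb": "removable",
    "external": "untrusted",
}

def luhn_ok(digits):
    # Standard Luhn checksum; filters random digit runs from real card numbers.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text):
    # Highly sensitive if tagged as HBI or if a Luhn-valid card number appears.
    if HBI_TAG in text:
        return "highly sensitive"
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return "highly sensitive"
    return "public"

def decide(text, destination, protected=False):
    # Returns allow / block / prompt-to-protect for one outgoing transfer.
    if classify(text) == "public":
        return "allow"
    kind = DESTINATIONS[destination]
    if kind == "trusted":
        return "allow"
    if kind == "untrusted":
        return "block"
    # Contracted partner or removable media: sensitive data may travel, but only
    # protected; otherwise ask the user to protect it rather than silently blocking.
    return "allow" if protected else "prompt-to-protect"
```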

Friday, February 01, 2008

Omnibank customer information was stolen, leading to the creation of false ATM cards which criminals then used to obtain cash: http://breachblog.com/2008/01/28/omni.aspx

According to news stories, the amounts lost were small, but there was clearly an inconvenience to the customers of the bank.

Unfortunately, these types of attacks will continue to occur.

Britons working for the UK government are now banned from removing laptops from their offices unless the laptops are encrypted: http://www.personneltoday.com/articles/2008/01/22/44056/laptops-containing-protected-data-banned-from-leaving-public-sector-offices.html

The real question is: is this an enforceable policy? It might be, but then it begs the question, can current productivity among civil servants be sustained? The answer is no, unless an effort is put in place to enable civil servants to encrypt their laptop content easily.

This issue highlights two important areas for compliance. First of all, do you have effective policies addressing your areas of risk? By effective, I mean: are they clear and understandable, and are the users governed by the policies aware of them? The second important area is, of course, compliance with policy. How do you effectively enforce, monitor and audit for compliance with your policy?

The hard part is of course balancing policy and compliance with business needs. If your policy and compliance efforts impede your business, then you face loss of productivity and probably profits. So a balance between business needs and your security/compliance needs must be found.

The best way to achieve this is of course to evaluate your current risk profile and decide whether the current risk is something you are willing to accept or not. If you are not willing to accept your current risk, then you must put in place mitigations that move the risk level to where you are comfortable.

Gartner predicts that users will move to pocketable devices by 2012: http://gartner.com/it/page.jsp?id=593207

This means that we need to start thinking about content management on mobile devices. There are already systems available that enable full encryption on these devices, but they are not broadly deployed yet.

A different way of controlling sensitive information on these types of devices would of course be to give information persistent protection at the aggregation points, such as email servers and, for line-of-business applications, the web interface. DRM is a good solution for this space. You can control who has access, when, and to a certain extent where, compared to just letting the information reach the devices unprotected.

Here is a link to what Symantec has to say about mobile phone security: http://www.symantec.com/about/news/release/article.jsp?prid=20060404_01