Mapping the Journey to

Effective Data Protection


SECURITY FOR A NEW ERA OF COMPUTING

Cindy Compert, CIPT/M


CTO Data Security & Privacy, IBM Security
[email protected]
@CCBigData

June 8, 2016
Notices and Disclaimers

Copyright © 2016 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission
from IBM.

U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.

Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of
initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS
DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE
USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY.
IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.

Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice.

Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers
have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.

References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries
in which IBM operates or does business.

Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials
and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or
their specific situation.

It is the customer’s responsibility to ensure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and
interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such
laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.

2 IBM Security 2
Agenda

• Introduction - Industry trends and challenges
• Best Practices
• What’s Next?

Times have changed…

Security & Privacy: Strategic Imperative

Three drivers:
• Valuable Data: Competition & Brand Protection
• Heightened Compliance
• From Board-level focus to Investment

Supporting data points:
• Medical records are worth 10X Credit Cards
• 2-6% post-breach customer loss rates
• 3-14%: security spend as a % of IT varies based on strategic importance
• 2/3 of Corporate Directors blame the CEO for a breach
• New delivery channels: IoT, Mobile, Cloud

It’s all Big Data: IoT, Analytics, Cognitive, Cloud

Security Cost/Risk

Best Practices
1. Learn the Language

International Association of Privacy Professionals (IAPP) Glossary  https://iapp.org/resources/glossary

Two Different Languages

[Figure: two flowcharts of the same process, “Install app”, drawn side by side]

Sources: http://laws-lois.justice.gc.ca/PDF/P-8.6.pdf
http://dia-installer.de/shapes/Flowchart/index.html.en
2. Be Prepared- Security & Privacy by Design

3. Know and Share the Rules

Cartoon courtesy of http://adexchanger.com/

4. Have a (good) Treasure Map

Data-Centric Maturity Model

Maturity rises over time through stages such as:

1. We protect our structured data, don’t we? We’ll get to unstructured data later.
2. We’ve got whole-disk encryption for our laptops.
3. We use best practices in protecting our data.
4. We’ve figured out which data is valuable.
5. We actually know where all of our data is.
6. We’ve protected our data in proportion to its value.
7. Our data’s protected even for Mobile.
8. We even know where our valuable data is when it’s in motion.
Business Risk – Critical data are the “Crown Jewels”

Crown Jewels: An organization’s most sensitive or business critical information.

• Average enterprise’s critical data is less than 2%.
• 70% of the value of publicly traded corporations is estimated to be intellectual property. Source: U.S. President’s 2006 Economic Report to Congress.

Today, many organizations are not aware of what their Crown Jewel information is, where it resides, who has access to it, or how it is protected.

Possessing information about Crown Jewels is necessary in order to determine whether adequate controls are in place.

Crown Jewel protection is dependent upon having access to vital information in order to apply proper controls.

Crown Jewel Examples
• Enterprise: Intellectual property; Top-secret plans and formulas
• Executive: Acquisition and divestiture plans; Executive and board deliberations
The level of security is determined by the value of data

Data type: Security (% of sensitive data), listed from highest to lowest data value
• Enterprise Critical: Secure Communication, Separate Network, Backup Security, Physical Isolation, Real-time Response to 100% of Incidents, Insider Monitoring (0.01-0.1%)
• Executive: Secure Communication, Separate Network, Backup Security, Physical Isolation, Real-time Response to 100% of Incidents (0.1-2%)
• Regulated: Physical Isolation, Real-time Response to “Significant” Incidents, Insider Monitoring, Privacy (1-50%)
• Business Strategic: Physical Isolation, Real-time Response to “Significant” Incidents, Insider Monitoring (1-5%)
• Business Unit Critical: Near-Real-time Response to “Significant” Incidents, Insider Monitoring (10-20%)
• Operational: Best Efforts Response to “Significant” Incidents (20-80%)
• Near-Public: Event Response if Available Only (10-80%)

Enterprise Critical and Executive data together form the CRITICAL DATA tier (0.01-2.0% of sensitive data).

Regulatory examples: Personally identifiable information (PII) or Sensitive Personal Information (SPI); Health Insurance Portability and Accountability Act (HIPAA); International Traffic in Arms Regulations (ITAR).
5 steps to a Critical Data Protection Program

DEFINE – What are crown jewels?
 Understand overall data security strategy
 Determine data protection objectives
 Develop organizational data model / taxonomy

DISCOVER – Where are they? How are they used?
 Understand data environment, infrastructure and lifecycle processes
 Perform iterative discovery, analysis and classification

BASELINE – What is required to protect critical data?
 Establish baseline security requirements for crown jewels
 Assess current data security processes and controls
 Determine gaps and identify solutions

SECURE – How to plan, design and implement?
 Plan and prioritize technical and business process transformations
 Design and implement solutions that protect critical data, enable access and align to business growth objectives

MONITOR – How to manage critical data protection?
 Develop governance framework, risk metrics and monitoring
 Periodically validate data protection strategy and methodology

Supported by:
Consulting Method | Industry-specific Data Models | Global Consulting Expertise | IBM Data Security Research
IBM Guardium, StoredIQ, DLP and other leading data protection technologies

Discover your Crown Jewels: Automate

Sensitive Data Discovery- Files- Example

5. Protect Your Treasure

Organizations Need a Comprehensive Enterprise-wide Approach to Data Security and Compliance

Understand and define sensitive data – Automate detection of sensitive data and enterprise data relationships.
Capabilities:
 Discover database instances
 Automate detection of sensitive data in databases
 Discover sensitive data in documents
 Create a data taxonomy
 Classify sensitive data

Assess vulnerabilities – Automate database vulnerability and configuration change detection.
Capabilities:
 Automated vulnerability assessment and remediation suggestions
 Audit any configuration or security setting changes
 Review and update policies and procedures

Monitor database activity – Provide essential safeguards to protect high value databases across heterogeneous environments.
Capabilities:
 Continuous, real-time database activity monitoring
 Comprehensive audit trail
 Policy-based controls to detect unauthorized or suspicious activity
 Automate responsive actions

Help protect sensitive data – Help protect data, in both production & non-production, both structured & unstructured, from unauthorized use.
Capabilities:
 Mask information using realistic values
 Automate key management process
 Database encryption
 Redact data in documents and forms
 Endpoint and network data loss prevention
 End user device encryption

Manage access – Manage and enforce privileges enterprise-wide.
Capabilities:
 Centralize and automate collection of entitlement information
 Assess privileges granted directly and indirectly

Create a DBMS Security Reference Architecture and Governance Framework
ANALYZE. PROTECT. ADAPT.

Data Security Controls
• Discovery, classification, vulnerability assessment, entitlement management
• Encryption, masking, and redaction
• Data and file activity monitoring
• Dynamic blocking and masking, alerts, and quarantine
• Compliance automation and auditing

ANALYTICS
6. Hide the Critical Parts With Invisible Ink

Data Obfuscation Terminology

Original Value: 4536 6382 9896 5200

Masking
 The ability to desensitize sensitive information and make it unreadable from original form while preserving format and referential integrity
 It is a one-way algorithm, i.e. no unmasking of data
 SDM – Static Data Masking
 DDM – Dynamic Data Masking
Masked Value: 4212 5454 6565 7780

Redaction
 The process of obscuring part of a text for security purposes
 The ability to replace real data with substitute characters like (*)
Redacted Value: 4536 6382 **** ****

Tokenization
 The process of substituting a “token” which can be mapped to the original value
 Token is a non-sensitive equivalent which has no extrinsic value
 Must maintain a mapping between the tokens and the original values
Token Value: ABCD GDIC JIJG VXYZ

Encryption
 The process of encoding data in such a way that only authorized individuals can read it by decrypting the encoded data with a key
 Format Preserving Encryption (FPE) is a special form of encryption
Encrypted Value: 1@#43$%!xy1K2L4P
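As an added example (not from the deck), the Python below applies three of the four techniques to the slide’s sample card number, so the properties in the definitions can be checked: redaction is irreversible, static masking is one-way but repeatable (which is what preserves referential integrity), and a token maps back to the original only through the vault. The HMAC-based masking and the four-letter-group token format are assumptions of this example; encryption/FPE is left out because a format-preserving cipher should come from a vetted library, not be hand-rolled.

```python
import hashlib
import hmac
import secrets
import string

# Constructed sample: the slide's "Original Value" card number.
ORIGINAL = "4536 6382 9896 5200"


def redact(value, keep_digits=8):
    """Redaction: obscure part of the text with '*' for security purposes.
    Irreversible. The slide's example keeps the first two digit groups."""
    seen, out = 0, []
    for ch in value:
        seen += ch.isdigit()
        out.append("*" if ch.isdigit() and seen > keep_digits else ch)
    return "".join(out)


def mask(value, key):
    """Static data masking: one-way, format-preserving substitution.
    Keyed HMAC (assumed technique) makes the same input mask to the same
    output on every run, so joins across masked tables still line up.
    There is no unmask: the key only reproduces the mask, never the original."""
    stream = iter(hmac.new(key, value.encode(), hashlib.sha256).digest())
    # Each digit becomes a pseudorandom digit; separators are kept as-is.
    return "".join(str(next(stream) % 10) if c.isdigit() else c for c in value)


class TokenVault:
    """Tokenization: a random token with no extrinsic value stands in for the
    original; the mapping back to the real value lives only in this vault."""
    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value):
        if value in self._value_to_token:  # one token per value, reused
            return self._value_to_token[value]
        while True:  # same shape as the slide's "ABCD GDIC JIJG VXYZ"
            groups = ["".join(secrets.choice(string.ascii_uppercase)
                              for _ in range(4)) for _ in range(4)]
            token = " ".join(groups)
            if token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token):
        return self._token_to_value[token]  # KeyError for an unknown token
```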

7. Ensure the Rulers are Informed

IBM CLOUD SECURITY

Build a Bridge..

Project Execution – Managing Steady State Data Risk (iDNA™)

• Where are our “Crown Jewels”?
• Which lines of business have the highest risk?
• What are our most sensitive data or “Crown Jewels” and are they safe and protected?
• What vulnerabilities or compliance issues do we have?
• Who are the data owners?
Establish security as an immune system

Network visibility, Vulnerability assessment, Device management, Log, flow and data analysis, Antivirus, Fraud protection, Anomaly detection, Incident and threat management, Transaction protection, Firewalls, Privileged identity management, Application scanning, Entitlements and roles, Access management, Criminal detection, Malware protection, Data monitoring, Sandboxing, Application security management, Content security, Virtual patching, Endpoint patching and management, Identity management, Data access control, Incident response
Security as an Immune System

Global Threat Intelligence feeds a central Security Intelligence layer that ties together: Antivirus, Endpoint patching and management, Malware protection, Incident and threat management, Transaction protection, Firewalls, Device management, Sandboxing, Content security, Virtual patching, Network visibility, Fraud protection, Log, flow and data analysis, Criminal detection, Application scanning, Anomaly detection, Application security management, Vulnerability assessment, Incident response, Privileged identity management, Data monitoring, Data access control, Entitlements and roles, Access management, Identity management.

Cloud | Consulting Services | Managed Services
Where Next?
The next era of security

Moats, Castles → Intelligence, Integration → Cloud, Collaboration, Cognitive
Questions to ask yourself

1. Where am I most concerned regarding the gap between where my privacy and data security program is today and where it needs to be?
2. How do I want to close the gap, be compliant and stay off the evening news?
3. Where do I need help?
4. What do we do next?
THANK YOU
FOLLOW US ON:

ibm.com/security

securityintelligence.com
xforce.ibmcloud.com

@ibmsecurity

youtube/user/ibmsecuritysolutions

© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind,
express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products
and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service
marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your
enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others.
No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems,
products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products
or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
Start the Conversation..

Start an executive discussion: Forbes “8 Privacy Steps To Keep ‘Pirates’ Away From Your Firm's ‘Crown Jewels’”: https://ibm.biz/BdXV7m

Start a technical discussion: “Find the Map, Locate the Treasure and Keep the Pirates Away: 10 Data Security & Privacy Best Practices (Part I)”: https://ibm.biz/BdXY3p and Part II: http://ibm.biz/BdH5rQ