
Information Security

Pradeep Jain RSA, The Security Division of EMC.

Agenda
Observations of information security
Why is information so difficult to secure?
A risk-based approach to information security
3 Use Cases

Today's Security Challenges

Information Security is perceived as a mission inhibitor, not a mission accelerator


Ineffective: not protecting what's important; resource-constrained
Costly: too many security products; too many security procedures
Inhibiting compliance: too many controls; manual, complicated, labor-intensive

[Diagram labels: Agency Initiatives, IT Security]

Need a holistic approach to make security more effective and align it with the agency's mission

IT Security Landscape
Today's Problems
Sophisticated emerging threats: Cyber espionage, Cyber warfare, Terrorism, Pandemics
Data explosion: Structured, Unstructured, Voice, Video, Metadata
Complex infrastructure: Many access points, Information silos, Technologies built in a global supply chain
Multiple changing regulations

Combating these challenges
Understand the threat landscape
Understand the infrastructure
Know the boundaries
Know the devices
Know the information
Know the users
Know what users are doing with the information

Federal Government Security Breaches


System Vulnerability
2006: U.S. Dept. of Defense
Hacker accessed a Tricare Management Activity (TMA) public server containing personal information on military employees.
Impact: Unknown

Lost, unencrypted media
2006: U.S. Dept. of Veterans Affairs
Laptop and hard drive containing sensitive personally identifiable information stolen from an employee's home.
Impact: 25.6 million identities compromised

Stolen, unencrypted media
2005: U.S. Dept. of Justice
Stolen laptop containing sensitive law enforcement information.
Impact: 80,000 identities compromised

Unintentional distribution
2006: U.S. Dept. of Agriculture
Inadvertent exposure of Social Security numbers and tax identification numbers during a Freedom of Information Act request.
Impact: 350,000 numbers compromised

Why is protecting information so difficult?


because sensitive information is always moving and transforming

[Diagram: sensitive information moving across five layers: Endpoint, Network, Apps/DBs, Files, Storage. Labelled items: Global Locations, Other Federal Agencies, Supply Chain Partners, Development Contractors, Remote Employees; WAN, WWW, VPN; Government Analytics, Agency Portal, Enterprise email; File Server; Data warehouse, Production Data, Staging, DR, Disk storage, Back up disk, Back up tape.]

Why is protecting information so difficult?


and every movement & transformation has unique risks

[Diagram: information flow across five layers (Endpoint, Network, Applications, Files, Storage), with each item annotated with a risk. Labelled items: Global locations, Other Federal Agencies, WW Partners, Development Contractors, Remote Employees; WAN, WWW, VPN; Government Analytics, Agency portal, Enterprise email; File Server; Data warehouse, Production Data, Staging, DR, Disk storage, Back up disk, Back up tape. Risk labels: Device Theft, Device Loss, Media Theft, Media Loss, Unauthorized Activity, Unauthorized Access, Intercept, Eavesdropping, Cyber Espionage, Unintentional Distribution, Data Loss, Data Theft, Fraud, Corruption, Unavailability, DOS.]

Risk Prioritizes Investment


National Security, Cost Reduction, Protect Citizens, Continuity of Operations, Compliance

What information is important?
Sensitive Information: Social Security Numbers, Controlled Unclassified Information, Personally Identifiable Information, Classified Information, Sensitive Security Information, Secret, Top Secret, Employee Information

Where does it go?
Endpoint, Network, Applications, Files / CMS, Storage

What bad things can happen?
Security Incidents

Risk
What risks are we willing to accept?
What risks do we need to protect against?

Information Risk Management Framework


The Process

Define Policy: Describe how sensitive information should be protected
Discover and Classify: Discover all sources of sensitive information across the infrastructure
Enforce Controls: Establish a control framework and implement appropriate controls to enforce the policy
Report and Audit: Audit the environment to ensure and document compliance with policy

[Diagram labels: Policy; Data, People, Infrastructure; Data Controls, Access Controls]

Comprehensive National Cybersecurity Initiative (CNCI)


Twelve-step plan to secure government cyber networks
Multiple agencies
Multi-year time frame
President's largest request for funds in FY 2009 intelligence budget

Objectives:
Secure government IT systems from intruders
Prepare for future threats
Increase situational awareness in the cyber world

Case: Infrastructure Security Awareness


Agency Profile:
US Defense Department Contractor
Serves all military branches, NHS, DHS
Supports global geographic command centers

Endpoint, Network, Application / DB, File Server / CMS, Storage

Business Drivers:
Decrease time to identify threats/vulnerabilities
Improve response time to address threats/vulnerabilities
Comply with secure configuration policies

Potential Security Incidents:
Unauthorized access to networks, file servers and storage
Data corruption
Unauthorized changes to configurations

Solution Case: Infrastructure Security Awareness


Agency Profile:
US Defense Department Contractor
Serves all military branches, NHS, DHS
Supports global geographic command centers

Endpoint, Network, Application / DB, File Server / CMS, Storage

RSA enVision & EMC Voyence, EMC Smarts
Monitor security events and IT infrastructure; automate configuration and change mgmt

Better visibility into infrastructure increased responsiveness to security incidents
Decreased hours spent on log management and auditing activities
Enforced secure configurations and changes
Simplified compliance reporting

Secure Information Sharing

Information Sharing Requires:
Authentication based on genuine users' roles and context
Protection from unauthorized access and activity associated with sensitive information
Ease of use for users to leverage the value of information

Case: Information Sharing Initiative - Portal


Agency Profile:
Provider of civilian services
Multi-billion dollar budget
>200,000 employees

Endpoint, Network, Application / DB, File Server / CMS, Storage

Business Drivers:
Enable inter-agency data exchange
Ensure access to legitimate users
Deny access to unauthorized users
Enhance ease of use
Reduce cost through portal services

Potential Security Incidents:
Fraud
Unauthorized access
Data corruption
Leak of sensitive information

Solution Case: Information Sharing Initiative - Portal


Agency Profile:
Provider of civilian services
Multi-billion dollar budget
>200,000 employees

Endpoint, Network, Application / DB, File Server / CMS, Storage

RSA Adaptive Authentication, RSA Access Manager, RSA ID Federation

Reduced Fraud: Risk-based multi-factor authentication ensures only genuine authorized users have access
Improved Efficiency: Single sign-on enables trusted identities to seamlessly reach across agency boundaries
Cost Reduction: Saved time and money on password administration

Discover and Protect Sensitive Data


Automate discovery of unprotected sensitive data
Scan systems to find sensitive data
Map flow of sensitive data within the infrastructure
Attach classification level to data

Create a policy that clearly defines how information risk will be addressed

Implement tools that support the policy
Encrypt sensitive data
User privileges (read/edit/copy/print)

Case 3: Protect Sensitive Data


Agency Profile:
Defense industrial contractor
Serves intelligence community and military
Stores and uses intellectual property and classified information

Endpoint, Network, Application / DB, File Server / CMS, Storage

Business Drivers:
Compliance with federal data protection policies
Complete understanding of what data they store and use
Maintain solid reputation

Potential Security Incidents:
Unintentional distribution of sensitive agency information
Loss or theft of device with sensitive information
Non-compliance

Solution Case 3: Protect Sensitive Data


Agency Profile:
Defense industrial contractor
Serves intelligence community and military
Stores and uses intellectual property and classified information

Endpoint, Network, Application / DB, File Server / CMS, Storage

Risk Advisor Service, Data Loss Prevention Suite, RSA Encryption & Key Mgmt, EMC Info Rights Mgmt

Quickly and accurately locate sensitive content across laptops, desktops, file servers and storage
Ensure that sensitive information is encrypted
Centralize and streamline encryption key management
Apply policy-driven access rights to unstructured content

Thank you!

Backup Slides


Information Security Core Principles


Confidentiality: Preventing unauthorized disclosure of information
Integrity: Preventing unauthorized modification of information
Availability: Ensuring availability of information for authorized users at all times

Security Trivia #1


Security Trivia #2


Security Trivia #3
