Prevent Data Breaches and PII from Walking Out the Door Jim Farrell, Senior Vice President Products Archive Systems 9/18/2015


Agenda

• Sensitive data (more than PII)
• Data Breaches
• How to keep Sensitive Data protected
• What to look for in a cloud-based solution


Sensitive Data


PII Data can be…

• ethnic or racial origin;
• political opinion;
• religious beliefs;
• physical or mental health details;
• personal life;
• or criminal or civil offences.

Color… Age… disability status

DOB, SSN, Driver’s License #, Phone #s, Addresses…

…and more


Sensitive Data is… “Sensitive”

• Employee Information
• Proprietary Company Information
• Financial/Credit Cards
• Federally Protected Data
• State Protected Data


Data Breaches


Data Breach… an incident that results in unauthorized access of data, applications, services, networks, and/or devices by perpetrators bypassing underlying security mechanisms.


Archive Systems, Inc.

What does Vulnerability mean?

Vulnerability… cyber-security term, refers to a flaw in a system that can leave it open to attack.


Thriving black market in software vulnerabilities driven by:


Threat Categories


Phishing

Process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.

Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.

Phishing is an example of social engineering techniques used to fool users, and exploits the poor usability of current web security technologies.


Common Misconceptions of Data Breaches

• Most breaches are very sophisticated
• Threats are coming from the outside only
• They are inevitable so focus on response rather than prevention
• Patching systems is sufficient enough to thwart all breaches


Examples of Sensitive Data

2014: THE YEAR OF THE DATA BREACH

As of August 25, 2015

Number of breaches = 519

Number of Records = 139,993,068


Keep Sensitive Data Protected


1. Inventory your Information Assets

Inventory your assets & interview relevant staff

• What do you have?
• Who has access to it?
• How does it come into the company?


2. Less is More


3. Encrypt Sensitive Data

“At Rest”… AND “In Transit”


4. Disposal of Information Assets


5. User Awareness Training


What to look for in a cloud-based solution


Security, Security, Security


Security-related questions to ask a cloud-based provider

• Will my data be encrypted in transit and while at rest?
• What is the configurability of password length and complexity?
• Do you support IP address-based access control (IP restrictions)?
• Do you support two-factor authentication?
• Are all user activities in an accessible audit log?
• Do you annually go through an SSAE 16 audit?
• Do you annually subject your solution to 3rd party vulnerability scanning and penetration testing?


Example: Archive Systems Data Security Measures

• Data in Transit
  • 256-bit SSL encryption for web applications
  • 1024-bit RSA public keys for data transfer
• Data at Rest
  • AES 256-bit encryption of data
• Audit logs for all user activities
• Secure usernames and passwords
  • Encrypted/hashed with SHA-2
  • Password complexity requirements
  • Scheduled expiration
  • Restricted password re-use
• Role-based access control
• SAML 2.0 Single Sign On (SSO)
• IP address-based access control
• Encrypted session ID cookies to uniquely identify each user
• Two-factor authentication availability
• 3rd party penetration testing
• SSAE16 audited annually


Example: Archive Systems

• Physical Security Measures (Data Centers)
  • Three-factor authentication
    • Proximity Card / Biometric fingerprint reader / facial geometry scanner
  • Anti-tailgating / Anti pass-back turnstile gate
  • Single entry point into colocation facility
  • Access to private cage: biometric fingerprint scan and proximity card
  • 24/7 on-site security
  • High Def CCTV of all interior and external strategic locations and access points with 90 day retention
  • SSAE16 audited


Key takeaways…

• Sensitive Data (PII) is valuable to you – and others that should not have it!
• Data breaches and vulnerabilities are not going away
• IT certainly plays a key role in creating and preserving a secure environment
• HR Departments must actively partner with IT to protect Sensitive Data
• Employees play a critical part in keeping Sensitive Data where it belongs
• Information Governance also implies restricting access to HR data as well as its timely destruction
• Cloud providers must have secure environments and the good providers are very secure.
