TRANSCRIPT
Prevent Data Breaches and PII from Walking Out the Door
Jim Farrell, Senior Vice President, Products, Archive Systems
9/18/2015
Agenda
• Sensitive data (more than PII)
• Data Breaches
• How to keep Sensitive Data protected
• What to look for in a cloud-based solution
Sensitive Data
PII Data can be…
• ethnic or racial origin;
• political opinion;
• religious beliefs;
• physical or mental health details;
• personal life;
• or criminal or civil offences.
• Color… Age… disability status
• DOB, SSN, Driver’s License #, Phone #s, Addresses…
…and more
Sensitive Data is……..“Sensitive”
• Employee Information
• Proprietary Company Information
• Financial/Credit Cards
• Federally Protected Data
• State Protected Data
Data Breaches
Data Breach… an incident that results in unauthorized access of data, applications, services, networks, and/or devices by perpetrators bypassing underlying security mechanisms.
Archive Systems, Inc.
What does Vulnerability mean?
Vulnerability… a cyber-security term that refers to a flaw in a system that can leave it open to attack.
Thriving black market in software vulnerabilities driven by:
Threat Categories
Phishing
Process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.
Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.
Phishing is an example of the social engineering techniques used to fool users, and it exploits the poor usability of current web security technologies.
Common Misconceptions of Data Breaches
• Most breaches are very sophisticated
• Threats are coming from the outside only
• They are inevitable, so focus on response rather than prevention
• Patching systems is sufficient to thwart all breaches
Examples of Sensitive Data
2014: The Year of the Data Breach
As of August 25, 2015:
• Number of breaches = 519
• Number of records = 139,993,068
Keep Sensitive Data Protected
1. Inventory your Information Assets
   Inventory your assets & interview relevant staff:
   • What do you have?
   • Who has access to it?
   • How does it come into the company?
2. Less is More
3. Encrypt Sensitive Data “At Rest”… AND “In Transit”
4. Disposal of Information Assets
5. User Awareness Training
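The inventory step ("what do you have, and where does it come in?") as an added example, not code from the presentation or from Archive Systems: a small PII discovery scanner that runs over constructed HR records, classifies each field by the kind of PII it holds, validates SSN structure and card numbers (Luhn) to cut false positives, and also catches PII that has leaked into free-text fields such as notes. The record layout and sample values are constructed for the example; the pattern set (SSN, phone, e-mail, date of birth, card number) is an assumption about what an HR system holds.

```python
"""PII discovery scanner for an information-asset inventory (added example,
not from the presentation).  Sample records below are constructed."""
import re
from datetime import date

# SSN structural rules used by the SSA: area not 000/666/9xx, group not 00,
# serial not 0000.  Anything else shaped like ddd-dd-dddd is ignored.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# US phone numbers in the common written forms; lookarounds stop a match
# from starting or ending inside a longer digit run such as a card number.
PHONE_RE = re.compile(r"(?<!\d)\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
DOB_RE = re.compile(r"\b((?:19|20)\d{2})-(\d{2})-(\d{2})\b")
# 13-19 digits, optionally separated by spaces or hyphens; Luhn-checked below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled (minus 9 if > 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> set:
    """Return the set of PII types found anywhere in a string."""
    found = set()
    if SSN_RE.search(text):
        found.add("ssn")
    if PHONE_RE.search(text):
        found.add("phone")
    if EMAIL_RE.search(text):
        found.add("email")
    for m in DOB_RE.finditer(text):
        try:  # a date-shaped string that is not a real date is not a DOB
            date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
        except ValueError:
            continue
        found.add("dob")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            found.add("credit_card")
    return found


def inventory(records) -> dict:
    """Map each field name to the sorted list of PII types seen in it."""
    by_field = {}
    for rec in records:
        for field, value in rec.items():
            types = scan_text(str(value))
            if types:
                by_field.setdefault(field, set()).update(types)
    return {field: sorted(types) for field, types in by_field.items()}


# Constructed sample data (not real people).  Record 2 deliberately carries a
# structurally invalid SSN, an impossible DOB, a card that fails Luhn, and a
# real-looking SSN typed into the free-text notes field.
SAMPLE_RECORDS = [
    {"name": "A. Example", "ssn": "123-45-6789", "phone": "(201) 555-0123",
     "dob": "1980-02-29", "card": "4111 1111 1111 1111",
     "email": "a.example@example.com", "notes": "prefers email"},
    {"name": "B. Sample", "ssn": "000-12-3456", "phone": "201.555.0199",
     "dob": "1979-13-01", "card": "4111 1111 1111 1112",
     "email": "b@example.org", "notes": "SSN on file: 212-09-9999"},
]

if __name__ == "__main__":
    for field, types in sorted(inventory(SAMPLE_RECORDS).items()):
        print(f"{field:6s} -> {', '.join(types)}")
```

The free-text hit in `notes` is the finding that matters most for the "how does it come into the company?" question: structured fields can be encrypted and access-controlled, but PII pasted into comments, tickets and e-mail is what usually escapes the controls.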
What to look for in a cloud-based solution
Security, Security, Security
Security related questions to ask a Cloud-Based provider
• Will my data be encrypted in transit and while at rest?
• What is the configurability of password length and complexity?
• Do you support IP address-based access control (IP restrictions)?
• Do you support Two-Factor authentication?
• Are all user activities in an accessible audit log?
• Do you go through an SSAE 16 audit annually?
• Do you annually subject your solution to 3rd-party vulnerability scanning and penetration testing?
Example: Archive Systems Data Security Measures
• Data in Transit
  • 256-bit SSL encryption for web applications
  • 1024-bit RSA public keys for data transfer (note: NIST has disallowed 1024-bit RSA for new use since the end of 2013; 2048-bit is the current minimum to ask for)
• Data at Rest
  • AES 256-bit encryption of data
• Audit logs for all user activities
• Secure usernames and passwords
  • Encrypted/hashed with SHA-2
  • Password complexity requirements
  • Scheduled expiration
  • Restricted password re-use
• Role-based access control
• SAML 2.0 Single Sign On (SSO)
• IP address-based access control
• Encrypted session ID cookies to uniquely identify each user
• Two-factor authentication availability
• 3rd-party penetration testing
• SSAE16 audited annually
Example: Archive Systems Physical Security Measures (Data Centers)
• Three-factor authentication: proximity card / biometric fingerprint reader / facial geometry scanner
• Anti-tailgating / anti pass-back turnstile gate
• Single entry point into colocation facility
• Access to private cage: biometric fingerprint scan and proximity card
• 24/7 on-site security
• High Def CCTV of all interior and external strategic locations and access points, with 90-day retention
• SSAE16 audited
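The account-level controls from the checklist (password length and complexity, scheduled expiration, restricted re-use, salted SHA-2-based hashing, IP address-based access control, and a reason string an audit log can record) as an added example, illustrative code that is not Archive Systems' product. One caveat a practitioner would want: a single SHA-2 digest, even salted, is fast enough that a stolen password table can be attacked at billions of guesses per second, so the example uses PBKDF2-HMAC-SHA256 (iterated, salted SHA-2 from the standard library). The policy values (12-character minimum, 90-day expiration, no re-use of the last 5, the 203.0.113.0/24 allowlist, 600,000 iterations) and the `Account` API are assumptions made for the example.

```python
"""Account model enforcing the checklist controls (added example, not
Archive Systems' code).  Policy values are assumptions."""
import hashlib
import hmac
import ipaddress
import os
import re
import time

MIN_LENGTH = 12                    # assumed policy: minimum length
HISTORY_SIZE = 5                   # assumed policy: cannot reuse the last 5 passwords
MAX_AGE_SECONDS = 90 * 24 * 3600   # assumed policy: 90-day scheduled expiration
DEFAULT_ITERATIONS = 600_000       # PBKDF2-HMAC-SHA256 work factor (OWASP 2023 figure)


def complexity_errors(password: str) -> list:
    """Return the complexity rules the password fails (empty list = OK)."""
    rules = [
        (len(password) >= MIN_LENGTH, "at least %d characters" % MIN_LENGTH),
        (re.search(r"[a-z]", password) is not None, "a lowercase letter"),
        (re.search(r"[A-Z]", password) is not None, "an uppercase letter"),
        (re.search(r"\d", password) is not None, "a digit"),
        (re.search(r"[^A-Za-z0-9]", password) is not None, "a symbol"),
    ]
    return [msg for ok, msg in rules if not ok]


def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted, iterated SHA-2 (PBKDF2-HMAC-SHA256); the password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def ip_allowed(src_ip: str, allowlist) -> bool:
    """IP address-based access control: True only if src_ip lies inside an allowed network."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:          # garbage in the source-address field is a deny
        return False
    return any(addr in ipaddress.ip_network(net) for net in allowlist)


class Account:
    def __init__(self, username, password, now, allowlist, iterations=DEFAULT_ITERATIONS):
        self.username = username
        self.allowlist = list(allowlist)
        self.iterations = iterations
        self.history = []        # (salt, digest) pairs, newest last; current is history[-1]
        self.set_at = None       # epoch seconds of the last password change
        err = self.set_password(password, now)
        if err:
            raise ValueError(err)

    def set_password(self, new_password, now):
        """Apply complexity and re-use rules; return an error string, or None on success."""
        errs = complexity_errors(new_password)
        if errs:
            return "password needs " + ", ".join(errs)
        for salt, digest in self.history:   # each old entry has its own salt, so re-hash per entry
            if hmac.compare_digest(hash_password(new_password, salt, self.iterations), digest):
                return "password matches one of the last %d" % HISTORY_SIZE
        salt = os.urandom(16)
        self.history.append((salt, hash_password(new_password, salt, self.iterations)))
        self.history = self.history[-HISTORY_SIZE:]
        self.set_at = now
        return None

    def password_expired(self, now) -> bool:
        return now - self.set_at > MAX_AGE_SECONDS

    def login(self, password, src_ip, now):
        """Return (allowed, reason); the reason is what the audit log records.
        The cheap IP check runs before the deliberately slow hash."""
        if not ip_allowed(src_ip, self.allowlist):
            return False, "source IP not in allowlist"
        salt, digest = self.history[-1]
        if not hmac.compare_digest(hash_password(password, salt, self.iterations), digest):
            return False, "bad credentials"
        if self.password_expired(now):
            return False, "password expired; reset required"
        return True, "ok"


if __name__ == "__main__":
    now = time.time()
    acct = Account("hr.admin", "Correct-Horse-42!", now, ["203.0.113.0/24"])
    print(acct.login("Correct-Horse-42!", "203.0.113.7", now))
    print(acct.login("Correct-Horse-42!", "198.51.100.7", now))
```

`hmac.compare_digest` keeps the hash comparison constant-time, and "bad credentials" is returned for both an unknown password and a wrong one so the login path does not tell an attacker which part failed; the allowlist denial is reported separately because an operator reviewing the audit log needs to distinguish a blocked network from a guessed password.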
Key take away…
• Sensitive Data (PII) is valuable to you – and to others that should not have it!
• Data breaches and vulnerabilities are not going away
• IT certainly plays a key role in creating and preserving a secure environment
• HR Departments must actively partner with IT to protect Sensitive data
• Employees play a critical part in keeping Sensitive Data where it belongs
• Information Governance also applies to restricting access to HR data as well as its timely destruction
• Cloud providers must have secure environments, and the good providers are very secure.