securing your esi_piedmont

Securing Your ESI Steven C. Markey, MSIS, PMP, CISSP, CIPP, CISM, CISA, STS-EV, CCSK, CompTIA Cloud Essentials Principal, nControl, LLC Adjunct Professor President, Cloud Security Alliance – Delaware Valley Chapter (CSA-DelVal)

Upload: scm24

Post on 20-May-2015


Page 1: Securing your esi_piedmont

Securing Your ESI
Steven C. Markey, MSIS, PMP, CISSP, CIPP, CISM, CISA, STS-EV, CCSK, CompTIA Cloud Essentials
Principal, nControl, LLC; Adjunct Professor
President, Cloud Security Alliance – Delaware Valley Chapter (CSA-DelVal)

Page 2: Securing your esi_piedmont

• Presentation Overview
  – WI3FM….?
  – ESI Overview
  – Security Overview
  – Security Tips & Tricks

Securing Your ESI

Page 3: Securing your esi_piedmont

• WI3FM
  – What is in it for me?
  – Why should I care?


Page 4: Securing your esi_piedmont

• Data Breaches & Security Incidents
  – Average Cost: $7.2 million
    – http://www.networkworld.com/news/2011/030811-ponemon-data-breach.html
  – Leading Cause: Negligence, 41%; Hacks, 31%
    – http://www.networkworld.com/news/2011/030811-ponemon-data-breach.html
  – Responsible Party: Vendors, 39%
    – http://www.theiia.org/chapters/index.cfm/view.news_detail/cid/197/newsid/13809
  – Increased Frequency: 2010-2011, 58%
    – http://www.out-law.com/en/articles/2011/october/personal-data-breaches-on-the-increase-in-private-sector-reports-ico/


Page 5: Securing your esi_piedmont

Source: Flickr

Page 6: Securing your esi_piedmont

Source: Flickr

Page 7: Securing your esi_piedmont

Source: Flickr

Page 8: Securing your esi_piedmont
Page 9: Securing your esi_piedmont

• ESI Overview
  – Electronically Stored Information (ESI)
    • Defined for the Federal Rules of Civil Procedure (FRCP):
      – Information created, manipulated, communicated, stored, and best utilized in digital form, requiring the use of computer hardware and software.
        » http://www.law.northwestern.edu/journals/njtip/v4/n2/3/
    • Structured ESI
      – Stored in database or content management systems.
        » Examples: Claims, Brokerage / e-Commerce Transactions
    • Unstructured ESI
      – Free-form information stored in a manner that is difficult to search within.
        » Examples: Tweets, Web Site Content, Word Document Content


Page 10: Securing your esi_piedmont

• Security Overview
  – CIA Triad
    • Confidentiality
      – Categorization / Classification
      – Privacy
      – Least Privilege
      – AAA: Authentication, Authorization and Accounting
    • Integrity
      – Nonrepudiation
      – Segregation / Separation of Duties
    • Availability
      – Business Continuity (BC) / Disaster Recovery (DR)
      – Defense-in-Depth


Page 11: Securing your esi_piedmont

Source: Flickr

Page 12: Securing your esi_piedmont

• Vendor Selection
  – Service-Level Agreements (SLAs)
    • Temporal Service Contract
      – Term
      – Metrics
      – Definitions
      – Cause for X (e.g. Termination / Exit Clause)
  – Certifications / Attestations
    • SAS 70 Type II / SSAE 16 (SOC 1 / 2 / 3) / ISAE 3402
    • ISO 27001 / 2, 27036, 15489
    • BITS Shared Assessments
    • PCI DSS
    • HIPAA / HITECH


Page 13: Securing your esi_piedmont

• Vendor Selection
  – Incident Response
    • Computer Security Incident Response Team (CSIRT)
  – Digital Forensics
    • Legal Hold / Litigation Response / e-Discovery
      – Electronic Discovery Reference Model (EDRM)
      – FRCP 30(b)(6)
  – Right to Audit
    • Use your internal vendor assessment team or a mutually agreed upon third party.


Page 14: Securing your esi_piedmont

• Mobile Device Security Guidance
  – Devices
    • Not all devices are the same.
    • Balancing Act (Draconian versus Cow-folk)
      – People lose stuff all the time.
    • Who owns the device?
      – Bring Your Own Device (BYOD) = consumerization of IT
    • Is device content discoverable?
    • Vicarious Liability
      – Driving & Texting / Talking
      – Mobile Device User Acceptance Policy
  – Applications / Data
    • Not all applications are the same.
    • Segment Work & Play
      – Sandboxing / Data-boxing
      – Mobile Facebook App Pulls / Pushes Data to Address Book


Page 15: Securing your esi_piedmont

• Physical Media Security Guidance
  – Laptops / Tablets
    • They should be password-protected / encrypted.
    • Wipe / degauss the hard disk drive (HDD) before shredding.
    • Receive a certificate / bill of lading for shredding.
  – Thumb Drives / External Hard Drives
    • They should be password-protected / encrypted.
    • Wipe / degauss before shredding.
    • Receive a certificate / bill of lading for shredding.
  – Backup Tapes
    • They should be in your records retention schedule (RRS).
      – Information Lifecycle
    • They should be password-protected / encrypted.
    • Wipe / degauss before shredding.
    • Receive a certificate / bill of lading for shredding.


Page 16: Securing your esi_piedmont

• Cloud Security Guidance
  – Change / Configuration Management, Provisioning
  – Matrices
    • CSA Consensus Assessments Initiative Questionnaire
    • CSA Cloud Controls Matrix
    • BITS Enterprise Cloud Self-Assessment
    • BITS Shared Assessments
  – Guidance Specifically for the Cloud
    • Cloud Security Alliance (CSA) Guide v3.0
    • CSA Security, Trust & Assurance Registry (STAR)
    • ENISA Cloud Computing Risk Assessment
    • NIST SP 800-144 Guidelines on Security / Privacy for a Public Cloud


Page 17: Securing your esi_piedmont

• Big Data Security Guidance
  – Information Management
    • Generally Accepted Recordkeeping Principles (GARP®)
    • Information Governance Reference Model (IGRM)
    • Information Lifecycle Management (ILM)
    • MIKE2.0
    • ISO 23081 (Records Metadata)
  – Known Black Ice
    • Log Files
    • Web Metadata
    • Non-Relational, Distributed Databases (NRDBMS, e.g. NoSQL)
    • Data Backups (Tapes, Cloud Object Storage)
    • Social Media


Page 18: Securing your esi_piedmont

• Social Media Security Guidance
  – Sites
    • Manage (Strategy, Policy, Access, Auditing, e-Discovery)
    • Strong Passwords
    • Change / Configuration Management
      – Provisioning / De-provisioning
    • Haters (Competitors, Former Employees / Customers)
    • Wash & Repeat
    • Mobile Apps for Approved Personnel?
  – Applications
    • Immature
    • Insecure
    • Discoverable?


Page 19: Securing your esi_piedmont

• Security Tips & Tricks
  – Governance, Risk & Compliance (GRC)
  – Encryption / Hashing
  – Authentication, Authorization & Accounting (AAA)
  – Change / Configuration Management
  – Incident Response / e-Discovery / DR Testing
  – Physical Access
  – End User Training


Page 20: Securing your esi_piedmont

• GRC
  – Documented controls and safeguards.
    • Potential audit findings and remediation actions.
  – Enterprise view of compliance.
    • Potential functional / system / application view as well.
  – Establish standards, best practices and guidance.
    • Make users, vendors and partners aware of these.


Page 21: Securing your esi_piedmont

• Encryption / Hashing
  – Data at Rest (DAR)
    • Object (File, Table, Record, Column), Volume or Block
  – Data in Motion (DIM)
    • ‘Across the Wire’, Data-com Link
  – Data in Use (DIU)
    • Object (File, Table, Record, Column), Volume or Block


Page 22: Securing your esi_piedmont

• Encryption / Hashing
  – Nuances
    • Encryption wraps a reversible layer of protection around your information; whoever holds the key can recover it.
      – Public Key Infrastructure (PKI): VPN, TLS / SSL, S/MIME, WPA
    • Hashing condenses the data into a fixed-length, one-way digest; it cannot be reversed, only recomputed and compared.
      – Database Hashing: HMAC SHA 1 / 2 / 3, MD5
  – Key Management
    • If you lose the encryption key then your data is lost.
      – Try telling Legal, a judge or an attorney that!
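Two of the nuances on this slide, the difference between a keyless digest and a keyed one (HMAC) on stored records, and the consequence of losing a key, are shown below in a short added example. It is not code from the presentation; the claims record, the function names and the way the key is held are constructed for illustration, and only Python's standard library is used.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample row, standing in for a claims record in a database table.
SAMPLE_RECORD = {"claim_id": 1042, "payee": "ACME Corp", "amount_usd": 1250.00}


def canonical(record):
    """Serialize the row deterministically so equal content always yields equal bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def plain_digest(record):
    """Keyless SHA-256: anyone able to rewrite the row can also recompute this column."""
    return hashlib.sha256(canonical(record)).hexdigest()


def keyed_digest(record, key):
    """HMAC-SHA256: recomputing the tag needs the secret key, so edits are detectable."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_keyed(record, key, stored_tag):
    """Constant-time comparison avoids leaking how many tag bytes matched."""
    return hmac.compare_digest(keyed_digest(record, key), stored_tag)


def tamper_scenario():
    """Someone with write access changes the amount and refreshes whatever digest
    column they can. Returns (plain_check_passes, hmac_check_passes)."""
    key = secrets.token_bytes(32)            # held by the application, not the database
    stored_hmac = keyed_digest(SAMPLE_RECORD, key)
    tampered = dict(SAMPLE_RECORD, amount_usd=125000.00)

    # Plain digest column: rewritten to match the new content, so the check passes.
    rewritten_plain = plain_digest(tampered)
    plain_passes = rewritten_plain == plain_digest(tampered)

    # HMAC column: without the key the editor can only leave the old tag in place
    # or compute one under a key of their own; either way verification fails.
    hmac_passes = verify_keyed(tampered, key, stored_hmac) or verify_keyed(
        tampered, key, keyed_digest(tampered, secrets.token_bytes(32))
    )
    return plain_passes, hmac_passes


def key_loss_scenario():
    """The slide's key-management point: once the key is gone, stored tags can no
    longer be verified. A freshly generated key is of no use."""
    original_key = secrets.token_bytes(32)
    tag = keyed_digest(SAMPLE_RECORD, original_key)
    replacement_key = secrets.token_bytes(32)  # the original was lost, never backed up
    return verify_keyed(SAMPLE_RECORD, replacement_key, tag)


if __name__ == "__main__":
    print("tamper: plain passes, HMAC passes ->", tamper_scenario())  # (True, False)
    print("verifiable after key loss ->", key_loss_scenario())         # False
```

The slide's list of database hashing algorithms includes MD5 and SHA-1. Both are broken for collision resistance and should not be picked for new designs; the example uses SHA-256, and the same key-custody lesson applies to the HMAC key as to an encryption key: back it up under controlled access, or the stored tags become unverifiable.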


Page 23: Securing your esi_piedmont

• AAA
  – Authentication
    • Validating who the user is claiming to be.
  – Authorization
    • Allocating the lowest privilege for the user.
  – Accounting
    • Tracking the user’s actions.
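The three AAA functions on this slide, implemented together as an added example (not code from the presentation): a salted, slow password hash (PBKDF2-HMAC-SHA256) for authentication, a default-deny role table for least-privilege authorization, and an append-only decision log for accounting. The user names, roles, resources and the iteration count are constructed assumptions for the example.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Assumption: PBKDF2-HMAC-SHA256 work factor, kept moderate so the example runs quickly.
PBKDF2_ITERATIONS = 200_000
DUMMY_SALT, DUMMY_DIGEST = b"\x00" * 16, b"\x00" * 32

# Constructed role table: each role holds only what that job needs (least privilege).
# Any (resource, action) pair not listed here is denied.
ROLE_PERMISSIONS = {
    "claims_reader": {("claims", "read")},
    "claims_adjuster": {("claims", "read"), ("claims", "update")},
}


def hash_password(password, salt=None):
    """Salted, deliberately slow hash so a stolen credential table is costly to reverse."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def check_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class AAAService:
    def __init__(self):
        self.users = {}       # username -> (salt, digest, role)
        self.audit_log = []   # accounting: every decision, granted or refused

    def enroll(self, username, password, role):
        salt, digest = hash_password(password)
        self.users[username] = (salt, digest, role)

    def _record(self, **event):
        event["ts"] = datetime.now(timezone.utc).isoformat()
        self.audit_log.append(event)

    def authenticate(self, username, password):
        """Authentication: does the caller hold the secret enrolled under this name?"""
        entry = self.users.get(username)
        # Unknown users are checked against a dummy hash so the response time does
        # not reveal which usernames exist.
        salt, digest, _ = entry if entry else (DUMMY_SALT, DUMMY_DIGEST, None)
        ok = check_password(password, salt, digest) and entry is not None
        self._record(event="authn", user=username, ok=ok)
        return ok

    def authorize(self, username, resource, action):
        """Authorization: default deny; only the role's listed permissions pass."""
        role = self.users.get(username, (None, None, None))[2]
        ok = (resource, action) in ROLE_PERMISSIONS.get(role, set())
        self._record(event="authz", user=username, resource=resource, action=action, ok=ok)
        return ok


if __name__ == "__main__":
    svc = AAAService()
    svc.enroll("alice", "Tr0ub4dor&3!", "claims_reader")
    print(svc.authenticate("alice", "Tr0ub4dor&3!"))      # True
    print(svc.authorize("alice", "claims", "update"))     # False: not in her role
    for line in svc.audit_log:                            # accounting trail
        print(line)
```

Refused decisions are logged as deliberately as granted ones; the denied "update" attempt is exactly the kind of entry an incident responder or e-discovery reviewer later needs.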


Page 24: Securing your esi_piedmont


• Identity & Access Management (IAM)
  – Single Sign-on (SSO)
    • Allows User to Gain Access to Multiple Systems / Apps
      – Negates password fatigue.
    • Implementations
      – Externally
        » One-time Password (OTP) / Tokenization
        » Federated Identity / Tokenization
        » Smart Card / Two-Factor Authentication (2FA)
        » Remote Authentication Dial-In User Service (RADIUS)
      – Internally
        » Kerberos
        » Lightweight Directory Access Protocol (LDAP)

Page 25: Securing your esi_piedmont


• IAM Technologies
  – Federated Identity
    • OpenID
    • OAuth
    • Security Assertion Markup Language (SAML)
    • Web Services – Trust Language (WS-Trust)
    • Representational State Transfer (REST)
    • Active Directory Federation Services (ADFS)
      – Microsoft Federation Gateway (MFG)

Page 26: Securing your esi_piedmont


Page 27: Securing your esi_piedmont

• Password Tips & Tricks
  – Use a password.
  – Create a strong password / PIN.
    • Alphanumeric with at least one uppercase letter, one lowercase letter, one number & one special character.
    • No dictionary words, SSNs, kids, pets, DOBs or address.
    • No usernames.
    • Use different passwords for different accounts.
  – Protect it.
    • Use a password book if necessary.
  – Change it.
    • Semi-annually


Page 28: Securing your esi_piedmont

• Change / Configuration Management
  – Process
    • Cost, GRC & Quality are huge drivers for:
      – Software Development Lifecycle (SDLC)
      – Project Management Office (PMO), Project Portfolio Mgmt (PPM)
      – Lean / Six Sigma, ISO 9000, CMMi
  – Provisioning / De-provisioning
    • On-loading / Off-loading
      – Profit Centers / Business Units / Functions
      – Data
      – Applications
      – Vendors / Partners
      – Customers
    • Periodic Reviews of Processes & Accounts


Page 29: Securing your esi_piedmont

• Incident Response / e-Discovery / DR Testing
  – Practice makes perfect.
    • Wash & Repeat
  – Crawl, Walk, Run
    • Crawl: Internal Tabletop Testing
    • Walk: Internal Exercise, “cause you have nothing better to do on a Saturday”.
    • Run: Incorporate Vendors, Partners & Customers


Page 30: Securing your esi_piedmont

• Physical Security
  – Privacy Screen
  – Physical Location & Office Access
  – Dumpster Diving
  – Lost Hard-copy Reports


Source: Flickr

Source: Amazon

Source: Flickr

Page 31: Securing your esi_piedmont

• End-user Training
  – New-hires
    • Especially for millennials (IT consumerization).
  – Quarterly Computer-based Training (CBT)
    • For heavily regulated industries.
  – Annual On-site Training
    • Be liberal with the swag.
  – Pilot new marketing campaigns (logo, tag, brand).
  – Educate Your Ecosystem


Page 32: Securing your esi_piedmont

• Take-aways
  – Educate Your Ecosystem
  – Healthy Dose of Skepticism
  – Embrace Change Pragmatically
  – Secured Technology is an Enabler
  – Privacy is Important Too


Page 33: Securing your esi_piedmont

• Questions?
• Contact
  – Email: [email protected]
  – Twitter: @markes1, @casdelval2011
  – LI: http://www.linkedin.com/in/smarkey