Security in an era of thinning perimeter - ISACA, Singapore, June 2011. Vishal Gupta, Seclore


Page 1:

Security in an era of thinning perimeter

Singapore, June 2011

Vishal Gupta

Seclore

Page 2:

The perimeter -- definition

• Traditional definitions of perimeters have relied on a combination of the following perimeters:

– Physical locations

– “Managed” computers

– Applications

– Networks

– People

What is the relevance of each of these today?

Page 3:

The perimeter

[Diagram: the Enterprise at the centre, surrounded by the parties it exchanges information with: Customers, Vendors, External Auditor, Consultants, Telemarketer, Competitors, Lawyers, Government]

Page 4:

The Problem - defined

• Sensitive data is created in many contexts

– NEEDS to be shared with internal and external stakeholders

• NDAs and legal contracts with employees and vendors

– Ineffective and un-implementable

• Methods of sharing confidential data are varied (Email, CD, FTP, USB, …)

– Complex policies for information security

No control of confidential information once it leaves the “perimeter”

Page 5:

The problem -- experienced

• 82% of C-level executives report that their organization has experienced a data breach

• 94% of C-level executives report that they have had their data attacked in the last 6 months

• 60% of the employees that lost their job admitted taking sensitive information from their former company for reselling by downloading onto CD or DVD (53%), on a USB key (42%) or as an attachment to a personal email account (38%)

• 70% of all serious incidents are sparked by insiders

Source: International Data Corporation - 2009

Page 6:

Collaboration

Information is exchanged between employees of the organisation; it is also exchanged between employees & vendors and between employees & customers.

What happens if an employee with privileged access leaves to join a competitor?

What happens if information shared with a vendor is lost by the vendor?

[Diagram: the Enterprise with its Customers, Vendors, Telemarketer and Competitors outside it; the network-perimeter controls between them are labelled Firewalls, VPN, SSL and UTM]

Page 7:

Implementing controls

Option 1 : Control Distribution

[Diagram: a slider between Security and Collaboration]

Page 8:

Information as a perimeter ..

Option 2 : Control Usage

[Diagram: a slider between Security and Collaboration; usage is controlled by the Right Person, the Right Action, the Right Time and the Right Location]

Page 9:

Information Rights Management

IRM systems allow enterprises to define, implement & audit information usage “policies”. A “policy” defines :

• WHO can use the information: People & groups within and outside of the organization can be defined as rightful users of the information

• WHAT can each person do: Individual actions like reading, editing, printing, distributing, copy-pasting, screen grabbing etc. can be controlled

• WHEN can he use it: Information usage can be time based e.g. can only be used by Mr. A till 28th Sept OR only for the 2 days

• WHERE can he use it from: Information can be linked to locations e.g. only 3rd floor office by private/public IP addresses

Policies are persistent with data, dynamic & audit-able
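As an added example (not Seclore's code and not the product's actual policy format), the following Python models a policy as the WHO / WHAT / WHEN / WHERE tuple described above. It goes slightly beyond this slide to show the two properties the later demo slides rely on: the policy lives server-side under a constant file ID, so the owner can redistribute with a new policy or retract an external reviewer's access without touching the copies already on desktops, and every decision is written to an audit trail that records authorized activities and unauthorized attempts alike. All user names, IP ranges, dates and the file ID are constructed for the example.

```python
"""Toy IRM policy engine (added example; constructed data throughout)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# WHAT: the individual actions a policy can grant or withhold
ACTIONS = {"view", "edit", "print", "forward", "copy", "screen_grab"}


@dataclass
class Policy:
    name: str
    rights: Dict[str, Set[str]]            # WHO -> allowed actions (WHAT)
    valid_from: Optional[datetime] = None  # WHEN: inclusive window, UTC
    valid_until: Optional[datetime] = None
    networks: List[str] = field(default_factory=list)  # WHERE: CIDRs; empty = anywhere


@dataclass
class AuditEvent:
    file_id: str
    user: str
    action: str
    client_ip: str
    at: datetime
    allowed: bool
    reason: str


class PolicyServer:
    """Holds the current policy per file ID and the audit trail."""

    def __init__(self) -> None:
        self._policies: Dict[str, Policy] = {}
        self.audit: List[AuditEvent] = []

    def protect(self, file_id: str, policy: Policy) -> None:
        # The file ID never changes; only this server-side record does, so a
        # copy sitting on an external desktop is governed by the new policy
        # the next time it is opened.
        self._policies[file_id] = policy

    def authorize(self, file_id: str, user: str, action: str,
                  client_ip: str, now: datetime) -> bool:
        allowed, reason = self._decide(file_id, user, action, client_ip, now)
        # Both outcomes are logged: authorized activities AND unauthorized attempts.
        self.audit.append(AuditEvent(file_id, user, action, client_ip, now, allowed, reason))
        return allowed

    def _decide(self, file_id: str, user: str, action: str,
                client_ip: str, now: datetime) -> Tuple[bool, str]:
        policy = self._policies.get(file_id)
        if policy is None:
            return False, "no policy for file"
        if action not in ACTIONS:
            return False, "unknown action"
        rights = policy.rights.get(user)
        if rights is None:
            return False, "WHO: user is not a rightful user"
        if action not in rights:
            return False, f"WHAT: {action} not granted"
        if policy.valid_from is not None and now < policy.valid_from:
            return False, "WHEN: policy not yet valid"
        if policy.valid_until is not None and now > policy.valid_until:
            return False, "WHEN: policy expired"
        if policy.networks and not any(ip_address(client_ip) in ip_network(n)
                                       for n in policy.networks):
            return False, "WHERE: client network not permitted"
        return True, "ok"

    def unauthorized_attempts(self, file_id: str) -> List[AuditEvent]:
        return [e for e in self.audit if e.file_id == file_id and not e.allowed]


def _utc(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def run_demo() -> Dict[str, object]:
    """Walk through the slide scenario with constructed users and networks."""
    server = PolicyServer()
    file_id = "FILE-0001"  # constructed unique file ID
    office = "10.3.0.0/16"           # constructed: the "3rd floor office" range
    reviewer_net = "203.0.113.0/24"  # constructed: external reviewer's network
    old = Policy(name="Product plan review",
                 rights={"maya": set(ACTIONS), "neal": {"view", "edit"}, "reviewer": {"view"}},
                 valid_until=_utc("2011-09-28T23:59:59"),
                 networks=[office, reviewer_net])
    server.protect(file_id, old)
    r: Dict[str, object] = {}
    r["neal_view"] = server.authorize(file_id, "neal", "view", "10.3.0.5", _utc("2011-07-01T10:00:00"))
    r["neal_screen_grab"] = server.authorize(file_id, "neal", "screen_grab", "10.3.0.5", _utc("2011-07-01T10:01:00"))
    r["reviewer_view"] = server.authorize(file_id, "reviewer", "view", "203.0.113.7", _utc("2011-07-02T09:00:00"))
    r["reviewer_print"] = server.authorize(file_id, "reviewer", "print", "203.0.113.7", _utc("2011-07-02T09:05:00"))
    r["neal_from_home"] = server.authorize(file_id, "neal", "view", "198.51.100.9", _utc("2011-07-03T20:00:00"))
    r["neal_after_expiry"] = server.authorize(file_id, "neal", "view", "10.3.0.5", _utc("2011-10-01T10:00:00"))
    # Owner redistributes with a new policy: the reviewer is retracted, the file ID is unchanged.
    new = Policy(name="Product plan - internal only",
                 rights={"maya": set(ACTIONS), "neal": {"view", "edit"}, "head_research": set(ACTIONS)},
                 networks=[office])
    server.protect(file_id, new)
    r["reviewer_after_retract"] = server.authorize(file_id, "reviewer", "view", "203.0.113.7", _utc("2011-07-10T09:00:00"))
    r["retract_reason"] = server.audit[-1].reason
    r["denied_count"] = len(server.unauthorized_attempts(file_id))
    r["audit_count"] = len(server.audit)
    return r


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The decision order (WHO, WHAT, WHEN, WHERE) and the reason strings make the audit trail answer the question the slides raise: not just who opened what, but which rule stopped the attempts that failed.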

Page 10:

A Process Flow of Product Plan

[Diagram of the people in the demo: Policy admin; External reviewer; Research Dept. (Maya, Research Associate; Neal, Research Associate; Head Research); Head - Marketing; Head - Finance; Head - Legal]

Page 11:

Maya’s Computer

Page 12:

Owner of Document protects the file

Maya’s Computer

Page 13:

Maya’s Computer

Page 14:

Policy Admin Computer

[Screenshot of the policy definition screen: Policy name & description; WHO: people / groups within or outside of the enterprise (Internal Users, External Users); WHAT: VIEW, EDIT, PRINT, FORWARD, …]

Page 15:

Policy Admin Computer

[Screenshot of the policy definition screen: WHERE: specific computers, specific networks, only from the office; WHEN: date range, time span]

Page 16:

Page 17:

Product Plan is Reviewed by Research Team

[Diagram: Research Dept.: Maya, Research Associate; Neal, Research Associate; Head Research]

Page 18:

Neal’s Computer

Page 19:

[Screenshot on Neal’s Computer: the protected file shows its Owner of Document and its Unique File ID]

Page 20:

The actual content is shown to the user only after he/she “accepts” the policy

Neal’s Computer

Page 21:

Neal’s Computer

Page 22:

Neal’s Computer

Page 23:

Neal’s Computer

Page 24:

Neal’s Computer

Page 25:

“Screen Print” of a protected document

Neal’s Computer

Page 26:

One more user receives the file

Head Research Computer

Page 27:

This user has full control of the document

Head Research Computer

Page 28:

Head Research Distributes files to other Internal Employees and External Users

[Diagram: Policy admin; External reviewer; Research Dept. (Maya, Research Associate; Neal, Research Associate; Head Research); Head - Marketing; Head - Finance; Head - Legal]

Page 29:

Head Research Distributes files to other Internal Employees and External Users

[Screenshot on Head Research Computer: recipients listed under Internal Users and External Users]

Page 30:

Head Marketing Computer

Page 31:

External Reviewer's Computer

Page 32:

External Reviewer's Computer

Page 33:

External Reviewer's Computer

Page 34:

External Reviewer's Computer

Page 35:

External Reviewer's Computer

Page 36:

Maya's Computer

Page 37:

Audit trails capture authorized activities AND unauthorized attempts

Maya's Computer

Page 38:

Maya's Computer

Page 39:

Owner (Maya) Redistributes the File with New Policy

Maya’s Computer

Page 40:

Old Policy Definition

Maya's Computer

Page 41:

Old Policy Definition

[Screenshot on Policy Admin Computer: Internal Users, External Users]

Page 42:

Old Policy Definition

[Screenshot on Policy Admin Computer: Internal Users, External Users]

Page 43:

New Policy definition

Unique File ID (is constant even after applying the New Policy Definition)

Maya's Computer

Page 44:

[Screenshot on Policy Admin Computer: Internal Users]

Page 45:

[Screenshot on Policy Admin Computer: Internal Users]

Page 46:

External Reviewer still has a file on his desktop

External Reviewer's Computer

Page 47:

External Reviewer's Computer

Page 48:

External Reviewer's Computer

Page 49:

Business Case - 1

Do you have confidential information which only a specific employee group, while in employment, should use?

Business plans, forward-looking financial statements and MIS reports are just some examples of information which are best used only within the walls of the enterprise. Malicious intent, errors and omissions and lack of awareness could make this information publicly available leading to potential losses.

Seclore FileSecure protects information from leakage due to malicious intent, errors and omissions, as well as lack of awareness, by providing a persistent, information-locked method of protection.

1. Forward looking financial statements

2. Business plans

3. Salary and appraisal data

4. Internal process documents and forms

Page 50:

Business Case - 2

Do you frequently establish temporary / project-based relationships with partners and contractors?

Temporary relationships with partners and vendors for a specific project typically lead to extensive information sharing during the execution. After the project ends, the information and intellectual property shared continues to be retained and used by the partner, sometimes against the enterprise, leading to financial losses.

Seclore FileSecure enables you to “retract” information shared with business partners after a specified period, thus protecting intellectual property and driving revenues.

1. M&A advisory services

2. IT project execution

3. Corporate development

4. HR consultants

Page 51:

Business Case - 3

Do you need to monitor the flow and usage of confidential information for compliance to ISO, PCI, SOX?

While GRC technologies and processes effectively monitor and control access rights within applications and folders, they do not effectively track the flow and usage of unstructured information in the form of documents and emails. Confidential information traverses department and organization boundaries in unstructured forms without effective controls or monitoring of its use.

Seclore FileSecure provides comprehensive and detailed audit trails for information usage including the WHO, WHAT, WHEN and WHERE of the usage. This includes authorized activities and unauthorized attempts.

1. Internal ISO compliance

2. BASEL compliance and operational risks mitigation

3. IT act 2008

4. PCI compliance

Page 52:

Business Case - 4

Do you send confidential information to vendors?

Typically confidential information sent to vendors is governed by non disclosure agreements without a mechanism to enforce or track the agreement. Therefore you are dependent on the vendors' systems and processes for the confidentiality of your critical information. Loss of information from the vendor could lead to reputation and legal risks for your enterprise.

Seclore InfoSource enables you to control the usage of information sent to vendors and prevent unauthorized viewing, printing, editing and distributing of the information.

1. Bill / statement / cheque book printing

2. ATM pin generation

3. Card fabrication / welcome kit

4. Data analysis and BI

Page 53:

About :

Seclore is a high growth information security product company focused on providing Security without compromising collaboration

Seclore’s flagship product Seclore FileSecure is used by more than 1.5 M users & some of the largest enterprises

Page 54:

Contact and further references

• Security concerns in outsourcing (Webcast) – www.seclore.com

• IRM for PCI compliance – http://blog.seclore.com

• “Boundary-less organizations” – www.seclore.com

Vishal [email protected]

+91-22-4015-5252

www.seclore.com

Singapore Distributor:

Intranet (Singapore) Pte Ltd

[email protected]

+65 6778 8238