CA Community

May 2010 - Posts

Securing Your Road to Virtualization & Cloud: Data Loss Prevention based on content, context and identity (Part 2 of 2)

Published: May 27 2010, 11:08 AM | 2 Comment(s)
by Shirief Nosseir

In my last blog entry, I touched on how data loss prevention (DLP) solutions are used to help organizations plan their move to virtual and cloud environments. We'll continue the discussion in this post, where I offer some quick thoughts on how DLP can provide end-to-end control and visibility throughout the infrastructure.

Enforcing Information Control

At runtime, DLP tools are required by enterprises and cloud providers alike to protect sensitive information in virtual and cloud environments. Understanding the types of data and their classification enables policies to be enforced in real time to prevent data leakage and control information usage. For example, end users cannot be expected to understand what information is and is not allowed to be processed and stored in each information zone (or cloud instance). They may be completely unaware that copying sensitive information from one application to another propagates it from internally managed to third-party infrastructure, where it might be in contravention of corporate policy.

Furthermore, it is clear that we cannot rely on end users to remember to encrypt sensitive information.  By automating the process, DLP has proven to be effective at ensuring the encryption of information at rest, in motion and in use.  In this regard, DLP's importance is only set to increase since encryption becomes even more critical in a virtual/cloud model where it is not apparent where data will be physically stored and processed.

In addition, in order to reach higher levels of information control, it's becoming clear that it is necessary to link identity management to DLP technologies. Information should not be controlled using one-size-fits-all, enterprise-wide DLP policies. Enforcing generic policies that are identity-agnostic leaves organizations with frustrated users, as the intervention into their business processes often leads to interruptions and lower productivity. And IT's burden grows with the additional support calls and longer issue review queues. An identity-centric DLP approach helps organizations not only locate and protect critical information, but also control who uses it and in what context. To give an example, role management systems typically enforce separation of duty (SOD) policies by controlling access to corporate resources (e.g., access to applications). However, this method cannot control what users do with the data once they've accessed it (e.g., in the case of bid rigging, once users legitimately access sensitive data from their eSourcing application, they can email it to the designated bidders). Identity-centric DLP systems take this control an important step forward by enforcing SOD policies at a more granular level - on the data itself, regardless of where it is located (e.g., users can access sensitive bid information and be able to email it to their external legal agency, but not to any of their bidders). As such, identity-centric DLP systems can address many more use cases than conventional, content-only DLP systems.

Monitoring and Verifying

As we know, any good system needs to be designed with continuous improvement in mind.  With the proliferation of data sources and the accelerating need to mash up insightful information from private and public clouds, it becomes more challenging than ever to understand how we can better control our information assets on an ongoing basis.

DLP reporting and analysis capabilities are essential for tracking how information is being used, by whom, where, and in what context. Identifying information usage patterns and spotting any major issues ultimately enables effective fine-tuning and improvement of corporate information control policies.

Conclusion

Today, information protection is equally about process as it is technology.  Moving to virtualization and cloud computing is a long-term journey, not a quick project.  It requires us to revisit our existing policies, processes and procedures to support the evolving IT landscape and secure our entire infrastructure wherever it is located.  Our refreshed strategies need to ensure that security is applied to the data itself to enable the efficient movement and effective usage of information.  At the same time, automation is a must, not an option, to be able to realize the true benefits of virtualization and cloud.  This makes DLP solutions a key ingredient in today's enabling technology stack.

Interested in a summary of recent DLP research?

One of my recent blogs summarizes the results of a European study entitled "You sent what? - Linking identity and data loss prevention to avoid damage to brand, reputation and competitiveness."

By: Shirief Nosseir
With a degree in computer science and business administration, Shirief brings business and technical know-how to his role on the EMEA Security Management team. As he interacts with many organisations and experts in the field, he is able to understand their experiences and challenges and help devise...

User Activity and Compliance Reporting – A Discussion from CA World 2010

Published: May 26 2010, 04:46 PM | no comments
by Gedeon Hombrebueno

Do you cringe when PCI and SOX auditors knock on your doors and ask questions like: "Who created that user?" "When was privileged access granted?" "Who accessed this data?" or "Who changed the configuration?"

At the Log Management Session at CA World 2010, panelists agreed that compliance reporting requirements place enormous financial and operational burdens on organizations. They agreed that while requirements change every so often, the fundamentals of meeting compliance demands remain the same - implement controls and verify their effectiveness. One area of need that many find very challenging is user activity analysis and reporting. As the panelists' war-room stories unfolded, it was clear that reporting, investigating what users do with their access and identifying control weaknesses over time wear them out in more ways than one.

It was clear in the panel discussion that organizations today have "crossed the chasm" of rudimentary logging practices. They now demand better uses for the logs that they collect.  The 2010 SANS Log Management survey proves this point as organizations leverage logs for user activity analysis, compliance reporting and enhancing their security and IT operations.

User activity and compliance reporting for identity, access and data usage enables efficient controls validation. The ability to report trends can expose emerging problems or control deficiencies that need to be proactively managed and controlled. User activity and compliance reporting turns siloed user activity data into consolidated reports and expedites root cause analysis. As a result, organizations get faster time-to-value and are able to simplify compliance and accelerate security investigations.

The audience pointed out that in today's tough economic climate organizations pay closer attention to cost savings and improved efficiencies. Predefined reports that are already mapped to PCI, SOX, FISMA, HIPAA, Basel II, ISO2700x and others can improve efficiencies and relieve organizations of mundane research and reporting tasks. Making reports accessible to CSOs alongside other security metrics in their custom portal provides greater decision support, while trend reporting and automatic report updates can help organizations verify controls over time and keep up with changing reporting requirements, respectively.

One thing was made clear: compliance will continue to be a key business driver. Expect new regulatory controls and anticipate the directive for user activity and compliance reporting alongside these regulations. Additionally, technology trends like virtualization and the cloud will effect change at a faster pace going forward as organizations increasingly embrace these innovations and their security concerns subside.

The final word from the panel: Act now and put in place the right people, tools and processes to efficiently verify your security controls and take control of your users' activities across physical, virtualized and cloud environments.
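The auditor questions at the top of this post ("Who created that user?", "When was privileged access granted?", "Who accessed this data?") are answered by pulling user activity out of siloed logs into one normalized event stream. The following is an added example, not code from the original post or any CA product: it parses three constructed log formats (a hypothetical identity-management provisioning log, a Windows-style group-membership audit line, and a file-access log), consolidates them into a single time-ordered list, and answers each question with a small query function. The log formats, field names and sample users are all made up for illustration.

```python
import re
from datetime import datetime

# --- Constructed sample logs from three separate silos (hypothetical formats) ---
IDM_LOG = """\
2010-05-24T09:12:03Z idm actor=jsmith action=create_user target=tjones
2010-05-24T09:15:41Z idm actor=jsmith action=grant_role target=tjones role=db_admin
"""
# EventID 4728 is the Windows "member added to security-enabled global group" event;
# the line layout here is simplified and constructed, not the real export format.
AD_LOG = """\
05/24/2010 09:16:02 EventID=4728 Subject=CORP\\jsmith Member=CORP\\tjones Group=Domain Admins
"""
FILE_LOG = """\
2010-05-24 09:30:12 user=tjones op=read path=/finance/q2-results.xlsx
2010-05-24 09:31:55 user=bwong op=read path=/finance/q2-results.xlsx
"""

IDM_RE = re.compile(r"^(?P<ts>\S+) idm (?P<kv>.*)$")
AD_RE = re.compile(r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<kv>.*)$")
FILE_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<kv>.*)$")
# key=value pairs; a value runs until the next " key=" or end of line, so "Group=Domain Admins" survives.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def _kv(s):
    return dict(KV_RE.findall(s))


def _event(ts, source, actor, action, target, detail=""):
    # Common schema every silo is normalized into.
    return {"ts": ts, "source": source, "actor": actor, "action": action,
            "target": target, "detail": detail}


def parse_idm(line):
    m = IDM_RE.match(line)
    if not m:
        return None
    f = _kv(m["kv"])
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return _event(ts, "idm", f["actor"], f["action"], f["target"], f.get("role", ""))


def parse_ad(line):
    m = AD_RE.match(line)
    if not m:
        return None
    f = _kv(m["kv"])
    ts = datetime.strptime(m["date"] + " " + m["time"], "%m/%d/%Y %H:%M:%S")
    action = "grant_group" if f.get("EventID") == "4728" else "ad_event_" + f.get("EventID", "")
    # Strip the DOMAIN\ prefix so identities line up with the other silos.
    actor = f["Subject"].split("\\")[-1]
    target = f["Member"].split("\\")[-1]
    return _event(ts, "ad", actor, action, target, f.get("Group", ""))


def parse_file(line):
    m = FILE_RE.match(line)
    if not m:
        return None
    f = _kv(m["kv"])
    ts = datetime.strptime(m["date"] + " " + m["time"], "%Y-%m-%d %H:%M:%S")
    return _event(ts, "file", f["user"], f["op"], f["path"])


def consolidate(sources):
    """sources: iterable of (parser, raw_text). Returns events sorted by timestamp."""
    events = []
    for parser, text in sources:
        for line in text.splitlines():
            ev = parser(line)
            if ev:
                events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def build_events():
    return consolidate([(parse_idm, IDM_LOG), (parse_ad, AD_LOG), (parse_file, FILE_LOG)])


# --- The three auditor questions as queries over the consolidated stream ---
def who_created(events, user):
    return [e["actor"] for e in events if e["action"] == "create_user" and e["target"] == user]


def privileged_grants(events, user):
    """(timestamp, grantor, privilege) for every role/group grant to `user`, oldest first."""
    return [(e["ts"].isoformat(), e["actor"], e["detail"])
            for e in events if e["target"] == user and e["action"] in ("grant_role", "grant_group")]


def who_accessed(events, path):
    return sorted({e["actor"] for e in events if e["action"] == "read" and e["target"] == path})


if __name__ == "__main__":
    ev = build_events()
    print("created tjones:", who_created(ev, "tjones"))
    print("privileged grants:", privileged_grants(ev, "tjones"))
    print("accessed q2-results:", who_accessed(ev, "/finance/q2-results.xlsx"))
```

The point of the common schema is that a question about one person can be answered across silos: the consolidated stream shows the same actor creating the account, granting it a database role and then adding it to Domain Admins within four minutes, which is exactly the kind of pattern a trend report would surface for review.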


By: Gedeon Hombrebueno
Gedeon Hombrebueno has been associated with the management and marketing of security software products for over 10 years. He has provided technical and business leadership as a product manager, developing product strategy and helping in the definition and delivery of integrated enterprise security management...

The Gambler takes on securing identities

Published: May 25 2010, 04:20 PM | no comments
by Michelle Waugh

To quote Kenny Rogers, "You got to know when to hold ‘em, know when to fold ‘em..."

And last week in Las Vegas, a city that welcomes gamblers, several security executives shared their secret to winning at CA World 2010. CA World was host to a large group of CSOs and CISOs who networked and discussed how their organizations can increase the winnings and reduce potential losses associated with securing identities. One particularly good session was an executive panel discussion among IT security and governance leaders from Cardinal Health, CSG Systems, and Liverpool Victoria, facilitated by Mick Coady of CA Technologies. There was lively interaction and energy with the audience as the group delved into the "how," "what" and "why" questions related to practical implementations of identity management and governance.

The cards were placed on the table in the form of anecdotes shared among the panelists and attendees. Here are just a few:

  • Reduced staff from 25-30 full time to only 2 people to manage identities
  • Started with 400 title groups and reduced to 120 already - more expected
  • Described the identity management workflow as a "godsend" for approval control
  • Reduced password reset calls to help desk from 275 to 4 calls per month
  • Reduced access request calls to help desk from 400 to 30 calls per month
  • Shifted IT staff focus from fielding routine access requests to higher value work
  • Saved $200K in first 2 months related to SOX, HITRUST and PCI compliance

One key to making an identity management initiative a winner or a loser, according to this group, is buy-in from the highest level in the organization. The panelists agreed that the benefits of efficiency from automation, meeting regulatory compliance and not being victims of a security breach are real but hard to measure. With identity initiatives cutting across organizational business processes and IT systems, executive buy-in is required to make the budget stick and cross functional teams commit -- in advance of proven results.

Mick Coady, session moderator, referred to the ROI as the "total cost of negligence or doing nothing." The risk of doing nothing includes compliance violations, fines and, worst case, a security breach with loss of reputation and business. The group also discussed an interesting twist on ROI: turning the whole identity management paradigm on its head by using it to generate money by exposing key parts of the business to the marketplace, rather than just looking at it as a way to save money.


By: Michelle Waugh
As director of product marketing in CA’s Security business unit, Michelle is responsible for messaging, positioning, and go-to-market strategy for CA’s identity lifecycle management solution. Michelle has over 15 years experience in the enterprise software industry with 8+ years focusing on security...

Securing Your Road to Virtualization & Cloud: Data Loss Prevention based on content, context and identity (Part 1 of 2)

Published: May 25 2010, 04:04 AM | 2 Comment(s)
by Shirief Nosseir

As security perimeters continue to blur and IT consumerization keeps fueling workforce mobilization, it is clear that security needs to be applied to the data throughout its lifecycle, rather than just to network assets. This makes it essential for virtualization and cloud computing efforts to adopt an information-centric security strategy from the very start. Following are some quick thoughts on how data loss prevention (DLP) solutions can help organizations transition to virtualization and cloud:

Planning the Move

We all know that not all data is created equal and some data types are more sensitive than others. One common dilemma businesses face in virtualization and cloud projects today, in an effort to minimize their risk profile, is prioritizing which assets should be transitioned first -- starting down the virtualization and cloud path by moving the most critical system that holds the most sensitive information might not be the wisest thing to do. An increasing number of leading organizations are now leveraging DLP solutions to plan such a move. DLP tools enable businesses to identify where sensitive data is located and understand how it is classified. In turn, businesses are able to carry out risk vs. value assessments and prioritize the candidates that maximize the value and minimize the risk of their transitioning efforts.

Unless controlled properly, data sprawl can cause a serious headache in a virtual or cloud setup. This makes regulated data particularly hard to move over to the new model. For example, service providers will find that meeting each customer's particular compliance requirements takes away some of the economies of scale that allow them to offer more competitively priced and attractive services. However, it's a capability they must offer if they want to capture large, heavily regulated customers. Also, it's the enterprise, not the cloud provider, that is ultimately accountable for data compliance; all legal and regulatory obligations are the same as if the data were stored on its own premises. Enterprises must ensure the protection and compliance of their data no matter where it physically resides. Data location can be quite tricky, especially when it spans international borders. This is particularly true in Europe, where the European Union privacy directives do not allow movement and cross-border access of certain data types. Again, DLP plays a central role in identifying and classifying regulated data to enable building a corporate information map that helps rationalize these compliance efforts.

DLP tools are essential for enabling organizations to map their data landscape into different information zones, and in turn each zone can be assigned to a risk category (naturally, mapping data into information zones is a continuous job rather than a one-off exercise - new data types are introduced all the time and risk postures easily change). For example, highly sensitive data might be restricted to virtual servers managed behind the corporate firewall (i.e., possibly private clouds), and only data of low sensitivity is allowed on shared infrastructure from a cloud service provider (i.e., public cloud). This approach also helps organizations better understand the most suitable contracts and service level agreements they need to negotiate with their cloud providers. Since not all data is created equal, not all should be treated equally. This gives scope to have various agreements with cloud providers that offer varying levels of cost, transparency, availability, etc., tailored and optimized for the characteristics of each information zone.
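Two passages on this page describe the same mechanism from different angles: the information-zone mapping above (classify content, then only allow it into a zone whose risk category can hold it) and the identity-centric SOD enforcement in Part 2 (a procurement user may email bid data to external legal counsel but not to a bidder). The following is an added example, not code from either post or from any CA product, showing one small policy engine that does both: content classifiers assign a sensitivity level and tags, a zone ceiling decides placement, and per-tag identity rules decide whether a given user may send the content to a given recipient. The sensitivity scale, zone names, regex classifiers, roles and domains are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Sensitivity levels; higher is more sensitive (constructed scale).
PUBLIC, INTERNAL, RESTRICTED = 0, 1, 2
LEVEL_NAME = {PUBLIC: "public", INTERNAL: "internal", RESTRICTED: "restricted"}

# Information zones and the highest sensitivity each may hold (constructed).
ZONE_CEILING = {
    "public-cloud": PUBLIC,     # shared infrastructure from a cloud provider
    "private-cloud": INTERNAL,  # virtual servers behind the corporate firewall
    "on-prem": RESTRICTED,
}

# Content classifiers: (pattern, level, tag). Hypothetical patterns, not a real DLP ruleset.
CLASSIFIERS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), RESTRICTED, "pii"),
    (re.compile(r"\bbid\b", re.IGNORECASE), RESTRICTED, "bid-info"),
    (re.compile(r"\bconfidential\b", re.IGNORECASE), INTERNAL, "internal"),
]

# Identity-centric rules per tag: which roles may handle the data (None = any role)
# and which external recipient domains are permitted (constructed SOD policy).
TAG_RULES = {
    "bid-info": {"roles": {"procurement"}, "external_domains": {"legal.example"}},
    "pii": {"roles": {"hr"}, "external_domains": set()},
    "internal": {"roles": None, "external_domains": set()},
}
CORPORATE_DOMAIN = "corp.example"


@dataclass(frozen=True)
class Principal:
    user: str
    role: str


def classify(text):
    """Return (sensitivity level, sorted list of tags) for a piece of content."""
    level, tags = PUBLIC, set()
    for pattern, lvl, tag in CLASSIFIERS:
        if pattern.search(text):
            tags.add(tag)
            level = max(level, lvl)
    return level, sorted(tags)


def placement_decision(text, zone):
    """Planning-phase check: may this content be stored or processed in `zone`?"""
    level, tags = classify(text)
    ceiling = ZONE_CEILING[zone]
    if level > ceiling:
        return ("block", f"{LEVEL_NAME[level]} content {tags} exceeds {zone} "
                         f"ceiling ({LEVEL_NAME[ceiling]})")
    return ("allow", f"{LEVEL_NAME[level]} content fits zone {zone}")


def email_decision(principal, text, recipient):
    """Runtime check combining content (tags), identity (role) and context (recipient)."""
    level, tags = classify(text)
    domain = recipient.rsplit("@", 1)[-1].lower()
    external = domain != CORPORATE_DOMAIN
    for tag in tags:
        rule = TAG_RULES[tag]
        if rule["roles"] is not None and principal.role not in rule["roles"]:
            return ("block", f"role {principal.role} is not entitled to {tag}")
        if external and domain not in rule["external_domains"]:
            return ("block", f"{tag} may not be sent to {domain}")
    return ("allow", f"{principal.user} -> {recipient} ({LEVEL_NAME[level]})")


if __name__ == "__main__":
    bid = "Q3 bid summary for the data centre project"
    buyer = Principal("alice", "procurement")
    print(placement_decision(bid, "public-cloud"))
    print(placement_decision(bid, "on-prem"))
    print(email_decision(buyer, bid, "counsel@legal.example"))
    print(email_decision(buyer, bid, "sales@bidder-one.example"))
    print(email_decision(Principal("bob", "marketing"), bid, "counsel@legal.example"))
```

Note how the same classification result feeds two different enforcement points: the zone ceiling is a coarse, identity-agnostic placement rule suitable for planning a migration, while the email check refuses the bidder domain for a procurement user yet refuses everything for a marketing user, which is the "who, with what data, in what context" distinction the post draws between content-only and identity-centric DLP.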

In my next blog post, I'll continue to touch on how DLP can help with "Enforcing Information Control" and "Monitoring and Verifying" corporate policies in virtual and cloud environments.

Interested in a summary of recent DLP research?

My previous blog summarizes the results of a European study entitled "You sent what? - Linking identity and data loss prevention to avoid damage to brand, reputation and competitiveness."



CA World: Highlights on CA Technologies’ IAM Security Opening Sessions

Published: May 20 2010, 03:18 PM | no comments
by Sumner Blount

CA World was in full swing in Las Vegas this week.  It's been very exciting...lots of new things to announce, getting a chance to talk in detail with customers, plus some occasional fun.

I attended an important session Monday - The CA IAM Roadmap and Strategy presented by Bill Mann, the VP of identity and access management products and strategy at CA Technologies.  He gave some useful information about our strategy and the product roadmap to implement this strategy.

He described the history of CA Technologies' product evolution, starting with the Netegrity acquisition, which brought one of the leading IAM products into the CA Technologies fold. The latest major step, of course, was the acquisition of Orchestria, which rounded out the CA Technologies product suite with DLP. CA DLP was critical to the evolution of CA Technologies' content-aware IAM capability, because it enabled the IAM suite to control not only identities and access, but also how the information is actually used. As an example of the power of this approach, think about being able to prevent access to certain information based on the sensitivity of the resource as determined dynamically by the DLP Classification Service. This significantly improves the granularity of access and usage policies, and makes it easier to protect sensitive corporate or customer information.

Bill also went over the strategy for extending our security products to cloud-based environments.  He discussed the approach of providing security:

  • TO the cloud - extend enterprise security to cloud services
  • FOR the cloud - providing strong IAM security for cloud providers
  • FROM the cloud - providing security as a service from the cloud (e.g., strong authentication, federation, SSO, etc.)

He also gave a quick demo of some of these capabilities, based on advanced development work that is being extended to our core IAM products. It's an exciting area, and all of us on the CA Technologies IAM team are psyched about the feedback that we've been getting from our customers on it.


By: Sumner Blount
Sumner Blount has spent his 25-year career focused on the development and marketing of software products for a range of top-tier enterprise IT firms. Currently, he’s a Director in the Security business unit at CA. Previously he managed the large computer operating system development group at Digital...