
Content security for the next decade

Is your organisation ready to weather the storm?

Bob Tarzey,
Service Director
Quocirca Ltd

Dec 3rd 2009


Agenda

• The need for content security
• The risk landscape
• Security policy for the business
• Technology - problem and solution

© 2009 Quocirca Ltd 2




Not a new problem

[Figure: timeline from the 1980s to 2009. Labels: Print and fax; FTP; Corporate IT; Firewall; Email; Web; IM; Blogs, wikis, RSS; Social networks/virtual worlds]
Percentage saying external users are provided access to internal systems

[Bar chart, 0% to 80%, by industry (Finance, Utility, Telecoms and Media, Public Sector, Retail, Industrial, Healthcare) and by type of external user (Contractors, Partners, Suppliers, Customers)]

Source: Quocirca, “The Distributed Business Index”, 2008



Percentage of employees working remotely at some point during a week

[Bar chart, 0% to 100%, for Overall, Utility, Telecoms and Media, Finance, Industrial, Public Sector, Healthcare, Retail; legend: >75%, 51%-75%, 25%-50%, <25%]

Source: Quocirca, “The Distributed Business Index”, 2008


Causes of data loss – mostly internal

[Chart categories: Employee oversight; Poor business process; Manager approved; Malicious; Other]

Source: Symantec, Risk Assessment Findings, 2008



Self-reported data breaches - Nov 08 to Aug 09 - UK FOI request

[Bar chart of number of incidents, 0 to 140, by category: Stolen data/hardware; Data disclosed in error; Lost data/hardware; Technical/procedural failure; Lost in transit; Non-secure disposal; Other incidents]

Total = 356 => 1 per day



Ignoring the internal threat

• Desire to trust
• Need to provide access
• Weak policy
• Deny
• Avoid bad press



Do employees implement back door solutions for IM, VoIP, web conferencing etc.?

[Bar chart, 0% to 40%, of responses: Definitely; Probably; Possibly; No; Don't know]

Source: Superhighway at the Crossroads, Quocirca, September 2008


Confidence to protect data when used legitimately in the following ways

[Bar chart, axis marked 2.7, 3.2, 3.7, on a scale from 1 = “not confident at all” to 5 = “very confident”, for: Send by corporate email; Send by web mail; Print; Transfer it to memory sticks; Post on the web; Share with unauthorised internal users; Copy to mobile device; Share with unauthorised external users]

From forthcoming Quocirca DLP report to be published in 2010

Cost of data breach

Direct:
• Fines
• Disclosure
• Asset loss

Indirect:
• Reputation
• Customer loss
• Share price



Compliance and disclosure

• Government and EU regulations
• Industry regulations
• US and other non-EU regulations
• Miscellaneous
• Non-Disclosure Agreement
• Software Licence Agreement

Expected increase in regulation

[Bar chart, axis marked 2 to 3.5, where 5 = will increase a lot and 1 = will decrease a lot, for: National government; Data privacy; National security; Industry specific; EU; International trading; Environmental; Securities trading; Credit card handling; Financial transparency; Health care]

From Quocirca report, “Privileged user management”, Oct 2009

Expected increase in regulation: industry variation

[Radar chart by industry (Finance, Government, Manufacturing, Telecoms and media). Axis: 5 = will increase a lot to 1 = will decrease a lot; dotted line = stable. Regulation types: a National government; b EU; c Financial transparency/reporting; d Data privacy; e Credit card handling regulations (e.g. PCI DSS); f Environmental; g Securities trading; h International trading; i National security; j Those specific to your industry; k Health care]



Nationwide – just a laptop theft?

FSA fine: £980K



The need for policy

Policy should:
1. Define how data is used
2. Aim to prevent breaches
3. Detail how breaches are handled
4. Be reviewed and kept up to date in light of:
   • New technology
   • New legislation
   • New business processes



Linking people and content with policy

[Diagram: Policy surrounded by the channels Print, Blogs, USB, SMTP, FTP, Web 2.0, Web Mail, HTTP]





Consequences for IT security

[Diagram with axes labelled Security and Time, showing People, Content, Servers and end points, Network]

Managing end-points

• User access devices
• USB Mania

© 2008 Quocirca Ltd 23


End of life



The encryption conundrum

The right data needs to be easy to share, with the right people and at the right time



Using technology to ensure the safe use of data

[Diagram: Data loss prevention surrounded by the channels Print, Blogs, USB, SMTP, FTP, Web 2.0, Web Mail, HTTP, with End point security at each of the four corners]



Deployment of DLP technology

[Bar chart by industry (Telecoms & Media, Finance, Government, Manufacturing); legend: In place; Planned for next 12 months; Delayed plans; No plans/don't know]

From forthcoming Quocirca DLP report to be published in 2010

Factors limiting IT spending

[Bar chart, axis marked 2 to 4, where 5 = very big influence and 1 = no influence at all, for: Limited budget; Business has low awareness of threats; Priority given to other IT investments; Lack of in-house expertise; IT security not seen as a business enabler]

From Quocirca report, “Privileged user management”, Oct 2009

Change in relative IT security spend

[Chart by industry (Manufacturing, Finance, Telecoms & Media, Government); legend: A. Increasing; B. Stable; C. Decreasing; D. Don’t know]

From Quocirca report, “Privileged user management”, Oct 2009

Conclusion

The imperative for content security

• Aim to enable open communications
• Recognise threats of poor content security
• Clear policy for communications and content security
• Technology to enforce in the context of a given business’s requirements



Thanks, this presentation will be available on
www.quocirca.com

Thank you
Bob Tarzey
Quocirca
www.quocirca.com
