
Safeguarding Customer Data while Enabling Collaboration
“enabling collaboration while mitigating risk”

Bruce Hicks
IBM ISS Data Security Services
Agenda
• Are you prepared for the tough questions?
• Statistics, Importance and Costs
• Why a “Holistic Approach”
• An alternative approach
• Data Security is maturing
• Steps for success
• Best practices focus
• Goal for all
• Strategic directions
Are you prepared for the tough questions?
• Are you reporting consistently across the enterprise?
• Do you know if administrators are abusing privileges?
• How do you prevent unauthorized access?
• How do you know only authorized users are given user accounts?
• Do you know if anyone attempted an attack on the mainframe?
• Can your auditors get at the information they need?
• Do you know your private customer data is encrypted?
• How did you protect your Web services applications?

Platform Infrastructure | Data Privacy | Compliance and Audit | Extended Enterprise

*It is the customer's responsibility to identify, interpret and comply with any laws or regulatory requirements that affect its business.
IBM does not represent that its products or services will ensure that the customer is in compliance with the law.
Data leak prevention: some statistics
• Business data is growing.*
  • Data volume doubles approximately every three years.
  • By 2010: zettabyte sizes (1 ZB = 10^21 bytes = 1 trillion GB)
  • Approximately 80% of the world’s data is unstructured.
• More data is being lost/stolen.**
  • 2006: 50 million records
  • 2007: 160+ million records
• More powerful, and more risk-laden, endpoints
  • For example, an 80MB mobile device holds 6,000 Word documents, 720,000 emails, or 360,000 personal records.

* Source: July 23, 2007, Forrester report “Data, Data Everywhere!”
** Attrition.org data loss archive and database
Data protection is the leading business objective
“How important to your IT security group will each of the following business objectives be in the next 12 months?”

Business objective                                   Very important   Important
Protect customer data                                56%              25%
Protect corporate IP and sensitive internal data     39%              35%
Develop BC/DR capabilities                           33%              42%
Manage regulatory compliance                         28%              40%
Perform digital investigations/eDiscovery            13%              39%

Base: 2,212 security decision-makers at North American and European companies
Source: Enterprise And SMB Security Survey, North America And Europe, Q3 2007
Teleconference: “Is Data Leak Prevention (DLP) A Vital Part of Your Data-Centric Security Strategy?”, Forrester Research, Inc., March 2008
Failure to act brings substantial costs
• Direct costs – include Internal investigation, Notification / crisis management, and Regulatory / Compliance
  • Average cost for each compromised record is $186 *
  • The average security breach can cost a company between $90 and $305 per lost record **
• Loss of future business
  • 77% of 2,750 consumers polled said they would stop shopping at stores that suffer data breaches. ***
• Class action lawsuits ****

Potential Class Action Against:   Size:        Seeking Damages of (rarely settle for full amount):   Potential Financial Exposure:
Verizon                           2,000,000    $21,000 pp                                            $42 B
AOL                               500,000      $1,000 pp                                             $.5 B
Hannaford Bros.                   <4,200,000   Unspecified, but 2 suits pending                      Unknown potential

• Decrease in stock value

* Average Data Breach Costs Companies $5M, Network World – 11/02/06
** “Calculating the Cost of a Security Breach”, Forrester Research, Inc., April 2007
*** April 2007 report, Javelin Strategy & Research
**** Tech//404® Data Loss Cost Calculator by Darwin
Why a “Holistic Approach”?
• Unification of systems and reporting
• Complexity increases the need for proven expertise and cost management (need to simplify)
• Need for architecture, classification, and lifecycle assessment efforts to refine priorities and define direction.
• Regulatory requirements put high demands on knowing, tracking and proof.
• Various groups within point to where perceived problems exist.
• “Death by point products”, regulatory concerns, and need for specialized skills and best practices, with the need to integrate security management.
• Knowing the data within and its behavior in motion, at exit and at rest.
• Resource constraints, understanding of much needed technology
Businesses are requiring comprehensive unification of system and data security, plus privacy, with full coverage spanning the network, server, and endpoint strategic control points for flexibility of ever changing regulatory and compliance requirements:
• Vulnerability Management
• Network Protection
• Multifunction Security
• Endpoint and Server Protection
• Data Security and Content
• Physical Security
• Privacy
(Diagram labels: Threat, Compliance, Data Privacy)
… enabled and enhanced by partnering together to meet these challenges
“These kept intact as a whole can provide ongoing flexibility and proof for business enhancement”
Collaboration brings Complexity (“Valuable Complexity”)

[Diagram, built up over five slides: stages of collaboration plotted against Trust; Risk, Threat, Management; Cost, Complexity; and Collaboration / Collaboration & Communication]
1. Isolated Operations
2. Select ‘Trusted Partners’
3. Value Chain Visibility
4. Industry-Centric Value Web
5. Cross-Industry Value Coalition

Legend: Core Business; Subsidiaries and Joint Venture; Customer; Partner / Channel; Provider / Outsourcer
ISO 27001
Various groups point to where perceived problems exist.

[Diagram: governance roles]
Executive Leadership: Direction Making Input
Business owners: Policy Decisions, Requirements Definition
End point consumers: User Acceptance Testing
IT

Each business owner represents an interest group and line of business within the organization and makes policy decisions on behalf of the interests and the enterprise. This ensures clear accountability for all aspects of any type of governance within each line of business as well as across the entire organization.

You get a feeling that the entire company’s problems are yours (IT) instead of everyone collaborating together to ensure success!
Taking the right angle turn

An alternative approach is required to solve the security conundrum:
• Point Products → Control Systems
• Risk Management → Business Enablement
• Siloed Solutions → Heterogeneous networks
• Technical Innovation → Process + Technology

Use a holistic framework to unify the Who, What, When, Where, and How to protect across the information lifecycle:
Captured > Stored > Transmitted > Used > Archived > Modified
A holistic framework unifies the Who, What, When, and Where to protect data every step of the way.
An alternative approach
From Silos to an Integrated Security Platform
Automated Control System / Security Backplane
1. Continuous monitoring at sensors ensures responsiveness
2. Individual security “blades” are specialized to key tasks
3. Security backplane is key for sharing information vertically and horizontally
4. Information quality is the key for efficient enterprise & network performance
5. Informed from the bottom up
6. Controlled from the top down
7. Extensible, adaptable to address evolving threats and evolving business needs
Data security is maturing with policy-driven content inspection and data protection enforcement automation
• Encryption
  • Full Disk (protect data when device lost or stolen)
  • File / folder / vdisk / removable media, shared media
• Removable Media Port Control
  • Fine grain control of external I/O ports used by external removable storage devices
• Secure email
  • Encryption and digital signing of email
  • Integrate with user email client on endpoint
• Privileged User Monitoring
  • Database vulnerability and log analysis management (Who did What and When…)
• Enterprise Data Loss Prevention (DLP)
  • Automated discovery of sensitive content, classifying / tagging of files
  • Policy-based enforcement of data protection policy (encryption, remove / relocate)
  • Close the gap between user action and automated policy enforced action
  • Endpoint – Network – Server / Data Center
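One way to make the DLP chain above (discover sensitive content, tag the file, enforce a policy action without waiting on the user) concrete, as an added Python example that is not from the presentation or from any IBM product; the sample file contents, the tag names and the tag-to-action policy are all constructed for illustration:

```python
from __future__ import annotations
import re

# Constructed sample "files" (hypothetical contents, not real data).
SAMPLE_FILES = {
    "notes.txt": "Meeting moved to Thursday; bring the slides.",
    "orders.csv": "id,card\n1,4111 1111 1111 1111\n2,1234 5678 9012 3456\n",
    "hr.txt": "Employee SSN on file: 123-45-6789",
}

# Discovery patterns: a 13-16 digit run (spaces/dashes allowed) and a US SSN shape.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed policy: classification tag -> enforcement action, ranked by severity
# so the most restrictive action wins when one file carries several tags.
POLICY = {"PCI": "encrypt", "PII": "relocate"}
ACTION_RANK = {"allow": 0, "encrypt": 1, "relocate": 2, "remove": 3}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: drops random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> set[str]:
    """Discovery + classification: return the set of tags the content earns."""
    tags: set[str] = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            tags.add("PCI")
    if SSN_RE.search(text):
        tags.add("PII")
    return tags


def enforce(files: dict[str, str]) -> dict[str, str]:
    """Policy-based enforcement: one automated action per file, 'allow' if untagged."""
    decisions = {}
    for name, text in files.items():
        actions = [POLICY[t] for t in classify(text)]
        decisions[name] = max(actions, key=ACTION_RANK.__getitem__, default="allow")
    return decisions


if __name__ == "__main__":
    for name, action in enforce(SAMPLE_FILES).items():
        print(f"{name}: {action}")
```

The second row of orders.csv has the right length but fails the Luhn check, so it is not tagged; that kind of validation is what keeps a discovery scan from flooding the enforcement step with false positives.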
Steps for success
• Work with your trusted Industry SME
  • Develop a high level GAP analysis for current position
  • Detailing current shortfalls
• Build a roadmap focusing on tactical and strategic needs
  • High-level executives focusing on tactical pain points
  • Deliver sustainable results on those current needs
  • Determine appropriate mix of HW/SW/SVC to close gap
• Work with a trusted solution component expert to address strategic comprehensive direction
  • Ensuring protection and reporting available when required to support new business availability
  • Focus is on fastest path to protect, report, remediate and certify
• Goal:
  • Environment Simplification without compromising security protection

Business Sustainability is the Goal for all of us!
Best practices focus on the full lifecycle and a holistic approach
Assess
  1. Build and maintain a program to identify significant threats and vulnerabilities
Defend
  2. Build and maintain a secure network.
  3. Build and maintain a program to manage application or infrastructure release, change, and configuration.
  4. Protect critical data in transit, at rest, in use
Access
  5. Define and maintain an Acceptable Use Policy (information security policy)
  6. Implement a program to manage identity and access
Watch
  7. Monitor and measure effectiveness of controls, investigate and respond to significant failures
Summary: Strategic Directions for Security and Privacy
• Emerging Capabilities
  • Comprehensive Data Protection / Information Lifecycle Mgmt
  • Digital Video Surveillance / Video Analytics
  • Identity & Access Management / Privileged User Monitoring and Auditing
• Trends
  • Logical and Physical Security Convergence
  • Security as a Service (On Demand)
  • Expanded Scope of Managed Services
    • Managed Identity and Access
    • Managed Digital Video Surveillance
  • Integrated Security
    • Managed governance and simplified frameworks
    • Comprehensive System and Data Protection
    • Unified Policy Management
… powered by leading edge, world class assets
Additional References
• IBM Acts to Transform Risk Management for Businesses
  • http://www-03.ibm.com/press/us/en/pressrelease/22534.wss
• IBM Data Security Services
  • http://www-935.ibm.com/services/us/index.wss/offerfamily/gts/a1027705

PDFs available:
• IBM Data Security Services for endpoint data protection
  • http://www-01.ibm.com/cgi-bin/common/ssi/ssialias?infotype=an&subtype=ca&htmlfid=897/ENUS608-017&appname=usn&language=enus
• IBM Data Security Services for enterprise content protection
  • http://www-01.ibm.com/cgi-bin/common/ssi/ssialias?infotype=an&subtype=ca&htmlfid=897/ENUS608-018&appname=usn&language=enus
• IBM Data Security Services for activity compliance monitoring and reporting
  • http://www-01.ibm.com/cgi-bin/common/ssi/ssialias?infotype=an&subtype=ca&htmlfid=897/ENUS608-019&appname=usn&language=enus

• IBM ISS related Products and Services
  • http://www-935.ibm.com/services/us/index.wss/offerfamily/iss/a1029097
  • http://www-935.ibm.com/services/us/index.wss/offerfamily/iss/a1029098

Links also available on the ISACA BrightTalk web site for this presentation
Thank You!

Bruce Hicks: bhicks@us.ibm.com


Questions?