Identify Threats. Secure data. Reduce risk.
www.stealthbits.com | 201-447-9300
White Paper
Data At Rest: The Pragmatic Approach to Data Security
Table of Contents
Introduction
Finding File Threats: Finding Needles in the Needle Stack
Where to Set Your Sights for Data Security
About StealthSEEK®
About STEALTHbits
Learn More
Introduction
Data explosion is a fact of life now. We are creating more data with every step we take and
every time we click or press. What’s slightly surprising is that a huge amount of this data still
ends up in unstructured form.1 It sits in files like spreadsheets
and documents stored in traditional folders. People are still
attaching these files to emails, and at the same time they are
sharing the files via instant messaging, collaboration platforms,
cloud based file sharing, and in even more ways. It’s good that
people are creating information and sharing it. That process is
creating a ton of value for organizations. New ideas translate
directly into new revenues. But there are also risks associated with having all that data spread
throughout the IT ecosystem. Every file is a potential threat. What we will discuss here is how
to understand the risks associated with your data, how people have approached those risks,
and why we feel that getting a handle on your data at rest can get you the security results you
desire.
Finding File Threats: Finding Needles in the Needle Stack
With so much unstructured data in the organization, simply finding a place to start can be
very daunting. Regulations like PCI DSS and HIPAA place organizations in the position of being
responsible if bad things happen with data they are supposed to be handling. Of course,
regulations aren’t the only motivation. Most businesses are creating data in service of
building and leveraging their intellectual property. They may also be handling the IP of others.
Protecting themselves against losses through exposing their own IP and damages if they
expose the IP of others is also very motivating. In large part, these concerns drove the growth
of DLP (Data Leak Protection/Prevention). Instead of targeting controls on data, DLP promised
to post guards at the gates so that the important stuff couldn’t get out regardless of what
form it took. The idea is sound. Even if we assume that DLP could do the job, though, our
experience talking to our customers is that most DLP deployments are severely delayed or
stalled, and they have been unable to keep up with the mobile and cloud technologies people
are using today. The other problem is that DLP has been very focused on the compliance task
and not well applied to the task of protecting IP. Anton Chuvakin of Gartner found the same
and goes further, stating that when it comes to IP protection “content-aware DLP simply
cannot do this job on its own without encryption, access control, log monitoring, application
security, etc.”2 What we would like to suggest is that getting your arms around your
unstructured data at rest can be a very good starting point for meeting these regulatory and
IP protection concerns.

In 2010, Gartner reported that enterprise data growth will be 650 percent over the next five
years, and that 80 percent of that will be unstructured.1

________________________________
1 “Technology Trends You Can’t Afford to Ignore,” Gartner Webinar, January 2010, slide 8, http://www.gartner.com/it/content/1258400/1258425/january_6_techtrends_rpaquet.pdf
There are several advantages to starting your data protection strategy with data at rest. The
simplest is right in the name. Data at rest isn’t moving. A lot of the complexities in data in
motion approaches come from the fact that there are so many moving parts and so many
new places for data to move appearing every day. Now, that’s not meant to imply data at rest
isn’t dynamic. It’s growing, being shifted around, being spread out over multiple data stores,
being copied into hundreds of places and altered slightly in every one of those places, and
doing a lot of things that defy the label “at rest”. But it’s ultimately stored in places where you
can get to it. That makes it a lot easier to target than stuff being transferred to a hundred
iPhones via Dropbox. Another advantage is that data at rest can still be locked down. If you
find the data and get proper controls around it before it has a chance to make it out the door,
then you cut many major risks off at the pass. Data at rest is also still likely well oriented in
your security model. The permissions on the files will be set using systems your IT security
controls and the access to the files will be controlled via systems where you make the rules.
Lastly, data at rest will sit still long enough for you to get a look at it and understand its
content. This is a key factor. If you can effectively scan and understand the contents of files,
then you can correctly control access to those files based on a proper understanding of
context.
There is another reason mastering data at rest is important. It has to do with a core
assumption that too many people make – even people who are security professionals. People
assume threats only live outside the walls. The rise of insider threats is gaining attention and,
more importantly, racking up huge numbers in costs due to damages. If you need evidence of
this, just look at the headlines. Start with Snowden, who gave us the example of the ultimate
insider job; move to Target, which showed how improper access can be leveraged by bad guys from
the outside to turn your insider issues against you; and finish up with Barclays to show how a
rogue insider can go pro and make a fortune on lax IT security. The Barclays case is
particularly interesting since the perpetrator, who sold off private financial details about
customers, found all the data he needed to build this profitable venture simply using the
access he had to unstructured data. That data was sitting on the network for the taking; it
only took the right – or maybe the wrong – person to come along and find it.

________________________________
2 “On DLP and IP Theft” by Anton Chuvakin, November 9, 2012, http://blogs.gartner.com/anton-chuvakin/2012/11/09/on-dlp-and-ip-theft/
How can you effectively protect against that insider threat? How can you meet all your data
security goals? It takes a concert of efforts to do it right, of course. One key piece is making
sure you control access to data on the inside. People can’t do the wrong thing with data they
can’t access. This is easy enough to say, but it returns us to where we began: where to start?
Even if you know you will start with your data at rest, that’s no small task either. Data at rest
lives in every nook and cranny of your infrastructure from the lowliest desktop to the beefiest
data center. You can scan and analyze it all, but how do you prioritize where to turn your
attention first? This is where understanding content comes in. In each case we find, data
breaches are a concern because the data itself was sensitive in some way. Sensitive data can
be obvious, e.g. PII (Personally Identifiable Information like a Social Security Number), but
sensitive data can be very specific to your business as well (e.g. the exact chemical formula
for your new drug or the exact combination of supplier part numbers for your upcoming
product). Every organization can easily make a list of what data they know they don’t want
getting into the wrong hands. If while you scan all your data you’re also looking for that kind
of content, you’ll immediately have the criteria you need to assess relative risk, and make a
prioritized list of where you should focus your time and attention.
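As an added illustration of the scan-and-prioritize approach described above (example code written for this page, not StealthSEEK or any STEALTHbits tool): it walks a constructed file share, counts hits for a built-in PII criterion (Social Security Numbers, with ranges the SSA never issues filtered out) and for a hypothetical business-specific criterion (an assumed supplier part-number format), weights each file's content score by how widely its POSIX permissions expose it, and returns a ranked list of where to look first.

```python
import os, re, stat, tempfile

# Criteria sets (constructed for this example). The ACME part-number format is hypothetical.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
PART_NUMBER_RE = re.compile(r"\bACME-\d{4}-[A-Z]{2}\b")

def is_plausible_ssn(area, group, serial):
    """Drop SSN-shaped strings the SSA never issues (000/666/9xx area, 00 group, 0000 serial)."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0

def score_content(text):
    """Weight each criteria hit; a business-IP hit outweighs a single PII record."""
    hits = sum(1 for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups()))
    return 10 * hits + 25 * len(PART_NUMBER_RE.findall(text))

def exposure_factor(path):
    """Wider read access means wider exposure: world-readable > group-readable > owner-only."""
    mode = os.stat(path).st_mode
    return 3 if mode & stat.S_IROTH else 2 if mode & stat.S_IRGRP else 1

def scan_tree(root):
    """Walk a data-at-rest location; return [(risk, relative path, content score)], riskiest first."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                content = score_content(fh.read())
            if content:  # only files holding flagged content make the priority list
                results.append((content * exposure_factor(path), os.path.relpath(path, root), content))
    return sorted(results, reverse=True)

def build_sample_share():
    """Create a small constructed file share to scan; returns its root directory."""
    root = tempfile.mkdtemp()
    samples = {  # relative path: (contents, POSIX mode)
        "hr/payroll.csv": ("name,ssn\nAda,123-45-6789\nBob,234-56-7890\n", 0o644),
        "eng/bom.txt": ("Supplier parts: ACME-1234-AB ACME-5678-CD\n", 0o600),
        "misc/notes.txt": ("Ticket 000-12-3456 is not a real SSN\n", 0o644),
    }
    for rel, (text, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh: fh.write(text)
        os.chmod(path, mode)
    return root
```

Calling `scan_tree(build_sample_share())` ranks the world-readable payroll file above the owner-only bill of materials even though the latter carries the heavier content score, and leaves the file with only an impossible SSN off the list entirely.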
Where to Set Your Sights for Data Security
Hopefully it’s now clear that data at rest is a pragmatic starting point for your data security
efforts. You can approach it in a number of ways, and you can use the content of the data
itself to prioritize your efforts. If data at rest is a starting point, where does that get you in
terms of your overall goals? Getting data at rest right means that you reap many benefits
down the road. Well organized and secure data at rest is less likely to become the source of a
leak. Controlling where your sensitive data lives and who has access to it means you will need
less of the burdensome data in motion controls. Data at rest solutions also tend to have a
much less complex implementation cycle. You can achieve results faster that way and make
progress on data security goals rather than simply sitting and watching projects drag on in the
deployment phase while your IP exits stage left. Your ultimate goal should be to have
effective, context sensitive controls applied to all settings where your data is in the hands of
users for any purpose. Understanding the nature of your data from content scans while that
data is at rest can help make that a reality, because your controls are only effective when they
are properly applied. How do you know when to apply DRM or use DLP to block things when
you don’t have a full understanding of the context content can provide? Having a solid
understanding of your content and a well-defined approach to access gives you these
practical answers down the line. That is why mastering your data at rest is a pragmatic start to
all of your data security efforts.
About StealthSEEK®
StealthSEEK® is the missing piece in any organization’s DLP tool arsenal, providing high-scale,
light-weight sensitive data discovery capabilities for unstructured data. With no agents to
provision, dozens of built-in and customizable criteria sets, and surgical accuracy, StealthSEEK
is able to identify and secure sensitive content across desktops, servers, and network file
shares in minutes, proactively safeguarding data subject to compliance scrutiny and security
breach.
©2015 STEALTHbits Technologies, Inc. | STEALTHbits is a registered trademark of STEALTHbits
Technologies, Inc. All other product and company names are property of their respective
owners. All rights reserved. WP-DAR-0615
STEALTHbits Technologies, Inc.
200 Central Avenue
Hawthorne, NJ 07506
P: 1.201.447.9300 | F: 1.201.447.1818
www.stealthbits.com
About STEALTHbits Technologies, Inc.
Identify threats. Secure Data. Reduce Risk.
STEALTHbits is a data security software company. We help organizations ensure the right
people have the right access to the right information. By giving our customers insight into
who has access and ownership of their unstructured data, and protecting against malicious
access, we reduce security risk, fulfill compliance requirements and decrease operations
expense.
Learn More
Attend a Demo - http://www.stealthbits.com/events
Browse the Resource Library - http://www.stealthbits.com/resources
Ask us a Question - http://www.stealthbits.com/company/contact-us
Request a Free Trial - http://www.stealthbits.com/free-trial
Visit the Official STEALTHbits Blog - http://www.stealthbits.com/blog