ILP_withDataProtection_WP_(A4)_web

Securing Information Throughout Its Lifecycle with SafeNet Data Protection White Paper 1

Securing Information Throughout

Its Lifecycle with SafeNet Data

ProtectionWHITE PAPER

Executive Summary

The security frameworks implemented in most organizations aren’t cutting it today—and their shortcomings are only going to be exacerbated over time. This paper outlines why a new approach is needed, outlining the trends that are increasingly exposing the limitations of traditional security approaches. The paper then reveals how SafeNet’s comprehensive data protection solutions offer an effective, cohesive framework for protecting information throughout its lifecycle.

Introduction

Whether today, tomorrow, or in the coming months, leaders at many organizations are going to come to a single, tough, yet unassailable truth: The proliferation and mobility of their data has outpaced their businesses’ ability to protect it.

Sensitive assets are constantly at risk. Internal and external threats are persistent, pernicious, and pervasive. Critical assets are increasingly vulnerable—whether it is a company’s intellectual property, sensitive customer data, or core communications that underpin business processes.

The current security framework has been built using security controls that guard specifi c systems against specifi c threats. Quite simply, this framework isn’t sustainable. Furthermore, the very nature of this fractured, knitted framework is failing to deliver the integrated, comprehensive approach needed to protect information across its lifecycle.

To combat the threats of the future and guarantee the protection of data as it is actually used, organizations must move to a framework that is centered on the data itself. With a data-centric approach built around an information lifecycle model, organizations can build systems to better protect data, gain enhanced visibility and control, and realize signifi cant improvements in effi ciency and economies of scale.

Whether today, tomorrow, or in the

coming months, leaders at many

organizations are going to come

to a single, tough, yet unassailable

truth: The proliferation and

mobility of their data has outpaced

their businesses’ ability to protect

it.


THE FOUR CATEGORIES OF

The Information Lifecycle

In order to discuss information lifecycle protection, we have to start with a framework for understanding how data fl ows through an organization and how entities create, operate, and consume this data. From a high level perspective, we can break the use of data into four categories. Viewing information in this way is useful in both understanding the use of data as well as the threats to that data in different scenarios. Following is an overview of these four categories:

• Identities. Information feeds into the organization from both individuals and applications. In addition, many organizations’ business applications create sensitive data. This could include a card issuer application automatically generating a credit card PIN or a healthcare provider generating patient identifi ers.

• Transactions. Next, the business transforms and utilizes this data. Fundamentally, business systems and processes take discrete data elements (sometimes called structured data) and conduct transactions with this information, potentially involving multiple subsystems, in ways that add value to the organization. This information is ultimately transmitted into the form factors and consumption points needed by the rest of the business.

• Data. As data progresses throughout its lifecycle, information ends up being created, shared, and stored in a number of locations: Individual PCs, application and database servers, fi le shares, storage area networks, tape drives, etc.

• Communication. To make use of data, disparate systems need to communicate with each other. This can include the transmission of information across a complex mix of private, public, and semi-private networks. For years, this has been an area of clear security focus, as it was the one area that crossed perimeter and trust boundaries.

Under Pressure: The Evolving, Increasing Demands on Data Protection

Now that we’ve established a framework for viewing information across its lifecycle, we’ll turn to the issues organizations are confronting today. Following are a few of the most pressing:

• Ever-expanding data volumes. The explosive growth in data volumes in itself puts pressure on businesses. Whether a user is trying to fi nd a fi le on a laptop or a server administrator is trying to fi gure out how to enforce mailbox quotas, increasingly expansive amounts of digitized information put an ongoing strain on businesses. While physical and virtualized storage costs may drop, the costs and effort associated with deployment, maintenance, and protection of this expanding infrastructure does not.

• Digitization of intellectual property. The amount of intellectual property held within IT systems has increased, as well, as more business and operational models have gone digital and online. For example, an architecture fi rm that 20 years ago was having blueprints couriered between offi ces now shares proprietary CAD fi les with business partners and customers via secured Internet connections. Media and entertainment fi rms that once used fi lm now rely increasingly on the digital capture, editing, and distribution of content.

• Build-up of compliance mandates. For most companies, the challenge of ensuring compliance with external policies and standards is nothing new. As you can see in the graphic below, many mandates have been in effect for years. However, the challenges of maintaining compliance and adapting to changing threats and rules, continue to place a strain on businesses.

CO

MM

UN

ICATIO N S

DATA

INFORMATION

LIFECYCLE

IDEN

TITIES TRANSACTIO

NS


• Increased visibility and scrutiny of security. Thanks in no small part to the increased visibility and severity of breaches, executives, governing boards, and the general public have gained an increased understanding of the importance of, and issues relating to, data—the growing amount and need for it, the critical role it plays in business performance, and the risks to which it is exposed. For better or worse, and sometimes both, awareness of the importance of data protection has reached the C-level suite and the boardroom.

The Cloud as Tipping Point

The challenges above are daunting in and of themselves, but the emerging cloud paradigm threatens to throw a new and very big monkey wrench into the fundamental underpinnings of information protection. Most assumptions about trust, ownership, and risk to information were based on an understanding of a physical world with distinct (albeit continually fracturing) perimeters. Now, virtualization and cloud-based computing throw these basic assumptions into question.

Organizations have been utilizing software as a service (SaaS) or platform as a service (PaaS) as the ultimate way to enjoy unparalleled resource elasticity while signifi cantly minimizing cost structures, as resources are shared in cloud-based architectures with other tenants. However, the externally hosted, shared nature of these external cloud services raises a host of security questions.

Virtualization of applications and platforms has created an unprecedented level of data portability. Sensitive data and application processing can be migrated across server farms with dozens of physical machines and hundreds of virtualized servers. Consequently, risks that were once associated with someone walking off with an entire server are now potentially realized through a hijacked password or a stolen fl ash drive.

As enterprise executives continue to chart their cloud strategies, security considerations will need to weigh heavily in the criteria, along with the potential benefi ts in fl exibility, cost savings, and scalability.

The challenges of maintaining

compliance and adapting to

changing threats and rules,

continue to place a strain on

businesses.

Current trends, including the

emerging cloud paradigm, are

placing increased demands and

pressures on each of the four

categories of the data lifecycle.

Computer Security Act of 1987

EU Data ProtectionPrivacy Act of 1974

GLBACLERP 9

EC Data Privacy Directive

NERC 1200 (2003)

COPPA

Basel II

CIPA 2002

USA Patriot Act 2001

CAN-SPAM Act

C6 - Canada

FDA 21CFR Part11

HIPAA

Foreign Corrupt Practice Act of 1977

1970 1980 1990 2000FISMA 2002

Sarbanes-Oxley


The Implications

How do these challenges really impact your business? What problems are being presented as a result of these trends? Following is an overview of some of the specifi c implications IT and business leaders are now confronted with.

Security Islands

The task of ensuring the security of data has grown signifi cantly more diffi cult. The overall footprint of data that must be secured has grown tremendously. Practically speaking, the complicating factor of this growth is not its sheer size (which is daunting enough), but how it has grown. Rather than an expanding set of core data around which security requirements have grown, IT and security teams fi nd themselves managing islands of data and silos of data security. These security silos grew out of specifi c needs: The particular nature of certain types of data, the policies of a specifi c business unit, the localized efforts to comply with a specifi c regulatory mandate, and so on. An organization’s history of mergers, acquisitions, geographic expansion, and technology deployments can also further isolate the reach of a given security deployment.

Weak Links

This disparate and silo-ed nature of the data protection structure poses threats. In the security fi eld, it’s well known that it’s easier to attack the links between systems than to attack specifi c security systems directly, which are typically secure as a stand-alone entity. The mythical Trojan Horse that used a type of social engineering to breach the perimeter defenses of Troy and the breaking of the German Enigma code in WWII as a result of its insecure use by fi eld soldiers are both well-known examples of this truism: It’s not the strength of the gate or the code that’s vulnerable, but rather weakness in associated processes.

More recently, an attack known as Operation Aurora affl icted more than 30 companies. The attacks exploited a zero-day vulnerability in Internet Explorer to compromise internal systems. In spite of the “gates” that were in place, users were lured to click a link to a malicious server, which initiated the attacks. This further illustrates the concept that weaknesses in associated processes can undo even the best security.

Sophisticated Attacks

At a high level, it’s important to understand that the specifi c model of a modern attack is one consideration, but it’s even more important to consder the sophistication and amount of automation that can be employed in generating these attacks. Gone are the days when all you had to worry about were simple ping sweeps and port scans. Now, your security team has to explore all the intricacies across the entire network stack to look for a weakness. Powerful tools like Google hacking make anonymous profi ling easy, fi ngerprinting tools make it easy to customize attacks, and automated scripts and tools enable the plundering of mass amounts of data once an exploit is found.

Exposure to Internal Threats

Compounding matters is the fact that internal staff may pose a risk, whether due to not following policies or through their susceptibility to social engineering. Here again, it can be the weak links between systems that prove vulnerable. For example a user can save sensitive customer data to their laptop in order to complete a project at home, in spite of the fact that this act may run counter to corporate policies. If that laptop were subsequently stolen, the organization would then be subject to disclosure laws and the negative publicity that follow.

Further, malicious insiders continue to pose a very serious threat to organizations. Whether motivated by revenge or money, inside users can exploit authorized access to conduct a broad range of attacks, including theft and sales of corporate intellectual property, deletion of assets, and sabotage of existing business processes.


Expensive and Ineffi cient

Furthermore, security is becoming more expensive—and not just from the top line perspective (such as capital equipment cost), but also from the standpoint of architectural ineffi ciencies. An organization may have overlapping identity and authentication schemes as a result of uncoordinated projects. When it comes to cryptography, even if a common set of algorithms (AES, RSA, etc.) is employed, an enterprise may have dozens if not hundreds of different systems in place. There may be a distinct set of key handling systems for laptops, servers, databases, mainframes, and storage systems—and one department or business unit may have a completely different set of systems than another. Beyond the upfront costs, each of these systems exacts the costs of the associated manpower required for set up, and ongoing maintenance, training, and troubleshooting.

Cloudy Future

And lastly, the cloud adds more complexity and even more unknowns. With current systems, even when security administrators are managing an increasing number of trust models and deployments, at least there is a common understanding of the architecture and the means to secure it. The cloud paradigm, the pace of innovation, the lack of common architectures, the relative lack of visibility and oversight, all conspire to make it diffi cult to understand, let alone mitigate threats. Ultimately, security teams and management need to evaluate, deploy, and manage each cloud architecture individually, which is neither sustainable, nor likely to create a solid security foundation.

Time for a Change

Whether it comes to regulatory mandates, security cost and complexity, the implications of the cloud, or explosive data volumes, these distinct issues share a common, fundamental reality: The challenges they present will only be growing, not shrinking, in the days and months ahead. These myriad challenges and trends point to a single, fundamental truth: The old way of doing information protection isn’t sustainable. It’s time to change the model, from one concerned with the trust of the systems that handle the data to the fundamental security of that data, regardless of the system on which it happens to reside.

Today’s Requirements: Strategic, Comprehensive Data Protection

To address the challenges outlined above, organizations need to take a fundamentally different approach to information protection across its lifecycle. To do so, they need to employ security approaches that meet the following characteristics:

• Persistence. Data must be protected from its creation through its modifi cation, distribution, and deletion. Organizations must move beyond traditional perimeter and device security, employing constant and intelligent protection to the data itself. Security policies should accompany protected data, allowing it to move freely and be accessed as needed so information can be shared and used to ensure optimal user productivity.

• Trust. For digital processes to function, trust needs to be an integral, unassailable attribute throughout the workfl ow. This means ensuring users are who they claim to be and having consistently enforced policies based on users and groups, so users can get the information they need, while prohibiting access to the resources they’re not authorized to see.

• Transparency. In today’s competitive environment, organizations can’t afford not to implement robust security measures, but they also can’t afford to have these measures hamper end user productivity. Toward that end, security mechanisms such as encryption must be employed in a manner that is automated and seamless, essentially invisible to the end user as they go about their daily work.

• Control. Organizations need comprehensive, centralized control over their security. That starts with a centralized platform that can be integrated with a broad range of systems and environments, including enterprise fi le servers, databases, applications, laptops, and mobile devices. Policies and keys must be administered centrally, and then applied globally. Reporting and auditing mechanisms likewise need to be centralized to offer the highest levels of security and effi ciency.


New IT Security Realities

As Threats Change, Approaches Must Change.

Traditional Approaches Data Lifecycle Approaches

Perimeter focused security Persistent data-centric protection—intelligence to protect the data itself throughout its lifecycle

All-or-nothing encryption Granular, selective protection over subset of unstructured or structured data (fi les, fi elds and columns)

Keep bad guys out, authorized users get full access

Granular privileges for authorized users, assure compartmentalization

Multiple products to meet business and security needs

Centrally managed solution that addresses business, compliance, data governance and security

High level or very specifi c policy onlyNo proper central policy management

Centralized policy and lifecycle key management for optimum visibility and data control

The Solution: SafeNet Data Protection

To address today’s challenges, including explosive data volumes, disparate security silos, evolving cloud initiatives, and more, organizations need a long-term solution that acts as a nexus for data control and business innovation. This is exactly what SafeNet data protection solutions deliver:

• Gain enterprise wide visibility and control. SafeNet delivers comprehensive, centrally managed solutions that enable organizations to eliminate patchwork islands of defense and instead start governing enterprise-wide security in a cohesive, centralized manner.

• Boost effi ciency. With a more cohesive, comprehensive security framework in place, organizations can eliminate the complexity, duplication of efforts, and high cost of employing and maintaining overlapping, disparately managed systems.

• Eliminate weak links. SafeNet helps organizations eliminate security islands—so they can eliminate the exposure presented by the links between disparate systems. In this way, they can better guard against increasingly sophisticated external threats and minimize the exposure posed by malicious insiders.

• Enhance agility. SafeNet’s effi cient, comprehensive, and fl exible framework equips organizations with the capabilities they need to more quickly adapt to changing business, technological, and security challenges and opportunities.

• Embrace the cloud. By offering capabilities for granular, persistent control of information, SafeNet enables organizations to more fully leverage the business benefi ts of the cloud—while simultaneously strengthening security. In this way, the cloud can become a more strategic business asset rather than a security liability.

As security threats evolve, so too

must the tactics and strategies

employed to guard against them.


COMPREHENSIVE INFORMATION PROTECTION

Across the Lifecycle

SafeNet solutions provide persistent protection of information at critical points in its lifecycle, wherever and however that information gets used. SafeNet solutions give your business the agility needed to adapt to change and act on opportunity, while securing information across all four stages of its lifecycle:

• Identities. SafeNet offers strong authentication and identity management solutions that protect identities for users and servers.

• Transactions. SafeNet delivers industry-validated, hardware-based encryption platforms that protect transactions, ensure data integrity, and maintain an audit trail.

• Data. SafeNet’s data encryption and control solutions protect and maintain ownership of data throughout its lifecycle, from the data center to the endpoint and into the cloud.

• Communications. SafeNet provides high-performance communication encryption solutions that persistently protect information, ensure control beyond location or boundary, streamline operations, and reduce compliance costs.

CO

MM

UN

ICATIO N S

DATA share protect a

nd cont

rol

access

perform

INFORMATION

LIFECYCLEPROTECTION

IDEN

TITIES TRANSACTIO

NS

Learn more about SafeNet solutions for each stage of the information

lifecycle in the following pages.

SafeNet offers a

comprehensive set of

offerings that enable

organizations to protect

information across its

lifecycle.


SafeNet for Identities: TRUSTED USERS, SERVERS, AND SERVICES

SafeNet offers the broadest range of strong, multi-factor authentication solutions and hardware security modules that ensure only authorized individuals can access your organization’s sensitive information. In addition, it secures identities—enabling trust. With SafeNet, organizations gain the access controls that enable business, lower IT costs, and boost user productivity.

Designed to adapt with your evolving business needs, SafeNet’s trusted authentication solutions secure remote access, enhance network access security, simplify password management, and enable new online services with the industry’s broadest range of authenticators, management platforms, and security applications. SafeNet authentication and HSM solutions can be combined to ensure the strongest levels of digital signature security. As a result, organizations can protect the identities connected to business transactions while allowing for faster time to market and lower operational costs.

HARDWARE

SECURITY MODULE

MULTI-FACTOR

AUTHENTICATION

AUTHORIZED

ACCESS

SafeNet for Transactions: ASSURED PROTECTION OF HIGH-VALUE KEYS

SafeNet HSMs provide reliable protection for transactions, identities, and applications by securing cryptographic keys and provisioning encryption, decryption, authentication, and digital signing services.

SafeNet HSMs provide the highest performing, most secure, and easiest to integrate application and transaction security solutions. SafeNet HSMs are highly tamper resistant, featuring FIPS and Common Criteria validation. With a broad range of HSM offerings and a full range of API support, SafeNet HSMs enable application developers to easily integrate security into custom applications. In partnership with leading application solution providers, SafeNet has produced HSMs that offer end-to-end protection for organizations, helping them achieve regulatory compliance, streamline business processes, reduce legal liabilities, and improve profi tability.

SafeNet offers both multi-factor

authentication solutions and

hardware security modules that

ensure only authorized users can

access sensitive information.

CO

MM

UN

ICATIO N S

DATA

share protect and c

ontro

l

access

perform

INFORMATION

LIFECYCLEPROTECTION

IDEN

TITIES TRANSACTIO

NS

CO

MM

UN

ICATIO N S

DATA

share protect and c

ontro

l

access

perform

INFORMATION

LIFECYCLEPROTECTION

IDEN

TITIES TRANSACTIO

NS


For example, SafeNet HSMs are used in a host of digital workfl ows where ensuring trust throughout the process is critical, such as e-invoicing, electronic mortgage processing, online credit card PIN issuance, and more. Digital signatures, powered by encryption and public key infrastructure (PKI), represent the means for establishing trust in these digital processes. SafeNet HSMs are dedicated systems that physically and logically secure the cryptographic keys and cryptographic processing that are at the heart of digital signatures.

SECURES

CRYPTO-GRAPHIC

KEYS TRANSACTIONS IDENTITIES APPLICATIONS

SafeNet for Data: DELIVERING PERSISTENT ENCRYPTION AND CONTROL

SafeNet delivers comprehensive data encryption and control solutions that enable you to maintain ownership of your data throughout its lifecycle—as it is created, shared, stored, and moved within and beyond your organization. With SafeNet, protection extends from the data center to the endpoint and into the cloud.

SafeNet delivers secure and easy to manage key lifecycle and policy management capabilities, offering the following solution suites:

• The Data Center Suite secures customer information, cardholder data, and social security numbers stored as structured data in databases, applications, and mainframes—as well as unstructured data kept in fi le servers.

• The Endpoint Suite protects and controls documents, pictures, patents, and designs stored as unstructured data on laptops and mobile devices, while also offering full-disk encryption and content security for data loss prevention.

Data Center Suite Endpoint Suite

• DataSecure• ProtectDB • ProtectApp• ProtectZ• Protect File

Server

• Tokenization Manager

• eSafe SmartSuite• MDeX

• ProtectFile• ProtectDrive

SafeNet delivers comprehensive solutions that offer granular, persistent controls

to ensure data is protected throughout its lifecycle—from the data center to the

endpoint and into the cloud.

SafeNet HSMs secure the

cryptographic keys that protect

transactions, identities, and

applications.

share protect and c

ontro

l

access

perform

INFORMATION

LIFECYCLEPROTECTION

IDEN

TITIES TRANSACTIO

NS

CO

MM

UN

ICATIO N S

DATA


Contact Us: For all offi ce locations and contact information, please visit www.safenet-inc.com

Follow Us: www.safenet-inc.com/connected

©2010 SafeNet, Inc. All rights reserved. SafeNet and SafeNet logo are registered trademarks of SafeNet. All other product names are trademarks of their respective owners. WP (A4)-09.07.10

SafeNet for Communications: TRUSTED AND TRANSPARENT TRANSMISSION OF SENSITIVE INFORMATION

Enterprise network and security engineering groups must reach an appropriate balance between enabling communication and securing corporate information. Maintaining this balance becomes trickier as organizations expand and become more geographically dispersed; they need secure and transparent high-speed communications across the network to facilitate global collaboration among partners, suppliers, and customers.

SafeNet high-speed WAN encryptors provide the fastest, simplest, and easiest way for organizations to implement network security solutions that protect mission-critical data. Designed to integrate seamlessly into a network topology, SafeNet encryptors deliver proven reliability and scalability. With high throughput and low latency, SafeNet network security devices are the ideal solution for protecting massive amounts of data, including applications in which quality of service and continuous availability are vital, such as voice and video conferencing streams.

Communication Protection - High-Speed Network Encryption

Ethernet Encryptor

SONET Encryptor

Space Encryption

Link Encryption

Voice Encryption

Security Management Center (SMC)

Conclusion

In many organizations, today’s security deployments are fragmented, fractured, and ineffi cient—hardly a recipe for success in contending with the challenges of the immediate future. Long term security—as well as business success—will hinge on an organization’s ability to more comprehensively and strategically manage its security efforts. By enabling organizations to take a data-centric approach that secures sensitive information across its entire lifecycle, SafeNet enables customers to both optimize security and business performance.

About SafeNet

SafeNet is a global leader in information security, founded more than 25 years ago. The company protects identities, transactions, communications, data and software licensing through a full spectrum of encryption technologies, including hardware, software, and chips. More than 25,000 corporate and government customers in 100 countries trust their security needs to SafeNet. In 2007, SafeNet was acquired by Vector Capital, a private equity fi rm specializing in the technology sector. For more information, visit www.safenet-inc.com.

With SafeNet high-speed WAN

encryptors, organizations

can enjoy secure, high-speed

communications across

distributed sites.

share protect and c

ontro

l

access

perform

INFORMATION

LIFECYCLEPROTECTION

IDEN

TITIES TRANSACTIO

NS

CO

MM

UN

ICATIO N S

DATA

ILP_withDataProtection_WP_(A4)_web

Documents

Transcript of ILP_withDataProtection_WP_(A4)_web