Presentation topic for Philippines SAP user group forum
Copyright 2013 FUJITSU LIMITED
Data Management & Security
“The Highly Overlooked yet Critical Part of your IT Operation”
William Ho
BCCE, BCCLA, CBCP, CCSK, CISA, CISM, CRISC, CITPM, MBCI, ITIL, VCP, TOGAF
Regional Senior Consultant
For Philippines uSAP forum – 22 Feb
Mitigation Considerations
1. Data Management & Security - Situation
2. Data Security Life-Cycle
3. Shaping Tomorrow With You
4. Data Security – Examples and Application
5. Questions and Discussions
Data Management & Security
Introduction & Situation
Data management is an overarching term that
refers to all aspects of creating, housing,
delivering, maintaining and retiring data with the
goal of valuing data as a corporate asset.
A data breach is a security incident in which sensitive,
protected or confidential data is copied, transmitted,
viewed, stolen or used by an individual unauthorized
to do so.
Data breaches may involve financial information
such as credit card or bank details and/or
personal information.
Your Data
– Unstructured data: File Systems (Office documents, PDF, Vision, Audio & other); Fax/Print Servers, File Servers
– Business Application Systems (SAP, PeopleSoft, Oracle Financials, In-house, CRM, eComm/eBiz, etc.): Application Server
– Structured data: Database Systems (SQL, Oracle, DB2, Informix, MySQL); Database Server
– Security & Other Systems (Event logs, Error logs, Cache, Encryption keys, & other secrets): Security Systems
– Data Communications: e.g. VoIP Systems, FTP/Dropbox Server, Email Servers
– Storage & Backup Systems: e.g. SAN/NAS, Backup Systems
Have plenty of security implementations:
Firewalls, IPS, IDS, Proxies, Antivirus
SmartCards and authentication devices
Access control on your routers
VPNs for secure communications…
Attackers are getting smarter, more knowledgeable, more resourceful and bolder.
Anyone, anywhere can be a potential attacker
Criminal activity becomes more profitable
Cyber-terrorism, cyber-security, etc. are a real possibility…
Data Store A
Data Store B
Data Store C, D
The consequences can be serious.
Data breach/loss incurs:
– legal fees
– disclosure expenses
– consulting fees
– remediation expenses
– credit monitoring expenses
Consequences
– Legal/statutory/regulatory
– Reputation/image impact
– Loss of customers/business
– Credibility
– What data will be stored
– Where will it be stored
– What controls are in place
– Who is responsible for security
– Are there third party validations
– Process for removing data
Understanding
Data Security Life-Cycle
Source: Security Guidance for Critical Areas of Focus in Cloud Computing V3.0, Information Management & Data Security
This may also be known as Create/Update because it applies to
creating or changing a data/content element, not just a document
or database. Creation is the generation of new digital content, or
the alteration/updating of existing content.
Consideration (examples)
Ownership
Classification
Rights Management
Storing is the act of committing the digital data to some sort of
storage repository, and typically occurs nearly simultaneously with
creation.
Considerations (Examples)
Access Controls
Encryption
Rights Management
Isolation
[Figure: rmt/0 - Utilization chart; Percentage (%), series %wait and %busy, 27/03/01 - 28/03/01]
Data is viewed, processed, or otherwise used in some
sort of activity
Considerations (Example)
Internal/External
Third Parties
Appropriateness
Compliance
Data is exchanged between users, organisations, groups and
individuals.
Considerations (Examples)
Internal/External
Third Parties
Purposes
Compliance
Locations
Local Mirroring (RAID 1)
Remote (Offsite) Replication
Server (Primary), Server (Replica)
Data leaves active use and enters long-term storage.
Considerations (Examples)
Legal/Law
Sites/Locations
Media type
Retention
Ownership
Data is permanently destroyed using physical or digital means
(e.g., cryptoshredding).
Considerations (Examples)
Secure
Complete
Assurance
Proof
Content Discovery
Shaping Tomorrow With You
SAP Cloud Certified
OnDemand, Elastic infrastructure consumption @ Enterprise Class Service Levels
Network
Solutions
Storage & Backup
Database & Oracle System
Cloud & Virtualisation
Cloud Consulting Services
Private Cloud Solutions
Virtual Client Computing
Messaging & Collaboration
UNIX SPARC Servers
Oracle Exadata
Database (Oracle/MSSQL)
Database Security
Infrastructure Consolidation
Services
Relocation & Migration Services
Unified Storage
Efficient Data Protection
Network Consulting & Integration
Unified Communications & Collaboration
Application Prioritization
Network Audit & Health Check
Infrastructure Services & Solutions
Industry Solutions
Bed Management
Operating Theatre Management
Outpatient Management
Telco Solutions
RFID Solutions
IT Management
System/Network Management
IT Service Management
Security Analytic Platform
BCDR &
Risk Vulnerability Assessment
Cloud Infrastructure
Management Software
PRIMERGY/PRIMEQUEST Servers
Hadoop (HDFS) & SAP HANA Servers
ETERNUS
Storage Systems
Biometric
Solutions
Scanners
Printers
Zero Clients &
Thin Clients
IT Consulting Services & Project Management
Infrastructure & Industry Solutions
Consulting and Strategic Planning, Architect and Design, Assessment, Project Management
Fujitsu Products
Application Data Security
Examples
Contractor
Customer
(Agency A)
Vendor
(Authorised by A)
Customer of A
Central Services Portal (Catalogue)
S3 Staff A access
Agency A
Staff A
Resource pool: Servers, storage, networks, OS images
Virtual Resources
S6 Request S7 resources Allocate
S9 resources Allocate S8 request
Authentication / Authorisation Server
S4. Vendor authentication / Authorisation
These are the templates that would be used for the case study:
Data-Impact (useful for Data Classification)
Data Security Lifecycle (useful for RACI)