Ken Haertling, Chief Security Officer, TELUS
The Impact of Disruptive Technologies on Data Protection
In 2011, the industry witnessed an unprecedented year of security incidents and privacy breaches. In 2012, organizations are faced with the further proliferation of mobile devices/tablets and initiation of bring your own device (BYOD) policies. This will lead to the further co-mingling of personal and private data on joint-use devices. Meanwhile, with the addition of these devices and the erosion of the traditional network security perimeter, the enterprise network is no longer as trusted as it once was. Organizations cannot ignore other disruptors such as off-shoring, cloud computing, and virtualization that may further expose sensitive data. Ken will explore popular coping strategies and discuss which, if any, are likely to succeed.
Core to the disruptors is the movement of data outside traditional geopolitical boundaries through outsourcing and offshoring. Commerce will drive work toward least-cost providers, and businesses are taking an increasingly open view of what is considered core.
Another core disruption to security and privacy is employee mobility, along with the advent of device mobility.
BYOD and tablets heighten the concern that more personal information will be transported over potentially risky networks outside the workplace and saved alongside personal data on a mobile device.
The last disruptor is cloud computing and storage. Centralising should provide economies of scale, but it also brings an increased loss of control over data and information.
All in all, data is moving outside of organisational control and into areas of greater exposure to risk of compromise.
You can't start your strategy by picking tools; start instead by understanding your data. Understand the threat, the data, and the people: this is data classification, which identifies what data is critical.
A surgical application of data security controls is key to success in this initiative. Pick the key systems and data flows, and focus on those. Use encryption, but also tokenization and obfuscation; the latter two can be more effective. An internal study by Telus indicated that 10% of the organisation needed 80% of the critical data, allowing the policy and governance work to be focused there.
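As an added illustration of the tokenization and obfuscation controls mentioned above (example code written for these notes, not TELUS's implementation), the following Python sketches a token vault that replaces sensitive field values with random, format-preserving surrogates, alongside an irreversible masking function for display. The TokenVault class, the helper names and the sample phone numbers are all constructed for the example.

```python
"""Tokenization and masking as data-protection controls (added example).

Constructed illustration, not TELUS code: a minimal token vault that
replaces sensitive field values with random surrogates, plus an
irreversible masking function for display. Downstream systems that only
need to join or display records work on tokens/masked values and never
hold the real data; only the vault can detokenize.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class TokenVault:
    """Maps sensitive values to random, format-preserving tokens.

    A real deployment would keep this mapping in a hardened,
    access-controlled store; a dict stands in for it here.
    """
    _value_to_token: dict = field(default_factory=dict)
    _token_to_value: dict = field(default_factory=dict)

    def tokenize(self, value: str) -> str:
        """Return a stable token for `value`, creating one if needed.

        The token keeps the length and digit-only shape of the input so
        legacy systems that validate field format still accept it, but it
        is random rather than derived from the value, so it reveals nothing.
        """
        if value in self._value_to_token:
            return self._value_to_token[value]
        while True:
            token = "".join(secrets.choice("0123456789") for _ in value)
            # Retry on the unlikely collision with an existing token, and
            # never hand out a token identical to the real value.
            if token not in self._token_to_value and token != value:
                break
        self._value_to_token[value] = token
        self._token_to_value[token] = value
        return token

    def detokenize(self, token: str) -> str:
        """Reverse lookup; only code with vault access can do this."""
        return self._token_to_value[token]


def mask(value: str, keep_last: int = 4) -> str:
    """Irreversible obfuscation for display: keep only the trailing digits."""
    if keep_last <= 0:
        return "*" * len(value)
    return "*" * (len(value) - keep_last) + value[-keep_last:]


# Constructed sample records; the numbers are made up, not real identifiers.
CUSTOMERS = [
    {"id": 1, "phone": "4165550100"},
    {"id": 2, "phone": "6045550199"},
    {"id": 3, "phone": "4165550100"},  # same phone as customer 1
]


def protect_records(records, vault: TokenVault):
    """Produce the view a downstream system (e.g. analytics) receives:
    tokens instead of real values, plus a masked rendering for display."""
    out = []
    for rec in records:
        tok = vault.tokenize(rec["phone"])
        out.append({
            "id": rec["id"],
            "phone_token": tok,
            "phone_display": mask(rec["phone"]),
        })
    return out


if __name__ == "__main__":
    vault = TokenVault()
    for row in protect_records(CUSTOMERS, vault):
        print(row)
```

Running it shows the two identical phone numbers mapping to the same token, so downstream systems can still join records without ever holding the real value, while the masked rendering is enough for a call-centre screen. Unlike encryption, there is no key material to manage at the consumers; the protection rests entirely on who may call the vault's detokenize path, which is exactly the access-control problem the classification work is meant to scope down.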
Network segmentation and perimeter hardening are important from an architectural perspective. Most networks today are quite flat and must be better segmented. Internal employee networks should not be trusted with unfettered access to core systems. The privacy and security focus should be on the data centre first, and the architectural philosophy should extend beyond the network to the data and application layers.
The question was asked how many in attendance have some form of security solution enabled on their mobile device. The response was a very small percentage.
Telus uses two approaches to securing mobile devices: containerised and non-containerised. Containerised separates personal and corporate data, with the corporate data held in a secured container; remote policy enforcement is leveraged and the device's full capabilities are limited. Non-containerised means the entire device is encrypted and managed centrally. In either case there is a strong push at the data and application layers to ensure that data is not pushed to the mobile device at all, where possible.
A virtualised environment provides greater control over where data resides and gives views into the data for classification purposes. However, the risk is that much more importance must be placed on credentials and user identity, as the keys to the kingdom are more widely distributed while the data is more centralised.
Location: 13th Privacy & Security Conference