Data Security and the Hard Outer Shell

Editor's Notes

• #2: Introduction – Hi I’m Matt Turner, CTO of Media & Entertainment I’m here to talk about data security and, with some dramatic foreshadowing, the Hard Outer Shell
• #3: But first a bit about MarkLogic We are a database company creating the next generation of databases for the enterprise From the start we’ve looked at this as providing the flexibility to get data into the system easily Enable people to get access to that data And do it with the enterprise expectations you have for databases, including security We’ve had this focus from the start and are the only Enterprise NoSQL Database that combines all thress of these attributes
• #4: From the start our customers that took advantage of these features were in industries that valued information and data. These were the information industries – firms like Dow Jones and Lexis that deliver mission critical data And intelligence and defense agencies – that use information to support missions and make life or death decisions These may not appear to have much in common but they both needed to provide fleixible access to information: Information industry companies integrate wide variety of sources to provide the best possible answer to their customers Intelligence and defense systems need to also integrate diverse data for analysts to make critical decisions and support the mission And they BOTH need to accomplish this with the highest security. It may be obvious in a secret / top secret intelligence environment. But its also true for the core assets that are the actual product for information. And this is what MarkLogic has been able to provide – flexible access information with data integrity and security
• #5: Ad along the way we have learned a lot about the changing nature of security and threats This first point - Those that have been hacked … and those that don’t know they have been hacked – just points to the growing sophistication of external threats. Their capabilities continue to grow and for nearly every organization there is a real threat. Just as an example we work with the IEEE – well known to the NAB audience. In addition to the standards that help run this industry they also host and publish nuclear science journals. And they, just like the government agencies we work with, are under not just individual, but government sponsored cyber threats. This is all happening in the context of a rapidly changing workplace. With distributed teams, BYOD and collaboration and outsourcing, the workplace and the data that drives today’s information worker is spread over an increasingly diverse and wide landscape of technology And finally, the nature of the threats are not just external. This stat from the financial services industry was startling – 46% of data breaches were from the inside. These breached can be particularly damaging as internal resources know where the valuable data lies and also which system vulnerabilities to exploit.
• #6: In the context of this, let look at the traditional approach of guarding the perimeter. This is all focused on network security. Setting up and then maintaining an inside and then looking outwards from that to monitor and mange access and threats This means that you need to create boundaries and barriers between systems. When you stack this up against the changing threats, you can see that it just won’t cut it. Barriers can create problems in the sophisticated environment and it puts all the emphasis on looking outward and defending a perimeter against ever increasing threats This creates a big problem … that I am going to illustrate. Do you remember that dramatic foreshadowing from the start? The Hard Outer shell?
• #7: Well I’m going to illustrate this problem of the perimeter focus with that idea – that this is like having a Hard Outer Shell. We just had Easter and so everyone knows about the Cadbury Crème Egg. It has a hard outer shell of chocolate. But once you crack that shell you get to the gooey inside … and that is all your data and content when that perimeter approach break down! [Don’t let your content become the gooey inside!]
• #8: To put this into context I’m going to talk about some of the work that we’ve done in Media & Entertainment getting to the source of metadata with production data. This film ‘The Suitcase’ - which is now at the Tribeca Film Festival – was part of a series of experiments done by the ETC. Among its goals was to use cloud production and to generate descriptive metadata from the actual data created by the production tools. As part of this film we got a good look at a complex, diverse work environment
• #9: Today’s production is a diverse, flexible environment with lots of specialized tools, each performing specific tasks and most of them hosted in the cloud. On the left are the on set tools. On the right the editorial tools. And, for this production, in the middle, are some enterprise systems that collect and manage data. Where can we put the perimeter? Just around the enterprise tools? This wouldn’t work because everyone needs access to this data. It would be extracted and taken out of the perimeter and, in no time, be out of our security control. How about around all the tools? That would also never work. These tools are hosted by dfferent providers or locally run. They change from each production or even within the production. Putting on the same network or requiring a VPN would never work as not only are the tools diverse, so are the locations of the actual users with some productions spanning worldwide teams using whatever connectivity they can find. This example gets right to the problem of trying to secure a modern diverse workplace .. And its just one workflow
• #10: In today’s entertainment companies, there isn’t just one workflow. Or three. There are hundreds of different production workflows. And there are hundreds of enterprise systems that manage the data critical to them all. And thousands of outputs and interfaces where that data is shared and used by internal resources, external partners and, now, fans and consumers. Can we somehow put a perimeter around all of this? Its certainly hard and this illustrates why we need to do more than just think about perimeter or network security. What we need to do is to start looking inside the perimeter (at how to prevent our content from becoming the gooey inside)
• #11: The first step is to take a look at what is called situational awareness. This is not just the operation of the security systems, but the pattern of usage (and attacks). Today, this is largely focused on supporting the network security approach. Looking at logs and access patterns and then doing analysis and creating reports to understand the state of the security of the perimeter. This provides a picture of security, but its not enough to actually take action or get to a real-time reponse
• #12: Instead we need to move to real cyber situational awareness. This fills in that initial picture with a much bigger picture of that actual environment within the perimeter and taking a data centric approach to making it actionable. Its about collecting all the security and operational data – your systems, users, their authorizations and access rights And then getting the actual patterns of that usage and the status of those systems This picture, across the entire organization, can then provide you with the data you need to understand and take action on threats within the perimeter And its all accomplished with a data approach that can accommodate this complex and ever changing data -
• #13: It looks like this – a data hub … and Operational Data Hub … that can actually provide a view of Cyber Situational Awareness. The inputs are the security and operational systems already in place. Every system provides a valuable part of the view – from the active thread monitoring systems like packet inspection to system status and security bulletins. All this data needs to come together. Your readiness team and your analysis center can use it to understand the complete picture, create models for what is normal and then set alerts and triggers to identify threats and activity in real time. Real cyber situational awareness lets you go beyond the hard outer shell and provide protection and detection in addition and with much greater scope than just guarding the perimeter.
• #14: But the best approach to take is to identify the critical data in your systems and make sure that data itself is protected. But you need to do this in a way that still lets your users get the flexible access they need in today’s flexible work environments. To illustrate this, I want to take another production example that built on the lessons learned in The Suitcase project. This project, that we did with New Regency, Microsoft and Avanade, looked at production environement data with more of an enterprise approach. You can see some of the same systems like scheduling and script management that we worked with in The Suitcase. But we also have accounting and finance systems as well as the contract management systems. This sensitive data is critical to making a film, and, as you can see, its not centrally managed or connected. Instead users of each system simple shared or re-typed the data they need from each system. As an example of this, the contracts were often simple shared, via email, with everyone that needed that information. For instance the travel department would need to know just travel details, but would be sent the whole contract that included all the financial details. Data that is very sensitive with the stars (and really everyone) in a Hollywood movie. But getting access to that data is critical to the success of the production team … and getting it in the tools they want to use is also a requirement.
• #15: Working with Microsoft and Avanade, we created an Operational Data Hub for production data that leveraged all the factors that we have been talking about. It was able to bring together the complex and diverse data generated on the set. And it was able to make that data available to the other systems that needed it. For instance sharing contract data with the scheduling and set systems. The primary goal of this system was to then use that data to generate residual and product placement reports (that were previously generated by hand). But by being able to actually manage the data in a secure environment also meant that this new system provided real data security. Only people with the rights and permissions to see data could get to the data. But when they did have the rights, they were able to access it in the way they needed to and using the tools they wanted to use.
• #16: This is what we, at MarkLogic, have been working on. Providing the flexibility and access to data that is required in today’s complex work environments … but with real data security. Form the very start we’ve had first class data features with protection for data, documents and now sub-documents – really any entity you can define can be protected and accessed within the context of the users roles and permissions. And to make sure its secure even from any insiders (or threats that got inside) we have encryption at rest AND in transit. This means that users can only see the data they should see and that it is encrypted right up until it is delivered to that authorized user. MarkLogic is one of 6 databases that is common criteria certified and the only of the new generation or NoSQL databases that is certified.
• #17: By helping you with new approaches to security like Cyber Situational Awareness And by securing data while still providing flexibility and access We can help you go beyond just that hard outer shell … and avoid your content becoming that gooey inside
• #18: And take advantage of MarkLogic’s features just like our information and intelligence and defense customers, you can provide the flexibility and access your users need with the security they need!