![InfoSec
Innovations
Unstructured Data
Source: The Human Element– Creative Commons
eMail
Memos & Documents
Spreadsheets
Images, Videos & Sounds
Presentations
Generated by every employee
Contains Intellectual Property
Business Records [IANAL]
Images courtesy Microsoft by Unknown Author, licensed under CC BY-SA](https://image.slidesharecdn.com/thehiddenenemywithin-final-feb2018-250222043307-209b6683/85/The-Hidden-Enemy-Within-Why-Ungoverned-Data-is-Such-a-Big-Problem-9-320.jpg)
The Hidden Enemy Within - Why Ungoverned Data is Such a Big Problem
- 1. InfoSec Innovations The Hidden enemy within DAN HOUSER CISSP-ISSAP CISA CISM SECURITY STRATEGY & ARCHITECTURE LEAD INFOSEC INNOVATIONS IANAL © 2018 - InfoSec Innovations LLC, Trogdor Heavy Industries LLC
- 2. InfoSec Innovations About me Information Security Practitioner in Ohio since 2000 Focus on Identity, Privacy, Crypto, Architecture & Supply Chain Practice Lead, Security Strategy & Architecture, InfoSec Innovations Fortune 500 Banking, Finance, Insurance, Retail, Healthcare, Logistics + Higher Ed, NGO Board of Directors, (ISC)² for 6 years
- 4. InfoSec Innovations With your forgiveness… To frame our discussion, several slides of things you likely already know. Mea culpa
- 5. InfoSec Innovations Hidden dangers Gaps In Knowledge Endpoints & Network CIS Top 20 1 & 2 – Hardware & Software Inventory Insular IT CIO mission in conflict with CISO’s Unsupported / unpatched software IoT, Shadow IT & Cloud Digital Certificates Distance – Field offices, stores, pharmacies Hidden Vulnerabilities Insider Threat Information Explosion Eclipsing Data Management Unstructured Data Risks Exceed ROI
- 6. InfoSec Innovations Knowledge of self: Not a new concept “If you know the enemy and know yourself, you need not fear the result of a hundred battles… If you know neither the enemy nor yourself, you will succumb in every battle.” ― Sun Tzu, The Art of War
- 7. InfoSec Innovations Knowledge of self You can’t manage what you can’t measure. - Peter Drucker You cannot manage what you do not know. - Anon
- 8. InfoSec Innovations Data Explosion Corporate Data Doubles Every 18 Months -IDC Data Growth is the Largest Datacenter Challenge – Gartner The Buildout of the Internet of Things will cause a doubling of human information every 12 hours. - IBM Entering the era of the digital industrial economy – Peter Sondergaard
- 9. InfoSec Innovations Unstructured Data Source: The Human Element– Creative Commons eMail Memos & Documents Spreadsheets Images, Videos & Sounds Presentations Generated by every employee Contains Intellectual Property Business Records [IANAL] Images courtesy Microsoft by Unknown Author, licensed under CC BY-SA
- 10. InfoSec Innovations Unstructured Data Difficult to Classify & Manage Difficult to Govern No set structure What is in your unstructured data repository? Trash or Treasure? Source: BigRedCloud – Creative Commons
- 11. InfoSec Innovations Information explosion Data without ability to analyze is data without forseeable value All the risk & cost Likely zero benefit AI / Big Data/ Machine Learning… Will it close the gap?
- 12. InfoSec Innovations Unstructured data risk & data value Time Bomb Intellectual Property Waste Corporate Execution Value High Risk Low Risk Risk ¢ $$$$
- 13. InfoSec Innovations DATA DUPLICATION A Parable Widget-tech enters market to manage healthcare data Determines ROI, Determines Risk Launches business Gathers & Manages Data RISK REWARD
- 14. InfoSec Innovations DATA DUPLICATION A Structured data Parable PHI REVENUE
- 15. InfoSec Innovations Janet sees a new market opportunity By enriching the data, more reward! PHI REVENUE PHI REVENUE DATA DUPLICATION A STRUCTURED DATA PARABLE
- 16. InfoSec Innovations Gary sees even more opportunity! By enriching the data, more reward! PHI REVENUE PHI REVENUE PHI REVENUE DATA DUPLICATION A STRUCTURED DATA PARABLE
- 17. InfoSec Innovations DATA DUPLICATION Sure more revenue, but at what risk?
- 18. InfoSec Innovations PHI DATA DUPLICATION AN UNSTRUCTURED DATA RESULT
- 19. InfoSec Innovations PHI DATA DUPLICATION AN UNSTRUCTURED DATA RESULT PHI
- 20. InfoSec Innovations PHI DATA DUPLICATION AN UNSTRUCTURED DATA RESULT PHI PHI
- 21. InfoSec Innovations Database extracts reused many times, giving excess PII downstream Database spreadsheet database spreadsheet report Single source 53 extracts hundreds of further extracts Local & snapshot databases used instead of authoritative references Data sync & freshness errors Results: Risk Upset customers Bad Decisions $$$$ DATA DUPLICATION ASSESSMENT
- 22. InfoSec Innovations Data Knowledge Where is the Data? Who has access to it? How is the business using it? What is Important? Private? Sensitive? Public? What makes it important / private / sensitive? What has integrity? What is stale? Who is accessing it the most? Least? What is the value of the data? What is the governing data retention policy? Is the data storage in compliance with data retention policy? Is it authoritatively sourced? Is it a system of reference? System of record? How are conflicts resolved? How is it governed? Is the cost and risk of the data worth more than the value of the data? Do we know where all our Intellectual Property is, and are we protecting it?
- 23. InfoSec Innovations GDPR Bringing Focus Six Principles of GDPR Lawfulness, fairness and transparency Purpose limitations Data minimization Accuracy Storage limitations Integrity and confidentiality
- 24. InfoSec Innovations Chasing the same data dragon 2002: Where are all the places we’re displaying SSN? 2003: Where is all our financial reporting data for SOX? 2004: Do we have EU privacy data? Where is it? Is it protected? 2008: Where is all our payment card information? 2009: How are we protecting our payment card information? (Repeat annually) 2010: Do we have HIPAA data? Where? Is it protected? 2011: What do you mean a breach grabbed account data? Where? What? 2012: Wait, we have to protect Employee ID just like SSN? OMG that’s everywhere! 2013: Is all our payment card data encrypted? 2014: Shoot, what do you mean we have mag stripe data? Tokenize it! 2015: Wait, we found more healthcare data? 2016: Our 3rd party was breached? What data are we sending to third parties?!? 2017: GDPR is coming, what!? 4% of revenue!?!? Find the EU data! How many times are we going to go through the same process, looking for specific types of data, before we start creating a generalized practice for data mapping and governance?
- 25. InfoSec Innovations Knowledge of self & Data Breach You cannot manage what you do not know You cannot lose what you do not have
- 26. InfoSec Innovations Gaining control of the hidden data • Scan for privacy data and intellectual property • Map & classify the data • Normalize metadata • Gain insights to data storage, use, data flows & provenance • Legal & Privacy evaluation Insights • Evaluate storage compliance & access controls • Live the retention & privacy policy • Enact information classification • Tokenize, redact, delete, encrypt • Migrate data from unsafe zones and into safe harbor Protect
- 27. InfoSec Innovations Gaining control of the hidden data • Engage data owners and data guardians with data insights & classification • Establish processes for data governance • Attestation & validation by data owners • Establish KPIs Operate • Reporting • Periodic Re-scan • Event Monitoring • Feedback loop to drive process improvements Govern
- 28. InfoSec Innovations Getting started There is no magic bullet, it’s hard work. Knowledge of self always pays, ask the hard questions to find the hidden risks in your network, apps, data flows, processes, facilities Create a plan & roadmap Where are we? Knowledge of Self Where are we going? Vision How are we going to get there? Roadmap & series of projects How do we define success so we will know we’ve arrived? KPIs Find and map data flows, determine how data moves Scan for private data in unstructured sources and rogue databases Create tactical data protection methods & capabilities
- 29. InfoSec Innovations Questions? Contact info: Dan.houser@gmail.com @SecWonk © 2017 InfoSec Innovations LLC