Integrating Information Protection into Data Architecture and SDLC
Closing hidden gaps in your Software Development Life Cycle where Data Governance is often absent

David Schlesinger CISSP, Senior Security Architect
Davids@metadatasecurity.com
Author of The Hidden Corporation, A Data Management Security Novel

Dataversity Webinar, 11 December 2011
Real Headline: “Protected Patient Data Increasingly Being Lost, Stolen”
By Cole Petrochko, Associate Staff Writer, MedPage Today. Published: December 01, 2011

• Nearly all healthcare organizations responding to a survey -- 96% -- reported that patient or related information has been lost, stolen, or otherwise compromised within the last two years.
• The number of data breaches involving protected health information rose by 32% from 2010, according to data published by the independent privacy and data protection group the Ponemon Institute.
• Three out of 10 respondents (29%) said a data breach resulted in medical identity theft -- up 26%.
• Two out of five respondents (41%) blamed data breaches on employee negligence -- not following data-handling procedures, sloppy mistakes, and using unsecure electronic devices -- and 49% reported lost or stolen devices.

http://www.medpagetoday.com/PracticeManagement/InformationTechnology/29962

Davids@metadatasecurity.com            The Hidden Corporation                            2
A Few Key Points from The Hidden Corporation
• Many Software Development Life Cycles (SDLCs):
     – Are designed sequentially when critical processes should occur in parallel
     – Skip all data information categorization steps until the end
• This results in hidden governance gaps, inconsistent data protection, and reduced enterprise agility.
• Correcting this problem:
     – saves money,
     – saves time, and
     – reduces corporate risk.

We are still in a Transition from a Legacy Data Environment
    1. We only used “our” information within “our” department.
    2. Information lived in locked file cabinets in private offices.
    3. Local control was the best way to safeguard information – even on the Mainframe.
    4. External laws did not impact how we kept business information.
    5. We were not continuously connected to the global Internet.

Data Sensitivity Ignorance Usually Creates Regulatory Problems and Data Loss

[Org chart: a CEO over Finance, Shipping and Marketing. Under Finance: Billing Mgr. and Employees, with Private Data. Under Shipping: Research, with Ethnicity Private Data from the Data Warehouse. Under Marketing: Sales Mgr., Sales Staff and an outside Consultant.]

Data that is highly restricted in one department can sometimes be easily copied to laptops in another.

Typical Data Governance Gaps

• The Business sees Data Regulatory Compliance as a distraction from their “real work” and depends on Access Security and Legal to govern sensitive data content.
• Access Security views Data Regulatory Compliance as a “business responsibility” and depends on the Business to govern user data content.
• The Legal team defines “risk” to the business groups and provides requirements to comply with data regulations in their local areas of control.
• Data Analysts are certain the Business, the Legal team, and the Access Security folks know which data content is “supposed” to be authorized to each user.

“Design for Compliance” = A Typical Data Governance Process Method*
The data governance methodology shown below was presented at a large conference as a way to ensure secure application development and regulatory control.

[Process flow: Map Business Process → Assess Risks → Inventory Controls → Classify Data → Design Roles → Design & Operate Controls → Manage Change]

*Note that it shows the project team classifying their data after they have assessed risks and put in controls. This assures re-work after product launch, failed compliance audits, and lost data later. (See “A Few Key Points from The Hidden Corporation” above.)

The Missing Parallel SDLC Processes
Most software methodologies assume that magic happens and everybody knows which data is sensitive to regulations.

[Top row, the typical SDLC flow: Map Business Process → Assess Risks → Inventory Controls → Classify Data → Design Roles → Design & Operate Controls → Manage Change]

[Bottom row, the parallel data protection processes that should run alongside it:
Define all Business Data used → Identify & Classify all Regulated Data → Link Data to Compliance Actions → Link Data Classification to Actions → Identify Sensitive User Entitlements → Enforce User Controls at Authorization Decision time → Perform Compliance Audits]

Annotations on the bottom row:
• “Define all Business Data used” and “Identify & Classify all Regulated Data”: Data Architecture for Data Protection identifies Regulated Information and maps its location.
• “Link Data to Compliance Actions” and “Link Data Classification to Actions”: each Data Type links to laws and compliance actions.
• “Identify Sensitive User Entitlements”: this step is often skipped due to lack of an inventory of the data actually exposed in each User Entitlement.
• “Enforce User Controls at Authorization Decision time”: this step is local, informal, and often the authorizing manager is uninformed of data sensitivity and policy.

Two Separate Steps + New Concept: Entitlement
        1. A manager makes an Entitlement Decision about giving each user initial access Authorization.
        2. The ability for a worker to access the data in a view thereafter is granted by an Authorization based on that Entitlement.

[Process flow: Define all Business Data used → Identify & Classify Regulated Data → Link Data to Compliance Actions → Link Data Classification to Security Actions* → Identify the Sensitive User Entitlements → Enforce Controls at Authorization Entitlement Decision → Perform Compliance Audits]

Annotation on “Identify the Sensitive User Entitlements”: identify the sensitive data in each individual view to determine its sensitivity. That determines the Entitlement’s action requirements.

* A few data regulations require specifically defined controls for named data types.

Conceptual Process Model for Regulatory Compliance at User Entitlement Time

[Process flow:
1. Define your Enterprise information and assign its Regulatory and Security Sensitivity.
2. Link each regulatory Family to corporate compliance policies.
3. The policies split into two tracks, each ending in an audit trail:
   – Policies for data Storage → Actions for data Storage → Audit trail of actions fulfilling the policy
   – Policies for user Access → Actions for user Access → Audit trail of actions fulfilling the policy
4. A Manager decides if the worker is Entitled to the data.
5. The Entitlement Decision becomes a user Authorization.]

Nancy Discovers that “Regulatory Family” is Not the Same as a “Security Classification”
• A Security Classification tells people how sensitive the data is to the company. The approver needs to trust the employee, and the worker must have a “Need to Know”.
• A Regulation has nothing to do with trusting people. It tells the company how to protect the information and to which workers it may be legally exposed – little more.
• Regulations add the new rule of “Allowed to Know”.
• Information can have only one security classification but may belong to several regulatory families.
      – Apples and Oranges.

Key Learning: Most Data Regulations have Similar Requirements and fall into a Few Families

[Diagram of overlapping regulatory families:
• Personally Private Information, US & EU
• Industry Specific: FDA, GLB, Ctech, etc.
• Sarbanes-Oxley & Insider Data
• Trade Secrets & Competitive Information
• Business Private – Legal and Contractual
• PCI Data and California Statutes
• Future Plans – Mergers & Divestitures]

Regulations often overlap, are redundant, give the same instructions, tell you to do the identical actions each time, and are redundant.

The Regulatory Family is Sufficient for Identifying Most Aggregated Data Collections

[Image: a tanker truck carrying a FLAMMABLE placard]

How much more information do you need to know about the contents of the tanker in order to manage your risk properly?

You know this database contains Private Data sensitive to PCI, and the Calif. & EU Statutes, and must be Protected Accordingly

[Image: a database labelled “DB contains tables with Personally Private and PCI Data”]

“What you cannot identify, you cannot manage.”
        – Chief Information Security Officer of a large defense firm.

Today, Data Moves Fast but Data Regulatory Sensitivity Knowledge Often Remains In Local Business Groups

[Diagram: business groups (Marketing, Sales, Finance, Research & Product Design, Production & Planning, HR, Raw materials and suppliers) exchanging Orders, Delivery, Products, Customers and Market Research data through a central Data Warehouse, with a single Access Control box off to one side.]

There is no specific group or system that captures information regulatory sensitivity and maintains it across the Enterprise.

Metadata must Capture all the data about Your Data that the Enterprise Needs to Know

• Technical Metadata includes character type, field length, decimal places, field name, etc.
• Data Quality Metadata often includes source system, bounds checking, refresh rate, the formula of a derived field, and the currency type used in a transaction.
• Security Metadata is often left out, but is the Security Classification.
• Regulatory Metadata is almost always left out, but would include the families of all regulations that direct the storage and exposure of this Regulated Information.
                                                       – Not an inclusive list.

Collect Regulatory Metadata in your Central Data Directory to Link the Knowledge Silos

[Diagram: a Central Metadata Directory as the hub, linked to the knowledge silos around it: “Insider” Information, Business Private Information, PCI & Calif. Requirements, Data Retention, Sarbanes Oxley, Trade Secrets, Personal Privacy: US and EU, HIPAA Data, and Security Policies.]

Actions are Required For Regulatory Compliance to Be Functional

   • In the book, Nancy shows why you must distill each regulation down into specific physical actions (work assignments) that satisfy regulatory requirements and company policy.
   • Inform business managers who determine user authorizations about the information protection actions required for each User Entitlement.
   • Design your process so that when specific actions are taken, they leave an audit trail.

Nancy’s Iron Law of Action

No Regulatory Compliance Can Be Proven to Have Happened Unless There is The Audit Trail of An Action.
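The conceptual process model for entitlement time (define the data, give each element one security classification and its regulatory families, link each family to policies and actions, and leave an audit trail of the entitlement decision), together with the central metadata directory of the “Metadata must Capture all the data about Your Data” and “Collect Regulatory Metadata in your Central Data Directory” slides, can be sketched as a small data structure. The following is an added example in Python, not code from the slides or from Metadata Security LLC; the catalog entries, the regulatory family names, the family-to-action mapping and the audit record layout are all constructed for illustration.

```python
"""Added example (not from the slides): a minimal central metadata directory
carrying security and regulatory metadata per data element, a function that
derives the action requirements of an entitlement from the fields a view
exposes, and an audit record written for every entitlement decision.
Catalog entries, families, actions and names are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import IntEnum
import json


class Classification(IntEnum):
    """Exactly one security classification per data element (apples);
    ordered so the highest classification of a view can be taken with max()."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class DataElement:
    """One entry in the central metadata directory: the technical field name,
    its single security classification, and zero or more regulatory families
    (oranges) it belongs to."""
    name: str
    classification: Classification
    families: frozenset = frozenset()


# Hypothetical mapping of regulatory family -> the concrete actions the
# company's policy requires (family -> policy -> action). Overlapping families
# share actions, which is the point of collapsing regulations into families.
FAMILY_ACTIONS = {
    "PII-US-EU": {"encrypt_at_rest", "quarterly_access_review", "breach_notification"},
    "PCI": {"encrypt_at_rest", "mask_pan_in_views", "quarterly_access_review"},
    "HIPAA": {"encrypt_at_rest", "access_logging", "breach_notification"},
    "SOX": {"change_control", "segregation_of_duties"},
}

# Constructed sample directory for a fictional customer database.
CATALOG = {e.name: e for e in [
    DataElement("customer.id", Classification.INTERNAL),
    DataElement("customer.email", Classification.CONFIDENTIAL, frozenset({"PII-US-EU"})),
    DataElement("customer.card_pan", Classification.RESTRICTED, frozenset({"PCI", "PII-US-EU"})),
    DataElement("customer.diagnosis_code", Classification.RESTRICTED, frozenset({"HIPAA", "PII-US-EU"})),
    DataElement("product.sku", Classification.PUBLIC),
]}


def view_requirements(view_fields, catalog=CATALOG):
    """Derive what an entitlement to a view must satisfy: the view's
    classification is the highest of its fields, its regulatory families are
    the union over its fields, and the required actions follow from the families.
    A field absent from the directory, or a family with no linked policy, is an
    error rather than silently 'unregulated': what you cannot identify, you
    cannot manage."""
    unknown = [f for f in view_fields if f not in catalog]
    if unknown:
        raise KeyError(f"fields not in metadata directory: {unknown}")
    elements = [catalog[f] for f in view_fields]
    classification = max((e.classification for e in elements), default=Classification.PUBLIC)
    families = frozenset().union(*(e.families for e in elements))
    unlinked = families - FAMILY_ACTIONS.keys()
    if unlinked:
        raise KeyError(f"regulatory families with no linked policy: {sorted(unlinked)}")
    actions = set().union(*(FAMILY_ACTIONS[fam] for fam in families))
    return classification, families, actions


def decide_entitlement(manager, worker, view_name, view_fields, approve,
                       audit_log, catalog=CATALOG, now=None):
    """Record a manager's entitlement decision together with the requirements
    it carries. The record is appended to audit_log as one JSON line, so the
    decision and its required actions leave an audit trail (the Iron Law)."""
    classification, families, actions = view_requirements(view_fields, catalog)
    record = {
        "time": (now or datetime.now(timezone.utc)).isoformat(),
        "manager": manager,
        "worker": worker,
        "view": view_name,
        "classification": classification.name,
        "regulatory_families": sorted(families),
        "required_actions": sorted(actions),
        "decision": "ENTITLED" if approve else "DENIED",
    }
    audit_log.append(json.dumps(record, sort_keys=True))
    return record


if __name__ == "__main__":
    log = []
    rec = decide_entitlement("billing_mgr", "analyst42", "v_customer_billing",
                             ["customer.id", "customer.email", "customer.card_pan"],
                             approve=True, audit_log=log)
    print(json.dumps(rec, indent=2))
```

The two failure modes are deliberately hard errors: a view field missing from the directory, or a family nobody has linked to a policy, blocks the entitlement instead of defaulting to “no requirements”, because that default is exactly the hidden gap the slides describe. In a real directory the catalog and family-to-action table would be maintained by the data stewards and legal team rather than hard-coded.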
Data Protection Up Front Encourages Agility

   • Putting regulatory data risk analysis at the design stage of a new software acquisition project lets the project team build regulatory safeguards into the architecture and system design from the start.
   • Without the worry of having to stop and change their work at the end for “security reasons,” the project team can design the data processing in a way that naturally protects the Regulated Information as part of its normal function.

Engage All Your Corporate Partners
  1. Introduce information definition and regulatory policy enforcement as initial design requirements for all new applications, web systems, and databases (DBMS).
  2. Help Data Analysts and Data Architects define the data’s sensitivity by leveraging your business leaders’ knowledge.
  3. Get the existing data policies from Information Security regarding actions protecting classified information.
  4. Interview Corporate Counsel to learn their data protection policies and actions (“Guidelines” will usually be forgotten).
  5. Engage data governance stewards and tell them you feel their pain and want their policies that require actions.

Stop Playing “Whack-A-Mole”®

Sarbanes-Oxley Act, Personal Privacy, PCI, HIPAA, FISMA, PIPEDA, Gramm-Leach, SB 1386, GAAP, and the U.S. Patriot Act ALL affect your data and their instructions greatly overlap!

Multiple, single-regulation governance initiatives design multiple, redundant data compliance solutions.

Isolated response to each new information law assures inconsistent compliance, and is the corporate equivalent of playing Whack-A-Mole®.

Thank You for Attending
Closing hidden gaps in your Software Development Life Cycle where Data Governance is often absent

David Schlesinger CISSP
Senior Security Architect
Metadata Security LLC
davids@metadatasecurity.com
602-697-4954

Author of The Hidden Corporation
Perhaps the world’s first Data Management Security Novel
Discount Code for Attendees: HiddenCorp20 at amazon.com

 
Exploring Levels of Data Literacy
Exploring Levels of Data LiteracyExploring Levels of Data Literacy
Exploring Levels of Data LiteracyDATAVERSITY
 
Building a Data Strategy – Practical Steps for Aligning with Business Goals
Building a Data Strategy – Practical Steps for Aligning with Business GoalsBuilding a Data Strategy – Practical Steps for Aligning with Business Goals
Building a Data Strategy – Practical Steps for Aligning with Business GoalsDATAVERSITY
 
Make Data Work for You
Make Data Work for YouMake Data Work for You
Make Data Work for YouDATAVERSITY
 
Data Catalogs Are the Answer – What is the Question?
Data Catalogs Are the Answer – What is the Question?Data Catalogs Are the Answer – What is the Question?
Data Catalogs Are the Answer – What is the Question?DATAVERSITY
 
Data Catalogs Are the Answer – What Is the Question?
Data Catalogs Are the Answer – What Is the Question?Data Catalogs Are the Answer – What Is the Question?
Data Catalogs Are the Answer – What Is the Question?DATAVERSITY
 
Data Modeling Fundamentals
Data Modeling FundamentalsData Modeling Fundamentals
Data Modeling FundamentalsDATAVERSITY
 
Showing ROI for Your Analytic Project
Showing ROI for Your Analytic ProjectShowing ROI for Your Analytic Project
Showing ROI for Your Analytic ProjectDATAVERSITY
 
How a Semantic Layer Makes Data Mesh Work at Scale
How a Semantic Layer Makes  Data Mesh Work at ScaleHow a Semantic Layer Makes  Data Mesh Work at Scale
How a Semantic Layer Makes Data Mesh Work at ScaleDATAVERSITY
 
Is Enterprise Data Literacy Possible?
Is Enterprise Data Literacy Possible?Is Enterprise Data Literacy Possible?
Is Enterprise Data Literacy Possible?DATAVERSITY
 
The Data Trifecta – Privacy, Security & Governance Race from Reactivity to Re...
The Data Trifecta – Privacy, Security & Governance Race from Reactivity to Re...The Data Trifecta – Privacy, Security & Governance Race from Reactivity to Re...
The Data Trifecta – Privacy, Security & Governance Race from Reactivity to Re...DATAVERSITY
 
Emerging Trends in Data Architecture – What’s the Next Big Thing?
Emerging Trends in Data Architecture – What’s the Next Big Thing?Emerging Trends in Data Architecture – What’s the Next Big Thing?
Emerging Trends in Data Architecture – What’s the Next Big Thing?DATAVERSITY
 
Data Governance Trends - A Look Backwards and Forwards
Data Governance Trends - A Look Backwards and ForwardsData Governance Trends - A Look Backwards and Forwards
Data Governance Trends - A Look Backwards and ForwardsDATAVERSITY
 
Data Governance Trends and Best Practices To Implement Today
Data Governance Trends and Best Practices To Implement TodayData Governance Trends and Best Practices To Implement Today
Data Governance Trends and Best Practices To Implement TodayDATAVERSITY
 
2023 Trends in Enterprise Analytics
2023 Trends in Enterprise Analytics2023 Trends in Enterprise Analytics
2023 Trends in Enterprise AnalyticsDATAVERSITY
 
Data Strategy Best Practices
Data Strategy Best PracticesData Strategy Best Practices
Data Strategy Best PracticesDATAVERSITY
 
Who Should Own Data Governance – IT or Business?
Who Should Own Data Governance – IT or Business?Who Should Own Data Governance – IT or Business?
Who Should Own Data Governance – IT or Business?DATAVERSITY
 
Data Management Best Practices
Data Management Best PracticesData Management Best Practices
Data Management Best PracticesDATAVERSITY
 
MLOps – Applying DevOps to Competitive Advantage
MLOps – Applying DevOps to Competitive AdvantageMLOps – Applying DevOps to Competitive Advantage
MLOps – Applying DevOps to Competitive AdvantageDATAVERSITY
 

Plus de DATAVERSITY (20)

Architecture, Products, and Total Cost of Ownership of the Leading Machine Le...
Architecture, Products, and Total Cost of Ownership of the Leading Machine Le...Architecture, Products, and Total Cost of Ownership of the Leading Machine Le...
Architecture, Products, and Total Cost of Ownership of the Leading Machine Le...
 
Data at the Speed of Business with Data Mastering and Governance
Data at the Speed of Business with Data Mastering and GovernanceData at the Speed of Business with Data Mastering and Governance
Data at the Speed of Business with Data Mastering and Governance
 
Exploring Levels of Data Literacy
Exploring Levels of Data LiteracyExploring Levels of Data Literacy
Exploring Levels of Data Literacy
 
Building a Data Strategy – Practical Steps for Aligning with Business Goals
Building a Data Strategy – Practical Steps for Aligning with Business GoalsBuilding a Data Strategy – Practical Steps for Aligning with Business Goals
Building a Data Strategy – Practical Steps for Aligning with Business Goals
 
Make Data Work for You
Make Data Work for YouMake Data Work for You
Make Data Work for You
 
Data Catalogs Are the Answer – What is the Question?
Data Catalogs Are the Answer – What is the Question?Data Catalogs Are the Answer – What is the Question?
Data Catalogs Are the Answer – What is the Question?
 
Data Catalogs Are the Answer – What Is the Question?
Data Catalogs Are the Answer – What Is the Question?Data Catalogs Are the Answer – What Is the Question?
Data Catalogs Are the Answer – What Is the Question?
 
Data Modeling Fundamentals
Data Modeling FundamentalsData Modeling Fundamentals
Data Modeling Fundamentals
 
Showing ROI for Your Analytic Project
Showing ROI for Your Analytic ProjectShowing ROI for Your Analytic Project
Showing ROI for Your Analytic Project
 
How a Semantic Layer Makes Data Mesh Work at Scale
How a Semantic Layer Makes  Data Mesh Work at ScaleHow a Semantic Layer Makes  Data Mesh Work at Scale
How a Semantic Layer Makes Data Mesh Work at Scale
 
Is Enterprise Data Literacy Possible?
Is Enterprise Data Literacy Possible?Is Enterprise Data Literacy Possible?
Is Enterprise Data Literacy Possible?
 
The Data Trifecta – Privacy, Security & Governance Race from Reactivity to Re...
The Data Trifecta – Privacy, Security & Governance Race from Reactivity to Re...The Data Trifecta – Privacy, Security & Governance Race from Reactivity to Re...
The Data Trifecta – Privacy, Security & Governance Race from Reactivity to Re...
 
Emerging Trends in Data Architecture – What’s the Next Big Thing?
Emerging Trends in Data Architecture – What’s the Next Big Thing?Emerging Trends in Data Architecture – What’s the Next Big Thing?
Emerging Trends in Data Architecture – What’s the Next Big Thing?
 
Data Governance Trends - A Look Backwards and Forwards
Data Governance Trends - A Look Backwards and ForwardsData Governance Trends - A Look Backwards and Forwards
Data Governance Trends - A Look Backwards and Forwards
 
Data Governance Trends and Best Practices To Implement Today
Data Governance Trends and Best Practices To Implement TodayData Governance Trends and Best Practices To Implement Today
Data Governance Trends and Best Practices To Implement Today
 
2023 Trends in Enterprise Analytics
2023 Trends in Enterprise Analytics2023 Trends in Enterprise Analytics
2023 Trends in Enterprise Analytics
 
Data Strategy Best Practices
Data Strategy Best PracticesData Strategy Best Practices
Data Strategy Best Practices
 
Who Should Own Data Governance – IT or Business?
Who Should Own Data Governance – IT or Business?Who Should Own Data Governance – IT or Business?
Who Should Own Data Governance – IT or Business?
 
Data Management Best Practices
Data Management Best PracticesData Management Best Practices
Data Management Best Practices
 
MLOps – Applying DevOps to Competitive Advantage
MLOps – Applying DevOps to Competitive AdvantageMLOps – Applying DevOps to Competitive Advantage
MLOps – Applying DevOps to Competitive Advantage
 

Dernier

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 

Dernier (20)

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 

Integrating Information Protection Into Data Architecture & SDLC

1. Integrating Information Protection into Data Architecture and SDLC
Closing hidden gaps in your Software Development Life Cycle where Data Governance is often absent
David Schlesinger CISSP, Senior Security Architect, Davids@metadatasecurity.com
Author of The Hidden Corporation, A Data Management Security Novel
Dataversity Webinar, 11 December 2011

2. Real Headline: “Protected Patient Data Increasingly Being Lost, Stolen”
By Cole Petrochko, Associate Staff Writer, MedPage Today. Published: December 01, 2011
• Nearly all healthcare organizations responding to a survey -- 96% -- reported that patient or related information has been lost, stolen, or otherwise compromised within the last two years.
• The number of data breaches involving protected health information rose by 32% from 2010, according to data published by the independent privacy and data protection group the Ponemon Institute.
• Three out of 10 respondents (29%) said a data breach resulted in medical identity theft -- up 26%.
• Two out of five respondents (41%) blamed data breaches on employee negligence -- not following data-handling procedures, sloppy mistakes, and using unsecure electronic devices -- and 49% reported lost or stolen devices.
http://www.medpagetoday.com/PracticeManagement/InformationTechnology/29962
Davids@metadatasecurity.com The Hidden Corporation 2

3. A Few Key Points from The Hidden Corporation
• Many Software Development Life Cycles (SDLC):
  – Are designed sequentially when critical processes should occur in parallel
  – Skip all data information categorization steps until the end
• This results in hidden governance gaps, inconsistent data protection, and reduced enterprise agility.
• Correcting this problem:
  – saves money,
  – saves time, and
  – reduces corporate risk.

4. We are still in a Transition from a Legacy Data Environment
1. We only used “our” information within “our” department.
2. Information lived in locked file cabinets in private offices.
3. Local control was the best way to safeguard information, even on the Mainframe.
4. External laws did not impact how we kept business information.
5. We were not continuously connected to the global Internet.

5. Data Sensitivity Ignorance Usually Creates Regulatory Problems and Data Loss
[Diagram: an org chart (CEO; Finance, Shipping, Marketing, Research, Sales Mgr., Billing Mgr., Employees, Sales Staff, Consultant) showing Private Data, Ethnicity Data and Private Data from the Data Warehouse flowing between departments.]
Data that is highly restricted in one department can sometimes be easily copied to laptops in another.

6. Typical Data Governance Gaps
• Business sees Regulatory Compliance as a distraction from their “real work” and depends on Access Security and Legal to govern sensitive data in their local areas.
• Data Access Security views Regulatory Compliance as a “business responsibility” and depends on the Business to govern the user data content under its control.
• Legal team defines “risk” to the business groups and provides requirements to comply with data regulations.
• Data Analysts are certain the Business, the Legal team, and Access Security folks know which data content is “supposed” to be authorized to each user.

7. “Design for Compliance” = A Typical Data Governance Process Method*
The data governance methodology shown below was presented at a large conference as a way to ensure secure application development and regulatory control.
Map Business Process → Design & Operate Controls → Assess Risks → Inventory Controls → Classify Data → Design Roles → Manage Change
*Note that it shows the project team classifying their data after they have assessed risks and put in controls. This assures re-work after product launch, failed compliance audits, and lost data later. (See slide 3)

8. The Missing Parallel SDLC Processes
Most software methodologies assume that magic happens and everybody knows which data is sensitive to regulations.
Sequential process (as on slide 7): Map Business Process → Design & Operate Controls → Assess Risks → Inventory Controls → Classify Data → Design Roles → Manage Change
Missing parallel processes: Identify & Classify all Regulated Data → Define all Business Compliance Actions → Link Data to Compliance Actions → Link data Classification To Entitlements → Identify Sensitive Data used → Enforce user Controls at Authorization Decision time → Perform User Compliance Audits
• Data Architecture for Data Protection identifies Regulated Information and maps its location.
• Each Data Type links to Laws and Compliance Actions.
• The authorization step is local, informal, and often the authorizing manager is uninformed of data sensitivity and policy.
• The step of identifying the sensitive data actually exposed in each User Entitlement is often skipped due to lack of an inventory of that data.

9. Two Separate Steps + New Concept: Entitlement
1. A manager makes an Entitlement Decision about giving each user initial access Authorization.
2. The ability for a worker to access the data in a view thereafter is granted by an Authorization based on that Entitlement.
Identify the sensitive data in each individual view to determine its sensitivity. That determines the Entitlement’s action requirements.
Parallel processes: Identify & Classify Regulated Data → Define all Business Actions → Link Data to Compliance Actions → Link data Classification To Entitlements → Identify the security-Sensitive Data used → Enforce Controls at Authorization Entitlement Decision → Perform User Compliance Audits
* A few data regulations require specifically defined controls for named data types.

10. Conceptual Process Model for Regulatory Compliance at User Entitlement Time
[Flow diagram, reconstructed as a list:]
• Define your Enterprise regulatory and corporate compliance policies.
• Link each information Family to its Regulatory Policies and Actions, and assign its Security Sensitivity.
• Policies for data Storage lead to Actions for data Storage, with an audit trail of actions fulfilling the policy.
• Policies for user Access lead to Actions for user Access, with an audit trail of actions fulfilling the policy.
• The Manager decides if the worker is Entitled to Access the data; the Entitlement Decision becomes a user Authorization.

11. Nancy Discovers that “Regulatory Family” is Not the Same as a “Security Classification”
• A Security Classification tells people how sensitive the data is to the company. The approver needs to trust the employee, and the worker must have a “Need to Know”.
• A Regulation has nothing to do with trusting people. It tells the company how to protect the information and to which workers it may be legally exposed, little more.
• Regulations add the new rule of “Allowed to Know”.
• Information can have only one security classification but may belong to several regulatory families.
  – Apples and Oranges.

12. Key Learning: Most Data Regulations have Similar Requirements and fall into a Few Families
[Diagram of families:] Personally Private Information (US & EU Data); Sarbanes-Oxley & Insider; Industry Specific (FDA, GLB, Ctech, etc.); Trade Secrets & Competitive Information and Future Plans (Mergers & Divestitures); Business Private (PCI Data); Legal and Contractual; California Statutes.
Regulations often overlap, are redundant, give the same instructions, tell you to do the identical actions each time, and are redundant.

13. The Regulatory Family is Sufficient for Identifying Most Aggregated Data Collections
[Image: a tanker truck labelled FLAMMABLE!]
How much more information do you need to know about the contents of the tanker in order to manage your risk properly?

14. You know this database contains Private Data sensitive to PCI, and the Calif. & EU Statutes and must be Protected Accordingly
[Image: a database labelled “DB Contains tables with Personally Private and PCI Data”]
“What you cannot identify, you cannot manage.” - Chief Information Security Officer of a large defense firm.

15. Today, Data Moves Fast but Data Regulatory Sensitivity Knowledge Often Remains In Local Business Groups
[Diagram of business groups exchanging data: Marketing, Sales, Finance, Orders, Delivery, Research, Production & Planning, Product Design, Data Warehouse, Products, Customers, Access Control, HR, Raw materials and suppliers, Market Research.]
There is no specific group or system that captures information regulatory sensitivity and maintains it across the Enterprise.

16. Metadata must Capture all the data about Your Data that the Enterprise Needs to Know
• Technical Metadata includes character type, field length, decimal places, field name, etc.
• Data Quality Metadata often includes source system, bounds checking, refresh rate, the formula of a derived field, and currency type used in a transaction.
• Security Metadata is often left out, but is the Security Classification.
• Regulatory Metadata is almost always left out, but would include the families of all regulations that direct the storage and exposure of this Regulated Information.
- Not an inclusive list.

17. Collect Regulatory Metadata in your Central Data Directory to Link the Knowledge Silos
[Diagram: knowledge silos around a Central Metadata Directory: “Insider” Information; Business Requirements; Private Information (PCI & Calif.); Security Policies; Data Retention; HIPAA; Personal Data Privacy: US and EU; Trade Secrets; Sarbanes Oxley.]

18. Actions are Required For Regulatory Compliance to Be Functional
• In the book, Nancy shows why you must distill each regulation down into specific physical actions (work assignments) that satisfy regulatory requirements and company policy.
• Inform business managers who determine user authorizations about the information protection actions required for each User Entitlement.
• Design your process so that when specific actions are taken, they leave an audit trail.

19. Nancy’s Iron Law of Action
No Regulatory Compliance Can Be Proven to Have Happened Unless There is The Audit Trail of An Action.
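The following is an added example, not code from the deck or from The Hidden Corporation, that puts slides 9, 10, 12 and 16 to 19 together in one runnable model: a data catalogue that records one security classification and any number of regulatory families per data element, a mapping from each family to the physical actions it demands, an entitlement decision that is driven by the sensitivity of the view rather than by trust in the person, and an audit trail written for every decision. The catalogue, the family names, the action names and the table.column identifiers are all constructed for illustration; real regulations map to different and longer action lists.

```python
"""Regulatory metadata -> required actions -> entitlement decision -> audit trail.

Added example (not the deck's own code). All catalogue entries, family names
and action names below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed catalogue: one security classification per element (slide 11),
# zero or more regulatory families per element (slides 12 and 16).
CATALOG = {
    "customers.ssn":        {"classification": "Confidential", "families": {"PII-US", "PII-EU"}},
    "customers.email":      {"classification": "Internal",     "families": {"PII-US", "PII-EU"}},
    "payments.card_number": {"classification": "Confidential", "families": {"PCI"}},
    "claims.diagnosis":     {"classification": "Confidential", "families": {"HIPAA"}},
    "ledger.quarterly_rev": {"classification": "Restricted",   "families": {"SOX"}},
    "orders.ship_date":     {"classification": "Internal",     "families": set()},
}

# Constructed mapping from each family to the physical actions it requires
# (slide 18). The overlap between families is deliberate: it is the point of
# slides 12 and 22.
FAMILY_ACTIONS = {
    "PII-US": {"encrypt-at-rest", "mask-in-nonprod", "access-review-quarterly"},
    "PII-EU": {"encrypt-at-rest", "mask-in-nonprod", "record-lawful-basis"},
    "PCI":    {"encrypt-at-rest", "mask-in-nonprod", "access-review-quarterly", "log-every-read"},
    "HIPAA":  {"encrypt-at-rest", "access-review-quarterly", "minimum-necessary-justification"},
    "SOX":    {"segregation-of-duties-check", "access-review-quarterly"},
}


def families_for_view(columns):
    """Union of regulatory families over every column a view exposes (slide 13:
    the aggregate inherits the families of its parts). Returns None if any
    column is missing from the catalogue: data that was never classified
    cannot be governed, so the caller must refuse rather than guess."""
    families = set()
    for col in columns:
        if col not in CATALOG:
            return None
        families |= CATALOG[col]["families"]
    return families


def required_actions(families):
    """Distinct actions required by a set of families. Several regulations
    demanding the same action yield one work assignment, not one per law."""
    actions = set()
    for fam in families:
        actions |= FAMILY_ACTIONS[fam]
    return actions


@dataclass
class AuditTrail:
    """Append-only record of entitlement decisions (slide 19's iron law)."""
    records: list = field(default_factory=list)

    def record(self, **entry):
        entry["at"] = datetime.now(timezone.utc).isoformat()
        self.records.append(entry)
        return entry


def entitlement_decision(manager, user, view, columns, completed_actions, audit):
    """A manager's Entitlement Decision for one user on one view (slide 9).
    The sensitivity of the view dictates which actions must already be on
    record; a grant with unmet actions is never issued, and every outcome,
    grant or deny, is written to the trail so it can be proven later."""
    families = families_for_view(columns)
    if families is None:
        return audit.record(manager=manager, user=user, view=view,
                            decision="DENY", reason="uncatalogued data in view")
    required = required_actions(families)
    missing = sorted(required - set(completed_actions))
    decision = "GRANT" if not missing else "DENY"
    return audit.record(manager=manager, user=user, view=view,
                        families=sorted(families), required=sorted(required),
                        missing=missing, decision=decision)


if __name__ == "__main__":
    trail = AuditTrail()
    view = ["customers.email", "payments.card_number"]
    done = {"encrypt-at-rest", "mask-in-nonprod", "access-review-quarterly"}
    print(entitlement_decision("j.doe", "analyst1", "billing_view", view, done, trail))
    print(entitlement_decision("j.doe", "analyst1", "odd_view", ["orders.unknown"], done, trail))
    for r in trail.records:
        print(r["decision"], r["view"], r.get("missing", r.get("reason")))
```

Two things in the output are worth noticing. First, a view that joins customer and card data requires five distinct actions although its three families list ten between them, which is the "identical actions each time" point of slide 12 in miniature. Second, the uncatalogued column is denied outright: the catalogue, not the manager's judgement, is the authority, which is what slide 14's "what you cannot identify, you cannot manage" means in practice.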
20. Data Protection Up Front Encourages Agility
• Putting regulatory data risk analysis at the design stage of a new software acquisition project lets the project team build regulatory safeguards into the architecture and system design from the start.
• Without the worry of having to stop and change their work at the end for “security reasons,” the project team can design the data processing in a way that naturally protects the Regulated Information as part of its normal function.

21. Engage All Your Corporate Partners
1. Introduce information definition and regulatory policy enforcement as initial design requirements for all new applications, web systems, and databases (DBMS).
2. Help Data Analysts and Data Architects define the data’s sensitivity by leveraging your business leaders’ knowledge.
3. Get the existing data policies from Information Security regarding actions protecting classified information.
4. Interview Corporate Counsel to learn their data protection policies and actions (“Guidelines” will usually be forgotten).
5. Engage data governance stewards and tell them you feel their pain and want their policies that require actions.

22. Stop Playing “Whack-A-Mole”®
Sarbanes-Oxley Act, Personal Privacy, PCI, HIPAA, FISMA, PIPEDA, Gramm-Leach, SB 1386, GAAP, and the U.S. Patriot Act ALL affect your data and their instructions greatly overlap!
Multiple, single-regulation governance initiatives design multiple, redundant data compliance solutions. Isolated response to each new information law assures inconsistent compliance, and is the corporate equivalent of playing Whack-A-Mole®.

23. for Attending
Closing hidden gaps in your Software Development Life Cycle where Data Governance is often absent
David Schlesinger CISSP, Senior Security Architect, Metadata Security LLC
davids@metadatasecurity.com, 602-697-4954
Author of The Hidden Corporation, perhaps the world’s first Data Management Security Novel
Discount Code for Attendees: HiddenCorp20 at amazon.com