SlideShare a Scribd company logo

Addressing Gaps in Your Cyber Security

NextLabs, Inc.
NextLabs, Inc.

Because the biggest impact of cyber breach is data loss, data protection should be architected into the DNA of your cyber security solution. This means focusing security efforts around data from the very beginning, from initial risk assessment, to control design, to implementation and auditing. Most cyber security solutions protect infrastructure, assuming that data stored within containers will be protected. This white paper explains why this assumption is no longer valid and outlines an approach to designing a cyber security solution directly around data. Compliance Officers, Risk Managers, Security Professionals, and IT Leaders will understand the goals and steps of data-centric solution design, as well as its potential benefits.

Technology
1 of 5
Download to read offline
Addressing Gaps in Your Cyber Security Solution Design at the Data Layer Because the biggest impact of cyber breach is data loss, data protection should be architected into the DNA of your cyber security solution. This means focusing security efforts around data from the very beginning, from initial risk assessment, to control design, to implementation and auditing. Most cyber security solutions protect infrastructure, assuming that data stored within containers will be protected. This white paper explains why this assumption is no longer valid and outlines an approach to designing a cyber security solution directly around data. Compliance Officers, Risk Managers, Security Professionals, and IT Leaders will understand the goals and steps of data-centric solution design, as well as its potential benefits. WHITE PAPER
2 INTRODUCTION With cyber threats on the rise, the biggest gap in your cyber security solution is most likely data protection. Conventional IT tools protect information by securing infrastructure from external attack and applying controls to“containers.”However, the biggest source of cyber threat is increasingly“business as usual,”that is, authorized users sharing sensitive data, increasingly outside controlled locations. Across every industry, business process is becoming more globalized, devices are proliferating, and new data storage and hosting models continue to emerge. Data is being shared more broadly than ever, and infrastructure-based IT controls simply cannot keep pace. Organizations are recognizing the need to go beyond infrastructure-centric controls to protect data directly, regardless of system, device, or application, and whether data is inside or outside the“traditional”perimeter. This is especially true for data that warrants extra protection, such as highly sensitive data or data regularly shared with external partners and organizations. What would it mean to design a cyber security solution to protect data based on business value and risk? How would an organization extend data protection beyond the container? This white paper presents an approach to solution design that takes data as its starting point. The goal is precision: to target sensitive data, identify data sharing use cases where risk is high, then apply uniform controls to protect data, no matter the system, application, or device. IMPLEMENTATION CHALLENGES: THE NIST EXAMPLE Frameworks for cyber security, like the one supplied by the National Institute for Standards and Technology (NIST), attempt to provide a top-down view of the functions of a comprehensive cyber security solution. How can an organization extend data protection beyond the container? In the early stages (the“Identify function,”in the NIST framework), Risk Assessors identify Vulnerabilities—meaning potential system weaknesses that can result in cyber breach. In the “Protect”function, these Vulnerabilities are translated into technical protections. After this“translation”process, an organization may not even know if vulnerabilities identified in the early stages of solution planning are even addressed at all. Different teams are typically responsible for applying controls to different systems. There is rarely any coordination or visibility into how different teams apply technical protections across layers of architecture.
3 In this approach, the lowest layer of protection (data) is assumed, rather than explicit. While initial vulnerabilities may be expressed in terms of data loss and leakage, protections themselves are not designed around data. None of the IT protections (trusted devices, application- specific ACLs, rules, and permissions), protect data directly. The result of these challenges is that data protections may or may not be“translated”adequately into system controls, and protection may not persist as data leaves the container. Standard solution design ends with containers. Data-centered solution design starts with data itself. One way to address these challenges is to understand the work that needs to occur in between the“Identify”and“Protect”functions of frameworks like NIST. An organization must have a method to: Track how initial data protection requirements are translated into technical controls Ensure protections are implemented consistently cross-system. One method is to maintain a central list of standard, system-agnostic controls that serve as the blueprint for all technical controls applied cross-system—what this white paper refers to as the“Uniform Control Model.” USING A UNIFORM CONTROL MODEL Developing a Uniform Control Model for data-centric security inverts the process of standard, infrastructure-centric security design. The standard process translates initial requirements into technical protections at various layers or architecture, assuming data underneath each layer will be protected. In contrast, a data-centered design starts with data itself. First, Data Vulnerabilities--which are data-related events that can result in cyber breach--are identified within a structured framework. Importantly, Data Vulnerabilities are not defined in terms of system weaknesses, flaws, or external attacks--but in terms of regular events that occur during“business as usual” data access, usage, and sharing. You then map each Data Vulnerability to a Control Type. Together, all the controls form the Uniform Control Model. Because there is a clear mapping from Data Vulnerability to Control Type in this method, there is better visibility into how each data protection requirement is being addressed. The Uniform Control Model is system-agnostic, meaning that while systems may be referenced in controls (file servers, line of business applications, and devices where data is stored), controls are not written in the proprietary logic of a particular application or system (for example, ACLs or permissions on file servers). The goal is to produce a highly auditable, centrally managed set of data controls that can be deployed cross-system.
4 Step-by-Step Perform the following three basic steps to produce a Uniform Control Model for data-centric cyber security: (1) Identify a set of data under threat, where the business value of the data warrants controls. (2) Identify specific Data Vulnerabilities as data moves through its standard process: creation, access, usage, and sharing. (3) Map each Data Vulnerability to a specific Control Type in the Uniform Control Model. The following sections describe these steps in more detail using a Uniform Control Model produced by NextLabs. This model accumulates standard data protection technologies and incorporates them into a comprehensive control framework. STEP 1. TARGET DATA BASED ON BUSINESS VALUE AND RISK When organizations attempt to design data-centric controls, they confront a sea of data, complex data sharing practices, over uncontrolled devices, and even with unknown users. Where to begin? The answer is simple: start small. Target a class of data that has high business value and is highly susceptible to cyber breach. A key guideline for data-centric protection: the level of protection should correspond to the business value of data and degree of risk. For much data, traditional, infrastructure-based controls may suffice. For highly sensitive and valuable data and/or data that is unusually susceptible to cyber breach, a data-level solution is likely warranted. The key for data-centric security: the level of protection should match the value of data and degree of risk.
Thank You! Thank you for viewing a preview of our White Paper - Addressing Gaps in Your Cyber Security. Request the full version of this White Paper to learn: - An approach to designing a cyber security solution directly around data - Understand why protecting just the infrastructure of where data is stored is not enough CLICK HERE to request a copy of this White Paper. -NextLabs www.nextlabs.com

Recommended

Using Microsoft Dynamic Access Control to create Information Barriers for SEC...
Using Microsoft Dynamic Access Control to create Information Barriers for SEC...Using Microsoft Dynamic Access Control to create Information Barriers for SEC...
Using Microsoft Dynamic Access Control to create Information Barriers for SEC...
NextLabs, Inc.
 
Data-Centric Security for the Extended Enterprise
Data-Centric Security for the Extended EnterpriseData-Centric Security for the Extended Enterprise
Data-Centric Security for the Extended Enterprise
NextLabs, Inc.
 
Wp security-data-safe
Wp security-data-safeWp security-data-safe
Wp security-data-safe
ALI ANWAR, OCP®
 
Data Loss Prevention (DLP) - Fundamental Concept - Eryk
Data Loss Prevention (DLP) - Fundamental Concept - ErykData Loss Prevention (DLP) - Fundamental Concept - Eryk
Data Loss Prevention (DLP) - Fundamental Concept - Eryk
Eryk Budi Pratama
 
Anton Chuvakin on Security Data Centralization
Anton Chuvakin on Security Data CentralizationAnton Chuvakin on Security Data Centralization
Anton Chuvakin on Security Data Centralization
Anton Chuvakin
 
The Rise of Data Ethics and Security - AIDI Webinar
The Rise of Data Ethics and Security - AIDI WebinarThe Rise of Data Ethics and Security - AIDI Webinar
The Rise of Data Ethics and Security - AIDI Webinar
Eryk Budi Pratama
 
Cyber Resilience - Welcoming New Normal - Eryk
Cyber Resilience - Welcoming New Normal - ErykCyber Resilience - Welcoming New Normal - Eryk
Cyber Resilience - Welcoming New Normal - Eryk
Eryk Budi Pratama
 
Data protection services lifecycle approach to critical information protection
Data protection services lifecycle approach to critical information protectionData protection services lifecycle approach to critical information protection
Data protection services lifecycle approach to critical information protection
Aujas Networks Pvt. Ltd.
 

Recommended

Using Microsoft Dynamic Access Control to create Information Barriers for SEC...
Using Microsoft Dynamic Access Control to create Information Barriers for SEC...Using Microsoft Dynamic Access Control to create Information Barriers for SEC...
Using Microsoft Dynamic Access Control to create Information Barriers for SEC...
NextLabs, Inc.
 
Data-Centric Security for the Extended Enterprise
Data-Centric Security for the Extended EnterpriseData-Centric Security for the Extended Enterprise
Data-Centric Security for the Extended Enterprise
NextLabs, Inc.
 
Wp security-data-safe
Wp security-data-safeWp security-data-safe
Wp security-data-safe
ALI ANWAR, OCP®
 
Data Loss Prevention (DLP) - Fundamental Concept - Eryk
Data Loss Prevention (DLP) - Fundamental Concept - ErykData Loss Prevention (DLP) - Fundamental Concept - Eryk
Data Loss Prevention (DLP) - Fundamental Concept - Eryk
Eryk Budi Pratama
 
Anton Chuvakin on Security Data Centralization
Anton Chuvakin on Security Data CentralizationAnton Chuvakin on Security Data Centralization
Anton Chuvakin on Security Data Centralization
Anton Chuvakin
 
The Rise of Data Ethics and Security - AIDI Webinar
The Rise of Data Ethics and Security - AIDI WebinarThe Rise of Data Ethics and Security - AIDI Webinar
The Rise of Data Ethics and Security - AIDI Webinar
Eryk Budi Pratama
 
Cyber Resilience - Welcoming New Normal - Eryk
Cyber Resilience - Welcoming New Normal - ErykCyber Resilience - Welcoming New Normal - Eryk
Cyber Resilience - Welcoming New Normal - Eryk
Eryk Budi Pratama
 
Data protection services lifecycle approach to critical information protection
Data protection services lifecycle approach to critical information protectionData protection services lifecycle approach to critical information protection
Data protection services lifecycle approach to critical information protection
Aujas Networks Pvt. Ltd.
 
Sqrrl
SqrrlSqrrl
Sqrrl
Salman SH
 
The Art of Cloud Auditing - ISACA ID
The Art of Cloud Auditing - ISACA IDThe Art of Cloud Auditing - ISACA ID
The Art of Cloud Auditing - ISACA ID
Eryk Budi Pratama
 
Executive Summary_2016
Executive Summary_2016Executive Summary_2016
Executive Summary_2016
Annie Cute
 
Data Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
Data Protection Indonesia: Basic Regulation and Technical Aspects_ErykData Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
Data Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
Eryk Budi Pratama
 
Big Data for Security
Big Data for SecurityBig Data for Security
Big Data for Security
Joey Jablonski
 
Identity and Access Intelligence
Identity and Access IntelligenceIdentity and Access Intelligence
Identity and Access Intelligence
Tim Bell
 
6 aproaches
6 aproaches6 aproaches
6 aproaches
adeel hamid
 
18 Tips for Data Classification - Data Sheet by Secure Islands
18 Tips for Data Classification - Data Sheet by Secure Islands18 Tips for Data Classification - Data Sheet by Secure Islands
18 Tips for Data Classification - Data Sheet by Secure Islands
Secure Islands - Data Security Policy
 
Keynote Theatre. Keynote Day 2. 16:30 Evelyn de Souza
Keynote Theatre. Keynote Day 2. 16:30 Evelyn de Souza Keynote Theatre. Keynote Day 2. 16:30 Evelyn de Souza
Keynote Theatre. Keynote Day 2. 16:30 Evelyn de Souza
CloudExpoAsia
 
Extending Information Security to Non-Production Environments
Extending Information Security to Non-Production EnvironmentsExtending Information Security to Non-Production Environments
Extending Information Security to Non-Production Environments
LindaWatson19
 
Enabling Science with Trust and Security – Guest Keynote
Enabling Science with Trust and Security – Guest KeynoteEnabling Science with Trust and Security – Guest Keynote
Enabling Science with Trust and Security – Guest Keynote
Globus
 
Ahearn Cloud Presentation
Ahearn Cloud PresentationAhearn Cloud Presentation
Ahearn Cloud Presentation
johnjamesahearn
 
Cloud Compliance Auditing - Closer 2011
Cloud Compliance Auditing - Closer 2011Cloud Compliance Auditing - Closer 2011
Cloud Compliance Auditing - Closer 2011
Jonathan Sinclair
 
Health Decisions Webinar: January 2013 data warehouses
Health Decisions Webinar: January 2013 data warehousesHealth Decisions Webinar: January 2013 data warehouses
Health Decisions Webinar: January 2013 data warehouses
Si Nahra
 
User access profiling model
User access profiling modelUser access profiling model
User access profiling model
Jose Guerrero
 
The Increasing Problems Of Controlling Access
The Increasing Problems Of Controlling AccessThe Increasing Problems Of Controlling Access
The Increasing Problems Of Controlling Access
Kylie Dunn
 
Data Sheet - Manage unstructured data growth with Symantec Data Insight
Data Sheet - Manage unstructured data growth with Symantec Data InsightData Sheet - Manage unstructured data growth with Symantec Data Insight
Data Sheet - Manage unstructured data growth with Symantec Data Insight
Symantec
 
apsec 7 Golden Rules Data Leakage Prevention / DLP
apsec 7 Golden Rules Data Leakage Prevention / DLPapsec 7 Golden Rules Data Leakage Prevention / DLP
apsec 7 Golden Rules Data Leakage Prevention / DLP
andreasschuster
 
UBA 5.0 Data Sheet (September 2016)
UBA 5.0 Data Sheet (September 2016)UBA 5.0 Data Sheet (September 2016)
UBA 5.0 Data Sheet (September 2016)
Samantha Pierre
 
Urgensi RUU Perlindungan Data Pribadi
Urgensi RUU Perlindungan Data PribadiUrgensi RUU Perlindungan Data Pribadi
Urgensi RUU Perlindungan Data Pribadi
Eryk Budi Pratama
 
ISACA New York Metro, Developing, Deploying and Managing a Risk-Adjusted Data...
ISACA New York Metro, Developing, Deploying and Managing a Risk-Adjusted Data...ISACA New York Metro, Developing, Deploying and Managing a Risk-Adjusted Data...
ISACA New York Metro, Developing, Deploying and Managing a Risk-Adjusted Data...
Ulf Mattsson
 
The NIST Cybersecurity Framework
The NIST Cybersecurity FrameworkThe NIST Cybersecurity Framework
The NIST Cybersecurity Framework
EMMAIntl
 

More Related Content

What's hot

Executive Summary_2016
Executive Summary_2016Executive Summary_2016
Executive Summary_2016
Annie Cute
 
Identity and Access Intelligence
Identity and Access IntelligenceIdentity and Access Intelligence
Identity and Access Intelligence
Tim Bell
 
Cloud Compliance Auditing - Closer 2011
Cloud Compliance Auditing - Closer 2011Cloud Compliance Auditing - Closer 2011
Cloud Compliance Auditing - Closer 2011
Jonathan Sinclair
 
UBA 5.0 Data Sheet (September 2016)
UBA 5.0 Data Sheet (September 2016)UBA 5.0 Data Sheet (September 2016)
UBA 5.0 Data Sheet (September 2016)
Samantha Pierre
 

What's hot (20)

Sqrrl
SqrrlSqrrl
Sqrrl
 
The Art of Cloud Auditing - ISACA ID
The Art of Cloud Auditing - ISACA IDThe Art of Cloud Auditing - ISACA ID
The Art of Cloud Auditing - ISACA ID
 
Executive Summary_2016
Executive Summary_2016Executive Summary_2016
Executive Summary_2016
 
Data Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
Data Protection Indonesia: Basic Regulation and Technical Aspects_ErykData Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
Data Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
 
Big Data for Security
Big Data for SecurityBig Data for Security
Big Data for Security
 
Identity and Access Intelligence
Identity and Access IntelligenceIdentity and Access Intelligence
Identity and Access Intelligence
 
6 aproaches
6 aproaches6 aproaches
6 aproaches
 
18 Tips for Data Classification - Data Sheet by Secure Islands
18 Tips for Data Classification - Data Sheet by Secure Islands18 Tips for Data Classification - Data Sheet by Secure Islands
18 Tips for Data Classification - Data Sheet by Secure Islands
 
Keynote Theatre. Keynote Day 2. 16:30 Evelyn de Souza
Keynote Theatre. Keynote Day 2. 16:30 Evelyn de Souza Keynote Theatre. Keynote Day 2. 16:30 Evelyn de Souza
Keynote Theatre. Keynote Day 2. 16:30 Evelyn de Souza
 
Extending Information Security to Non-Production Environments
Extending Information Security to Non-Production EnvironmentsExtending Information Security to Non-Production Environments
Extending Information Security to Non-Production Environments
 
Enabling Science with Trust and Security – Guest Keynote
Enabling Science with Trust and Security – Guest KeynoteEnabling Science with Trust and Security – Guest Keynote
Enabling Science with Trust and Security – Guest Keynote
 
Ahearn Cloud Presentation
Ahearn Cloud PresentationAhearn Cloud Presentation
Ahearn Cloud Presentation
 
Cloud Compliance Auditing - Closer 2011
Cloud Compliance Auditing - Closer 2011Cloud Compliance Auditing - Closer 2011
Cloud Compliance Auditing - Closer 2011
 
Health Decisions Webinar: January 2013 data warehouses
Health Decisions Webinar: January 2013 data warehousesHealth Decisions Webinar: January 2013 data warehouses
Health Decisions Webinar: January 2013 data warehouses
 
User access profiling model
User access profiling modelUser access profiling model
User access profiling model
 
The Increasing Problems Of Controlling Access
The Increasing Problems Of Controlling AccessThe Increasing Problems Of Controlling Access
The Increasing Problems Of Controlling Access
 
Data Sheet - Manage unstructured data growth with Symantec Data Insight
Data Sheet - Manage unstructured data growth with Symantec Data InsightData Sheet - Manage unstructured data growth with Symantec Data Insight
Data Sheet - Manage unstructured data growth with Symantec Data Insight
 
apsec 7 Golden Rules Data Leakage Prevention / DLP
apsec 7 Golden Rules Data Leakage Prevention / DLPapsec 7 Golden Rules Data Leakage Prevention / DLP
apsec 7 Golden Rules Data Leakage Prevention / DLP
 
UBA 5.0 Data Sheet (September 2016)
UBA 5.0 Data Sheet (September 2016)UBA 5.0 Data Sheet (September 2016)
UBA 5.0 Data Sheet (September 2016)
 
Urgensi RUU Perlindungan Data Pribadi
Urgensi RUU Perlindungan Data PribadiUrgensi RUU Perlindungan Data Pribadi
Urgensi RUU Perlindungan Data Pribadi
 

Similar to Addressing Gaps in Your Cyber Security

ISACA New York Metro, Developing, Deploying and Managing a Risk-Adjusted Data...
ISACA New York Metro, Developing, Deploying and Managing a Risk-Adjusted Data...ISACA New York Metro, Developing, Deploying and Managing a Risk-Adjusted Data...
ISACA New York Metro, Developing, Deploying and Managing a Risk-Adjusted Data...
Ulf Mattsson
 
Isaca global journal - choosing the most appropriate data security solution ...
Isaca global journal - choosing the most appropriate data security solution ...Isaca global journal - choosing the most appropriate data security solution ...
Isaca global journal - choosing the most appropriate data security solution ...
Ulf Mattsson
 
SegurançA Da InformaçãO Faat V1 4
SegurançA Da InformaçãO Faat V1 4SegurançA Da InformaçãO Faat V1 4
SegurançA Da InformaçãO Faat V1 4
Rodrigo Piovesana
 
ZSAH Security - Web
ZSAH Security - WebZSAH Security - Web
ZSAH Security - Web
Fahd Khan
 
A Practical Approach to Managing Information System Risk
A Practical Approach to Managing Information System RiskA Practical Approach to Managing Information System Risk
A Practical Approach to Managing Information System Risk
amiable_indian
 
Include at least 250 words in your posting and at least 250 words in
Include at least 250 words in your posting and at least 250 words inInclude at least 250 words in your posting and at least 250 words in
Include at least 250 words in your posting and at least 250 words in
maribethy2y
 
Securing your IT infrastructure with SOC-NOC collaboration TWP
Securing your IT infrastructure with SOC-NOC collaboration TWPSecuring your IT infrastructure with SOC-NOC collaboration TWP
Securing your IT infrastructure with SOC-NOC collaboration TWP
Sridhar Karnam
 
Discuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docxDiscuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docx
cuddietheresa
 
Discuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docxDiscuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docx
salmonpybus
 
Fundamentals of-information-security
Fundamentals of-information-security Fundamentals of-information-security
Fundamentals of-information-security
madunix
 
Module 02 Performance Risk-based Analytics With all the advancem
Module 02 Performance Risk-based Analytics With all the advancemModule 02 Performance Risk-based Analytics With all the advancem
Module 02 Performance Risk-based Analytics With all the advancem
IlonaThornburg83
 
Essay QuestionsAnswer all questions below in a single document, pr.docx
Essay QuestionsAnswer all questions below in a single document, pr.docxEssay QuestionsAnswer all questions below in a single document, pr.docx
Essay QuestionsAnswer all questions below in a single document, pr.docx
jenkinsmandie
 
In what ways do you think the Elaboration Likelihood Model applies.docx
In what ways do you think the Elaboration Likelihood Model applies.docxIn what ways do you think the Elaboration Likelihood Model applies.docx
In what ways do you think the Elaboration Likelihood Model applies.docx
jaggernaoma
 
Causes And Consequences Of Data Leakage
Causes And Consequences Of Data LeakageCauses And Consequences Of Data Leakage
Causes And Consequences Of Data Leakage
Patty Buckley
 
Implementing IT Security Controls
Implementing IT Security ControlsImplementing IT Security Controls
Implementing IT Security Controls
Thomas Jones
 

Similar to Addressing Gaps in Your Cyber Security (20)

ISACA New York Metro, Developing, Deploying and Managing a Risk-Adjusted Data...
ISACA New York Metro, Developing, Deploying and Managing a Risk-Adjusted Data...ISACA New York Metro, Developing, Deploying and Managing a Risk-Adjusted Data...
ISACA New York Metro, Developing, Deploying and Managing a Risk-Adjusted Data...
 
The NIST Cybersecurity Framework
The NIST Cybersecurity FrameworkThe NIST Cybersecurity Framework
The NIST Cybersecurity Framework
 
Isaca global journal - choosing the most appropriate data security solution ...
Isaca global journal - choosing the most appropriate data security solution ...Isaca global journal - choosing the most appropriate data security solution ...
Isaca global journal - choosing the most appropriate data security solution ...
 
How Organizations can Secure Their Database From External Attacks
How Organizations can Secure Their Database From External AttacksHow Organizations can Secure Their Database From External Attacks
How Organizations can Secure Their Database From External Attacks
 
Take back your security infrastructure
Take back your security infrastructureTake back your security infrastructure
Take back your security infrastructure
 
SegurançA Da InformaçãO Faat V1 4
SegurançA Da InformaçãO Faat V1 4SegurançA Da InformaçãO Faat V1 4
SegurançA Da InformaçãO Faat V1 4
 
ZSAH Security - Web
ZSAH Security - WebZSAH Security - Web
ZSAH Security - Web
 
A Practical Approach to Managing Information System Risk
A Practical Approach to Managing Information System RiskA Practical Approach to Managing Information System Risk
A Practical Approach to Managing Information System Risk
 
Include at least 250 words in your posting and at least 250 words in
Include at least 250 words in your posting and at least 250 words inInclude at least 250 words in your posting and at least 250 words in
Include at least 250 words in your posting and at least 250 words in
 
CSEC630 individaul assign
CSEC630 individaul assignCSEC630 individaul assign
CSEC630 individaul assign
 
Securing your IT infrastructure with SOC-NOC collaboration TWP
Securing your IT infrastructure with SOC-NOC collaboration TWPSecuring your IT infrastructure with SOC-NOC collaboration TWP
Securing your IT infrastructure with SOC-NOC collaboration TWP
 
Discuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docxDiscuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docx
 
Discuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docxDiscuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docx
 
Fundamentals of-information-security
Fundamentals of-information-security Fundamentals of-information-security
Fundamentals of-information-security
 
Bit defender ebook_secmonitor_print
Bit defender ebook_secmonitor_printBit defender ebook_secmonitor_print
Bit defender ebook_secmonitor_print
 
Module 02 Performance Risk-based Analytics With all the advancem
Module 02 Performance Risk-based Analytics With all the advancemModule 02 Performance Risk-based Analytics With all the advancem
Module 02 Performance Risk-based Analytics With all the advancem
 
Essay QuestionsAnswer all questions below in a single document, pr.docx
Essay QuestionsAnswer all questions below in a single document, pr.docxEssay QuestionsAnswer all questions below in a single document, pr.docx
Essay QuestionsAnswer all questions below in a single document, pr.docx
 
In what ways do you think the Elaboration Likelihood Model applies.docx
In what ways do you think the Elaboration Likelihood Model applies.docxIn what ways do you think the Elaboration Likelihood Model applies.docx
In what ways do you think the Elaboration Likelihood Model applies.docx
 
Causes And Consequences Of Data Leakage
Causes And Consequences Of Data LeakageCauses And Consequences Of Data Leakage
Causes And Consequences Of Data Leakage
 
Implementing IT Security Controls
Implementing IT Security ControlsImplementing IT Security Controls
Implementing IT Security Controls
 

More from NextLabs, Inc.

SharePoint Business Track Part 1 of 2
SharePoint Business Track Part 1 of 2SharePoint Business Track Part 1 of 2
SharePoint Business Track Part 1 of 2
NextLabs, Inc.
 
Requirements for Implementing Data-Centric ABAC
Requirements for Implementing Data-Centric ABAC Requirements for Implementing Data-Centric ABAC
Requirements for Implementing Data-Centric ABAC
NextLabs, Inc.
 
Managing Role Explosion with Attribute-based Access Control - Webinar Series ...
Managing Role Explosion with Attribute-based Access Control - Webinar Series ...Managing Role Explosion with Attribute-based Access Control - Webinar Series ...
Managing Role Explosion with Attribute-based Access Control - Webinar Series ...
NextLabs, Inc.
 
Managing Role Explosion with Attribute-based Access Control - Webinar Series ...
Managing Role Explosion with Attribute-based Access Control - Webinar Series ...Managing Role Explosion with Attribute-based Access Control - Webinar Series ...
Managing Role Explosion with Attribute-based Access Control - Webinar Series ...
NextLabs, Inc.
 
Extensible Authorization for SAP Applications Webinar
Extensible Authorization for SAP Applications WebinarExtensible Authorization for SAP Applications Webinar
Extensible Authorization for SAP Applications Webinar
NextLabs, Inc.
 
Preview Of Gary Stanley 10 Commandments
Preview Of Gary Stanley 10 CommandmentsPreview Of Gary Stanley 10 Commandments
Preview Of Gary Stanley 10 Commandments
NextLabs, Inc.
 
Preview of Heaney On ITAR Controls
Preview of Heaney On ITAR ControlsPreview of Heaney On ITAR Controls
Preview of Heaney On ITAR Controls
NextLabs, Inc.
 

More from NextLabs, Inc. (17)

SharePoint Business Track Part 1 of 2
SharePoint Business Track Part 1 of 2SharePoint Business Track Part 1 of 2
SharePoint Business Track Part 1 of 2
 
Digital Rights Management
Digital Rights ManagementDigital Rights Management
Digital Rights Management
 
Cyber Security
Cyber SecurityCyber Security
Cyber Security
 
eGRC for Information Export Control
eGRC for Information Export ControleGRC for Information Export Control
eGRC for Information Export Control
 
Requirements for Implementing Data-Centric ABAC
Requirements for Implementing Data-Centric ABAC Requirements for Implementing Data-Centric ABAC
Requirements for Implementing Data-Centric ABAC
 
Managing Role Explosion with Attribute-based Access Control - Webinar Series ...
Managing Role Explosion with Attribute-based Access Control - Webinar Series ...Managing Role Explosion with Attribute-based Access Control - Webinar Series ...
Managing Role Explosion with Attribute-based Access Control - Webinar Series ...
 
Managing Role Explosion with Attribute-based Access Control - Webinar Series ...
Managing Role Explosion with Attribute-based Access Control - Webinar Series ...Managing Role Explosion with Attribute-based Access Control - Webinar Series ...
Managing Role Explosion with Attribute-based Access Control - Webinar Series ...
 
NextLabs Internships
NextLabs InternshipsNextLabs Internships
NextLabs Internships
 
Extensible Authorization for SAP Applications Webinar
Extensible Authorization for SAP Applications WebinarExtensible Authorization for SAP Applications Webinar
Extensible Authorization for SAP Applications Webinar
 
Part III of III: SAP Advanced Authorization for SAP Global Deployments: Octo...
Part III of III: SAP Advanced Authorization for SAP Global Deployments: Octo...Part III of III: SAP Advanced Authorization for SAP Global Deployments: Octo...
Part III of III: SAP Advanced Authorization for SAP Global Deployments: Octo...
 
Part II of III: Advanced Authorization for SAP Global Deployments: September ...
Part II of III: Advanced Authorization for SAP Global Deployments: September ...Part II of III: Advanced Authorization for SAP Global Deployments: September ...
Part II of III: Advanced Authorization for SAP Global Deployments: September ...
 
PART I of III: Advanced Authorization for SAP Global Deployments: September ...
PART I of III: Advanced Authorization for SAP Global Deployments: September ...PART I of III: Advanced Authorization for SAP Global Deployments: September ...
PART I of III: Advanced Authorization for SAP Global Deployments: September ...
 
Advanced Authorization for SAP Global Deployments Part III of III
Advanced Authorization for SAP Global Deployments Part III of IIIAdvanced Authorization for SAP Global Deployments Part III of III
Advanced Authorization for SAP Global Deployments Part III of III
 
Advanced Authorization for SAP Global Deployments Part II of III
Advanced Authorization for SAP Global Deployments Part II of IIIAdvanced Authorization for SAP Global Deployments Part II of III
Advanced Authorization for SAP Global Deployments Part II of III
 
Advanced Authorization for SAP Global Deployments Part I of III
Advanced Authorization for SAP Global Deployments Part I of IIIAdvanced Authorization for SAP Global Deployments Part I of III
Advanced Authorization for SAP Global Deployments Part I of III
 
Preview Of Gary Stanley 10 Commandments
Preview Of Gary Stanley 10 CommandmentsPreview Of Gary Stanley 10 Commandments
Preview Of Gary Stanley 10 Commandments
 
Preview of Heaney On ITAR Controls
Preview of Heaney On ITAR ControlsPreview of Heaney On ITAR Controls
Preview of Heaney On ITAR Controls
 

Recently uploaded

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 

Recently uploaded (20)

[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

Addressing Gaps in Your Cyber Security

  • 1. Addressing Gaps in Your Cyber Security Solution Design at the Data Layer Because the biggest impact of cyber breach is data loss, data protection should be architected into the DNA of your cyber security solution. This means focusing security efforts around data from the very beginning, from initial risk assessment, to control design, to implementation and auditing. Most cyber security solutions protect infrastructure, assuming that data stored within containers will be protected. This white paper explains why this assumption is no longer valid and outlines an approach to designing a cyber security solution directly around data. Compliance Officers, Risk Managers, Security Professionals, and IT Leaders will understand the goals and steps of data-centric solution design, as well as its potential benefits. WHITE PAPER
  • 2. 2 INTRODUCTION With cyber threats on the rise, the biggest gap in your cyber security solution is most likely data protection. Conventional IT tools protect information by securing infrastructure from external attack and applying controls to“containers.”However, the biggest source of cyber threat is increasingly“business as usual,”that is, authorized users sharing sensitive data, increasingly outside controlled locations. Across every industry, business process is becoming more globalized, devices are proliferating, and new data storage and hosting models continue to emerge. Data is being shared more broadly than ever, and infrastructure-based IT controls simply cannot keep pace. Organizations are recognizing the need to go beyond infrastructure-centric controls to protect data directly, regardless of system, device, or application, and whether data is inside or outside the“traditional”perimeter. This is especially true for data that warrants extra protection, such as highly sensitive data or data regularly shared with external partners and organizations. What would it mean to design a cyber security solution to protect data based on business value and risk? How would an organization extend data protection beyond the container? This white paper presents an approach to solution design that takes data as its starting point. The goal is precision: to target sensitive data, identify data sharing use cases where risk is high, then apply uniform controls to protect data, no matter the system, application, or device. IMPLEMENTATION CHALLENGES: THE NIST EXAMPLE Frameworks for cyber security, like the one supplied by the National Institute for Standards and Technology (NIST), attempt to provide a top-down view of the functions of a comprehensive cyber security solution. How can an organization extend data protection beyond the container? In the early stages (the“Identify function,”in the NIST framework), Risk Assessors identify Vulnerabilities—meaning potential system weaknesses that can result in cyber breach. In the “Protect”function, these Vulnerabilities are translated into technical protections. After this“translation”process, an organization may not even know if vulnerabilities identified in the early stages of solution planning are even addressed at all. Different teams are typically responsible for applying controls to different systems. There is rarely any coordination or visibility into how different teams apply technical protections across layers of architecture.
  • 3. 3 In this approach, the lowest layer of protection (data) is assumed, rather than explicit. While initial vulnerabilities may be expressed in terms of data loss and leakage, protections themselves are not designed around data. None of the IT protections (trusted devices, application- specific ACLs, rules, and permissions), protect data directly. The result of these challenges is that data protections may or may not be“translated”adequately into system controls, and protection may not persist as data leaves the container. Standard solution design ends with containers. Data-centered solution design starts with data itself. One way to address these challenges is to understand the work that needs to occur in between the“Identify”and“Protect”functions of frameworks like NIST. An organization must have a method to: Track how initial data protection requirements are translated into technical controls Ensure protections are implemented consistently cross-system. One method is to maintain a central list of standard, system-agnostic controls that serve as the blueprint for all technical controls applied cross-system—what this white paper refers to as the“Uniform Control Model.” USING A UNIFORM CONTROL MODEL Developing a Uniform Control Model for data-centric security inverts the process of standard, infrastructure-centric security design. The standard process translates initial requirements into technical protections at various layers or architecture, assuming data underneath each layer will be protected. In contrast, a data-centered design starts with data itself. First, Data Vulnerabilities--which are data-related events that can result in cyber breach--are identified within a structured framework. Importantly, Data Vulnerabilities are not defined in terms of system weaknesses, flaws, or external attacks--but in terms of regular events that occur during“business as usual” data access, usage, and sharing. You then map each Data Vulnerability to a Control Type. Together, all the controls form the Uniform Control Model. Because there is a clear mapping from Data Vulnerability to Control Type in this method, there is better visibility into how each data protection requirement is being addressed. The Uniform Control Model is system-agnostic, meaning that while systems may be referenced in controls (file servers, line of business applications, and devices where data is stored), controls are not written in the proprietary logic of a particular application or system (for example, ACLs or permissions on file servers). The goal is to produce a highly auditable, centrally managed set of data controls that can be deployed cross-system.
  • 4. 4 Step-by-Step Perform the following three basic steps to produce a Uniform Control Model for data-centric cyber security: (1) Identify a set of data under threat, where the business value of the data warrants controls. (2) Identify specific Data Vulnerabilities as data moves through its standard process: creation, access, usage, and sharing. (3) Map each Data Vulnerability to a specific Control Type in the Uniform Control Model. The following sections describe these steps in more detail using a Uniform Control Model produced by NextLabs. This model accumulates standard data protection technologies and incorporates them into a comprehensive control framework. STEP 1. TARGET DATA BASED ON BUSINESS VALUE AND RISK When organizations attempt to design data-centric controls, they confront a sea of data, complex data sharing practices, over uncontrolled devices, and even with unknown users. Where to begin? The answer is simple: start small. Target a class of data that has high business value and is highly susceptible to cyber breach. A key guideline for data-centric protection: the level of protection should correspond to the business value of data and degree of risk. For much data, traditional, infrastructure-based controls may suffice. For highly sensitive and valuable data and/or data that is unusually susceptible to cyber breach, a data-level solution is likely warranted. The key for data-centric security: the level of protection should match the value of data and degree of risk.
  • 5. Thank You! Thank you for viewing a preview of our White Paper - Addressing Gaps in Your Cyber Security. Request the full version of this White Paper to learn: - An approach to designing a cyber security solution directly around data - Understand why protecting just the infrastructure of where data is stored is not enough CLICK HERE to request a copy of this White Paper. -NextLabs www.nextlabs.com