Trends in Data Centric Security: Deployment Models

So far we have talked about the need for data centric security, what that means, and which tools fit the model. Now it is time to paint a more specific picture of how to implement and deploy data centric security, so here are some concrete examples of how the tools are deployed to support a data centric model. Gateways A gateway is typically an appliance that sits in-line with traffic and applies security as data passes. Data packets are inspected near line speed, and sensitive data is replaced or obfuscated before packets are passed on. Gateways are commonly used used by enterprises before data is moved off-premise, such as up to the cloud or to another third-party service provider. The gateway sits inside the corporate firewall, at the ‘edge’ of the infrastructure, discovering and filtering out sensitive data. For example some firms encrypt data before it is moved into cloud storage for backups. Others filter web-based transactions inline, replacing credit card data with tokens without disrupting the web server or commerce applications. Gateways offer high-performance substitution for data in motion; but they must be able to parse the data stream to encrypt, tokenize, or mask sensitive data. Another gateway deployment model puts appliances in front of “big data” (NoSQL databases such as Hadoop), replacing data before insertion into the cluster. But support for high “input velocity” is a key advantage of big data platforms. To avoid crippling performance at the security bottleneck, gateways must be able to perform data replacement while keeping up with the big data platform’s ingestion rate. It is not uncommon to see a cluster of appliances feeding a single NoSQL repository, or even spinning up hundreds of cloud servers on demand, to mask or tokenize data. These service must secure data very quickly, so they don’t provide deep analysis. Gateways may even need to be told the location of sensitive data within the stream to support substitution. Hub and Spoke ETL (Extract, Transform, and Load) has been around almost as long as relational databases. It describes a process for extracting data from one database, masking it to remove sensitive data, then loading the desensitized into another database. Over the last several years we have seen a huge resurgence of ETL, as firms look to populate test databases with non-sensitive data that still provides a reliable testbed for quality assurance efforts. A masking or tokenization ‘hub’ orchestrates data movement and implements security. Modeled on test data management systems, modern systems alter health care data and PII (Personally Identifiable Information) to support use in multiple locations with inconsistent or inadequate security. The hub-and-spoke model is typically used to create multiple data sets, rather than securing streams of data; to align with the hub-and-spoke model, encryption and tokenization are the most common methods of protection. Encryption enables trusted users to decrypt the data as needed, and masking supports analytics without providing the real (sensitive) data. The graphic above shows ETL in its most basic form, but the old platforms have evolved into much more sophisticated data management systems. They can now discover data stored in files and databases, morph together multiple sources to create new data sets, apply different masks for different audiences, and relocate the results – as files, as JSON streams, or even inserted into a data repository. It is a form of data orchestration, moving information automatically according to policy. Plummeting compute and storage costs have made it feasible to produce and propagate multiple data sets to various audiences. Reverse Proxy As with the gateways described above, in the reverse-proxy model an appliance – whether virtual or physical – is inserted inline into the data flow. But reverse proxies are used specifically between users and a database. Offering much more than simple positional substitution, proxies can alter what they return to users based on the recipient and the specifics of their request. They work by intercepting and masking query results on the fly, transparently substituting masked results for the user. For example if a user queries too many credit card numbers, or if a query originates from an unapproved location, the returned data might be redacted. The proxy effectively intelligently dynamically masks data. The proxy may be an application running on the database or an appliance deployed inline between users and data to force all communications through the proxy. The huge advantage of proxies is t hat they enable data protection without needing to alter the database — they avoid additional programming and quality assurance validation processes. This model is appropriate for PII/PHI data, when data can be managed from a central locations but external users may need access. Some firms have implemented tokenization this way, but masking and redaction are more common. The principal use case is to protect data dynamically, based on user identity and the request itself. Other Options Many of you have used data centric security before, and use it today, so it is worth mentioning two security platforms in wide use today which don’t quite fit our use cases. Data Loss Prevention systems (DLP), and Digital Rights Management (DRM) are forms of DCS which have each been in use over a decade. Data Loss Prevention systems are designed to detect sensitive data and ensure data usage complies with security policy – on the network, on the desktop, and in storage repositories. Digital Rights Management embeds ownership and usage rules into the data, with security policy (primarily read and write access) enforced by the applications that use the data. DLP protects at the infrastructure layer, and DRM at the application layer. Both use encryption to protect data. Both allow users to view and edit data depending on security policies. DLP can be effectively deployed in existing IT environments, helping organizations gain control over data that is already in use. DRM typically needs to be built into applications, with security controls (e.g.,: encryption and ownership rights) applied to data as it is created. These platforms are designed to expose data (making it available

Read Post

The Security Pro’s Guide to Cloud File Storage and Collaboration: Introduction

This is a new series on what security pros need to know about cloud file storage and collaboration (also called file sync and share). If you have feedback please leave a comment, or even track and edit the evolving paper over on GitHub. The rise of cloud file storage and collaboration Few technologies have invaded the enterprise as rapidly as cloud file storage and collaboration services. Typically called File Sync and Share, these tools originated as consumer cloud services to help people store, sync, and share files across computers and mobile devices. We hate to dip into hyperbole, but calling these tools groundbreaking is an understatement. Users can now access their files from any computer or device and share files with anyone, anywhere, with ease and simplicity never seen before. To many consumers, this is “the cloud”. These services so quickly proved their value that they inevitably made their way into the enterprise. Unfortunately few of them were architected to support the needs and security requirements of a business. In response, many organizations simply banned and blocked them, but as always happens when a tool provides demonstrable business benefit, use is inevitable – with or without support. In response, enterprise-class options emerged. But many security professionals still struggle to understand the implications of cloud storage and collaboration, and the differences between consumer and enterprise-grade services. Even though some of these services can offer superior security to traditional on-premise file storage. The market is evolving incredibly rapidly, with both new features and new competitors showing up constantly. We see continuous change as everyone scrambles for competitive advantage in this wide-open new market. The category is most often called file sync and share, but we prefer the term cloud file storage and collaboration because many of the services and tools offer much more than basic syncing and sharing. Cloud file storage and collaboration services are an unavoidable disruptive innovation. Security implications, but also significant benefits The risk is pretty obvious: pick the wrong service, or configure it incorrectly, and it is all too easy to effectively punch a hole in your firewall, allow all denizens of the Internet unfettered access to your files. Without centralized visibility and control, employees make mistakes and expose sensitive information. Choose an insecure service and you suffer the consequences of misplaced trust and exposed files. Practically speaking, file security is something most organizations have struggled with since long before the Internet. But cloud services enable us to extend our failures across the Internet. Tools vs. Services You will notice we tend to focus on cloud storage and collaboration services, rather than tools you implement yourself. While tools are available to create your own private file sync and share services, they don’t offer all the benefits of a true cloud service. Covering both would complicate this paper, and most of the concerns and questions we receive are about cloud-native services, not internal tools which offer similar functionality. But pick the right service and configure it properly, and you can realize security benefits that are impossible with traditional file storage. By centralizing all file storage security gains a choke point for complete control and visibility. You can track the full history of access to all files from all users and devices. You can set enterprise-wide policies for how files are managed and shared, both internally and externally. And unlike many other security approaches, you can do so while providing the business something they want and are highly likely to adopt. The alternative? Our existing troves of dozens, if not hundreds or thousands, of file repositories – all managed separately, with different policies, and usually without any real monitoring capabilities. This paper delves into the security implications of cloud file storage and collaboration services. It covers the security fundamentals (including risks and benefits), core security features, and some more advanced security features such as encryption options. We will separate out what you can expect from an enterprise-class service vs. a consumer offering – to help security professionals evaluate, select, and leverage the right options for their organizations. The trick is to ensure you understand the strengths and weaknesses of each service, and how best to enable security without disabling the business. Share:

Read Post

Incite 7/16/2014: Surprises

Every time I took a new job, on my first day I would tell the team that I hate surprises. What I really meant was a warning, not to screw something up and not tell me. That’s not really a surprise, per se. More a failure to communicate. But now that I’m a bit older I realize the importance of surprises. When you are surprised it really means you had no expectations. For example, if I really didn’t like surprises I wouldn’t have appreciated the fact that The Boy took a hip-hop dancing elective at camp. That’s right, hip-hop dancing. That’s nothing less than shocking. He’s a pretty shy kid, and definitely doesn’t like to be the center of attention. Or so I thought. So hearing about him getting onstage to do a hip-hop routine was an awesome surprise. The flip side of a pleasant surprise is disappointing surprise. Of course we all feel disappointment at some point. It happens when you enter a situation and expectations are unmet. This all comes back to managing expectations. I know what you’re thinking – who cares? I do. I spent a long time disappointed with almost everything, because my expectations were unrealistic and usually unmet. I was constantly surprised because I expected things to happen, and I got bent out of shape when they didn’t. One of the things I’ve been working on is having no expectations – or at least very limited expectations. For example, if I’m about to go out for the evening with friends I expect to end up back at home, and not naked in a crackhouse without any money. See how easy that was? Having realistic expectations is pretty straightforward. And if you do find yourself in that situation, there’s probably a great story to be told… once you get out of rehab. All kidding aside, the sooner you can release most of your expectations, the sooner you will have more pleasant surprises and much less disappointment. –Mike Photo credit: “Surprise” originally uploaded by Tom Rolfe The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back. Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. July 14 – China and Career Advancement June 30 – G Who Shall Not Be Named June 17 – Apple and Privacy May 19 – Wanted Posters and SleepyCon May 12 – Another 3 for 5: McAfee/OSVDB, XP Not Dead, CEO head rolling May 5 – There Is No SecDevOps April 28 – The Verizon DBIR April 14 – Three for Five March 24 – The End of Full Disclosure March 19 – An Irish Wake Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too. Leveraging Threat Intelligence in Incident Response/Management Really Responding Faster Introduction Endpoint Security Management Buyer’s Guide (Update) Mobile Endpoint Security Management Trends in Data Centric Security Tools Introduction Use Cases Understanding Role-based Access Control Advanced Concepts Introduction NoSQL Security 2.0 Understanding NoSQL Platforms Introduction Newly Published Papers Open Source Development and Application Security Analysis Advanced Endpoint and Server Protection Defending Against Network-based DDoS Attacks Reducing Attack Surface with Application Control Leveraging Threat Intelligence in Security Monitoring The Future of Security Security Management 2.5: Replacing Your SIEM Yet? Defending Data on iOS 7 Eliminating Surprises with Security Assurance and Testing Incite 4 U Penetrating words about vulnerabilities: Daniel Miessler clarifies the distinctions between a vulnerability assessment and a penetration test. This is a good discussion – some organizations don’t know what they are buying when they select one or the other. Daniel offers a clean distinction: “The only key attributes of a VA vs. PT are list-orientation vs. goal-orientation…” A vulnerability assessment should produce a comprehensive list, while a penetration test has a mission to accomplish. But in the end the definitions aren’t even that important. The key is to know what you are buying. You likely need both, but if you expect a comprehensive list of issues from penetration testers you will be disappointed. – MR iPhone as a political pawn: As discussed in this week’s Firestarter, state-run China Central Television called out Apple’s iPhone as a national security concern because of fears that iOS “frequent location” data could leak and compromise state secrets. Apple responded succinctly yesterday: Apple does not have access to Frequent Locations or the location cache on any user’s iPhone at any time. Obviously the iPhone uses location data, and users can share geolocation data with individual apps as desired. We assume China Central Television’s coverage is politically motivated national posturing, laying out ground rules on surveillance and data collection. After all, the iPhone is made in China so it’s hard to imagine how much of a threat to national security it really is. The real issue is not being discussed: In response to legal demands from nation such as the USA and China for iPhone user location data, what will Apple provide (what has Apple provided) and who will be notified, if anyone. – AL Trees don’t grow to the sky: Just in case you thought any of these megacapitalized technology giants would grow to the stratosphere… forget it. It looks like the German government is looking to more heavily regulate the large web advertising businesses and treat them like utilities to make sure pricing doesn’t get out of hand. The Europeans in general are far more egalitarian than on

Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.