Vulnerabilities / Threats
Guest Blog // Selected Security Content Provided By Intel
What's This?
1/31/2014
04:11 PM
Tom Quillin
Tom Quillin
Guest Blogs
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Identifying and Protecting Sensitive Data

You already know the story: enterprises need strong security to keep their secrets secret, but data protection is a tough beast to tame. There are countless variables to consider, and different data types require different treatment. Add the constant x factor of human unpredictability and you have a potentially feral pack of valuable data, complexity, and fallibility.

You already know the story: enterprises need strong security to keep their secrets secret, but data protection is a tough beast to tame. There are countless variables to consider, and different data types require different treatment. Add the constant x factor of human unpredictability and you have a potentially feral pack of valuable data, complexity, and fallibility.

How does Intel, a global enterprise with a lot of data to protect, overcome these challenges? I recently sat down with Chris Sellers, Intel's general manager of IT Information Security to learn how Intel deals with data protection. Not just the measures they use to keep information safe, but the philosophy, people, processes, and technology behind the measures.

Intel's security relies on data classification, education and training, and close observation to the metrics.

Tom Quillin (TQ): What is Intel's formula for successful data protection?

Chris Sellers (CS):Within Intel, we realized that data protection effectiveness could be improved if we classified the different types of information we had, ranging from "most valuable" to "publicly available." We brought our IT security, business units, and legal teams to the table to discuss how to label the data, and they came up with five classifications to start with. Once we had these classifications we started instituting policies and guidelines that would protect different kinds of information based on its classification.

TQ: Quite a bit has changed in the past 9 years, what challenges, obstacles or risks have you seen since you initially developed these classifications, and how are you dealing with them?

CS:There have been some challenges, of course. Moving targets are hard to hit and new risks are constantly emerging with the increased use of social media and mobile technologies, so we had to make sure that our policies and guidelines could account for that. Though we had technology solutions in mind, we had to think about the role that the employee plays in data protection also. We launched an ambitious awareness and training program to get employees to understand the data classifications – which we refined to four levels. Users need to know how they affect the system, the business, and they need to know how they can comply with policies to help protect data and the computing environment.

We found that it's absolutely necessary to take a proactive approach. Intel IT helps business units conduct collaborative risk assessments to show where improvement is needed. Then we work with the business units to highlight tools, processes, and training awareness that help users prevent data loss.

TQ: What are some of the specifics of your awareness campaign approach?

CS: First, we created an IT Awareness Team to execute marketing campaigns to communicate and train Intel employees. We use an internal website to post security-conscious messages from Intel executives and the CSO and CIO. The site is localized, so Intel employees can read relevant content no matter where they are or what language they speak. We also use external advisers to measure and track the effectiveness of our awareness campaigns.

TQ: What did Intel learn along the way through this education and awareness process?

CS: Users are smart and resourceful. As with any security measure that require the user to support, if it is too hard to use the effectiveness decreases as users will find a way to do their job, even if it means circumventing approved tools and processes. Intel fosters a culture of openness and inclusiveness, which means giving employees the tools they need to do their jobs. However these tools need to have a positive user experience and add value to the end user (in ease to accomplish their goal, or quick ability to share information securely, etc.). Then, it's a matter of educating users to be aware of the impact they can have on company security and to ensure that policies, processes, and tools are easy to remember and use.

Tom Quillin (TQ): Chris, tell me a little more about data classification and how Intel manages the complexity of that task.

Chris Sellers (CS):In general, Intel labels data and content at creation and these labels provide the expectations about how that data should and will be handled. We factor in the data's status--is it at rest, in transit, or in use? We look at access: who has it and are they inside or outside Intel's firewalls? And, finally, we account for the document's own lifecycle, whether it's a draft, published, archived, or in its last days. The labels serve another purpose, too. They're basically embedded key words that allow Intel IT the ability to help detect non-compliance and help prevent data leakage. This capability is important since the physical boundaries of our organization have been blurred by ever-increasing utilization of the cloud and ever growing collaboration needs.

Intel IT basically serves as the custodian of the data, but it's up to individual business units to apply classifications to the information. This is where we have to focus on education and awareness to ensure that data is properly classified. Classifying content is a largely manual endeavor, though we're working towards automating the process as much as possible as the tools in the market become more mature and capable.

TQ: As you highlight with Intel's use of the cloud, Chris, an organization's perimeters are not what they use to be. How do you track where the data's located and how do you keep it secure?

CS:Yes, corporate boundaries are rapidly changing with the emergence of the cloud and ever increasing external collaboration, so we employ a strategy, called "Defense in Depth" or D.I.D, to factor in all the variables needed to create multi-layered security. D.I.D factors in the type and maturity of technology, the level of sensitivity, the type of content, and the different types of access and control that are applied to different types of data. Then, we have to protect the data at the source, so where applicable we add embedded encryption and access-rights protection. The more sensitive the information, the more control layers in place to protect it.

TQ: How does Intel measure the effectiveness of its data protection approach?

CS:We evaluate a diverse set of criteria to make sure we can accommodate the current security threat model. As with any company, we can't measure what we don't know--like a data leak that we haven't discovered yet. We do employ data loss protection (DLP) and have ways to measure the usage and metrics of the tools. As the DLP footprint expands and the technology matures, we'll be able to see more areas where we might have employee behaviors that increase our risk of data leakage. Using these tools we can expose that to the user so they can utilize a more secure way of managing or sharing the data. We have found, similar to the industry, which most data loss comes from human error, not human maliciousness.

All in all, effectiveness depends on vigilance and constant improvement to the process. Intel IT security has to be flexible and adaptive without sacrificing security--and that's where Defense in Depth and our awareness campaigns really strengthen Intel's ability to protect its data. It's a give-and-take between Intel IT, legal, business units, and our end users. At Intel we balance this give-and-take relationship through our Security and Privacy Office, which is led by our CSO who has an independent reporting relationship from IT, legal, or the business units. This facilitates the setting of corporate policies and risk tolerances to be focused on the need of the corporation and provides an effective escalation point to manage conflicts and enable quick decision-making.

If you'd like to learn more detail about Intel's approach to protecting data, I encourage you to go to the IT@Intel: Enterprise Security website to find helpful blogs and whitepapers about how IT@Intel deals with a number of security issues. Or, you can provide your specific questions and comments here and I'll be happy to respond.

Follow me on Twitter: @TomQuillin

Tom Quillin is the Director of Cyber Security for Technologies and Initiatives at Intel Corp. He is responsible for identifying security risks, as well as contributing to product planning that addresses future security challenges. He also manages Intel's policy positions on ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
gosmartyjones
50%
50%
gosmartyjones,
User Rank: Apprentice
4/15/2014 | 7:25:53 AM
Data Protection
Great article, and it underscores the complexities of data protection and the various elements and types of data.  Creating a philosophy based on awareness and accountability seems to be quite effective. "Awareness" in that organizations know the types of data they have, how it needs to be protected, the classification level for that data, etc.  "Accountability" in that there are severe repercussions if such data is compromised, both for the data itself, and the employee(s) responsible. And much of this comes back to basic, sound security awareness and training for all employees. The more knowledgeable an employee is, the better prepared they are for helping ensure the safety and security of data. 
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-0334
Published: 2014-10-31
Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.

CVE-2014-2334
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2335
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2336
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 and FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2334 and CVE-2014-2335.

CVE-2014-3366
Published: 2014-10-31
SQL injection vulnerability in the administrative web interface in Cisco Unified Communications Manager allows remote authenticated users to execute arbitrary SQL commands via a crafted response, aka Bug ID CSCup88089.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.