Guest Blog // Selected Security Content Provided By Intel
Tom Quillin

Identifying and Protecting Sensitive Data

You already know the story: enterprises need strong security to keep their secrets secret, but data protection is a tough beast to tame. There are countless variables to consider, and different data types require different treatment. Add the constant x factor of human unpredictability and you have a potentially feral pack of valuable data, complexity, and fallibility.

How does Intel, a global enterprise with a lot of data to protect, overcome these challenges? I recently sat down with Chris Sellers, Intel's general manager of IT Information Security, to learn how Intel deals with data protection: not just the measures they use to keep information safe, but the philosophy, people, processes, and technology behind those measures.

Intel's security relies on data classification, education and training, and close attention to the metrics.

Tom Quillin (TQ): What is Intel's formula for successful data protection?

Chris Sellers (CS): Within Intel, we realized that data protection effectiveness could be improved if we classified the different types of information we had, ranging from "most valuable" to "publicly available." We brought our IT security, business units, and legal teams to the table to discuss how to label the data, and they came up with five classifications to start with. Once we had these classifications we started instituting policies and guidelines that would protect different kinds of information based on its classification.

TQ: Quite a bit has changed in the past 9 years. What challenges, obstacles, or risks have you seen since you initially developed these classifications, and how are you dealing with them?

CS: There have been some challenges, of course. Moving targets are hard to hit and new risks are constantly emerging with the increased use of social media and mobile technologies, so we had to make sure that our policies and guidelines could account for that. Though we had technology solutions in mind, we had to think about the role that the employee plays in data protection also. We launched an ambitious awareness and training program to get employees to understand the data classifications – which we refined to four levels. Users need to know how they affect the system and the business, and they need to know how they can comply with policies to help protect data and the computing environment.

We found that it's absolutely necessary to take a proactive approach. Intel IT helps business units conduct collaborative risk assessments to show where improvement is needed. Then we work with the business units to highlight tools, processes, and training awareness that help users prevent data loss.

TQ: What are some of the specifics of your awareness campaign approach?

CS: First, we created an IT Awareness Team to execute marketing campaigns to communicate and train Intel employees. We use an internal website to post security-conscious messages from Intel executives and the CSO and CIO. The site is localized, so Intel employees can read relevant content no matter where they are or what language they speak. We also use external advisers to measure and track the effectiveness of our awareness campaigns.

TQ: What did Intel learn along the way through this education and awareness process?

CS: Users are smart and resourceful. As with any security measure that requires the user's support, if it is too hard to use, the effectiveness decreases, as users will find a way to do their job, even if it means circumventing approved tools and processes. Intel fosters a culture of openness and inclusiveness, which means giving employees the tools they need to do their jobs. However, these tools need to have a positive user experience and add value to the end user (in ease of accomplishing their goal, or the ability to quickly share information securely, etc.). Then, it's a matter of educating users to be aware of the impact they can have on company security and of ensuring that policies, processes, and tools are easy to remember and use.

Tom Quillin (TQ): Chris, tell me a little more about data classification and how Intel manages the complexity of that task.

Chris Sellers (CS): In general, Intel labels data and content at creation and these labels provide the expectations about how that data should and will be handled. We factor in the data's status: is it at rest, in transit, or in use? We look at access: who has it and are they inside or outside Intel's firewalls? And, finally, we account for the document's own lifecycle, whether it's a draft, published, archived, or in its last days. The labels serve another purpose, too. They're basically embedded key words that give Intel IT the ability to help detect non-compliance and help prevent data leakage. This capability is important since the physical boundaries of our organization have been blurred by ever-increasing utilization of the cloud and ever-growing collaboration needs.

Intel IT basically serves as the custodian of the data, but it's up to individual business units to apply classifications to the information. This is where we have to focus on education and awareness to ensure that data is properly classified. Classifying content is a largely manual endeavor, though we're working towards automating the process as much as possible as the tools in the market become more mature and capable.

TQ: As you highlight with Intel's use of the cloud, Chris, an organization's perimeters are not what they used to be. How do you track where the data's located, and how do you keep it secure?

CS: Yes, corporate boundaries are rapidly changing with the emergence of the cloud and ever-increasing external collaboration, so we employ a strategy, called "Defense in Depth" or D.I.D, to factor in all the variables needed to create multi-layered security. D.I.D factors in the type and maturity of technology, the level of sensitivity, the type of content, and the different types of access and control that are applied to different types of data. Then, we have to protect the data at the source, so where applicable we add embedded encryption and access-rights protection. The more sensitive the information, the more control layers are in place to protect it.

TQ: How does Intel measure the effectiveness of its data protection approach?

CS: We evaluate a diverse set of criteria to make sure we can accommodate the current security threat model. As with any company, we can't measure what we don't know, like a data leak that we haven't discovered yet. We do employ data loss protection (DLP) and have ways to measure the usage and metrics of the tools. As the DLP footprint expands and the technology matures, we'll be able to see more areas where we might have employee behaviors that increase our risk of data leakage. Using these tools we can expose that to the user so they can utilize a more secure way of managing or sharing the data. We have found, similar to the industry, that most data loss comes from human error, not human maliciousness.

All in all, effectiveness depends on vigilance and constant improvement to the process. Intel IT security has to be flexible and adaptive without sacrificing security, and that's where Defense in Depth and our awareness campaigns really strengthen Intel's ability to protect its data. It's a give-and-take between Intel IT, legal, business units, and our end users. At Intel we balance this give-and-take relationship through our Security and Privacy Office, which is led by our CSO, who has a reporting relationship independent of IT, legal, and the business units. This keeps the setting of corporate policies and risk tolerances focused on the needs of the corporation and provides an effective escalation point to manage conflicts and enable quick decision-making.
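Two points in the interview lend themselves to a concrete illustration: the classification labels embedded at creation that let Intel IT detect non-compliance, and the DLP usage metrics used to measure the program. The following is an added example, not code from the article or from Intel: a minimal outbound check that reads a document's embedded label, compares it against a per-destination ceiling, and aggregates the verdicts into the kind of counts a DLP program would report on. The four level names, the "Classification:" label format, the destination classes, the ceilings and the sample documents are all constructed assumptions; the page does not describe Intel's actual labels or policy.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed four-level scheme, least to most sensitive. The interview only says the
# scheme was refined to four levels running from "publicly available" to "most
# valuable"; these names and the rest of the policy below are assumptions.
LEVELS = ["Public", "Internal", "Confidential", "Restricted"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Most sensitive level each destination class may receive (constructed policy).
DESTINATION_CEILING = {
    "internal": "Restricted",   # inside the corporate boundary
    "partner": "Confidential",  # contracted external collaborator
    "external": "Public",       # anyone else, e.g. personal webmail or a public share
}

# The label embedded at creation time. A "Classification: <level>" line is a
# constructed format; the real labels are not described on the page.
LABEL_RE = re.compile(
    r"^\s*Classification:\s*(Public|Internal|Confidential|Restricted)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


@dataclass(frozen=True)
class Finding:
    doc_id: str
    label: str        # extracted level, or "Unlabeled"
    destination: str
    verdict: str      # "allow", "block" or "review"
    reason: str


def extract_label(text: str) -> Optional[str]:
    """Return the embedded classification level in canonical spelling, or None."""
    match = LABEL_RE.search(text)
    return match.group(1).capitalize() if match else None


def evaluate(doc_id: str, text: str, destination: str) -> Finding:
    """Compare a document's embedded label against the ceiling for its destination."""
    label = extract_label(text)
    if destination not in DESTINATION_CEILING:
        return Finding(doc_id, label or "Unlabeled", destination,
                       "block", "destination not in policy")
    if label is None:
        # Classification is supposed to happen at creation, so a missing label is
        # itself a compliance gap: route it to a human rather than silently passing it.
        return Finding(doc_id, "Unlabeled", destination, "review",
                       "no classification label found")
    ceiling = DESTINATION_CEILING[destination]
    if RANK[label] > RANK[ceiling]:
        return Finding(doc_id, label, destination, "block",
                       f"{label} exceeds the {ceiling} ceiling for {destination}")
    return Finding(doc_id, label, destination, "allow", "within policy")


def summarize(findings: List[Finding]) -> dict:
    """Count findings by (verdict, label): the kind of metric a DLP program reports on."""
    return dict(Counter((f.verdict, f.label) for f in findings))


# Constructed sample of outbound transfers: (document id, document text, destination class).
SAMPLE_EVENTS: List[Tuple[str, str, str]] = [
    ("doc-1", "Classification: Public\nQ3 press release draft", "external"),
    ("doc-2", "Classification: Restricted\nUnreleased roadmap", "external"),
    ("doc-3", "classification: confidential\nSupplier pricing", "partner"),
    ("doc-4", "Meeting notes, no label applied", "partner"),
    ("doc-5", "Classification: Restricted\nBoard minutes", "internal"),
]


def run_sample() -> Tuple[List[Finding], dict]:
    """Evaluate every sample event and return the findings plus aggregate counts."""
    findings = [evaluate(doc_id, text, dest) for doc_id, text, dest in SAMPLE_EVENTS]
    return findings, summarize(findings)


if __name__ == "__main__":
    results, metrics = run_sample()
    for f in results:
        print(f"{f.doc_id:6} {f.label:12} -> {f.destination:9} {f.verdict:6} ({f.reason})")
    print(metrics)
```

The one design decision worth noting is that an unlabeled document is routed to review rather than allowed: the interview makes the point that labeling happens at creation and that most loss is human error, so a missing label is the signal the program most wants to surface to the user, not a reason to wave the transfer through. The aggregated counts are what lets the program see, over time, which behaviors and which labels account for its risk.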

If you'd like to learn more detail about Intel's approach to protecting data, I encourage you to go to the IT@Intel: Enterprise Security website to find helpful blogs and whitepapers about how IT@Intel deals with a number of security issues. Or, you can provide your specific questions and comments here and I'll be happy to respond.

Follow me on Twitter: @TomQuillin

Tom Quillin is the Director of Cyber Security for Technologies and Initiatives at Intel Corp. He is responsible for identifying security risks, as well as contributing to product planning that addresses future security challenges. He also manages Intel's policy positions on ...

4/15/2014 | 7:25:53 AM
Data Protection
Great article, and it underscores the complexities of data protection and the various elements and types of data. Creating a philosophy based on awareness and accountability seems to be quite effective. "Awareness" in that organizations know the types of data they have, how it needs to be protected, the classification level for that data, etc. "Accountability" in that there are severe repercussions if such data is compromised, both for the data itself, and the employee(s) responsible. And much of this comes back to basic, sound security awareness and training for all employees. The more knowledgeable an employee is, the better prepared they are for helping ensure the safety and security of data.