Vulnerabilities / Threats
Guest Blog // Selected Security Content Provided By Intel
1/31/2014 04:11 PM
Tom Quillin
Guest Blogs

Identifying and Protecting Sensitive Data

You already know the story: enterprises need strong security to keep their secrets secret, but data protection is a tough beast to tame. There are countless variables to consider, and different data types require different treatment. Add the constant x factor of human unpredictability and you have a potentially feral pack of valuable data, complexity, and fallibility.

How does Intel, a global enterprise with a lot of data to protect, overcome these challenges? I recently sat down with Chris Sellers, Intel's general manager of IT Information Security, to learn how Intel deals with data protection: not just the measures they use to keep information safe, but the philosophy, people, processes, and technology behind those measures.

Intel's security relies on data classification, education and training, and close attention to the metrics.

Tom Quillin (TQ): What is Intel's formula for successful data protection?

Chris Sellers (CS): Within Intel, we realized that data protection effectiveness could be improved if we classified the different types of information we had, ranging from "most valuable" to "publicly available." We brought our IT security, business units, and legal teams to the table to discuss how to label the data, and they came up with five classifications to start with. Once we had these classifications we started instituting policies and guidelines that would protect different kinds of information based on its classification.

TQ: Quite a bit has changed in the past 9 years. What challenges, obstacles, or risks have you seen since you initially developed these classifications, and how are you dealing with them?

CS: There have been some challenges, of course. Moving targets are hard to hit and new risks are constantly emerging with the increased use of social media and mobile technologies, so we had to make sure that our policies and guidelines could account for that. Though we had technology solutions in mind, we had to think about the role that the employee plays in data protection also. We launched an ambitious awareness and training program to get employees to understand the data classifications, which we refined to four levels. Users need to know how they affect the system and the business, and they need to know how they can comply with policies to help protect data and the computing environment.

We found that it's absolutely necessary to take a proactive approach. Intel IT helps business units conduct collaborative risk assessments to show where improvement is needed. Then we work with the business units to highlight tools, processes, and training awareness that help users prevent data loss.

TQ: What are some of the specifics of your awareness campaign approach?

CS: First, we created an IT Awareness Team to execute marketing campaigns to communicate and train Intel employees. We use an internal website to post security-conscious messages from Intel executives and the CSO and CIO. The site is localized, so Intel employees can read relevant content no matter where they are or what language they speak. We also use external advisers to measure and track the effectiveness of our awareness campaigns.

TQ: What did Intel learn along the way through this education and awareness process?

CS: Users are smart and resourceful. As with any security measure that requires the user's support, if it is too hard to use, effectiveness decreases, as users will find a way to do their job, even if it means circumventing approved tools and processes. Intel fosters a culture of openness and inclusiveness, which means giving employees the tools they need to do their jobs. However, these tools need to have a positive user experience and add value to the end user (in ease of accomplishing their goal, or the ability to quickly share information securely, etc.). Then, it's a matter of educating users to be aware of the impact they can have on company security and of ensuring that policies, processes, and tools are easy to remember and use.

Tom Quillin (TQ): Chris, tell me a little more about data classification and how Intel manages the complexity of that task.

Chris Sellers (CS): In general, Intel labels data and content at creation, and these labels provide the expectations about how that data should and will be handled. We factor in the data's status: is it at rest, in transit, or in use? We look at access: who has it, and are they inside or outside Intel's firewalls? And, finally, we account for the document's own lifecycle, whether it's a draft, published, archived, or in its last days. The labels serve another purpose, too. They're basically embedded key words that allow Intel IT to help detect non-compliance and help prevent data leakage. This capability is important since the physical boundaries of our organization have been blurred by ever-increasing utilization of the cloud and ever-growing collaboration needs.

Intel IT basically serves as the custodian of the data, but it's up to individual business units to apply classifications to the information. This is where we have to focus on education and awareness to ensure that data is properly classified. Classifying content is a largely manual endeavor, though we're working towards automating the process as much as possible as the tools in the market become more mature and capable.

TQ: As you highlight with Intel's use of the cloud, Chris, an organization's perimeters are not what they used to be. How do you track where the data's located, and how do you keep it secure?

CS: Yes, corporate boundaries are rapidly changing with the emergence of the cloud and ever-increasing external collaboration, so we employ a strategy, called "Defense in Depth" or D.I.D, to factor in all the variables needed to create multi-layered security. D.I.D factors in the type and maturity of technology, the level of sensitivity, the type of content, and the different types of access and control that are applied to different types of data. Then, we have to protect the data at the source, so where applicable we add embedded encryption and access-rights protection. The more sensitive the information, the more control layers are in place to protect it.

TQ: How does Intel measure the effectiveness of its data protection approach?

CS: We evaluate a diverse set of criteria to make sure we can accommodate the current security threat model. As with any company, we can't measure what we don't know, like a data leak that we haven't discovered yet. We do employ data loss protection (DLP) and have ways to measure the usage and metrics of the tools. As the DLP footprint expands and the technology matures, we'll be able to see more areas where we might have employee behaviors that increase our risk of data leakage. Using these tools we can expose that to the user so they can utilize a more secure way of managing or sharing the data. We have found, similar to the industry, that most data loss comes from human error, not human maliciousness.

All in all, effectiveness depends on vigilance and constant improvement to the process. Intel IT security has to be flexible and adaptive without sacrificing security, and that's where Defense in Depth and our awareness campaigns really strengthen Intel's ability to protect its data. It's a give-and-take between Intel IT, legal, business units, and our end users. At Intel we balance this give-and-take relationship through our Security and Privacy Office, which is led by our CSO, who has an independent reporting relationship from IT, legal, or the business units. This allows corporate policies and risk tolerances to be set with a focus on the needs of the corporation, and provides an effective escalation point to manage conflicts and enable quick decision-making.

If you'd like to learn more detail about Intel's approach to protecting data, I encourage you to go to the IT@Intel: Enterprise Security website to find helpful blogs and whitepapers about how IT@Intel deals with a number of security issues. Or, you can provide your specific questions and comments here and I'll be happy to respond.

Follow me on Twitter: @TomQuillin

Tom Quillin is the Director of Cyber Security for Technologies and Initiatives at Intel Corp. He is responsible for identifying security risks, as well as contributing to product planning that addresses future security challenges. He also manages Intel's policy positions on ...

Comments
gosmartyjones
User Rank: Apprentice
4/15/2014 | 7:25:53 AM
Data Protection
Great article, and it underscores the complexities of data protection and the various elements and types of data. Creating a philosophy based on awareness and accountability seems to be quite effective. "Awareness" in that organizations know the types of data they have, how it needs to be protected, the classification level for that data, etc. "Accountability" in that there are severe repercussions if such data is compromised, both for the data itself, and the employee(s) responsible. And much of this comes back to basic, sound security awareness and training for all employees. The more knowledgeable an employee is, the better prepared they are for helping ensure the safety and security of data.