Dark Reading is part of the Informa Tech Division of Informa PLC

Guest Blog // Selected Security Content Provided By Intel
04:11 PM
Tom Quillin
Identifying and Protecting Sensitive Data

You already know the story: enterprises need strong security to keep their secrets secret, but data protection is a tough beast to tame. There are countless variables to consider, and different data types require different treatment. Add the constant x factor of human unpredictability and you have a potentially feral pack of valuable data, complexity, and fallibility.

How does Intel, a global enterprise with a lot of data to protect, overcome these challenges? I recently sat down with Chris Sellers, Intel's general manager of IT Information Security, to learn how Intel deals with data protection: not just the measures they use to keep information safe, but the philosophy, people, processes, and technology behind the measures.

Intel's security relies on data classification, education and training, and close observation of the metrics.

Tom Quillin (TQ): What is Intel's formula for successful data protection?

Chris Sellers (CS): Within Intel, we realized that data protection effectiveness could be improved if we classified the different types of information we had, ranging from "most valuable" to "publicly available." We brought our IT security, business units, and legal teams to the table to discuss how to label the data, and they came up with five classifications to start with. Once we had these classifications we started instituting policies and guidelines that would protect different kinds of information based on its classification.

TQ: Quite a bit has changed in the past 9 years. What challenges, obstacles, or risks have you seen since you initially developed these classifications, and how are you dealing with them?

CS: There have been some challenges, of course. Moving targets are hard to hit and new risks are constantly emerging with the increased use of social media and mobile technologies, so we had to make sure that our policies and guidelines could account for that. Though we had technology solutions in mind, we had to think about the role that the employee plays in data protection also. We launched an ambitious awareness and training program to get employees to understand the data classifications – which we refined to four levels. Users need to know how they affect the system, the business, and they need to know how they can comply with policies to help protect data and the computing environment.

We found that it's absolutely necessary to take a proactive approach. Intel IT helps business units conduct collaborative risk assessments to show where improvement is needed. Then we work with the business units to highlight tools, processes, and training awareness that help users prevent data loss.

TQ: What are some of the specifics of your awareness campaign approach?

CS: First, we created an IT Awareness Team to execute marketing campaigns to communicate and train Intel employees. We use an internal website to post security-conscious messages from Intel executives and the CSO and CIO. The site is localized, so Intel employees can read relevant content no matter where they are or what language they speak. We also use external advisers to measure and track the effectiveness of our awareness campaigns.

TQ: What did Intel learn along the way through this education and awareness process?

CS: Users are smart and resourceful. As with any security measure that requires the user to support, if it is too hard to use the effectiveness decreases as users will find a way to do their job, even if it means circumventing approved tools and processes. Intel fosters a culture of openness and inclusiveness, which means giving employees the tools they need to do their jobs. However, these tools need to have a positive user experience and add value to the end user (in ease to accomplish their goal, or quick ability to share information securely, etc.). Then, it's a matter of educating users to be aware of the impact they can have on company security and to ensure that policies, processes, and tools are easy to remember and use.

Tom Quillin (TQ): Chris, tell me a little more about data classification and how Intel manages the complexity of that task.

Chris Sellers (CS): In general, Intel labels data and content at creation and these labels provide the expectations about how that data should and will be handled. We factor in the data's status--is it at rest, in transit, or in use? We look at access: who has it and are they inside or outside Intel's firewalls? And, finally, we account for the document's own lifecycle, whether it's a draft, published, archived, or in its last days. The labels serve another purpose, too. They're basically embedded key words that allow Intel IT the ability to help detect non-compliance and help prevent data leakage. This capability is important since the physical boundaries of our organization have been blurred by ever-increasing utilization of the cloud and ever growing collaboration needs.

Intel IT basically serves as the custodian of the data, but it's up to individual business units to apply classifications to the information. This is where we have to focus on education and awareness to ensure that data is properly classified. Classifying content is a largely manual endeavor, though we're working towards automating the process as much as possible as the tools in the market become more mature and capable.

TQ: As you highlight with Intel's use of the cloud, Chris, an organization's perimeters are not what they used to be. How do you track where the data's located and how do you keep it secure?

CS: Yes, corporate boundaries are rapidly changing with the emergence of the cloud and ever increasing external collaboration, so we employ a strategy, called "Defense in Depth" or D.I.D, to factor in all the variables needed to create multi-layered security. D.I.D factors in the type and maturity of technology, the level of sensitivity, the type of content, and the different types of access and control that are applied to different types of data. Then, we have to protect the data at the source, so where applicable we add embedded encryption and access-rights protection. The more sensitive the information, the more control layers in place to protect it.

TQ: How does Intel measure the effectiveness of its data protection approach?

CS: We evaluate a diverse set of criteria to make sure we can accommodate the current security threat model. As with any company, we can't measure what we don't know--like a data leak that we haven't discovered yet. We do employ data loss protection (DLP) and have ways to measure the usage and metrics of the tools. As the DLP footprint expands and the technology matures, we'll be able to see more areas where we might have employee behaviors that increase our risk of data leakage. Using these tools we can expose that to the user so they can utilize a more secure way of managing or sharing the data. We have found, similar to the industry, that most data loss comes from human error, not human maliciousness.

All in all, effectiveness depends on vigilance and constant improvement to the process. Intel IT security has to be flexible and adaptive without sacrificing security--and that's where Defense in Depth and our awareness campaigns really strengthen Intel's ability to protect its data. It's a give-and-take between Intel IT, legal, business units, and our end users. At Intel we balance this give-and-take relationship through our Security and Privacy Office, which is led by our CSO who has an independent reporting relationship from IT, legal, or the business units. This facilitates the setting of corporate policies and risk tolerances to be focused on the need of the corporation and provides an effective escalation point to manage conflicts and enable quick decision-making.

If you'd like to learn more detail about Intel's approach to protecting data, I encourage you to go to the IT@Intel: Enterprise Security website to find helpful blogs and whitepapers about how IT@Intel deals with a number of security issues. Or, you can provide your specific questions and comments here and I'll be happy to respond.

Follow me on Twitter: @TomQuillin

Tom Quillin is the Director of Cyber Security for Technologies and Initiatives at Intel Corp. He is responsible for identifying security risks, as well as contributing to product planning that addresses future security challenges. He also manages Intel's policy positions on ...

4/15/2014 | 7:25:53 AM
Data Protection
Great article, and it underscores the complexities of data protection and the various elements and types of data.  Creating a philosophy based on awareness and accountability seems to be quite effective. "Awareness" in that organizations know the types of data they have, how it needs to be protected, the classification level for that data, etc.  "Accountability" in that there are severe repercussions if such data is compromised, both for the data itself, and the employee(s) responsible. And much of this comes back to basic, sound security awareness and training for all employees. The more knowledgeable an employee is, the better prepared they are for helping ensure the safety and security of data. 