Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Guest Blog // Selected Security Content Provided By Intel
What's This?
04:11 PM
Tom Quillin
Tom Quillin
Guest Blogs
Connect Directly

Identifying and Protecting Sensitive Data

You already know the story: enterprises need strong security to keep their secrets secret, but data protection is a tough beast to tame. There are countless variables to consider, and different data types require different treatment. Add the constant x factor of human unpredictability and you have a potentially feral pack of valuable data, complexity, and fallibility.

You already know the story: enterprises need strong security to keep their secrets secret, but data protection is a tough beast to tame. There are countless variables to consider, and different data types require different treatment. Add the constant x factor of human unpredictability and you have a potentially feral pack of valuable data, complexity, and fallibility.

How does Intel, a global enterprise with a lot of data to protect, overcome these challenges? I recently sat down with Chris Sellers, Intel's general manager of IT Information Security to learn how Intel deals with data protection. Not just the measures they use to keep information safe, but the philosophy, people, processes, and technology behind the measures.

Intel's security relies on data classification, education and training, and close observation to the metrics.

Tom Quillin (TQ): What is Intel's formula for successful data protection?

Chris Sellers (CS):Within Intel, we realized that data protection effectiveness could be improved if we classified the different types of information we had, ranging from "most valuable" to "publicly available." We brought our IT security, business units, and legal teams to the table to discuss how to label the data, and they came up with five classifications to start with. Once we had these classifications we started instituting policies and guidelines that would protect different kinds of information based on its classification.

TQ: Quite a bit has changed in the past 9 years, what challenges, obstacles or risks have you seen since you initially developed these classifications, and how are you dealing with them?

CS:There have been some challenges, of course. Moving targets are hard to hit and new risks are constantly emerging with the increased use of social media and mobile technologies, so we had to make sure that our policies and guidelines could account for that. Though we had technology solutions in mind, we had to think about the role that the employee plays in data protection also. We launched an ambitious awareness and training program to get employees to understand the data classifications – which we refined to four levels. Users need to know how they affect the system, the business, and they need to know how they can comply with policies to help protect data and the computing environment.

We found that it's absolutely necessary to take a proactive approach. Intel IT helps business units conduct collaborative risk assessments to show where improvement is needed. Then we work with the business units to highlight tools, processes, and training awareness that help users prevent data loss.

TQ: What are some of the specifics of your awareness campaign approach?

CS: First, we created an IT Awareness Team to execute marketing campaigns to communicate and train Intel employees. We use an internal website to post security-conscious messages from Intel executives and the CSO and CIO. The site is localized, so Intel employees can read relevant content no matter where they are or what language they speak. We also use external advisers to measure and track the effectiveness of our awareness campaigns.

TQ: What did Intel learn along the way through this education and awareness process?

CS: Users are smart and resourceful. As with any security measure that require the user to support, if it is too hard to use the effectiveness decreases as users will find a way to do their job, even if it means circumventing approved tools and processes. Intel fosters a culture of openness and inclusiveness, which means giving employees the tools they need to do their jobs. However these tools need to have a positive user experience and add value to the end user (in ease to accomplish their goal, or quick ability to share information securely, etc.). Then, it's a matter of educating users to be aware of the impact they can have on company security and to ensure that policies, processes, and tools are easy to remember and use.

Tom Quillin (TQ): Chris, tell me a little more about data classification and how Intel manages the complexity of that task.

Chris Sellers (CS):In general, Intel labels data and content at creation and these labels provide the expectations about how that data should and will be handled. We factor in the data's status--is it at rest, in transit, or in use? We look at access: who has it and are they inside or outside Intel's firewalls? And, finally, we account for the document's own lifecycle, whether it's a draft, published, archived, or in its last days. The labels serve another purpose, too. They're basically embedded key words that allow Intel IT the ability to help detect non-compliance and help prevent data leakage. This capability is important since the physical boundaries of our organization have been blurred by ever-increasing utilization of the cloud and ever growing collaboration needs.

Intel IT basically serves as the custodian of the data, but it's up to individual business units to apply classifications to the information. This is where we have to focus on education and awareness to ensure that data is properly classified. Classifying content is a largely manual endeavor, though we're working towards automating the process as much as possible as the tools in the market become more mature and capable.

TQ: As you highlight with Intel's use of the cloud, Chris, an organization's perimeters are not what they use to be. How do you track where the data's located and how do you keep it secure?

CS:Yes, corporate boundaries are rapidly changing with the emergence of the cloud and ever increasing external collaboration, so we employ a strategy, called "Defense in Depth" or D.I.D, to factor in all the variables needed to create multi-layered security. D.I.D factors in the type and maturity of technology, the level of sensitivity, the type of content, and the different types of access and control that are applied to different types of data. Then, we have to protect the data at the source, so where applicable we add embedded encryption and access-rights protection. The more sensitive the information, the more control layers in place to protect it.

TQ: How does Intel measure the effectiveness of its data protection approach?

CS:We evaluate a diverse set of criteria to make sure we can accommodate the current security threat model. As with any company, we can't measure what we don't know--like a data leak that we haven't discovered yet. We do employ data loss protection (DLP) and have ways to measure the usage and metrics of the tools. As the DLP footprint expands and the technology matures, we'll be able to see more areas where we might have employee behaviors that increase our risk of data leakage. Using these tools we can expose that to the user so they can utilize a more secure way of managing or sharing the data. We have found, similar to the industry, which most data loss comes from human error, not human maliciousness.

All in all, effectiveness depends on vigilance and constant improvement to the process. Intel IT security has to be flexible and adaptive without sacrificing security--and that's where Defense in Depth and our awareness campaigns really strengthen Intel's ability to protect its data. It's a give-and-take between Intel IT, legal, business units, and our end users. At Intel we balance this give-and-take relationship through our Security and Privacy Office, which is led by our CSO who has an independent reporting relationship from IT, legal, or the business units. This facilitates the setting of corporate policies and risk tolerances to be focused on the need of the corporation and provides an effective escalation point to manage conflicts and enable quick decision-making.

If you'd like to learn more detail about Intel's approach to protecting data, I encourage you to go to the [email protected]: Enterprise Security website to find helpful blogs and whitepapers about how [email protected] deals with a number of security issues. Or, you can provide your specific questions and comments here and I'll be happy to respond.

Follow me on Twitter: @TomQuillin

Tom Quillin is the Director of Cyber Security for Technologies and Initiatives at Intel Corp. He is responsible for identifying security risks, as well as contributing to product planning that addresses future security challenges. He also manages Intel's policy positions on ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
4/15/2014 | 7:25:53 AM
Data Protection
Great article, and it underscores the complexities of data protection and the various elements and types of data.  Creating a philosophy based on awareness and accountability seems to be quite effective. "Awareness" in that organizations know the types of data they have, how it needs to be protected, the classification level for that data, etc.  "Accountability" in that there are severe repercussions if such data is compromised, both for the data itself, and the employee(s) responsible. And much of this comes back to basic, sound security awareness and training for all employees. The more knowledgeable an employee is, the better prepared they are for helping ensure the safety and security of data. 
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-08-03
Dell PowerScale OneFS versions 8.1.0-9.1.0 contain an Incorrect User Management vulnerability.under some specific conditions, this can allow the CompAdmin user to elevate privileges and break out of Compliance mode. This is a critical vulnerability and Dell recommends upgrading at the earliest.
PUBLISHED: 2021-08-03
Dell EMC PowerScale OneFS contains an untrusted search path vulnerability. This vulnerability allows a user with (ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE) and (ISI_PRIV_SYS_UPGRADE or ISI_PRIV_AUDIT) to provide an untrusted path which can lead to run resources that are not under the application...
PUBLISHED: 2021-08-03
Dell EMC PowerScale OneFS versions 8.1.2-9.1.0.x contain an Improper Check for Unusual or Exceptional Conditions in its auditing component.This can lead to an authenticated user with low-privileges to trigger a denial of service event.
PUBLISHED: 2021-08-03
Dell PowerScale OneFS versions and earlier contain a denial of service vulnerability. SmartConnect had an error condition that may be triggered to loop, using CPU and potentially preventing other SmartConnect DNS responses.
PUBLISHED: 2021-08-03
Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a Pre-Authorization Arbitrary File Read vulnerability in the /s/ endpoint. The affected versions are before version 7.4.10, and from version 7.5.0 before 7.12.3.