• No results found

Securing Content Management Systems

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Securing Content Management Systems"

Copied!
20
0
0

Loading.... (view fulltext now)

Download now ( 20 Page )

Full text

(1)

Securing Content Management Systems

The Next Frontier in

Data Leakage Prevention

(2)
(3)

Data Leakage/Loss Prevention (DLP)

• Technology, products, or services that prevent sensitive information from being exposed

• Types of DLP Systems:

 Network DLP – Typically installed on network egress points to monitor and enforce (if needed) on traffic leaving a perimeter

 Endpoint DLP - Scanning and enforcement on end-user devices, such as, Laptops, servers, mobile devices, …

 SMTP DLP – Scanning and enforcement on Mail Gateways targeting inbound/outbound mail inspection

(4)

Unstructured Data

• Information that either does not have a pre-defined data model and/or does not fit well into relational tables.

Typically text-heavy, but may contain data such as dates, numbers, and facts as well. (source: Wikipedia)

• Examples: Excel, Power Point, PDF, Open Document Format (ODF), plain text, …

(5)

Content Management Systems (CMS)

• Computer program that allows publishing, editing and modifying content as well as maintenance from a central interface. Such systems of content management provide procedures to manage workflow in a collaborative

environment. (source: Wikipedia)

• Can also be referred to as Data Repositories

• Examples: Wikis, web based file storage (documentation, …), etc…

(6)
(7)

Typical DLP Coverage

Enterprise Content Management Systems

Data repository A Data repository B Data repository C Internet Mail Server Mail Server Organizations Intranet

External facing traffic

e.g. Google search

Endpoint DLP Network DLP

SMTP (mail) DLP

Employees and Applications share files

(8)

Internet

Typical DLP Coverage

Enterprise Content Management Systems

Data repository A Data repository B Data repository C Mail Server Mail Server Organizations Intranet

External facing traffic

e.g. Google search

Endpoint DLP Network DLP

SMTP (mail) DLP

Employees and Applications share files

Is there a problem with this picture?

(9)

Is There Something Still Exposed?

Enterprise Content Management Systems

Data repository A Data repository B Data repository C Internet Mail Server Mail Server Organizations Intranet

External facing traffic

e.g. Google search

Endpoint DLP Network DLP SMTP (mail) DLP Employees and Applications share files Data repositories

(10)

What Would a Hacker or Malicious Person Do?

Enterprise Content Management Systems

Data repository B Data repository C Internet Mail Server Mail Server Organizations Intranet

External facing traffic

e.g. Google search

Endpoint DLP Network DLP SMTP (mail) DLP Employees and Applications share files

Export SPI, Confidential, …

Data repository A

public Private

PII SPI Confidential

(11)

Latest Themes in Data Protection

• Move security closer to data (source: IDC DLP Report 12/2011)

• Involve data owners in DLP Strategy (source: Aberdeen Group 05/2012)

(12)

Properties of Content Management System

• Owner centric – each file has one or more owner(s)

• Each file has Access Controls List (ACL), such as, Public, Private, or Controlled share

• APIs to CRUD file meta data, access controls, and file content (REST, SOAP, …)

(13)
(14)

1. Automated centralized file content scanning/classification

• Multiple scanners per data repository

• Use Data Repository APIs to access data/files SPI PII Confidential Classifiers Data repository A Data repository B Data repository C Enterprise Data Repositories

(15)

2. Engage Content Owners in Violation Remediation

• Engage content owner(s) to handle any content found in violation

e.g. email owner if Business

Sensitive file is found without

Access Controls; avoid IT

security guy chasing them

File Name File

Owner(s)

Classification Access

Controls

MyFile1.ppt Bob Sensitive Public

MyFile2.ppt Alice Sensitive Public

Bob

Jack Judy

manages

(16)

3. Automated Risk Remediation

• There will always be delinquent users

• Let the system close the gap using Data Repository APIs

e.g. public file with violation(s), the system can make it

(17)

The Result

: Secured Content Management Systems

Enterprise Content Management Systems

Data repository B Data repository C Internet Mail Server Mail Server Organizations Intranet

External facing traffic

e.g. Google search

Endpoint DLP Network DLP SMTP (mail) DLP Employees and Applications share files Data repository A public Private PII SPI Confidential Non-sensitive data

(18)

Proper Ways to Secure Unstructured Data Repositories

• Tell employees about data repository scanning and why you are implementing it

• Central content classification to be used for all data repositories

• Automated remediation

• Involving content owners in the remediation process, even as simple as email notification or escalation

• Empower content owner

 Provide violation evidence (e.g. you put “Company Confidential” in this file)

(19)

It is important in social collaborative

environment not to threaten collaborators

(users) and cause them to stop sharing.

A delicate balance between user sharing and

(20)

References

Download now ( PDF - 20 Page - 725.27 KB )

Related documents

Exploring the Costs and Values of the Household Model in Long Term Care

Under the Supervision of Professor Gerald Weisman, Ph.D. and Brian Schermer, Ph.D. As part of the culture change movement in long term care, nursing homes are.. transforming

Magic Quadrant for Endpoint Protection Platforms

It does not provide any data protection capabilities, such as encryption or DLP or port/device control, nor does it provide application control or endpoint management utilities, such

D. Grzetich 6/26/2013. The Problem We Face Today

Data that could highlight the level of access users have to applications and data, and in conjunction with the application logs (usage), DLP (sensitivity of the data), network data

Does substance use during youth cause lasting changes in resting-state neurophysiology and brain functional connectivity? A co-twin control investigation

We examined individual differences in VST functional connectivity related to quantitative measures of alcohol, cannabis, and tobacco use in a community sample of young adults,

Manual (9)

7) To warn the personnel working in GPFSB area about the weekly run test for fire water pumps. 8) To start a fire water pump to pressurize fire water system. For the detail to

Business Software for Retailers

Sage SalesLogix provides a complete account centric CRM solution designed to enable your sales, marketing, customer service and support teams to improve the management of

TELEHEALTH TECHNOLOGY SUPPORT SERVICES

CDW Healthcare can conduct a data loss prevention (DLP) risk assessment to see where a healthcare organization’s data and network are vulnerable, and then install the right

Protecting Regulated Information in Cloud Storage with DLP

An appropriate DLP Discovery solution will include the ability to remediate potentially sensitive data both during and after the discovery scan.  These include: moving files to