The Challenge of Cooperation

Over the weekend, three stories crossed my desk that got me thinking about the challenge that Art Coviello issued to the security industry in his RSA Conference 2012 keynote: to forge a “collective resolve” to stand together against “a host of adversaries who threaten our very trust in the world’s digital economy”. The first of [...]

Protecting IP with RSA DLP Policy Workflow Manager

Whether it’s data that’s governed by regulations or vital to a company’s competitive advantage, every organization has information it would like to protect from outsiders. One logical place to start when looking to protect this information is with a Data Loss Prevention (DLP) tool. But what many companies struggle with is how to figure out what information is sensitive for different groups and how it should be handled. Everyone knows that there is highly sensitive data across the organization that needs to be protected, but how do business managers let the IT security team know what specific data needs to be protected?

Built-In Data Discovery and Classification = “Awesomesauce”

In case you missed it last week, VMware announced their latest version of vShield App with Data Security, which has RSA’s DLP technology embedded to help discover and classify sensitive data in virtual machines. One of the key points here is that data discovery and classification capabilities are now built in to the virtual infrastructure, making the virtual infrastructure content-aware for the first time. So you may ask: what’s the big deal about being built-in instead of bolted-on?

Top-to-Bottom, Side-to-side

I’ll start with the bottom line: for eGRC to work it has to be true at all human and system levels of abstraction in an organization, and it must have common elements across all functions in a company. With the release of the most recent study by the Ponemon Institute (with EMC), there are some clear pointers to the need for more strategic and, frankly, systemic mechanisms for managing enterprise governance, risk and compliance. Let’s cover a few ideas before coming back to those.

Planes, Trains and Nuclear Power Plants: Managing Risk in the Modern World

The first principle I think is important to convey is that complexity and scale are inherent in many of the systems we build, and they carry with them risk that grows with size, complexity and scope. In fact, many systems grow to such an extent that they rapidly outstrip the initial design considerations, as is evidenced by obvious examples like Y2K and the need for IPv6.

Asset Acuity: Let’s Talk About Dimensions

There has been a great deal of talk about making business processes more transparent. While I think gaining visibility across complex business operations or complicated IT infrastructures is a very important concept, I think there is another concept that is just as important yet is sometimes overlooked. When it comes to truly seeing something for what it is, the dimensions of an object allow us to more clearly define it.

GRC and Trust in the Cloud: The Right Tools for the Right Jobs

It’s been a year now, or a little more, since To The Heart of the Matter, and this year we’re stepping up the governance, risk and compliance (GRC) stakes in a big way with a new EMC/RSA initiative around enterprise GRC. At the same time, the race to the cloud continues, so it’s time to look at enterprise GRC anew for 2011, in the context of Trust and in the context of the Cloud. Before we dive into that subject, though, let’s start with a little more on tools and tasks by looking at innovation in historical Japan.

Cost to Break: Authentication…Express

RSA announced the availability of Authentication Manager Express. This is a breakthrough for SMBs for simplicity, affordability and efficiency. Get the results with an optimal use of resources and little to no overkill*.

Closing the loop on security intelligence

In any system, the feedback loop is essential to governing the process, whether that’s done through manual inspection or automated feeds. In security, the SIEM performs this essential role of collecting and correlating information on what is happening across the security controls. Building out the set of collection points and strengthening the correlation across those elements to deliver real intelligence about the system is key to an effective SIEM in particular and to security management in general.

Insuring and Ensuring Information Security

Earlier this Fall, I was a panelist on a CFO Magazine webcast on “Data Security and Liability”. One of my colleagues on that panel, David Allred from Zurich Technology Insurance Services, remarked towards the end of the webcast that over the next 10 years, insurance policies against liabilities and losses resulting from a data breach will become as common as fire and other standard insurance offerings. That got me to thinking about the complementary and conflicting roles of insuring and ensuring against data breaches.