SafeNet


While RSA Conference 2015 is now a thing of the past, it’s important not to lose sight of the key takeaways from the event and the action items they can inspire. Whether you were at the show or not, I think every IT decision maker and security professional will find the below assets useful as they speak to what we need to recognize: the rapid change of data hosting and how and where that data is accessed has made a “business as usual” outlook on security too dangerous to tolerate.

Why Saying YES is Changing Information Security – Podcast with Tsion Gonen

In his podcast recorded by Help Net Security at RSA this year, Tsion Gonen, Chief Strategy Officer at Gemalto, reviews how the data security changes in the last 5 years have led the industry to where it is today.

“One of the first things that changed for us, for example, as a vendor on the security side is you don’t have to scare anyone anymore. Now that is a huge change. … People that have been in the security industry on the vendor side have been very busy scaring people. This thing can happen, and this thing can happen. You have to buy my thing; otherwise, something bad can happen,” Tsion says to open the podcast.

“I think that the people that are still scaring people, trying to scare people, are totally wasting their time. They’re living five years ago. You don’t need to scare anyone. They’re already totally scared. They’re probably confused about how did they get to that point, because they’ve actually been investing in security. They’ve been putting money into firewalls, IDSs, next-generation firewalls, super next-generation firewalls, but still obviously it’s not working. Their job is on the line. And people are still trying to scare them. I think it’s a waste of time. Honestly, walking through the RSA show, where we are right now, you’re still seeing scaring being done. Such a waste. …What people are really into is trying to understand why is this happening, what’s different now, and what can I do about it.”

Listen to the full podcast at net-security.org to hear all of Tsion’s candid and insightful talk about where the infosec industry is today, how it got there, and where it’s going.


Whose Cloud is It Anyway? – Video with David Etue + Slides

In a new video, journalist Ericka Chickowski speaks with David Etue, VP of Corporate Development Strategy, Identity & Data Protection, Gemalto, about his session “Whose Cloud Is It Anyway? Exploring Data Security, Ownership and Control” from RSA Conference 2015 in San Francisco.

“[The] cloud is fundamentally changing how we manage IT, and in some very, very good ways. And security has to change with that,” David explains. “And we look at how we’re traditionally spending in security, our spending is very network, host security centric. We look at how we consume cloud and manage cloud, those controls don’t transfer well. The big message is we need to step back and look at what is our long term security strategy… how do we apply security controls to protect our data in these new environments as the infrastructure changes?”

Check out the video to hear David’s insights on the best way of approaching data security in the cloud. Plus, the SlideShare presentation below presents the slides from his original presentation.


4 Stages of Breach Trauma

Breaches happen; of course they do. Over the years I have seen organizations suffer both internal and external attacks – from naive misuse of computer systems or contraventions of what constitutes acceptable use, right up to fully fledged attempts at data hacking, fraud or extortion.

Sometimes CIOs respond quickly and effectively, accepting responsibility and taking immediate steps to ensure the lightning doesn’t strike twice. Equally they, and their executive peers, can follow a version of the four stages of trauma before acting. That is, moving from denial to anger, and then bargaining before reaching a level of acceptance.

They’re not denying a breach has happened of course. What I often see, however, are organizations acting (or trying to act) as if there was nothing more to be done. “We had preventative measures in place. Could have happened to anyone,” is often the attitude. The answer is that not every breach can be prevented, particularly given how complex IT has become.

When the dust fails to settle, the anger sets in. A realization that the knock-on effects are going to be more profound than expected — that regulators (or indeed, customers) need to be informed, that disciplinary action really does need to be taken, that worst of all, money has been lost or needs to be spent. Such realities start to focus the corporate consciousness.

At this point, many conversations turn to bargaining — in a nutshell, “How much will it cost to put things right?” Questions about whether the scenario could have been avoided turn to proposals for improvements: these sometimes involve security products but equally aim at softer targets, such as funding for better operator training for administrators or improving staff awareness.

Acceptance can quickly follow. For security professionals a common scenario is for budget to become magically available in a matter of days or weeks following a security incident. While this is frustrating, it can also result in a feeling of blessed relief from the security team, as a much-needed capability finally gains the attention it deserves.

Does this sound familiar at all? The bottom line is, CIOs need to accept their company will be breached and shift their security strategy from ‘breach prevention’ to ‘breach acceptance’. This means deploying mechanisms and procedures to deal with the consequences of breaches as well as pre-emptive measures — for example by securing the data itself, whether it’s in the cloud, virtual, hybrid or mobile environments, rather than relying on access mechanisms.

In the meantime a broader, corporate attitude of responsiveness goes a long way towards keeping risks in check and reducing the potential for damage. This may be vested in an individual such as a CSO or security manager, but sharing such a perspective across the executive team is the best way to prevent the stages of breach trauma from getting in the way of an appropriate response.

For more about the breach acceptance stage and how to prepare for a breach, check out securethebreach.com.


Keep Calm and Change Your Mindset

If there is one thing we can take away from this year’s RSA Conference it’s this: We do not have a technology problem, we have a mindset problem.

There are plenty of very good security technologies available today, and walking around the RSA Conference show floor you really got a sense of the sheer volume of vendors in the security industry. The problem is that most of them offer pretty much the same thing and are primarily focused on one aspect of data security: the perimeter. Unfortunately, the way we are accessing, creating, consuming and managing data and information has made this approach totally obsolete, and the hackers know it.

Every company has a Plan A for how to stop cyber criminals from getting into the network and stealing data.  Build a wall around the data with next generation super-duper firewalls, throw in some AV and IDS, and sprinkle it all with some SIEM.  It is a plan that has not changed much in the past 10 years.  But even with newer APT and UTM security technologies, the bad guys continue to win.  In fact, the problem is only getting worse because when it comes to data security, Plan A is often the only plan companies have.

What is really needed is a Plan B for when Plan A fails. That way, there is a backup plan to contain the damage once hackers get past the perimeter defenses. Today’s security professionals must shift from a mindset focused on breach prevention to one that accepts that breaches are inevitable, and focus more on placing security controls closer to the data itself, with encryption, and closer to the individuals accessing the data, with stronger user authentication and identity management controls. At Gemalto, we call this Secure the Breach, and it is a message we have been promoting for several years.

We recently released the results of our Data Security Confidence Index, which confirm there is a need for a mindset change. According to the results, while 87% of IT security professionals feel their perimeter security is effective at keeping out security threats, 34% are not confident in the security of their data should a breach occur and 33% think unauthorized users are still able to access their networks. Obviously there is a very, very big gap between the perceived effectiveness of perimeter security and the reality of what is actually happening.

No vendor can claim to offer the silver bullet to stopping data breaches, and any company that does is not being honest to itself or its customers.  The biggest challenge is not technology; it is how we approach data security by putting all of our eggs in one basket. There are of course other challenges, such as having the right expertise and resources, but the most important thing is to approach this problem with a new mindset by having a Plan B.

If you need help building a Plan B, contact us, check out securethebreach.com, and/or tweet us via @SafeNetInc using #PlanB. Good luck, and see you next year at RSA.

Encryption Games Presentation at RSA


If you missed our experts’ sessions and SafeNet and Gemalto booth activities, check out this new batch of tweets capturing great moments from RSA Conference 2015.

You can see everything we’re doing throughout the show by following us on Twitter. Also check us out on Periscope, Twitter’s new live streaming app, to watch some RSA highlights in real time.

Check out RSA Conference 2015 in Tweets – Part 1 to see more.


We’ve already had a great time at the SafeNet and Gemalto booth at the 2015 RSA Conference in San Francisco. Check out some of our favorite tweets/photos from the event (so far) below, showing the presentations, info-tainment, SafeGame and other can’t-miss booth activities.
