Wednesday 27 April 2011: Solutions for effective governance


1 Wednesday 27 April 2011: Solutions for effective governance
Bernard Montel - Technical Director, RSA, the Security Division of EMC

2 The era of the hyper-extended enterprise
Business issues: information explosion; innovation; collaboration; supply chain; extension of identities; the hyper-extended enterprise; customer services; infrastructure evolution; consumerization of IT; increasing regulation; virtualization and cloud computing. Impact: a complex environment in terms of risk, security and compliance.
As part of a “Hyperextended Enterprise,” you are most likely exchanging information with more constituencies in more ways and more places than ever. You are innovating and collaborating -- identifying new markets, developing new products and finding new ways to reach customers -- across a vast array of partners. Your supply chains are becoming more complex and far reaching, with outsourcing being aggressively pursued. If you are like most of our customers, you’re looking for new ways to serve your customers and assimilating new web and communications technologies in the process. And, in doing so, your customers require access to your systems, and you may be storing increasing amounts of sensitive information about your customers within these systems. Consumer technology is taking hold within organizations. End users are now dictating what devices they want to use to do business. How many of you or your users are using iPads in a business situation? And, certainly, virtualization and cloud computing are taking the enterprise by storm, as they may very well be in your organization today. Click: What does all this mean for you sitting here today? It means that the landscape that you operate within every day has changed, with more information to manage and protect than ever before. As a matter of fact, during the last couple of years, during the Great Recession, when virtually every economic indicator went down – housing prices, jobs, wealth, corporate revenue, IT budgets – information grew by 62 percent. We’re now measuring it in zettabytes. You have more identities to manage – not just your employees, but partners, customers and consultants, and many identities are not even people. Physical as well as virtual infrastructure to secure and maintain compliance.
And with the growth in information, identities and infrastructure, we have increasing regulations. Click: All of this is taking place against a backdrop of increasingly sophisticated cybercriminals, which means that you are responsible for managing an extremely complex risk, security and compliance environment.

3 Responding to our customers’ challenges
Manage risks and threats across the whole enterprise. Prove compliance consistently and cost-effectively. Secure access for increased mobility and collaboration. Secure virtualization and cloud computing. Our customers come to RSA primarily to meet four challenges that are aligned with these questions: to help them manage risk and threats throughout the enterprise – or maybe I should say the “hyperextended” enterprise; to prove compliance consistently and affordably; to secure access for increased mobility and collaboration; to secure virtualization and cloud computing. Note: This is an opportunity to engage the customer in dialogue, asking them questions to determine which area is most relevant to why they are meeting with you today. The slide is designed as a menu. If you click on the image associated with each area, you will go directly to that “chapter” in the deck. There will be back buttons on the “Chapter” slides that will allow you to come back to the menu slide so that you can proceed directly to another area of conversation. The “How?” button will take you directly to the How We Do It section of the deck.

4 Responding to our customers’ challenges
Prove compliance consistently and cost-effectively: PCI-DSS, reduce costs, reduce the scope.

5 EMC’s approach to responding to our customers’ challenges
MENU

6 GRC: an analogy with law enforcement
Governance = setting the rules. Risk = making sure the right rules are in place and working. Compliance = measuring the effectiveness of a rule: understanding the process used to define the rule, and understanding whether people fully adhere to the rule. OPTIONAL SLIDE. The GRC-Law Enforcement Analogy: G = setting the rules. Governance establishes who has the authority to make the speed limits and how to communicate the limits (i.e. signs). R = ensuring the correct rules are in place and functioning. Risk involves the process of establishing what the speed limit should actually be, given whether the road is in a residential neighborhood versus an interstate or highway, school zones, egress, ingress, etc. C = measuring the effectiveness of the rule, in two parts: 1.) understanding the process used to define the rule; 2.) understanding how well people adhere to the rule. Compliance involves someone assuring that the speed limit is enforced. Police and camera monitoring equipment at intersections can be used as enforcement methods for compliance with the speed limit. The model then leads back to Governance, as a judge decides the penalties. He will evaluate risk based on whether the traffic violator is a first-time or repeat offender and determine the fine. Additional Information: There are road signs and there are policemen patrolling our roads; one without the other is not a complete or successful situation. The road signs tell drivers what the rules are and give them the knowledge to make decisions and act accordingly. The policemen help ensure that drivers are adhering to those rules. Without signs, policemen are punishing drivers for behavior that they didn’t even know was incorrect. Without policemen, the signs are providing guidance and rules, yet no one is enforcing the rules; therefore no one can be certain that they are being followed. Either situation (no signs or no policemen) results in a potentially chaotic and uncontrollable mess.
However, when both the signs and the police are in place, traffic runs smoothly and as it was designed when the ‘rules’ were created.

7 EMC’s eGRC approach
EMC best practices; EMC consulting/implementation; GRC business solutions; business continuity; information governance; security management; RSA Archer eGRC management platform. EMC’s Four Solution Areas for Building an eGRC Strategy: Leveraging a common management platform, the best-in-industry eGRC content library, EMC’s broad product portfolio and third-party integrations, EMC’s eGRC strategy incorporates four primary solution areas. These solutions enable organizations to break down silos and deliver to senior executives a single view of their organization’s risk and compliance posture. EMC will continue to deliver new content, integrations and business solutions in four key areas. Business Solutions – eGRC Business Solutions enable organizations to build an efficient, collaborative eGRC program across IT, finance, operations and legal domains, gaining visibility into Enterprise Risk Management, Audit Management, Vendor Management, Policy and Compliance Management initiatives. Information Governance – EMC’s Information Governance solutions help customers gain visibility into their information workflows, manage information-based risk, simplify eDiscovery and reduce costs. These capabilities make information governance actionable with modular archiving, file intelligence, eDiscovery and records management solutions designed to address the most pressing pain points and expand over time to support an information governance strategy. Business Continuity & Disaster Recovery – EMC’s Enterprise Business Continuity solutions provide a centralized, automated approach to business continuity and disaster recovery planning, allowing you to respond swiftly in crisis situations to protect your ongoing operations and improve the availability of key business systems.
Advanced Security Management – RSA Advanced Security Management solutions give customers a risk-based view of their physical, virtual and cloud infrastructures, their digital information and the people, devices and systems accessing that information. The security management suite brings together the RSA Archer eGRC Management Platform with core IT operations and security technologies such as security information and event management (SIEM), data loss prevention (DLP) and fraud detection. EMC Consulting Services: Supporting the eGRC strategy, EMC Consulting expanded its services and new offerings to help organizations build and implement sustainable and cost-effective eGRC programs that balance business risk and agility. With worldwide expertise in delivering eGRC strategies, architectures and solutions to more than half of the Global Fortune 500 organizations, EMC Consulting drives business-focused eGRC program design and execution, leveraging its intimate understanding of the EMC and RSA product portfolio. EMC’s Consulting advisory services include eGRC Strategy, Maturity Assessment and Roadmap, as well as eGRC program implementation services for cloud computing, information governance, security management and business continuity.

8 Business continuity and disaster recovery plan
1. IT system outage.
2. Backup sites and network recovery to continue operations at another location and to access the BC/DR plans hosted in Archer.
3. The systems are back online and the application owners start the recovery/test procedures stored in Archer.
4. IT works with the business units to make sure the systems are covered by test plans, and oversees progress.
5. Full recovery of the systems and all tests passed in xx hours.
6. Any revision of the recovery process can be updated and centralized in Archer for future use.

9 RSA Archer: governance, risk and compliance solution for the enterprise
Audit Management: centrally manage the planning, priority, teams and procedures of audits. Policy Management: centrally manage policies and map them to objectives. Business Continuity Management: automate the approach to business continuity and recovery planning. Risk Management: identify the risks to your business and measure them. Threat Management: track threats with a centralized alerting system. Compliance Management: document your control model and assess its effectiveness. Vendor Management: centralize vendor data and ensure compliance with your policies and controls. Enterprise Management: manage the enterprise’s assets. Incident Management: report incidents and ethics violations, manage their escalation, track their investigations and analyze their resolutions.
Solutions Overview: In today’s volatile business environment, organizations must have the right technology at the core of their GRC architecture. Selected by one in four of the Fortune 100 and employed by more than six million users worldwide, Archer Technologies’ flexible, integrated out-of-the-box solutions allow organizations to build a best-in-class enterprise GRC program. Through Archer, businesses can implement consistent, efficient and sustainable processes for managing the lifecycle of corporate policies, analyzing risks and evaluating their compliance profile. Archer delivers nine core enterprise governance, risk and compliance management solutions. All Archer solutions are fully customizable and are built on the BITS-certified Archer SmartSuite Framework, empowering customers to easily adapt Archer’s solutions to their unique and changing requirements or to build new, powerful, easy-to-use global applications. Solutions include: Policy Management, Risk Management, Compliance Management, Enterprise Management, Incident Management, Vendor Management, Threat Management, Business Continuity Management and Audit Management.

10 A flexible approach
Data import: incidents, resources, processes, vulnerability scans. Flexible: the Platform offers a point-and-click interface for building and managing business applications. Non-technical users can automate processes, streamline workflow, control user access, tailor the user interface and report in real time. Unified: RSA provides a common platform to manage policies, controls, risks, assessments and deficiencies across lines of business. This unified approach eases system complexity, strengthens user adoption and reduces training time. Collaborative: the Platform enables cross-functional collaboration and alignment. Business users across IT, finance, operations and legal domains can work together in an integrated framework using common processes and data. A common platform to manage policies, controls, risks, assessments and deficiencies across IT, finance, operations and legal domains and the lines of business. The development process for new applications is reduced from months to weeks or even days. Business users are empowered to tailor RSA Archer eGRC Solutions and create their own applications without relying on IT. RSA’s flexible delivery model lets you deploy applications on-premise or in our software as a service (SaaS) environment. Vendor-neutral integration with source systems allows you to consolidate all information necessary to manage risk and compliance. The Archer eGRC Exchange enables you to download best-practice applications that are ready to deploy in your environment.

11 Compliance and incident management

12 Growing compliance requirements
PCI DSS, ISO, ITIL, COBIT, internal controls and security policy; forecast increase in regulations. Increasing compliance requirements are forcing organizations to look at how they are managing their governance efforts as well. The mindset of many organizations is that they made it through the era of SOX, then met the requirements of PCI. More and more regulations are forcing them to find more efficient ways to manage compliance with multiple regulations and standard frameworks. “We did it for SOX, then for PCI. But I am facing more and more regulations. We need a more efficient way to manage compliance with multiple regulations and standards.”

13 Compliance data is spread across multiple silos
Business impacts: policy exceptions are not tracked and expose the business to risk; compliance reporting is stored in Excel spreadsheets and only represents a single point in time; compliance data is spread across multiple silos; managers struggle to prioritize threats according to their business impact; compliance initiatives are handled as individual projects. With these increasing regulatory demands, businesses often find that: compliance initiatives are tackled individually, as one-off projects; gathering compliance data is very difficult as it is usually scattered across business units or geographies; the organization struggles to prioritize its resources on addressing threats, risks and audit deficiencies based on risk exposure. Transition from Challenges to a Solution: Our customers have come to rely on RSA Archer eGRC Solutions to answer questions through an extensive repository of what’s important to them. It helps put risks, threats, incidents and compliance deficiencies into business context so they can prioritize their response and focus on what’s most significant to the organization.

14 Building your IT-GRC program
Policy Management: centrally manage policies, map them to objectives and roadmaps, and promote awareness of them to encourage a culture of corporate governance. Incident Management: report incidents and ethics violations, manage their escalation, track their investigations and analyze their resolutions. Inputs: laws (PHI), regulations (PCI), frameworks (Solvency II), business objectives. Many of our customers have begun their IT-GRC program in one of two ways. First, many define the business objectives, laws, regulations and frameworks which guide their organization. This documentation process centralizes their objectives, policies and guidelines and enables the business to promote awareness. [Click] Secondly, many organizations begin by implementing an Incident Response or Incident Management program. Many regulations, such as PCI, NERC, HIPAA, FFIEC and many others, mandate that organizations effectively handle security incidents that represent risk to the business. Laws such as the Massachusetts Privacy Act not only require an incident response process, but mandate that the organization follows it. Many RSA Archer customers have quickly implemented the Incident Management solution to report incidents and ethics violations, manage their escalation, track investigations and analyze resolutions. This has provided them with a quick win in meeting those regulatory demands. Transition: Let’s dig a little further into some of the details.

15 How we do it: RSA Archer IT-GRC solutions
RSA Archer Policy Management: centrally manage policies, map them to objectives and roadmaps, and promote awareness of them to encourage a culture of corporate governance. Leverage best-practice control standards; create policies; map to authoritative sources; document control procedures; communicate to employees; track exception requests. RSA Archer Policy Management provides the foundation for a best-in-class governance, risk and compliance program with a comprehensive and consistent process for managing the lifecycle of corporate policies and their exceptions. The solution offers a centralized infrastructure for creating policies, standards and control procedures and mapping them to corporate objectives, regulations, industry guidelines and best practices. You can also communicate policies across your enterprise, track acceptance, assess comprehension and manage exceptions. Powered by the RSA Archer eGRC Platform, the Policy Management software solution gives you a meaningful understanding of what governs your business, and it enables you to formulate policies appropriately to aid in achieving corporate objectives and demonstrating regulatory compliance. Using RSA Archer Policy Management, you can: author corporate policies; leverage best-practice control standards out of the box; map your controls back to the authoritative sources that govern your business; document and manage manual and technical control procedures; communicate corporate policy across your internal organization; track and authorize exception requests for a specific time period. “The [RSA] Archer Policy Management solution gives us an even more complete tool to manage standards and regulations effectively while we continue to maintain the highest level of compliance for our company and for our customers.” Senior VP of Information Security, Financial Services Client

16 How we do it: RSA Archer IT-GRC solutions
RSA Archer Incident Management: report incidents and ethics violations, manage their escalation, track their investigations and analyze their resolutions. Identify incidents; evaluate incidents; manage investigations; track response procedures; resolve incidents; produce reports on incident trends. RSA Archer Incident Management centralizes and streamlines the complete case management lifecycle for cyber and physical incidents and ethics violations. Archer’s web-based solution allows you to capture incident reports, evaluate the criticality of an incident and assign response team members based on business impact and regulatory requirements. You can also consolidate response procedures, manage investigations end-to-end, and report on trends, losses, recovery efforts and related incidents. Powered by the RSA Archer eGRC Platform, the Incident Management solution allows you to effectively manage incidents that occur anywhere you do business, from detection through analysis and resolution. Through RSA Archer Incident Management, you can: report incidents of any type, including theft, harassment, fraud, violence, bribery, corruption, equal opportunity violations, conflicts of interest, phishing, denial-of-service attacks, etc.; integrate incident data from a call center or intrusion detection service through the Data Feed Manager; centralize incident documentation, response procedures and investigations across your enterprise; access-control incident data down to the field level to protect personal identities and the integrity of confidential information; notify responders when incidents enter their queue for investigation; use the on-demand platform for efficient access to incident data and response procedures no matter where personnel are located; employ automated task management functionality to track response activities; document legal and law enforcement involvement in the response process, and track losses and recovery costs.
Maintain an incident history and audit trail with the capability to track each version of an incident record throughout its lifecycle. Produce rollup reports to track incidents and identify trends, incident similarities and relationships to better understand mitigation and prevention requirements. Understand the relationships of incidents to business units, information assets, facilities, vendors, risks, financial loss events and your business continuity program through seamless integration with Archer’s full GRC solution suite. “We are now able to automatically track all privacy-related incidents and any information that could be misused. Our privacy team can easily search, track the status and produce reports with the RSA Archer incident tracking solution.” Information Security Consultant, Insurance Client

17 RSA Incident Management use case
SIEM / DLP: XML-formatted data coming out of enVision. Integration framework: real-time feed of incidents into Archer for compliance tracking. Enterprise and Policy Manager: enVision alerts are put into context with the enterprise’s assets, risks, processes, teams, etc. Incident dashboards and workflow: incidents are assigned to queues, and a workflow automates the case-handling process; metrics are rolled up into an executive dashboard. Task triage: incident details with associated notes. “We saved 1,500 hours per month thanks to the integration.” Source: EMC CIRC

18 Business Continuity & Incident Management Use Case #3: Critical Application Crash
Lanes: Help Desk, IT, Business Continuity Team, Employee. Diagram steps: Major Site Crash; Notification of application problem; Auto detection; Manual Incident Creation; Auto Incident Creation; Communication to all employees; Qualify severity, Provide recovery procedure; Request Business Continuity Support; Notify; Staff; Get Procedure from Archer; Execute Procedure; Recover Crash; Recovery; Major Site Up Again; Communication to all employees; Close Incident.
Scenario: Site “A” goes down. A critical online ordering application is out of order. Notification by a user or automatic detection by Archer. An automatic communication to employees is triggered. A recovery plan is triggered. An on-call team is notified. Acknowledgement that the incident has been taken in charge. Execution of the centrally available procedure. Activation of the backup site. Communication to employees. Restoration and re-establishment of the service.

19 PCI-DSS: reduce costs, reduce the scope

20 The PCI compliance lifecycle
Comply with the standard; secure sensitive data; maintain the PCI security level; card data and associated data; maintain security and govern compliance. Objective: define the scope. Impact: assess the impact. Damage: loss or leak of sensitive data. Losses: image, competitive advantages. Effort: regular audits. Cost: high and hard to maintain. Sensitive data is everywhere, and there is a strong need to protect information to meet industry or government regulations, or to protect sensitive corporate secrets. Regulations such as PCI, HIPAA or other directives can cause corporations significant headaches if not followed correctly. We have seen fines upward of $500,000; audits can increase in frequency; lawsuits can occur. DPM can greatly reduce the burden of compliance. Securing sensitive data is critical for any company. Not only are employee and customer data important to protect, but there are other corporate secrets and IP that must be secured as well. If a leak occurs, it can damage brand equity; customers and employees can lose confidence in the corporation and leave; competitive advantage can be lost. DPM’s main objective is to secure your sensitive data and reduce the risk of breach. Having the controls in place to actually encrypt or tokenize is one thing, but how can you do it in a cost-effective manner? DPM provides the tools to improve operational efficiencies while keeping the costs low. How can DPM do this? Using this product can reduce the number of FTEs needed for security, reduce the capital needed for additional hardware and software, and reduce the total cost of ownership. It is designed not only to provide the protection itself, but also to lower the total cost of ownership for customers over the long haul.

21 Improving the security of payment card data
Having become aware of the risks of data misappropriation, companies are now concerned with protecting certain particularly sensitive data: information relating to consumers’ credit cards. American Express, Discover Financial Services, JCB, MasterCard and Visa have therefore collaborated to offer companies that handle credit card data (banks, businesses, merchants, payment processors, etc.) recommendations on protecting this information. This collaboration took the form of the PCI DSS (Payment Card Industry Data Security Standard), a set of security best practices covering the whole lifecycle of credit card information. This standard is extremely strict, and for that reason it is often recommended as the foundation for other initiatives.

22 Introduction to Selling Data Protection Manager
Which solution reduces the PCI-DSS scope? RSA Data Protection Manager: end-to-end data protection. PROTECT: sensitive data and key escrow. ENFORCE: access permissions. MANAGE: the lifecycle of keys and “alias” tokens. EXTEND: across the whole scope. Increase data security; reduce operational cost. Our DPM solution enables our customers to increase their data protection while lowering their operational costs. By protecting sensitive data and key vaults and enforcing client policies and permissions, RSA DPM enables our customers to increase their data security. The more data and keys that are under DPM’s control, and the easier it is to enforce client policies and permissions, the more security our customers will receive. By managing key and token lifecycles and scaling across the enterprise, RSA DPM lowers operational costs. By managing lifecycles across the enterprise, RSA DPM gives customers the ability to centrally manage the administration of sensitive data from one server. Showing customers that they can guarantee ROI on Data Protection Manager can be relatively easy, especially if they use encryption in a lot of places and are managing a lot of keys. Metrics to mention (benchmarks provided by Aberdeen Research, “Managing Encryption – The Keys To Your Success”, Oct 2008): Best-in-Class organizations with regard to key management practices currently support encryption at a much higher scale (about 40% more applications, about 11.5 times more encryption keys under management) and at a significantly lower cost (36% less in terms of average cost per encryption-enabled application, 92% less in terms of average cost per key). - Confidential -

23 Which solution? RSA Data Protection Manager
Application encryption: end-to-end protection; proven performance (RSA BSAFE); support for many algorithms. Tokenization: end-to-end protection; data format preserved; configurable “alias” token format. Encryption of data at rest: shared key management across the enterprise; automatic replication; key escrow. This is what RSA offers to handle those kinds of customer challenges. This illustrates our Data Protection Manager product, version 3.0. Application Encryption provides end-to-end protection right from when the sensitive data enters your systems. This solution gives you industry-leading performance and flexible algorithm support, providing the ability to custom-tailor this solution. Tokenization also provides end-to-end protection, protecting your sensitive data right when it enters the systems. We offer format-preserving data tokenization, which is easier to implement than traditional encryption, as you don’t have to alter any database schemas to accommodate the protected data. There are also customizable token formats, such as credit card numbers and other PII formats such as social security numbers and account numbers. Finally, we offer data-at-rest encryption and enterprise-wide key management. This provides protection for the back-end data (storage, tape, etc.). With automated replication, customers can rest easy that their data is protected, even if their infrastructure went down. With strong protection of the key vault, Data Protection Manager makes it easier to manage the lifecycle of keys and tokens from one central location.

24 Protect: Reducing the PCI scope through tokenization
Introduction to Selling Data Protection Manager
Protect: Reducing the PCI scope through tokenization. Diagram labels: Encryption (sample encrypted value KJaSA^)(#E&HLghrS$Lja(*&gfbe$%634Hdc), RSA Data Protection Manager, Original value, Tokenization. Ability to offer a "hybrid" solution for deployments that need both encryption and tokenization: RSA Data Protection Manager.

With RSA DPM, you can apply either Application Encryption or Tokenization right from where the sensitive data enters the customer environment.

Let's start with encryption. When data is encrypted, an algorithm and a key are used. The key is the only mechanism to decrypt the data back to its original state (clear text). Therefore, these keys must be protected and managed accordingly. DPM's enterprise key management capability helps customers manage these keys in a consistent and reliable way, providing capabilities to rotate the keys through their lifecycle.

With tokenization, a random number generator receives the original clear text and produces a token that looks very similar to the input data. As you can see from this credit card example, the first four digits of the number are preserved and the rest of the digits are randomly generated. With RSA DPM, any portion of the original data can be kept. This token is then sent back to the original application in its place. The original data is encrypted in the Data Protection Manager vault and stored there.

The ability to offer "hybrid" deployments of both encryption and tokenization is a core differentiator for RSA DPM. You may be asking yourself why someone would choose traditional application encryption over tokenization; it seems harder to deploy, and tokenization appears to be more flexible. Tokenization is a centralized model: it requires a round trip to the token vault, which can be a problem if the network is down. Application Encryption, on the other hand, is a distributed model with excellent network performance. Locally cached (or stored) keys also permit offline use if the network goes down. Some customers choose to encrypt right in the application, but then tokenize later when the network is back up, or at a batch level. This provides flexibility and customization to our customers who are looking for higher levels of protection.
- Confidential -
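The vault model and the hybrid fallback described above, as an added example that is not RSA's code: a token vault that keeps the first four digits, random-fills the rest and stores the encrypted original, plus an application-side client that encrypts under a locally cached key while the vault is unreachable and tokenizes the queue in a batch afterwards. The HMAC-based stream cipher stands in for a real AES mode and is an assumption of this example, not DPM's algorithm.

```python
import hashlib
import hmac
import secrets

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy counter-mode cipher using HMAC-SHA256 as the PRF (assumed stand-in, not DPM's).
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)  # symmetric: the same call decrypts

class TokenVault:
    """Central token vault: token -> (nonce, encrypted original value)."""
    def __init__(self, vault_key: bytes, keep_prefix: int = 4):
        self.vault_key, self.keep_prefix, self.store = vault_key, keep_prefix, {}
    def tokenize(self, pan: str) -> str:
        # Keep the first four digits, randomly generate the rest, preserve the length.
        while True:
            tail = "".join(secrets.choice("0123456789") for _ in pan[self.keep_prefix:])
            token = pan[:self.keep_prefix] + tail
            if token != pan and token not in self.store:
                break
        nonce = secrets.token_bytes(16)
        self.store[token] = (nonce, keystream_xor(self.vault_key, nonce, pan.encode()))
        return token
    def detokenize(self, token: str) -> str:
        nonce, ciphertext = self.store[token]
        return keystream_xor(self.vault_key, nonce, ciphertext).decode()

class HybridClient:
    """Application side: tokenize while the vault is reachable; otherwise encrypt with
    a locally cached key and queue the value for batch tokenization later."""
    def __init__(self, vault: TokenVault, cached_key: bytes):
        self.vault, self.cached_key, self.online, self.pending = vault, cached_key, True, []
    def protect(self, pan: str) -> str:
        if self.online:
            return self.vault.tokenize(pan)
        nonce = secrets.token_bytes(16)
        blob = "enc:" + (nonce + keystream_xor(self.cached_key, nonce, pan.encode())).hex()
        self.pending.append(blob)
        return blob
    def flush(self) -> dict:
        """Batch step once the network is back: decrypt each queued blob and tokenize it."""
        mapping = {}
        for blob in self.pending:
            raw = bytes.fromhex(blob[4:])
            pan = keystream_xor(self.cached_key, raw[:16], raw[16:]).decode()
            mapping[blob] = self.vault.tokenize(pan)
        self.pending.clear()
        return mapping  # blob -> token, so stored records can be replaced
```

The returned mapping is what a batch job would use to swap the locally encrypted blobs for tokens, after which the cached key is no longer needed for those records.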

25 Manage: The lifecycle of keys and "alias" tokens
Manage: The lifecycle of keys and "alias" tokens. Data Protection Manager handles the generation, distribution, and the entire lifecycle management of keys and tokens. Secure key and token generation. States: active, deactivated, compromised, deleted. Secure distribution to applications. RSA DPM.

As previously mentioned, RSA DPM handles the generation, distribution and lifecycle management of keys and tokens from one central server location. Following along with the illustration, DPM secures key and token generation and secures distribution to clients. The key and token lifecycles are managed with robust server-side controls. A key starts in the active state and then moves to a deactivated state (either manually or on a pre-set rotation schedule). It can be compromised and deleted at any point; these two stages happen manually.

Rotating keys and tokens on a regular basis is not only required to meet compliance, but also increases security by limiting data exposure and allowing administrators to respond quickly to events, such as a compromised key. Key and token rotation is not only necessary for compliance, it also increases security by reducing data exposure.
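The server-side lifecycle just described (active, deactivated, compromised, deleted, with scheduled rotation and manual compromise/delete), as an added example that is not RSA DPM's code. The usage policy in `usable` (encrypt only under the active key, decrypt under active or deactivated keys) is an assumption of this example, not something the slide states.

```python
import secrets
from dataclasses import dataclass
from enum import Enum

KeyState = Enum("KeyState", "ACTIVE DEACTIVATED COMPROMISED DELETED")

@dataclass
class ManagedKey:
    key_id: str
    material: bytes
    created_at: int  # time on an abstract clock supplied by the caller
    state: KeyState = KeyState.ACTIVE

class KeyLifecycle:
    """Server-side controls: one active key, scheduled rotation, manual compromise/delete."""
    def __init__(self, rotation_period: int, now: int):
        self.rotation_period, self.keys, self._seq = rotation_period, {}, 0
        self.rotate(now)
    def active(self) -> ManagedKey:
        return next(k for k in self.keys.values() if k.state == KeyState.ACTIVE)
    def rotate(self, now: int) -> ManagedKey:
        # Deactivate the current active key and issue a fresh one (manual or scheduled).
        for k in self.keys.values():
            if k.state == KeyState.ACTIVE:
                k.state = KeyState.DEACTIVATED
        self._seq += 1
        new = ManagedKey(f"key-{self._seq}", secrets.token_bytes(32), now)
        self.keys[new.key_id] = new
        return new
    def rotate_if_due(self, now: int) -> bool:
        # Pre-set rotation schedule: rotate once the active key is older than the period.
        if now - self.active().created_at < self.rotation_period:
            return False
        self.rotate(now)
        return True
    def mark_compromised(self, key_id: str, now: int) -> None:
        if self.keys[key_id].state == KeyState.ACTIVE:
            self.rotate(now)  # a compromised active key is replaced immediately
        self.keys[key_id].state = KeyState.COMPROMISED
    def delete(self, key_id: str) -> None:
        key = self.keys[key_id]
        key.state, key.material = KeyState.DELETED, b""  # discard the material too
    def usable(self, key_id: str, for_encrypt: bool) -> bool:
        # Assumed policy: encrypt only under the active key; decrypt under active or
        # deactivated keys so rotated data stays readable; never compromised or deleted.
        state = self.keys[key_id].state
        if for_encrypt:
            return state == KeyState.ACTIVE
        return state in (KeyState.ACTIVE, KeyState.DEACTIVATED)
```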

26 Tokenization / Encryption
Tokenization versus encryption with RSA DPM. Or: how to reduce the sensitive scope.
Performance. Tokenization: centralized model, more effort on the server side. Encryption: distributed model, some protection operations can be executed on the client side.
"Off-line" use. Tokenization: requires an established connection to the server. Encryption: can be executed without a connection to the server for a short period.
Flexible operation. Tokenization: the token format is easily configurable. Encryption: users have no control over the format of the encrypted data.
Deployment impact. Tokenization: the data format is preserved, no impact on database structures. Encryption: the format of the encrypted data changes and must be handled with care.
Use of the protected data. Tokenization: other applications can use part of the data contained in the token.

27 Reference OBJECTIVES: SOLUTION: RESULTS:
An international parcel and letter transport company chose RSA Data Protection Manager to protect sensitive data and reduce the cost of compliance. OBJECTIVES: protect its customers' financial data residing in the data center; compliance with the Payment Card Industry Data Security Standard (PCI DSS). SOLUTION: RSA Data Protection Manager with Tokenization. RESULTS: manage and reduce the risk and cost of compliance with respect to a customer in the financial world (more than $420 billion in assets); rapid deployment, with production roll-out in 6 months; the RSA solution allowed this customer to achieve compliance and to win new customers.

Here's a good example of how tokenization helped a large transactional mailing company with over $420B in assets become PCI DSS compliant in just six months. The customer was concerned with protecting its sensitive financial data while it is at rest in its systems. This was driven by the need to comply with the Payment Card Industry Data Security Standard (PCI DSS). In this case, customers were demanding PCI DSS compliance, but this is not always the case; in most cases, corporations seek to comply with PCI DSS in order to avoid costly audits and brand damage. PCI DSS is a major driver for adopting tokenization and/or application encryption, and it will continue to be more important in the market. After choosing our tokenization capability to help solve their needs, the implementation was done in a very short timeframe in order to meet requirements. Our integrated RSA solution of tokenization and key management enabled the company to meet all compliance demands and appease its customers. This particular customer stated that they feel "tokenization is the future of handling sensitive data." This is our stance as well.

28 RSA solutions for better management of PCI DSS compliance
Governance, Compliance & Risk (GRC) Platform: manage policies, audits, processes and more. Data Loss Prevention: identify sensitive data and prevent leakage. Security Incident & Event Management: simplify security operations.

29 Policy Exception Use Case: Archer and DLP
By selecting one of these exception requests, we can see a description and additional details and by selecting the details

30 Thank you. We look forward to working with you to secure your Information Infrastructure, and to help you realize the full value of your information.

31 Incident Management Use Case #1 Application access request
Roles: Help Desk, Application Team, Investigation Team. Steps: Incident Creation, Classification, Response Procedure, Response Procedure, Resolution, Incident Closure, Investigation, Evidence, Reporting.

32 Incident Management Use Case #2 Loss of a Black Berry (or Laptop or Badge or Token…)
Incident Creation: the Employee declares the loss of the BlackBerry to the Help Desk. Classification and Response Procedure: IT blocks Mail/Phone and requests a new BB; the BlackBerry Team delivers and activates the new BB. Close Incident. Incident statistics and Risk Analysis go to the CISO.

