Automating policy enforcement to prevent endpoint data loss
IBM Data Security Services for endpoint data protection—endpoint data loss prevention solution

Protecting your business value from growing data losses

Today, global business trends in worker mobility, data sharing and collaboration, driven by new technologies, contribute to strong growth in some of the world’s most profitable companies. But increased growth comes with increased risk and cost to companies, as the associated data losses, misuse and business-process compromises become a growing problem.

Highlights

■ Facilitate policy-based enforcement of data protection policy
■ Automate discovery of sensitive content to protect business value
■ Consistently enforce required corporate and regulatory security policies while raising user awareness and voluntary compliance with policies
■ Leverage market-leading corporate expertise and proven methodologies to deploy, support and manage a complete integrated security solution
■ Benefit from lower total cost of ownership and accelerated deployments using an extensible platform and scalable solutions
■ Ensure optimized protection through professional security services, managed security services and support desk

Publicly embarrassing data losses and dramatic data privacy breaches, as well as rising information-related crime—such as corporate IP theft and online identity-based fraud—demonstrate the limitations of traditional information security strategy and technology. To address these incidents, companies now need to protect their critical data at the “point-of-use”—employee PCs, laptops, USB-attached storage devices and other endpoint devices.

IBM offers an endpoint data loss prevention solution that represents an evolutionary combination of technologies and services to help companies discover and classify sensitive data, monitor data usage, and control and block high-risk activities. IBM Data Security Services ensure that your organization benefits from the latest endpoint data loss prevention technologies—to detect and mitigate the risks associated with sharing sensitive data while enhancing collaboration and business agility.

IBM Data Security Services address the challenges associated with deploying a comprehensive solution by managing cost and scope, accelerating implementation, leveraging IBM information security expertise and eliminating the need for additional headcount.

IBM can create a security framework to help secure your information throughout the extended enterprise. IBM also provides application integration for ease-of-compliance reporting and policy administration. The resulting solution ensures that you can collaborate while mitigating the risk associated with data transfer and usage.

Delivering end-to-end integrated security solutions for endpoint data protection

Reducing risk—and enhancing business processes—through the endpoint

Unprotected endpoint devices are like open doors into your sensitive information. You need to guard the data on those devices—whether the data is at rest, in use or in motion.

Endpoint data security gives you wide coverage in terms of geographical range, modification of end user behavior and visibility into data usage. It offers strong preventative control without interfering with business processes. Endpoint data loss prevention enables you to encrypt sensitive data files on the endpoint’s internal hard disk or on externally attached media to protect data on lost or stolen devices. And it allows you to perform forensics for investigative purposes. Ultimately, endpoint security reduces the risk of data loss more directly than security at any other point.

Data generates new value when it is used. Although usage creates risk, appropriate manipulation increases the value contribution of an organization’s most valuable asset—data.

You need to protect data in every stage of its lifecycle—from creation and modification to distribution and archiving. And you have to secure data no matter what form it takes or where it is stored. Endpoint data loss prevention enables you to make information more readily accessible to authorized users, to help ensure consistent collaboration while encouraging and enforcing the responsible use of corporate data to improve compliance with regulations and policies.

IBM data loss prevention solutions are designed to help you achieve your company goals while protecting against sophisticated and complex IT and privileged user threats that can lead to the loss of business value.

IBM designs endpoint data loss prevention solutions with your needs in mind to:
• Establish an enterprise data loss prevention framework for your organization
• Deploy market-leading technology using a proven implementation methodology
• Translate and enforce corporate data classification and management policies
• Assess the risk associated with the sharing of sensitive data and define effective data security policies
• Implement automated data security policies uniformly across the enterprise
• Build out and deploy preventative warnings and justifications enforced by policies to train and deter end users before they take risky actions
• Deploy alert and block controls and audit collections of high-risk behavior, ultimately preventing costly and damaging data loss incidents

Enabling endpoint data loss prevention as part of a holistic solution

The IBM approach to data loss prevention is to disperse control across three main areas of the IT environment. By dispersing encryption, content inspection, user monitoring and access control management functionalities throughout the infrastructure, IBM can help identify and deploy mitigating controls for greater data protection across the extended enterprise at a lower total cost.

Endpoint data loss prevention technologies and services:
• Discover sensitive data at rest across endpoints including laptops, desktops, file servers and more
• Monitor data usage, configure application controls and block unauthorized behavior
• Define and deliver reliable management and support services

Figure 1: The IBM approach to data loss prevention disperses control across three main areas in the IT environment.
IBM partners with Verdasys Inc., combining professional and managed security services with comprehensive technology to provide an integrated endpoint data loss prevention solution. This partnership ensures that every step of the solution lifecycle is backed by both proven experience and market-leading technology.

Reducing your management headache and optimizing your technology investment

IBM uses Verdasys Digital Guardian technology to power its endpoint data loss prevention solution. An integrated framework and multi-function unified agent enable companies to intelligently and adaptively address the broadest set of information risk challenges in today’s highly collaborative and mobile business environment.

Leveraging endpoint technology to address a broad set of information security risks

IBM’s data-centric approach to endpoint security is specifically designed to prevent data from leaving the enterprise through three possible paths of exit—via devices, applications or network connections. In cases where corporate policy or regulations require encryption of all mobile data, the solution can transparently encrypt data files and/or e-mail to bring information transfer into compliance automatically.

The IBM endpoint security process is designed to:
• Establish a secure virtual perimeter around an enterprise
• Discover and classify sensitive data
• Gain visibility to how sensitive data is used by employees, contractors, partners and outsourcers

Figure 2: IBM Data Security Services uses proven technology and services to secure data throughout its lifecycle.
Diagram text (DATA-CENTRIC SECURITY): Where and what is sensitive data: DISCOVERY (desktops, servers, storage) and CLASSIFICATION (tagging; CONTENT: similarity, keyword, dictionary; CONTEXT: server, application, file type, user). What is the user doing with it: UNSTRUCTURED DATA (read, write, move, print, burn, copy/paste, upload); STRUCTURED DATA (view, delete, modify). Where is the data going: devices, applications, networks, e-mail. Apply risk-appropriate policy and actions: ALERT (detection), WARN (awareness), PROMPT (intent), ENCRYPT (protection), BLOCK (prevention), MASK (need to know). CONTINUOUS AUDIT LOGGING.
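Figure 2 and the capability descriptions on this page outline one pipeline: classify data by context (source application, path, file type, user) and by content (keywords, patterns), observe what the user is doing and where the data is going, then apply a risk-appropriate action, warning first and blocking when violations are repeated or severe, with every decision audit-logged. The Python below is an added example written for this page, not IBM or Verdasys code; the rule values, the warning threshold and the card-number pattern are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass
# One endpoint event as a monitoring agent would see it (constructed shape, not a Verdasys
# structure); action and destination use the vocabulary of Figure 2.
@dataclass
class FileEvent:
    user: str
    path: str
    source_app: str
    content: str
    action: str        # Read, Write, Move, Print, Burn, Copy/Paste, Upload
    destination: str   # Devices, Applications, Networks, Email
# Content-based classification: keyword and entity pattern matching. The card-number pattern
# is deliberately loose; a production rule would be tuned to keep false positives down.
CONTENT_PATTERNS = {
    "Confidential": re.compile(r"\bconfidential\b", re.IGNORECASE),
    "PCI": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}
REPEAT_THRESHOLD = 2   # warnings a user receives before a repeated violation is blocked

def classify(e: FileEvent) -> set:
    """Context-based tags (source application, path; assumed rule values) plus content tags."""
    tags = {t for t, pat in CONTENT_PATTERNS.items() if pat.search(e.content)}
    if e.source_app == "PayrollApp" or e.path.startswith("/finance/"):
        tags.add("Confidential")
    return tags

class PolicyEngine:
    """Chooses a risk-appropriate action per event and keeps a continuous audit log."""
    def __init__(self):
        self.warnings = {}   # user -> warnings already issued
        self.audit = []      # every decision, allowed or not

    def evaluate(self, e: FileEvent) -> str:
        tags = classify(e)
        if not tags or e.action == "Read":
            decision = "ALLOW"      # nothing sensitive, or read-only use: monitor only
        elif "PCI" in tags:
            decision = "BLOCK"      # severe: regulated data leaving the endpoint
        elif e.action == "Write" and e.destination == "Devices":
            decision = "ENCRYPT"    # copy to removable media: protect rather than stop
        elif self.warnings.get(e.user, 0) >= REPEAT_THRESHOLD:
            decision = "BLOCK"      # repeated violation after earlier warnings
        else:
            self.warnings[e.user] = self.warnings.get(e.user, 0) + 1
            decision = "WARN"       # first offences: raise awareness before the action
        self.audit.append((e.user, e.action, e.destination, sorted(tags), decision))
        return decision

def demo() -> list:
    # Constructed sample events run through one engine; returns the six decisions.
    engine = PolicyEngine()
    leak = FileEvent("alice", "/finance/budget.docx", "Word", "CONFIDENTIAL draft", "Print", "Devices")
    events = [
        FileEvent("alice", "/finance/q3_payroll.xlsx", "PayrollApp", "salary table", "Write", "Devices"),
        FileEvent("bob", "/home/bob/notes.txt", "Notepad", "card 4111 1111 1111 1111", "Upload", "Networks"),
        leak, leak, leak,   # the same user repeats a warned action: the third attempt is blocked
        FileEvent("carol", "/home/carol/menu.txt", "Notepad", "lunch menu", "Copy/Paste", "Email"),
    ]
    return [engine.evaluate(e) for e in events]   # ['ENCRYPT', 'BLOCK', 'WARN', 'WARN', 'BLOCK', 'ALLOW']
```

Every decision, including ALLOW, lands in the engine's audit list, which plays the role of the figure's continuous audit logging layer and is what the reporting and forensic capabilities described below would consume.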
Figure 3: Verdasys Digital Guardian Integrated Data Security Platform.
Diagram text: Add-On Modules (Application Logging and Dynamic Masking; Adaptive E-Mail Encryption; Adaptive File Encryption; Adaptive Content Inspection). Multi-Function Agents (Desktop Agents: Windows, Linux; Trust Verification Agent: Win, Linux, Citrix, Unix; Server Agents: Win, Linux, Citrix). Central Management Server (Digital Guardian Server and Management Console: Windows).

Digital Guardian ensures that data, applications and usage of information are governed, controlled, audited and, when necessary, automatically encrypted across infrastructure and business process boundaries through the following capabilities:

• Actionable Data Discovery and Classification—Data classification policies are created and enforced by hardened and invisible endpoint agents. Context-based classification allows you to discover and classify files based on source application, server, path, file type and user identity. Content-based classification allows you to discover and classify files based on keyword or entity content pattern matching and document similarity.

• Monitoring Data Movement and User Activity—Agents utilize integrated context and content monitoring to record all user activity related to system operations that interact with the file, networking, clipboard, printing and CD subsystems, offering complete visibility into data activity, location and movement.

• Policy Enforcement—Protect your data through configurable policies delivered from the central server. Policies can vary from broad to discrete and enable full control over data usage at the “point of use” both on- and offline. Rules are subsets of policies and warn users of impending high-risk activities and policy violations before action is taken, giving users the ability to alter their behavior without interrupting business processes. Rules can also block user actions outright when policy violations are repeated or severe. Administrators are automatically alerted to policy violations, and all activities are logged.

• File Encryption—Delivers automatic, policy-driven encryption of sensitive files located on or copied to local drives on laptops, desktops, or external devices and CDs/DVDs. File encryption eliminates the need for multiple encryption tools to consistently enforce data security policy, reduce the risk of data loss from stolen laptops and increase regulatory compliance.

• E-mail Encryption—Provides patented, policy-driven encryption of e-mail content and attachments, operates transparently and includes automatic key management. Integrated e-mail encryption enforces security policy on network and Web mail systems both on- or offline. This eliminates the need for separate mail encryption tools, while enforcing consistent security policies across the enterprise and beyond to your partners, suppliers, contractors and outsourcers.

• Trust Verification Agents (TVA)—Establish a secure community of trust between the data owner, provider and user. It helps ensure that sensitive data is accessed only by trusted machines and is subject to corporate security policies. TVA creates a “virtual” network access control solution across your extended enterprise without requiring the redefinition of networks and servers. The community-of-trust solution enables organizations to enforce data security policy across offshore locations, suppliers and outsource providers.

• Application Logging and Masking—Enforces field-level access control through data masking and meets regulatory requirements through audit logging for legacy (3270 terminal emulators), client server and Web-based applications. It saves millions of dollars in recoding costs while extending data security to applications that lack the native data access and logging capabilities necessary to protect data and ensure regulatory compliance.

• Reporting for Audit and Decision Support—Provides comprehensive reporting capabilities that include aggregated views of enterprise data usage, trend reporting, group or individual reporting, data-at-rest reports, compliance reports and operational reports. All report types offer high-level views and granular details. The reporting engine includes an easy query interface for the creation of custom reports. Digital Guardian’s actionable reporting offers visibility into the state of data risk across the entire organization. Drill-down capabilities offer visibility to data movement and usage at an individual level. Compliance reports include predefined data usage reports for PCI, HIPAA, GLB and SOX regulations.

• eDiscovery and Forensic Reporting—Generates aggregated case reports that include data usage from across the enterprise, including offline, contractor and partner activities. It can drill down through your case reports to discover file, network, classification, user activity, time and environmental information for individual or group activity. Efficiently move through aggregated log and audit information to focus on meaningful data, reducing the cost and time of analyzing information and creating effective forensic reports.

The IBM endpoint data loss prevention solution can help prevent the loss of sensitive information, applications and processes essential to maintaining market value, proprietary assets, intellectual property and the reputation and process integrity of your global enterprise.

Deploying your endpoint data loss prevention solution

IBM understands data security at the enterprise level. Our consultants and specialists have experience with a wide range of industry solutions and IT architectures to help you adopt an endpoint data loss prevention solution. Our professional support services can help you:

• Conduct a Requirements and Planning Workshop to help you define your environment, business, compliance and IT requirements, prepare for implementation of controls and help you develop an all-encompassing approach for planning and implementing a data loss prevention solution.

• Assess and discover sensitive data and user actions associated with this data on endpoint devices through a Discovery Assessment.

• Create your Policy Design by working with you to define your data loss prevention policies and deployment priorities for implementation and testing. IBM will also utilize a number of predefined rules and policies to help accelerate solution deployment throughout large enterprises.

• Implement all components of a solution in your environment successfully by providing the following Implementation Services:
  • Implementation planning and project management
  • Solution architecture and design
  • Installation of primary components
  • Testing of primary components
  • Pilot deployments to test in your live environment
  • Product roll-out of controls to all endpoints
  • Project documentation
  • Help desk deployment assistance
  • Technical training and skills transfer
  • Project close-out and hand-off

• Provide a single point of contact for your support needs with a global Support Desk—which will provide support for all Verdasys products licensed and deployed in the solution, with escalation to Verdasys for break/fix or insolvable issues. The IBM support desk will own and help manage, track and resolve problems related to the data loss prevention solution.
Ongoing endpoint data loss prevention with IBM Managed Security Services

IBM provides ongoing managed services to help you manage your solution:

• Ongoing remediation and policy enforcement for day-to-day operational support from an IBM hosting center that runs and manages your deployed data loss prevention solution. Our services include:
  • Policy design, implementation and enforcement
  • Implementation, configuration and maintenance of server and endpoint agent components
  • Single point of contact for support desk

• Ongoing monitoring, response and reporting for day-to-day monitoring and response to critical events and policy violations. IBM will deliver periodic reports on policy compliance, enforcement status and end-user violations. In the case of a serious event, based on defined procedures and service level agreements, IBM will escalate the issues. IBM would then propose adjustments and refinements to your policy to help accommodate new requirements and minimize false positives.

IBM combines refined methods and extensive skills to help you realize the full value of your technology investment. Our services are designed to help optimize productivity, manageability and cost-effectiveness within your IT organization.

Why IBM and Verdasys?

Together, IBM and Verdasys combine their technology, experience and expertise to deliver a complete endpoint data loss prevention solution. Verdasys software is designed to identify and mitigate the risk of sharing critical information across the extended enterprise through automated discovery, classification and monitoring of sensitive data, utilizing an optimized mix of context and content analysis. Verdasys software enables the creation and management of centrally defined data security rules that automatically enforce corporate security policies at the endpoint, helping prevent unauthorized use of data through control and block activities and preventing data loss through CD burning, copying/pasting, printing, writing to USB drives, network transfers, file sharing and use of unapproved applications.

With IBM Global Services’ experience, global reach and scale, you can confidently deploy Verdasys’ best-in-class software. IBM solutions, powered by Verdasys, provide you with an end-to-end integrated endpoint data loss prevention solution to manage your information security through its entire lifecycle—creation through ongoing management.

With IBM and Verdasys, knowledgeable practitioners, proven methodologies and innovative software and services help you rapidly implement and support a comprehensive solution to protect your market value at less risk than your internal staff and most other service providers.

For more information

To learn more about IBM Data Security Services for endpoint data loss prevention, contact your IBM representative or visit:
ibm.com/services
© Copyright IBM Corporation 2008
IBM Corporation
New Orchard Road
Armonk, NY 10504
U.S.A.
Produced in the United States of America
04-08
All Rights Reserved.

IBM, the IBM logo and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. Verdasys and the Verdasys logo are registered trademarks of Verdasys Incorporated. Other company, product and service names may be trademarks or service marks of others. References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.
SEDO3004-USEN-00