I recently had the opportunity to listen to an illuminating presentation by Eric Appel, VP at Intel Security, on the concepts of SMAC and the Three Rs. As it turns out, the “Three Rs” he was referring to weren’t Reduce, Reuse, Recycle (or even Reading, ‘Riting, & ‘Rithmetic).
SMAC stands for: Social, Mobile, Analytics, and Cloud. SMAC is the new focus for CISOs: “Every security question you get moving forward from CISOs and the like will always involve at least one aspect of social, mobile, analytics, and cloud.”
As for the “Three Rs,” Eric meant Rich, Ruin, and Regulate.
- What data in my organization will make us RICH?
- What data in my organization can RUIN us?
- What data do we need to have REGULATIONS around?
Data that is being ‘SMAC-ked’ around falls into one of these three categories. This got me wondering how TITUS fits into these models. Can TITUS help protect and manage these three classes of data as it is shared, accessed from mobile devices, and stored in the cloud? And can TITUS provide meaningful insight to the CISO about this data and how it is being used?
Let’s delve a little more deeply into SMAC.
Social – When TITUS classifications are applied to email and documents, they can transform how users interact with and share data. TITUS applies visual markings to data to help remind users of the information’s value and make them more accountable. The classifications are also linked to policies that control how information is shared based on its sensitivity. So, if a file is highly valuable, policy can ensure it is encrypted before it is uploaded to the cloud. Or, the user can be warned if they are about to send information to unauthorized recipients.
Mobile – TITUS has extended our classification suite to mobile devices, allowing organizations to protect and control data from their smartphone or tablet. As on the desktop, classification metadata provides protection and enforces information sharing policies. Access to email can be controlled by classification or geolocation, and Microsoft RMS protected email can easily be accessed within TITUS Mail. Likewise for documents – printing, sharing with other apps or cloud storage such as Box and Dropbox can be governed by the classification.
Analytics – TITUS has two key advantages when it comes to analyzing data, how it is used, and whether there is an insider threat. First, TITUS provides identity to your data, so you can focus monitoring and analysis efforts on the data that matters. Second, since TITUS is within applications on the user’s desktop and mobile device, it is possible to report exactly what users are doing with your organization’s most important data. For example, TITUS can feed user activity to Intel Security’s data protection solutions via the McAfee data-exchange layer (DXL). This allows McAfee to create risk profiles for each user and, should the user’s risk evaluation cross a pre-defined threshold, make appropriate policy adjustments to protect corporate data – all in real time.
Cloud – By providing identity to your data before it is moved to the cloud, it is possible to control what is uploaded, who has access, and how it is protected or encrypted. And, because your data is identified it is much easier to locate, manage, and erase.
Now, on to the “Three Rs.”
Rich – The “crown jewels” of many organizations, and one of the main types of data that generates revenue, is intellectual property (IP). This data is typically unstructured, which makes it inherently difficult to find and protect through traditional content scanning methods. While you can do proximity searches and keyword matches, the very nature of IP makes automated classification difficult. For this reason, TITUS has made it very easy for the creators of IP to properly identify the value of the data and ensure it is protected. Because if it isn’t, your IP might end up making someone else rich.
Ruin – As we know from their recent breach, Sony had business conversations that described negative feelings towards industry colleagues. This was not IP, nor was it regulated data. However, it did have negative value to their organization – they were simply storing information which ended up hurting both individual reputations and Sony’s corporate reputation. Almost all data reaches a point where it is no longer an asset but crosses over into liability. When this happens, it is in your best interest to dispose of this data. TITUS metadata can work to inform records management systems, helping them properly track the retention period of an email or document so that it can be destroyed when it becomes a liability.
Regulate – There is a great deal of data that is regulated by various government and industry requirements. By identifying this data with TITUS, organizations can ensure that it is protected and shared in compliance with regulations. For example, Personally Identifiable Information (PII) can be automatically encrypted. In the case of export-controlled data, or even where there exist ethical walls within an organization, TITUS can prevent violations caused by the improper handling of unstructured data.
All in all, I decided that TITUS was well positioned to help with any CISO’s data security concerns. But is SMAC an accurate representation of your organization’s security priorities? Let us know.