White Paper


                  The Business Case for Data Security
  Business Case
                    The growing costs of security breaches and manual compliance efforts have given
                    rise to new data security solutions specifically designed to prevent data breaches and
                    deliver automated compliance.

                    This paper examines the drivers for adopting a strategic approach to data security,
                    compares and contrasts current approaches, and presents the Return on Security
                    Investment (ROSI) of viable data security solutions.




                             “With the growing threats to applications and data, from
                             large-scale, automated Web attacks to insider malfeasance,
                             proactive data security has become mandatory.”




                           Executive Summary
                               Large-scale application attacks, targeted insider threats, and a swelling raft of regulations are compelling
                               organizations to adopt a new defense: data security. In this paper, we will address three key business questions:
                           1) What are the risks and regulatory drivers for data security?
                               We take a close look at today’s security and compliance landscape, current data security challenges, and the
                               auditing and reporting requirements in leading data privacy and data governance regulations. We conclude
                               that data security should be an executive focus, when businesses consider the devastating impact of data
                               breaches and the rising costs of regulatory compliance.
                           2) What are the alternative approaches to achieving data security?
                               We contrast Imperva’s holistic data security approach with other approaches, including “do it yourself” projects,
                               use of data security features within event management and application delivery products, and loosely
                               integrated data governance solutions. It is our contention that only a comprehensive and intelligent platform
                               can deliver the right level of security and control that is essential for effective data security.
                           3) What are the financial benefits of deploying a holistic data security solution like Imperva
                              SecureSphere?
                               Based on the analysis offered above, we determined that Imperva SecureSphere offers a cost reduction and
                               cost avoidance benefit of 274% compared to alternative approaches. Calculating the total costs over a five
                               year period, a typical large enterprise would spend $5,487,500 in data breach expenses, manual monitoring,
                               auditing, and reporting costs versus $1,467,850 with Imperva SecureSphere appliances, licenses, maintenance,
                               and operations costs. The cost savings are compelling, demonstrating why data security has moved to the
                               forefront of most organizations’ security strategy.




         Imperva White Paper




                            I. Data Security and Compliance: An Evolving Landscape
                                Security and compliance are two of the most critical concerns for any organization. Between 2005 and 2010,
                                data breaches have cost organizations billions of dollars and exposed over 500 million sensitive records,¹
                                leaving a litany of lawsuits, sanctions, fines, and lost revenue in their wake. In addition, organizations are subject
                                to increasingly stringent regulatory compliance requirements. A growing number of regulations mandate
                                monitoring and auditing of user activity, application safeguards, and internal controls. To develop a cohesive
                                strategy for security and compliance, organizations must analyze their security risks and compliance needs.
                            Financial Impact of Security Incidents
                                Data breaches are financially devastating, averaging $6.75 million per incident and $204 per compromised
                                record.² Data breaches not only impact organizations, but also affect the tens of millions of individuals who fall
                                victim to identity theft and fraud. Due to external attack or insider abuse, data breaches are perhaps the single
                                most damaging security event that an organization can endure. In addition to breaches, organizations must
                                fortify their valuable resources against denial of service, data loss, and data manipulation.
                                Hacking and External Threats
                                Hacking and external threats are the leading cause of data breaches, accounting for approximately 94%³
                                of all compromised records in 2009, according to an in-depth investigation of data breaches. And 92%³ of
                                compromised records from hacking-related attacks were attributed to Web application attacks. Based on this
                                forensic evidence, if organizations had fortified their Web applications against attack, they could have reduced
                                the total number of known compromised records from over 140 million to roughly 20 million.




                                Figure 1 Proportion of Breached Records Due to Hacking by Attack Method³
                                Chart legend: Web Application (92%); Remote Access and Control (2%); Backdoor or Control Channel (5%); Network File Shares (1%); Physical Access (1%); Wireless (1%); Unknown (1%)



                                The rise in Web-related data breaches is due in part to more sophisticated attack techniques. Hackers have
                                become more organized, pooling resources, and delegating responsibilities based on skill set. They are also
                                creating automated capabilities to improve efficiency and scale, building armies of bots – remotely controlled
                                computers – to unleash large-scale, automated attacks.⁴ These new methods have made Web application
                                attacks very effective and, unfortunately, very destructive, as is borne out in data breach investigations.




                        ¹ Privacy Rights Clearinghouse, www.privacyrights.org/500-million-records-breached
                        ² Ponemon Institute, “Cost of a Data Breach,” January 2010
                        ³ Verizon Business, “2010 Data Breach Investigations Report”
                        ⁴ Imperva, “Industrialization of Hacking,” 2010





                                The Enemy Inside
                                Risks associated with insider threats, ranging from sabotage and fraud to sensitive data theft, have also
                                increased, along with the opportunities for insiders to profit from their illicit activity. Many organizations have
                                overlooked insiders who may access sensitive networks, applications, and data on a daily basis. Privileged users
                                must have access to sensitive data in order to perform their job. Therefore, they can abuse these privileges
                                and gain control of such data more easily and more covertly than external users. It is not surprising, then, that
                                insiders accounted for 48% of all breaches and 3% of all compromised records in 2009.⁵
                            Rising Cost of Achieving and Maintaining Regulatory Compliance
                                Organizations of all sizes must comply with a raft of regulations designed to bolster security, reduce fraud, and
                                ensure privacy. These regulations were enacted for a variety of reasons: as the result of an extraordinary event,
                                as with the implosions of Enron and WorldCom that led to Sarbanes-Oxley (SOX), or as the evolution of disparate
                                security standards that morphed into the industry-wide and influential Payment Card Industry Data Security
                                Standard (PCI DSS).
                                Addressing Multiple Compliance Mandates
                                In addition to SOX and PCI, organizations must adhere to a range of other industry and government
                                regulations. Healthcare companies must comply with HIPAA, the HITECH Act, and MAR. Federal institutions
                                must fulfill FISMA, ITAR, EAR, and DISA STIGs requirements. Energy companies must comply with NERC and
                                FERC. Organizations in Europe are governed by Basel II and EU data breach notification laws. The list goes on,
                                as does the amount of auditing and security requirements that organizations must address. On top of these
                                regulations, new regulations are introduced every year, and existing laws change.
                                While each regulation defines unique auditing and security requirements, it is possible to distinguish consistent
                                themes across most compliance mandates. Achieving compliance becomes much easier when organizations
                                develop well-defined and repeatable processes that track all user activities, maintain separation of duties, and
                                establish user accountability.
                                Demonstrating Compliance
                                All regulations require organizations to demonstrate compliance to external auditors and governmental
                                agencies. Organizations must prove that compliance processes are in place. They also have to collect pertinent
                                audit and security data and present it in a clear, understandable format. With these operationally taxing manual
                                processes, it is not surprising that U.S. businesses spend over $2.5 billion on SOX compliance each year.⁶




                        ⁵ Verizon Business, “2010 Data Breach Investigations Report”
                        ⁶ AMR Research, “With GRC Spending at an All-Time High, What Happens to SOX?”







                           II. Data Security: Requirements and Alternative Approaches
                               Organizations’ data security strategy should focus on the core business drivers of preventing external
                               attacks, mitigating insider abuse, and automating compliance processes. Some of the resulting operational
                               requirements include:
                                 » Accurate Protection for Business-Critical Applications and Data
                                   A data security solution should provide comprehensive protection of all critical data assets including
                                   Web applications, databases, and files from external attack and insider threats. Because of the complex
                                   nature of data-layer threats, a security solution should be able to detect known attack methods, malicious
                                   users, deviations from expected user behavior, and correlate multiple event attributes together for
                                   pinpoint accuracy.
                                 » Full Auditing with Separation of Duties
                                   Since audit trails of user activity have become an essential aspect of compliance, a complete data security
                                   solution must be able to audit all access and changes to databases and files. It should ensure audit
                                   data integrity and user accountability and identify material variances in user activity. Demonstrating
                                   compliance must be achieved through automated reports and analytical tools – the basis for forensic
                                   investigations.
                                 » Low Impact Deployment
                                   Any solution designed to improve security should not impact application uptime or impose management
                                   burden. The solution should meet availability and performance requirements while not introducing
                                   operational risks. In addition, it should support centralized management, monitoring, auditing, and
                                   reporting to streamline administration for large, distributed deployments.


                           Data Security: The Future of Security and Compliance
                               To address the full scope of today’s security and compliance requirements, Imperva has created a new
                               technology category, Data Security. With Data Security, organizations can mitigate data breach risks and directly
                               satisfy auditing and compliance mandates by implementing one, integrated, best-of-breed security solution.
                               Data Security protects business-sensitive data where it lives, in database and file servers, and how it is accessed,
                               through applications. With data-layer protection, data security solutions can block the attacks that lead to costly
                               data compromises more accurately than any existing technology. They can also monitor users to prevent insider
                               abuse, and audit all activity with unmatched visibility for compliance.
                               The Imperva SecureSphere Data Security Suite
                               Imperva SecureSphere Data Security Suite encompasses the market-leading SecureSphere Web Application
                               Firewall, and the award-winning SecureSphere Database Security and File Security Solutions. Either deployed
                               alone, or together as one integrated, centrally managed solution, SecureSphere Data Security Solutions offer a
                               powerful defense against hackers and malicious insiders, streamline and automate regulatory compliance, and
                               prioritize and mitigate data risks.








                               SecureSphere Data Security Solutions offer organizations several unique capabilities:
                                 » Complete, End-to-End Data Protection - SecureSphere protects data where it is stored – in databases
                                   and files – and how it is accessed – through applications – and addresses the full Data Security and
                                   compliance life cycle.
                                 » Automated Security – Imperva’s patented Dynamic Profiling automatically learns application and
                                   database usage without manual intervention. The unique ThreatRadar service further streamlines security
                                   by automatically stopping attacks from known, malicious sources.
                                 » Full Visibility with Separation of Duties – SecureSphere monitors and audits all database and file
                                   activity, including privileged user access, without relying on native auditing capabilities. Interactive audit
                                   analytics enable users to analyze, correlate and view activity from any angle.
                                 » Streamlined User Rights Management – SecureSphere simplifies the process of reviewing and
                                   managing user rights across distributed file servers and databases. SecureSphere aggregates access rights,
                                   identifies dormant accounts and highlights excessive privileges.
                                 » Zero-Impact Deployment – SecureSphere offers multiple, transparent deployment options for easy
                                   integration into any environment with no impact on existing applications, databases or files.








                           Contrasting Imperva’s Data Security with Alternative Approaches
                               To meet security and compliance requirements, organizations may rely on a combination of native logging
                               tools, manual reporting processes, and manual application vulnerability fix and test procedures. The following
                               section investigates various approaches to prevent data breaches and address compliance mandates.
                               Security Information and Event Management
                               To manage the massive amounts of data collected, some organizations have turned to Security Information and
                               Event Management (SIEM) solutions. SIEMs aggregate log data across multiple servers and devices, correlate
                               events to identify anomalies, and streamline compliance reporting. However, SIEMs that rely on native logging
                               for audit data present the following challenges:
                                 » Complex configuration of native database and file server logging utilities by DBAs and IT Administrators
                                 » No separation of duties as logging policies and audit trails can be manipulated by the users that should
                                   be audited
                                 » Significant degradation of database and file server performance
                               In addition, SIEMs, as cross-product security event aggregators, do not provide in-depth analysis or
                               purpose-built reports for database and file activity, and cannot prevent unauthorized access or monitor activity in
                               real-time.
                               Data Governance and Information Management
                               Information Management vendors offer a broad spectrum of solutions for data management and governance.
                               This breadth enables organizations to use one supplier to address multiple data security and data management
                               requirements. However, such an approach often increases the cost, complexity, and duration of data security
                               and compliance projects. Broad-scale, non-specialized information management vendors may turn relatively
                               simple auditing projects into multi-year, company-wide consulting engagements. In addition, while broadening
                               project scope, information management vendors often fall short in terms of addressing all necessary auditing
                               and compliance requirements. For example, an information management vendor may be able to secure
                               database data, but not files or applications. Organizations should assess their current and future security
                               requirements and determine if such a solution is aligned with project goals and will address monitoring and
                               security objectives within a desired timeframe and budget.
                               Integrated Application Delivery and Security
                               One approach to achieve Web application attack protection is to combine a Web Application Firewall with
                               a load balancer for combined application delivery and security. Such an approach can consolidate multiple
                               functions onto a single hardware platform. However, adding Web application security to existing application
                               delivery controllers (ADCs) can have a number of unexpected consequences, including drastically degrading
                               ADC performance and impacting the stability of mission-critical networking equipment. Most importantly,
                               ADCs only tackle one aspect of data security: application protection. They cannot monitor or protect
                               application data stored in databases, nor can they secure unstructured data in files.
                               Manual Vulnerability Management
                               Most organizations invest considerable effort to ensure that Web applications, databases, and file servers do not
                               contain vulnerabilities. Web developers must allocate time and resources to ensure that applications are written
                               according to secure coding best practices. IT administrators and DBAs must deploy vendor-supplied patches
                               into key applications and databases. Security personnel must test applications and servers for weaknesses and
                               then fix any discovered vulnerabilities.








                               However, while an essential aspect of any data security strategy, manual vulnerability patch processes:
                                 » Burden developers and administrators with disruptive fix and test cycles (“fire drills”)
                                 » Can expose organizations to attack for weeks or months while vulnerabilities are being fixed
                               Based on extensive research, fixing a single Web application vulnerability takes on average between two and
                               four months.⁷ With 83% of Websites having had serious vulnerabilities, relying on manual fix and test processes
                               is not sufficient. The length of time to apply database security patches is even longer, often exceeding three
                               months after a patch is released.⁸ Unfortunately, attackers will not wait for weeks or months to unleash online
                               attacks. Organizations should evaluate solutions that can virtually patch vulnerabilities to eliminate this window
                               of exposure and reduce the costs associated with emergency fix and test cycles.


                           Approaches to Data Security

                                Approaches compared: SecureSphere Data Security Suite | Native Logging and SIEM | Data Governance and Information Management | Application Delivery and Security | Manual Vulnerability Management

                                Function     Capability
                                Security     Purpose-Built Platform
                                             End-to-End coverage of all data assets
                                             Proactive Policy Enforcement
                                             Instant Vulnerability Mitigation
                                Compliance   Compliance Automation
                                             Separation of Duties
                                             User Accountability
                                Deployment   Rapid Time-to-Value
                                             No impact on systems and business processes








                             III. Return on Security Investment (ROSI) with Imperva SecureSphere⁹
                                  The SecureSphere Data Security Suite is designed from the ground up to meet all aspects of security and
                                  compliance for business-critical applications and data. SecureSphere provides conclusive cost-savings by
                                  offloading operationally-expensive logging from database and file servers and by driving down manual
                                  compliance reporting costs. More importantly, SecureSphere offers return on security investment (ROSI) by
                                  drastically reducing the risk and impact of a devastating data breach.
                                  In order to quantify the cost savings provided by Imperva, we compared the cost of implementing
                                  SecureSphere versus the cost of “doing nothing” and the subsequent expenses created by a data breach or
                                  manual auditing and reporting processes.
                                  The following table shows our assumptions. The number of protected records is an estimate for a medium-size
                                  company, but this number will vary widely and should be adjusted according to the individual business profile.
                                  The average number of records lost in a data breach is extrapolated from results of the Ponemon Institute “2009
                                  Cost of a Data Breach” report. The probability of a data breach is estimated at 5%.


                                   Basic Assumptions                                                                   Value¹⁰
                                   Number of Protected Records                                                              100,000
                                   Average Number of Records Lost in a Data Breach                                           33,088
                                   Probability of a Data Breach                                                                  5%
                                   Annual Cost of a Full Time DBA or IT Security Administrator (in USD)                   $110,000



                             Reducing the Financial Impact of a Data Breach
                                  Data breaches are costly, averaging $6.75 million per incident.¹¹ The expenses mount as organizations are forced
                                  to investigate breaches to assess affected records, notify customers, and pay legal fees and fines. However, the
                                  single highest cost is lost business, accounting for nearly half of the total financial impact of a breach.
                                  Statistics show 98% of compromised records originated from servers,¹² predominantly Web application,
                                  database, and file servers. A dedicated data security solution could lower the cost of a data breach by accurately
                                  identifying the scope of the breach or preventing the breach from ever occurring.
                                  SecureSphere Database Activity Monitoring and File Activity Monitoring can audit every access to sensitive
                                  data and quickly identify the individual records that were compromised. Without this independent and
                                  tamper-proof audit trail, organizations often have to assume the worst and notify all potential victims – even
                                  if only a fraction of that data was accessed by a perpetrator. An Activity Monitoring solution can drastically
                                  reduce the extent of a data breach, by an estimated two thirds. A proactive defense such as a Web Application
                                  Firewall, Database Firewall and File Firewall can block attacks, avoiding the breach altogether for almost all
                                  application-related breaches. The following table shows the costs of a data breach with and without a data
                                  security solution.




                        ⁹ In our opinion, the only viable alternative approach that fully addresses data security requirements is manual compliance and vulnerability mitigation.
                          The ROSI calculation therefore compares Imperva to a manual approach.
                        ¹⁰ These numbers vary between organizations. They represent a typical number for a medium-to-large enterprise.
                        ¹¹ Ponemon Institute, “Cost of a Data Breach,” January 2010
                        ¹² Verizon Business, “2010 Data Breach Investigations Report”






                                 Impact of a Data Breach Due to Web, Database and File Security Threats

                                                                                  Without          SecureSphere Database     SecureSphere Web,
                                                                                  SecureSphere     and File Activity         Database, File
                                                                                                   Monitoring [13]           Firewall [14]
                                   Number of Suspected Compromised Records        33,088           33,088                    0
                                   Number of Confirmed Compromised Records        Not available    11,029                    0
                                   Consulting Services and Investigation Costs    $1,350,000       $225,000                  0
                                   Notification Costs                             $742,000         $247,000                  0
                                   Legal Costs                                    $1,147,000       $382,000                  0
                                   Identity Protection and Other Services         $202,000         $67,000                   0
                                   Lost Business and Related Costs                $3,307,000       $1,102,000                0
                                   Cost of a Data Breach                          $6,750,000       $2,023,000                0



                             Vulnerability Remediation Efforts
                                 In addition to reducing the likelihood of an expensive data breach, a dedicated data security solution can also
                                 cut vulnerability remediation costs. First, Imperva SecureSphere can virtually patch application and database
                                 vulnerabilities, thereby eliminating disruptive emergency fix and test cycles. Vulnerabilities can be fixed as part
                                 of regular development schedules, which is significantly less expensive than fixing vulnerabilities in production.
                                 Second, SecureSphere typically allows organizations to delay minor patch updates until a cumulative patch is
                                 available or a new software version is released. This provides organizations considerable cost savings compared
                                 to the expense of developing, testing, staging, and implementing software patches.
                                 The following table compares the labor costs of remediating Web application and server vulnerabilities for an
                                 organization with 10 online applications, 15 Web servers, and 5 database servers.


                                 Annual Vulnerability Remediation Labor Costs
                                                                                                     Without SecureSphere                         With SecureSphere
                                   Emergency Fix and Test of Custom Vulnerabilities                                            $120,000                                          $0
                                   Custom Vulnerability Fixes in Scheduled Releases                                                   $0                                   $19,200
                                   Operating System Patches                                                                     $25,000                                    $12,500
                                   Web Server Patches                                                                           $25,000                                    $12,500
                                   Database Server Patches                                                                      $12,500                                     $6,250
                                   Total                                                                                      $182,500                                    $50,450




                             [13] SecureSphere Database and File Activity Monitoring offer auditing but no access control.
                             [14] When SecureSphere is implemented in “Firewall” mode, the risk of a Web, Database or File data breach is immeasurable. While auditing can reduce the
                                  impact of a breach by identifying actual compromised records, when SecureSphere is deployed inline, it can proactively prevent attacks from occurring.







                           Labor Costs of Auditing and Reporting
                               While both databases and file servers offer native logging capabilities, managing and maintaining audit log files
                               can be an expensive proposition. Database or IT administrators must determine what activity to audit, create
                               log rules, and then sort through reams of log messages to find materially relevant information for reports. Raw
                               data must be arranged into a presentable format for auditors. Organizations must also develop in-house tools
                               to prevent unauthorized access or manipulation of log data for separation of duties.
                               Native tools only address one aspect of the data security and compliance lifecycle. They cannot locate sensitive
                               data on the network, test databases for vulnerabilities, or patch these vulnerabilities. Organizations that use
                               native audit tools must also account for the costs of manually discovering and classifying sensitive data – two
                               requirements either implied or explicitly spelled out in many compliance regulations. Furthermore, many
                               regulations require that organizations limit user access rights to business need-to-know and remove dormant
                               accounts. For large enterprises, managing database and file access rights for thousands of users can be an
                               overwhelming task, leading many administrators to grant excessive privileges.
                               A dedicated data security solution such as SecureSphere can eliminate manual administrative tasks, automate
                               auditing and compliance reporting, and dramatically improve the overall security posture of the organization.
                               The following table compares the number of full-time employees required to meet database and file security
                               compliance requirements, with and without a data security solution.


                                                                                    Without SecureSphere                      With SecureSphere
                                Task                                                Initial setup    Ongoing maintenance      Initial setup    Ongoing maintenance
                                                                                    labor costs      labor costs              labor costs      labor costs
                                Discovery                                           $55,000          $55,000                  $11,000          $11,000
                                Classification and Assessment                       $55,000          $55,000                  $11,000          $11,000
                                Managing User Rights to Databases and Files         $110,000         $110,000                 $55,000          $11,000
                                Enablement of Auditing                              $27,500          $27,500                  $11,000          $1,100
                                Writing and Maintaining Custom Scripts              $165,000         $55,000                  $11,000          $11,000
                                Creating Custom Reports                             $110,000         $55,000                  $27,500          $11,000
                                Implementation of Workflow and Business Processes   $110,000         $55,000                  $11,000          $11,000
                                Total                                               $687,500         $412,500                 $137,500         $67,100



                           Software and Hardware Investment for SecureSphere Versus Native Auditing
                               In addition to comparing the labor expenses of security and compliance, businesses must also analyze the
                               hardware and software investment. With SecureSphere, the costs are relatively straightforward: the price of the
                               SecureSphere Data Security Suite, which includes the price of the Web Application Firewall, Database Firewall
                               and File Firewall, plus the MX Management Server.
                               If organizations opt for native logging, then they will need to purchase additional hardware and software
                               licenses to maintain previous performance levels. This is because full logging of all activity can degrade server
                               performance by approximately 30-50%. The table below compares the infrastructure costs incurred by using
                               native logging tools versus deploying the SecureSphere Data Security Suite.




                                                                                             Without SecureSphere    With SecureSphere
                                Additional Database and File Server Hardware                 $50,000.00              $0.00
                                Additional Database and File Server Software                 $200,000.00             $0.00
                                SecureSphere Data Security Suite and MX Management Server    $0.00                   $73,600.00
                                Annual Support and Maintenance Fees                          $40,000.00              $14,720.00
                                Hardware and Software Administration Costs                   $20,000.00              $20,000.00
                                Total                                                        $310,000.00             $108,320.00



                           Total Return on Security Investment
                               Because security and compliance must be addressed holistically, the following table compares the total
                               hardware, software, and management costs of the SecureSphere Data Security Suite to native logging and
                               manual compliance processes. In addition, a Return on Security Investment (ROSI) calculation must factor in
                               the cost and risk of a data security breach. The following table combines the data from the above tables to
                               provide the return on investment of the SecureSphere Data Security Suite versus no dedicated Web application,
                               database, or file security.


                                         Without SecureSphere                       Year 1       Year 2          Year 3         Year 4       Year 5
                                Vulnerability Remediation Costs                       $182,500    $182,500         $182,500      $182,500      $182,500
                                Auditing and Compliance Costs                         $687,500    $412,500         $412,500      $412,500      $412,500
                                Hardware and Software Costs                           $310,000     $60,000          $60,000       $60,000       $60,000
                                Data Breach Cost = Probability x Impact               $337,500    $337,500         $337,500      $337,500      $337,500
                                Total Cost without SecureSphere                     $1,517,500   $992,500         $992,500       $992,500     $992,500


                                SecureSphere Costs and Risk Posture                 Year 1       Year 2          Year 3         Year 4       Year 5
                                Vulnerability Remediation Costs                        $50,450     $50,450          $50,450       $50,450       $50,450
                                Auditing and Compliance Costs                         $137,500     $67,100          $67,100       $67,100       $67,100
                                Hardware and Software Costs                           $108,320     $34,720          $34,720       $34,720       $34,720
                                Data Breach Cost = Probability x Impact               $112,500    $112,500         $112,500      $112,500      $112,500
                                Total Costs with SecureSphere                        $408,770    $264,770         $264,770       $264,770     $264,770

                                Cost Savings with SecureSphere         $4,019,650
                                ROSI with SecureSphere                 274%

                                Investment Based Discount Rate         10%
                                NPV (Net Present Value)                $3,654,227



                               The total infrastructure, labor, and data breach costs of the SecureSphere Data Security Suite over five years
                               totaled $1.47 million, compared to $5.49 million for native logging, manual compliance processes and
                               no proactive Web, database or file security protection. Note that the projected data breach cost savings
                               for SecureSphere were conservative, assuming only the cost savings associated with monitoring traffic
                               and pinpointing individual breached records. With 98% of breached records originating from servers, the
                               SecureSphere Data Security Suite, with an integrated Web Application Firewall, should be able to prevent most
                               data breaches from ever occurring.
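
The arithmetic behind the five-year table, as an added example that is not part of the Imperva paper: it rebuilds the yearly totals from the line items and reproduces the cost savings, ROSI and NPV figures. The ROSI ratio (savings divided by five-year SecureSphere cost), the single-period NPV discount, the 5% annual breach probability and the one-third residual are assumptions inferred because they reproduce the page's numbers; a per-year discounted NPV and a breach-probability sensitivity run are included for comparison.

```python
# Added example: reproduces the white paper's five-year ROSI figures.
# Each line item is (year 1 cost, recurring cost for years 2-5), copied
# from the "Without SecureSphere" and "SecureSphere Costs" tables.
WITHOUT = {
    "vulnerability_remediation": (182_500, 182_500),
    "auditing_and_compliance": (687_500, 412_500),
    "hardware_and_software": (310_000, 60_000),
    "data_breach": (337_500, 337_500),
}
WITH = {
    "vulnerability_remediation": (50_450, 50_450),
    "auditing_and_compliance": (137_500, 67_100),
    "hardware_and_software": (108_320, 34_720),
    "data_breach": (112_500, 112_500),
}
YEARS = 5
DISCOUNT_RATE = 0.10
BREACH_IMPACT = 6_750_000  # average cost per incident cited in the paper

# Assumptions inferred from the tables, not stated as formulas in the paper:
IMPLIED_PROBABILITY = 337_500 / BREACH_IMPACT  # 0.05 per year
RESIDUAL_FRACTION = 112_500 / 337_500          # 1/3, the "two thirds" reduction


def yearly_totals(items, years=YEARS):
    """Expand (year 1, recurring) line items into one total per year."""
    first = sum(y1 for y1, _ in items.values())
    recurring = sum(rec for _, rec in items.values())
    return [first] + [recurring] * (years - 1)


def rosi_summary(without=WITHOUT, with_solution=WITH, rate=DISCOUNT_RATE):
    """Compute totals, savings, ROSI and two NPV variants for both scenarios."""
    base = yearly_totals(without)
    sol = yearly_totals(with_solution)
    savings_by_year = [b - s for b, s in zip(base, sol)]
    savings = sum(savings_by_year)
    return {
        "total_without": sum(base),
        "total_with": sum(sol),
        "savings": savings,
        # Assumed formula: savings relative to the five-year cost with the solution.
        "rosi_pct": round(100 * savings / sum(sol)),
        # Total savings discounted by one period; matches the page's NPV figure.
        "npv_single_period": round(savings / (1 + rate)),
        # Each year's savings discounted at end of year, for comparison.
        "npv_per_year": round(
            sum(s / (1 + rate) ** t for t, s in enumerate(savings_by_year, start=1))
        ),
    }


def with_breach_probability(p):
    """Recompute the summary with the breach line set to p x impact."""
    expected = round(p * BREACH_IMPACT)
    residual = round(expected * RESIDUAL_FRACTION)
    without = dict(WITHOUT, data_breach=(expected, expected))
    with_solution = dict(WITH, data_breach=(residual, residual))
    return rosi_summary(without, with_solution)


if __name__ == "__main__":
    # Sensitivity of the result to the assumed annual breach probability.
    for p in (0.0, 0.01, IMPLIED_PROBABILITY, 0.10):
        s = with_breach_probability(p)
        print(f"p={p:.2f}  savings=${s['savings']:,}  ROSI={s['rosi_pct']}%  "
              f"NPV(per-year)=${s['npv_per_year']:,}")
```
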



                           Summary
                               With the growing threats to applications and data, from large-scale, automated Web attacks to insider
                               malfeasance, proactive data security has become mandatory. Beyond the need to protect critical assets, a host of
                               regulations has spurred the need to audit activity and streamline compliance processes. Unfortunately,
                               existing security solutions cannot effectively stop data security attacks or address security and compliance
                               concerns holistically. A dedicated Data Security solution like Imperva SecureSphere not only satisfies today’s
                               security and compliance requirements, it also offers a return on investment of 274% compared to not using
                               a data security solution at all.
                               When compared to alternative solutions, Imperva SecureSphere is the only sensible and effective choice to
                               secure sensitive applications and data. With SecureSphere, organizations can:
                                   » Protect applications, databases, and files from internal and external threats
                                   » Lower the cost of auditing while implementing separation of duties
                                   » Automate compliance reporting
                                   » Virtually patch application and database vulnerabilities
                               With its indisputable value, it is not surprising that Imperva has become the market leader for Web, database,
                               and file monitoring and protection. Trusted by thousands of leading organizations around the world, Imperva
                               SecureSphere is the practical, cost-effective solution for Data Security.


                           About Imperva
                               Imperva is the global leader in data security. Our customers include leading enterprises, government
                               organizations, and managed service providers who rely on Imperva to prevent sensitive data theft by hackers
                               and insiders. The award-winning Imperva SecureSphere is the only solution that delivers full activity monitoring
                               for databases, Web applications and file systems.
                               To learn more about Imperva’s solution visit http://www.imperva.com.




  Imperva
  Headquarters
  3400 Bridge Parkway, Suite 200
  Redwood Shores, CA 94065
  Tel: +1-650-345-9000
  Fax: +1-650-345-9004

  Toll Free (U.S. only): +1-866-926-4678
  www.imperva.com

  © Copyright 2010, Imperva
  All rights reserved. Imperva, SecureSphere, and "Protecting the Data That Drives Business" are registered trademarks of Imperva.
  All other brand or product names are trademarks or registered trademarks of their respective holders. #WP-BC-DATA-SECURITY-1010rev1

Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
 

Último

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Último (20)

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 

The Business Case for Data Security

  • 1. White Paper (Business Case): The Business Case for Data Security

    The growing costs of security breaches and manual compliance efforts have given rise to new data security solutions specifically designed to prevent data breaches and deliver automated compliance.

    This paper examines the drivers for adopting a strategic approach to data security, compares and contrasts current approaches, and presents the Return on Security Investment (ROSI) of viable data security solutions.

    “With the growing threats to applications and data, from large-scale, automated Web attacks to insider malfeasance, proactive data security has become mandatory.”
  • 2. Executive Summary

    Large-scale application attacks, targeted insider threats, and a swelling raft of regulations are compelling organizations to adopt a new defense: data security. In this paper, we will address three key business questions:

    1) What are the risks and regulatory drivers for data security?
    We take a close look at today’s security and compliance landscape, current data security challenges, and the auditing and reporting requirements in leading data privacy and data governance regulations. We conclude that data security should be an executive focus, when businesses consider the devastating impact of data breaches and the rising costs of regulatory compliance.

    2) What are the alternative approaches to achieving data security?
    We contrast Imperva’s holistic data security approach with other approaches, including “do it yourself” projects, use of data security features within event management and application delivery products, and loosely integrated data governance solutions. It is our contention that only a comprehensive and intelligent platform can deliver the right level of security and control that is essential for effective data security.

    3) What are the financial benefits of deploying a holistic data security solution like Imperva SecureSphere?
    Based on the analysis offered above, we determined that Imperva SecureSphere offers a cost reduction and cost avoidance benefit of 274% compared to alternative approaches. Calculating the total costs over a five year period, a typical large enterprise would spend $5,487,500 in data breach expenses, manual monitoring, auditing, and reporting costs versus $1,467,850 with Imperva SecureSphere appliances, licenses, maintenance, and operations costs. The cost savings are compelling, demonstrating why data security has moved to the forefront of most organizations’ security strategy.

    Imperva White Paper < 2 >
  • 3. I. Data Security and Compliance: An Evolving Landscape

    Security and compliance are two of the most critical concerns for any organization. Between 2005 and 2010, data breaches have cost organizations billions of dollars and exposed over 500 million sensitive records [1], leaving a litany of lawsuits, sanctions, fines, and lost revenue in their wake. In addition, organizations are subject to increasingly stringent regulatory compliance requirements. A growing number of regulations mandate monitoring and auditing of user activity, application safeguards, and internal controls. To develop a cohesive strategy for security and compliance, organizations must analyze their security risks and compliance needs.

    Financial Impact of Security Incidents

    Data breaches are financially devastating, averaging $6.75 million per incident and $204 per compromised record [2]. Data breaches not only impact organizations, but also affect the tens of millions of individuals who fall victim to identity theft and fraud. Whether due to external attack or insider abuse, data breaches are perhaps the single most damaging security event that an organization can endure. In addition to breaches, organizations must fortify their valuable resources against denial of service, data loss, and data manipulation.

    Hacking and External Threats

    Hacking and external threats are the leading cause of data breaches, accounting for approximately 94% [3] of all compromised records in 2009, according to an in-depth investigation of data breaches. And 92% [3] of compromised records from hacking-related attacks were attributed to Web application attacks. Based on this forensic evidence, if organizations had fortified their Web applications against attack, they could have reduced the total number of known compromised records from over 140 million to roughly 20 million.

    Figure 1: Proportion of Breached Records Due to Hacking by Attack Method [3]
      Web Application: 92%
      Backdoor or Control Channel: 5%
      Remote Access and Control: 2%
      Network File Shares: 1%
      Physical Access: 1%
      Wireless: 1%
      Unknown: 1%

    The rise in Web-related data breaches is due in part to more sophisticated attack techniques. Hackers have become more organized, pooling resources, and delegating responsibilities based on skill set. They are also creating automated capabilities to improve efficiency and scale, building armies of bots – remotely controlled computers – to unleash large-scale, automated attacks [4]. These new methods have made Web application attacks very effective and, unfortunately, very destructive, as is borne out in data breach investigations.

    [1] Privacy Rights Clearinghouse, www.privacyrights.org/500-million-records-breached
    [2] Ponemon Institute, “Cost of a Data Breach,” January 2010
    [3] Verizon Business, “2010 Data Breach Investigations Report”
    [4] Imperva, “Industrialization of Hacking,” 2010
  • 4. The Enemy Inside

    Risks associated with insider threats, ranging from sabotage and fraud to sensitive data theft, have also increased, along with the opportunities for insiders to profit from their illicit activity. Many organizations have overlooked insiders who may access sensitive networks, applications, and data on a daily basis. Privileged users must have access to sensitive data in order to perform their job. Therefore, they can abuse these privileges and gain control of such data more easily and more covertly than external users. It is not surprising, then, that insiders accounted for 48% of all breaches and 3% of all compromised records in 2009 [5].

    Rising Cost of Achieving and Maintaining Regulatory Compliance

    Organizations of all sizes must comply with a raft of regulations designed to bolster security, reduce fraud, and ensure privacy. These regulations were enacted for a variety of reasons: as the result of an extraordinary event, as with the implosions of Enron and Worldcom that led to Sarbanes-Oxley (SOX), or as the evolution of disparate security standards that morphed into the industry-wide and influential Payment Card Industry Data Security Standard (PCI DSS).

    Addressing Multiple Compliance Mandates

    In addition to SOX and PCI, organizations must adhere to a range of other industry and government regulations. Healthcare companies must comply with HIPAA, the HITECH Act, and MAR. Federal institutions must fulfill FISMA, ITAR, EAR, and DISA STIGs requirements. Energy companies must comply with NERC and FERC. Organizations in Europe are governed by Basel II and EU data breach notification laws. The list goes on, as does the amount of auditing and security requirements that organizations must address. On top of these regulations, new regulations are introduced every year, and existing laws change.

    While each regulation defines unique auditing and security requirements, it is possible to distinguish consistent themes across most compliance mandates. Achieving compliance becomes much easier when organizations develop well-defined and repeatable processes that track all user activities, maintain separation of duties, and establish user accountability.

    Demonstrating Compliance

    All regulations require organizations to demonstrate compliance to external auditors and governmental agencies. Organizations must prove that compliance processes are in place. They also have to collect pertinent audit and security data and present it in a clear, understandable format. With these operationally taxing manual processes, it is not surprising that U.S. businesses spend over $2.5 billion on SOX compliance each year [6].

    [5] Verizon Business, “2010 Data Breach Investigations Report”
    [6] AMR Research, “With GRC Spending at an All-Time High, What Happens to SOX?”
  • 5. II. Data Security: Requirements and Alternative Approaches

    Organizations’ data security strategy should focus on the core business drivers of preventing external attacks, mitigating insider abuse, and automating compliance processes. Some of the resulting operational requirements include:

    » Accurate Protection for Business-Critical Applications and Data
      A data security solution should provide comprehensive protection of all critical data assets including Web applications, databases, and files from external attack and insider threats. Because of the complex nature of data-layer threats, a security solution should be able to detect known attack methods, malicious users, deviations from expected user behavior, and correlate multiple event attributes together for pinpoint accuracy.

    » Full Auditing with Separation of Duties
      Since audit trails of user activity have become an essential aspect of compliance, a complete data security solution must be able to audit all access and changes to databases and files. It should ensure audit data integrity and user accountability and identify material variances in user activity. Demonstrating compliance must be achieved through automated reports and analytical tools – the basis for forensic investigations.

    » Low Impact Deployment
      Any solution designed to improve security should not impact application uptime or impose management burden. The solution should meet availability and performance requirements while not introducing operational risks. In addition, it should support centralized management, monitoring, auditing, and reporting to streamline administration for large, distributed deployments.

    Data Security: The Future of Security and Compliance

    To address the full scope of today’s security and compliance requirements, Imperva has created a new technology category, Data Security.

    With Data Security, organizations can mitigate data breach risks and directly satisfy auditing and compliance mandates by implementing one, integrated, best-of-breed security solution. Data Security protects business-sensitive data where it lives, in database and file servers, and how it is accessed, through applications. With data-layer protection, data security solutions can block the attacks that lead to costly data compromises more accurately than any existing technology. It can also monitor users to prevent insider abuse, and audit all activity with unmatched visibility for compliance.

    The Imperva SecureSphere Data Security Suite

    Imperva SecureSphere Data Security Suite encompasses the market-leading SecureSphere Web Application Firewall, and the award-winning SecureSphere Database Security and File Security Solutions. Either deployed alone, or together as one integrated, centrally managed solution, SecureSphere Data Security Solutions offer a powerful defense against hackers and malicious insiders, streamline and automate regulatory compliance, and prioritize and mitigate data risks.
  • 6. SecureSphere Data Security Solutions offer organizations several unique capabilities:

    » Complete, End-to-End Data Protection – SecureSphere protects data where it is stored – in databases and files – and how it is accessed – through applications – and addresses the full Data Security and compliance life cycle.
    » Automated Security – Imperva’s patented Dynamic Profiling automatically learns application and database usage without manual intervention. The unique ThreatRadar service further streamlines security by automatically stopping attacks from known, malicious sources.
    » Full Visibility with Separation of Duties – SecureSphere monitors and audits all database and file activity, including privileged user access, without relying on native auditing capabilities. Interactive audit analytics enable users to analyze, correlate and view activity from any angle.
    » Streamlined User Rights Management – SecureSphere simplifies the process of reviewing and managing user rights across distributed file servers and databases. SecureSphere aggregates access rights, identifies dormant accounts and highlights excessive privileges.
    » Zero-Impact Deployment – SecureSphere offers multiple, transparent deployment options for easy integration into any environment with no impact on existing applications, databases or files.
  • 7. Contrasting Imperva’s Data Security with Alternative Approaches

    To meet security and compliance requirements, organizations may rely on a combination of native logging tools, manual reporting processes, and manual application vulnerability fix and test procedures. The following section investigates various approaches to prevent data breaches and address compliance mandates.

    Security Information and Event Management

    To manage the massive amounts of data collected, some organizations have turned to Security Information and Event Management (SIEM) solutions. SIEMs aggregate log data across multiple servers and devices, correlate events to identify anomalies, and streamline compliance reporting. However, SIEMs that rely on native logging for audit data present the following challenges:

    » Complex configuration of native database and file server logging utilities by DBAs and IT Administrators
    » No separation of duties, as logging policies and audit trails can be manipulated by the users that should be audited
    » Significant degradation of database and file server performance

    In addition, SIEMs, as cross-product security event aggregators, do not provide in-depth analysis or purpose-built reports for database and file activity, and cannot prevent unauthorized access or monitor activity in real-time.

    Data Governance and Information Management

    Information Management vendors offer a broad spectrum of solutions for data management and governance. This breadth enables organizations to use one supplier to address multiple data security and data management requirements. However, such an approach often increases the cost, complexity, and duration of data security and compliance projects. Broad-scale, non-specialized information management vendors may turn relatively simple auditing projects into multi-year, company-wide consulting engagements.

    In addition, while broadening project scope, information management vendors often fall short in terms of addressing all necessary auditing and compliance requirements. For example, an information management vendor may be able to secure database data, but not files or applications. Organizations should assess their current and future security requirements and determine if such a solution is aligned with project goals and will address monitoring and security objectives within a desired timeframe and budget.

    Integrated Application Delivery and Security

    One approach to achieve Web application attack protection is to combine a Web Application Firewall with a load balancer for combined application delivery and security. Such an approach can consolidate multiple functions onto a single hardware platform. However, adding Web application security to existing application delivery controllers (ADCs) can have a number of unexpected consequences, including drastically degrading ADC performance and impacting the stability of mission-critical networking equipment. Most importantly, ADCs only tackle one aspect of data security: application protection. They cannot monitor or protect application data stored in databases, nor can they secure unstructured data in files.

    Manual Vulnerability Management

    Most organizations invest considerable effort to ensure that Web applications, databases, and file servers do not contain vulnerabilities. Web developers must allocate time and resources to ensure that applications are written according to secure coding best practices. IT administrators and DBAs must deploy vendor-supplied patches into key applications and databases. Security personnel must test applications and servers for weaknesses and then fix any discovered vulnerabilities.
  • 8. However, while an essential aspect of any data security strategy, manual vulnerability patch processes:

    » Burden developers and administrators with disruptive fix and test cycles (“fire drills”)
    » Can expose organizations to attack for weeks or months while vulnerabilities are being fixed

    Based on extensive research, fixing a single Web application vulnerability takes on average between two and four months [7]. With 83% of Websites having had serious vulnerabilities, relying on manual fix and test processes is not sufficient. The length of time to apply database security patches is even longer, often exceeding three months after a patch is released [8]. Unfortunately, attackers will not wait for weeks or months to unleash online attacks. Organizations should evaluate solutions that can virtually patch vulnerabilities to eliminate this window of exposure and reduce the costs associated with emergency fix and test cycles.

    Approaches to Data Security
    [Comparison table; the per-cell check marks are not preserved.]
    Columns: SecureSphere Data Security Suite; Native Logging and SIEM; Data Governance and Information Management; Application Delivery and Security; Manual Vulnerability Management
    Security rows: Purpose-Built Platform; End-to-End coverage of all data assets; Proactive Policy Enforcement; Instant Vulnerability Mitigation
    Compliance rows: Compliance Automation; Separation of Duties; User Accountability
    Deployment rows: Rapid Time-to-Value; No impact on systems and business processes
  • 9. III. Return on Security Investment (ROSI) with Imperva SecureSphere [9]

    The SecureSphere Data Security Suite is designed from the ground up to meet all aspects of security and compliance for business-critical applications and data. SecureSphere provides conclusive cost-savings by offloading operationally-expensive logging from database and file servers and by driving down manual compliance reporting costs. More importantly, SecureSphere offers return on security investment (ROSI) by drastically reducing the risk and impact of a devastating data breach.

    In order to quantify the cost savings provided by Imperva, we compared the cost of implementing SecureSphere versus the cost of “doing nothing” and the subsequent expenses created by a data breach or manual auditing and reporting processes. The following table shows our assumptions. The number of protected records is an estimate for a medium size company, but this number will vary widely and should be adjusted according to the individual business profile. The average number of records lost in a data breach is extrapolated from results of the Ponemon Institute “2009 Cost of a Data Breach” report. The probability of a data breach is estimated at 5%.

    Basic Assumptions | Value [10]
    Number of Protected Records | 100,000
    Average Number of Records Lost in a Data Breach | 33,088
    Probability of a Data Breach | 5%
    Annual Cost of a Full Time DBA or IT Security Administrator (in USD) | $110,000

    Reducing the Financial Impact of a Data Breach

    Data breaches are costly, averaging $6.75 million per incident [11]. The expenses mount as organizations are forced to investigate breaches to assess affected records, notify customers, and pay legal fees and fines. However, the single highest cost is lost business, accounting for nearly half of the total financial impact of a breach.

    Statistics show 98% of compromised records originated from servers [12], predominantly Web application, database, and file servers. A dedicated data security solution could lower the cost of a data breach by accurately identifying the scope of the breach or preventing the breach from ever occurring. SecureSphere Database Activity Monitoring and File Activity Monitoring can audit every access to sensitive data and quickly identify the individual records that were compromised. Without this independent and tamper-proof audit trail, organizations often have to assume the worst and notify all potential victims – even if only a fraction of that data was accessed by a perpetrator. An Activity Monitoring solution can drastically reduce the extent of a data breach, by an estimated two thirds. A proactive defense such as a Web Application Firewall, Database Firewall and File Firewall can block attacks, avoiding the breach altogether for almost all application-related breaches. The following table shows the costs of a data breach with and without a data security solution.

    [9] In our opinion, the only viable alternative approach that fully addresses data security requirements is manual compliance and vulnerability mitigation. The ROSI calculation therefore compares Imperva to a manual approach.
    [10] These numbers vary between organizations. They represent a typical number for a medium-to-large enterprise.
    [11] Ponemon Institute, “Cost of a Data Breach,” January 2010
    [12] Verizon Business, “2010 Data Breach Investigations Report”
  • 10. Impact of a Data Breach Due to Web, Database and File Security Threats

    Item | Without SecureSphere | SecureSphere Database and File Activity Monitoring [13] | SecureSphere Web, Database, File Firewall [14]
    Number of Suspected Compromised Records | 33,088 | 33,088 | 0
    Number of Confirmed Compromised Records | Not available | 11,029 | 0
    Consulting Services and Investigation Costs | $1,350,000 | $225,000 | 0
    Notification Costs | $742,000 | $247,000 | 0
    Legal Costs | $1,147,000 | $382,000 | 0
    Identity Protection and Other Services | $202,000 | $67,000 | 0
    Lost Business and Related Costs | $3,307,000 | $1,102,000 | 0
    Cost of a Data Breach | $6,750,000 | $2,023,000 | 0

    Vulnerability Remediation Efforts

    In addition to reducing the likelihood of an expensive data breach, a dedicated data security solution can also cut vulnerability remediation costs. First, Imperva SecureSphere can virtually patch application and database vulnerabilities, thereby eliminating disruptive emergency fix and test cycles. Vulnerabilities can be fixed as part of regular development schedules, which is significantly less expensive than fixing vulnerabilities in production. Second, SecureSphere typically allows organizations to delay minor patch updates until a cumulative patch is available or a new software version is released. This provides organizations considerable cost savings compared to the expense of developing, testing, staging, and implementing software patches. The following table compares the labor costs of remediating Web application and server vulnerabilities for an organization with 10 online applications, 15 Web servers, and 5 database servers.

    Annual Vulnerability Remediation Labor Costs | Without SecureSphere | With SecureSphere
    Emergency Fix and Test of Custom Vulnerabilities | $120,000 | $0
    Custom Vulnerability Fixes in Scheduled Releases | $0 | $19,200
    Operating System Patches | $25,000 | $12,500
    Web Server Patches | $25,000 | $12,500
    Database Server Patches | $12,500 | $6,250
    Total | $182,500 | $50,450

    [13] SecureSphere Database and File Activity Monitoring offer auditing but no access control.
    [14] When SecureSphere is implemented in “Firewall” mode, the risk of a Web, Database or File data breach is immeasurable. While auditing can reduce the impact of a breach by identifying actual compromised records, when SecureSphere is deployed inline, it can proactively prevent attacks from occurring.
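The figures in the Basic Assumptions, breach impact and remediation tables can be cross-checked mechanically before they are reused in a budget case. The Python below is an added example, not part of the Imperva white paper: the function names are hypothetical, the dollar values are copied from the tables, and the ROSI formula is an inference that reproduces the executive summary's 274% rather than a formula the paper states.

```python
# Added example: cross-checks the white paper's cost tables and ROSI figure.
# Dollar values are copied from the page; all names here are hypothetical.

BREACH_PROBABILITY_PCT = 5  # "Probability of a Data Breach" (Basic Assumptions)

ROWS = (
    "Consulting Services and Investigation Costs",
    "Notification Costs",
    "Legal Costs",
    "Identity Protection and Other Services",
    "Lost Business and Related Costs",
)

# Per-breach cost rows (USD) for each column of the breach impact table.
BREACH_COMPONENTS = {
    "without": dict(zip(ROWS, (1_350_000, 742_000, 1_147_000, 202_000, 3_307_000))),
    "activity_monitoring": dict(zip(ROWS, (225_000, 247_000, 382_000, 67_000, 1_102_000))),
    "firewall": dict(zip(ROWS, (0, 0, 0, 0, 0))),
}
STATED_BREACH_TOTAL = {"without": 6_750_000, "activity_monitoring": 2_023_000, "firewall": 0}

# Annual vulnerability remediation labor rows (USD) and the stated totals.
REMEDIATION_ROWS = {
    "without": (120_000, 0, 25_000, 25_000, 12_500),
    "with": (0, 19_200, 12_500, 12_500, 6_250),
}
STATED_REMEDIATION_TOTAL = {"without": 182_500, "with": 50_450}


def breach_total_gaps():
    """Stated 'Cost of a Data Breach' minus the sum of its rows, per column."""
    return {col: STATED_BREACH_TOTAL[col] - sum(rows.values())
            for col, rows in BREACH_COMPONENTS.items()}


def remediation_total_gaps():
    """Stated remediation total minus the sum of its rows, per column."""
    return {col: STATED_REMEDIATION_TOTAL[col] - sum(rows)
            for col, rows in REMEDIATION_ROWS.items()}


def rows_off_expected_ratio(expected=1 / 3, tolerance=0.01):
    """Rows whose monitoring/without ratio departs from the stated reduction.

    The page estimates that activity monitoring cuts the extent of a breach
    by two thirds, so each cost row should shrink to about one third.
    """
    base = BREACH_COMPONENTS["without"]
    monitored = BREACH_COMPONENTS["activity_monitoring"]
    return [row for row in ROWS
            if abs(monitored[row] / base[row] - expected) > tolerance]


def annual_loss_expectancy(column):
    """Expected yearly breach loss: probability x stated per-breach cost."""
    return STATED_BREACH_TOTAL[column] * BREACH_PROBABILITY_PCT / 100


def annual_exposure(column):
    """ALE plus remediation labor. Partial by design: audit labor and
    product costs are excluded, and only the two columns that have a
    matching remediation column are supported (an assumption of this sketch).
    """
    remediation_column = {"without": "without", "firewall": "with"}[column]
    return annual_loss_expectancy(column) + STATED_REMEDIATION_TOTAL[remediation_column]


def rosi_percent(cost_without, cost_with):
    """(cost without - cost with) / cost with, as a rounded percentage.

    Inferred formula: it reproduces the 274% quoted in the executive summary.
    """
    return round((cost_without - cost_with) / cost_with * 100)


if __name__ == "__main__":
    print("breach total gaps:", breach_total_gaps())
    print("remediation total gaps:", remediation_total_gaps())
    print("rows not at one third:", rows_off_expected_ratio())
    for column in ("without", "activity_monitoring", "firewall"):
        print(column, "ALE:", annual_loss_expectancy(column))
    print("annual exposure without:", annual_exposure("without"))
    print("annual exposure firewall:", annual_exposure("firewall"))
    print("ROSI %:", rosi_percent(5_487_500, 1_467_850))
```

Run on the page's numbers, the check shows that the "Without SecureSphere" rows sum to $6,748,000 against the stated $6,750,000, and that the consulting and investigation row falls to one sixth rather than one third.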
  • 11. The Business Case for Data Security

Labor Costs of Auditing and Reporting

While both databases and file servers offer native logging capabilities, managing and maintaining audit log files can be an expensive proposition. Database or IT administrators must determine what activity to audit, create log rules, and then sort through reams of log messages to find materially relevant information for reports. Raw data must be arranged into a presentable format for auditors. Organizations must also develop in-house tools to prevent unauthorized access or manipulation of log data for separation of duties.

Native tools only address one aspect of the data security and compliance lifecycle. They cannot locate sensitive data on the network, test databases for vulnerabilities, or patch these vulnerabilities. Organizations that use native audit tools must also account for the costs of manually discovering and classifying sensitive data – two requirements either implied or explicitly spelled out in many compliance regulations.

Furthermore, many regulations require that organizations limit user access rights to business need-to-know and remove dormant accounts. For large enterprises, managing database and file access rights for thousands of users can be an overwhelming task, leading many administrators to grant excessive privileges.

A dedicated data security solution such as SecureSphere can eliminate manual administrative tasks, automate auditing and compliance reporting, and dramatically improve the overall security posture of the organization. The following table compares the number of full-time employees required to meet database and file security compliance requirements, with and without a data security solution.

| Task | Without SecureSphere: labor costs for initial setup | Without SecureSphere: labor costs for ongoing maintenance | With SecureSphere: labor costs for initial setup | With SecureSphere: labor costs for ongoing maintenance |
|---|---|---|---|---|
| Discovery | $55,000 | $55,000 | $11,000 | $11,000 |
| Classification and Assessment | $55,000 | $55,000 | $11,000 | $11,000 |
| Managing User Rights to Databases and Files | $110,000 | $110,000 | $55,000 | $11,000 |
| Enablement of Auditing | $27,500 | $27,500 | $11,000 | $1,100 |
| Writing and Maintaining Custom Scripts | $165,000 | $55,000 | $11,000 | $11,000 |
| Creating Custom Reports | $110,000 | $55,000 | $27,500 | $11,000 |
| Implementation of Workflow and Business Processes | $110,000 | $55,000 | $11,000 | $11,000 |
| Total | $687,500 | $412,500 | $137,500 | $67,100 |

Software and Hardware Investment for SecureSphere Versus Native Auditing

In addition to comparing the labor expenses of security and compliance, businesses must also analyze the hardware and software investment. With SecureSphere, the costs are relatively straightforward: the price of the SecureSphere Data Security Suite, which includes the price of the Web Application Firewall, Database Firewall and File Firewall, plus the MX Management Server.

If organizations opt for native logging, then they will need to purchase additional hardware and software licenses to maintain previous performance levels. This is because full logging of all activity can degrade server performance by approximately 30 - 50%. The table below compares the infrastructure costs incurred by using native logging tools versus deploying the SecureSphere Data Security Suite.
  • 12. The Business Case for Data Security

| | Without SecureSphere | With SecureSphere |
|---|---|---|
| Additional Database and File Server Hardware | $50,000.00 | $0.00 |
| Additional Database and File Server Software | $200,000.00 | $0.00 |
| SecureSphere Data Security Suite and MX Management Server | $0.00 | $73,600.00 |
| Annual Support and Maintenance Fees | $40,000.00 | $14,720.00 |
| Hardware and Software Administration Costs | $20,000.00 | $20,000.00 |
| Total | $310,000.00 | $108,320.00 |

Total Return on Security Investment

Because security and compliance must be addressed holistically, the following table compares the total hardware, software, and management costs of the SecureSphere Data Security Suite to native logging and manual compliance processes. In addition, a Return on Security Investment (ROSI) calculation must factor in the cost and risk of a data security breach. The following table combines the data from the above tables to provide the return on investment of the SecureSphere Data Security Suite versus no dedicated Web application, database, or file security.

| Without SecureSphere | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 |
|---|---|---|---|---|---|
| Vulnerability Remediation Costs | $182,500 | $182,500 | $182,500 | $182,500 | $182,500 |
| Auditing and Compliance Costs | $687,500 | $412,500 | $412,500 | $412,500 | $412,500 |
| Hardware and Software Costs | $310,000 | $60,000 | $60,000 | $60,000 | $60,000 |
| Data Breach Cost = Probability x Impact | $337,500 | $337,500 | $337,500 | $337,500 | $337,500 |
| Total Cost without SecureSphere | $1,517,500 | $992,500 | $992,500 | $992,500 | $992,500 |

| SecureSphere Costs and Risk Posture | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 |
|---|---|---|---|---|---|
| Vulnerability Remediation Costs | $50,450 | $50,450 | $50,450 | $50,450 | $50,450 |
| Auditing and Compliance Costs | $137,500 | $67,100 | $67,100 | $67,100 | $67,100 |
| Hardware and Software Costs | $108,320 | $34,720 | $34,720 | $34,720 | $34,720 |
| Data Breach Cost = Probability x Impact | $112,500 | $112,500 | $112,500 | $112,500 | $112,500 |
| Total Costs with SecureSphere | $408,770 | $264,770 | $264,770 | $264,770 | $264,770 |

| Result | Value |
|---|---|
| Cost Savings with SecureSphere | $4,019,650 |
| ROSI with SecureSphere | 274% |
| Investment Based Discount Rate | 10% |
| NPV (Net Present Value) | $3,654,227 |

The total infrastructure, labor, and data breach costs of the SecureSphere Data Security Suite over five years totaled $1.47 million, compared to $5.49 million for native logging, manual compliance processes and no proactive Web, database or file security protection.

Note that the projected data breach cost savings for SecureSphere were conservative, assuming only the cost savings associated with monitoring traffic and pinpointing individual breached records. With 98% of breached records originating from servers, the SecureSphere Data Security Suite, with an integrated Web Application Firewall, should be able to prevent most data breaches from ever occurring.
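The arithmetic behind the ROSI table can be checked from the printed figures. The following is an added example, not part of the white paper: it recomputes the yearly totals, five-year savings and ROSI, and sets the printed NPV beside a per-year discounted one; the function names and the end-of-year discounting convention are assumptions.

```python
# Added example: figures are copied from the white paper's tables; function
# names and the per-year NPV convention are assumptions of this sketch.

YEARS = 5

# Annual costs in USD as (year 1, each of years 2-5), from the tables above.
WITHOUT = {
    "vulnerability_remediation": (182_500, 182_500),
    "auditing_and_compliance": (687_500, 412_500),
    "hardware_and_software": (310_000, 60_000),
    "data_breach_expected_cost": (337_500, 337_500),  # probability x impact
}
WITH = {
    "vulnerability_remediation": (50_450, 50_450),
    "auditing_and_compliance": (137_500, 67_100),
    "hardware_and_software": (108_320, 34_720),
    "data_breach_expected_cost": (112_500, 112_500),
}

def yearly_totals(costs, years=YEARS):
    """Total cost per year: first-year figures, then the recurring figures."""
    first = sum(y1 for y1, _ in costs.values())
    recurring = sum(rec for _, rec in costs.values())
    return [first] + [recurring] * (years - 1)

def yearly_savings():
    """Per-year difference between the two scenarios."""
    return [a - b for a, b in zip(yearly_totals(WITHOUT), yearly_totals(WITH))]

def rosi():
    """ROSI as printed: five-year savings over five-year cost with the product."""
    return sum(yearly_savings()) / sum(yearly_totals(WITH))

def npv(cash_flows, rate):
    """Conventional NPV: the flow of year t is discounted by (1 + rate) ** t."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cash_flows, start=1))

if __name__ == "__main__":
    savings = yearly_savings()
    print("totals without:", yearly_totals(WITHOUT))
    print("totals with:   ", yearly_totals(WITH))
    print("five-year savings:", sum(savings))
    print(f"ROSI: {rosi():.0%}")
    print(f"NPV, per-year discounting at 10%: {npv(savings, 0.10):,.0f}")
    # Observation from the arithmetic, not a statement in the paper: the
    # printed NPV matches the whole five-year savings discounted once.
    print(f"five-year savings / 1.10: {sum(savings) / 1.10:,.0f}")
```

Changing the breach probability or impact inputs in the two dictionaries shows how sensitive the ROSI figure is to the expected-loss assumption.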
  • 13. White Paper

Summary

With the growing threats to applications and data, from large-scale, automated Web attacks to insider malfeasance, proactive data security has become mandatory. Besides protecting critical assets, a host of regulations have spurred the need to audit activity and streamline compliance processes. Unfortunately existing security solutions cannot effectively stop data security attacks or address security and compliance concerns holistically.

A dedicated Data Security solution like Imperva SecureSphere not only satisfies today’s security and compliance requirements, it also offers a return on investment of 274% compared to not using a data security solution at all. When compared to alternative solutions, Imperva SecureSphere is the only sensible and effective choice to secure sensitive applications and data. With SecureSphere, organizations can:

» Protect applications, databases, and files from internal and external threats
» Lower the cost of auditing while implementing separation of duties
» Automate compliance reporting
» Virtually patch application and database vulnerabilities

With its indisputable value, it is not surprising that Imperva has become the market leader for Web, database, and file monitoring and protection. Trusted by thousands of leading organizations around the world, Imperva SecureSphere is the practical, cost-effective solution for Data Security.

About Imperva

Imperva is the global leader in data security. Our customers include leading enterprises, government organizations, and managed service providers who rely on Imperva to prevent sensitive data theft by hackers and insiders. The award-winning Imperva SecureSphere is the only solution that delivers full activity monitoring for databases, Web applications and file systems. To learn more about Imperva’s solution visit http://www.imperva.com.

Imperva Headquarters
3400 Bridge Parkway, Suite 200
Redwood Shores, CA 94065
Tel: +1-650-345-9000
Fax: +1-650-345-9004
Toll Free (U.S. only): +1-866-926-4678
www.imperva.com

© Copyright 2010, Imperva. All rights reserved. Imperva, SecureSphere, and "Protecting the Data That Drives Business" are registered trademarks of Imperva. All other brand or product names are trademarks or registered trademarks of their respective holders. #WP-BC-DATA-SECURITY-1010rev1