Detecting and Remediating PII at Rest: Lessons Learned
PowerPoint PPT presentation transcript (Slides: 13; Provided by: mklo)

Transcript and Presenter's Notes
1
Detecting and Remediating PII at Rest
Lessons Learned
Bill Puig, CISSP, PMP
(212) 552-1589
wpuig_at_comcast.net
2
Just what is Personally Identifiable Information?
  • PII is any piece of information that can
    potentially be used to uniquely identify,
    contact, or locate an individual.
  • Various U.S. Federal regulations govern the
    collection, use and securing of PII, in order to
    guard against its misuse. These include
    • The Gramm-Leach-Bliley Act (GLBA)
    • The Sarbanes-Oxley Act (SarbOx, or SOX)
    • The Health Insurance Portability and
      Accountability Act (HIPAA)

Examples of PII (a non-exhaustive list)
  • Full name (if not common)
  • National identification number (e.g., U.S. Social
    Security number)
  • Credit card numbers
  • Date of birth
  • Telephone number
  • Street address
  • E-mail address
  • Vehicle registration plate number
  • Driver's license number
  • Face, fingerprints, or handwriting

3
Within the virtual environment, data may be at
rest, in flight, or available at enterprise
endpoints. PII controls must address all three.
[Diagram: Virtual Enterprise, showing Data at Rest,
Data in Flight, and Data at the Endpoint]
4
Dealing with Data at Rest poses unique challenges
  • You may have lots of it, depending on
    • The nature of your business
    • Regulatory requirements that govern your business
    • Organizational processes and culture
  • Containers are not necessarily mutually
    exclusive, and may be distributed across
    disparate platforms

5
Like any large program, Data at Rest should be
addressed in digestible chunks
  • Understand what you have by categorizing it
    across multiple dimensions
  • Define and prioritize your management approach,
    according to
    • Which data categories pose the greatest risk
    • Which categories can be addressed quickly and
      cheaply
  • Execute your approach, via the appropriate
    processes and technology
  • Implement controls to manage your data going
    forward

A few Case Studies are discussed on the following
pages
6
Case Study: Applications
7
Case Study: Lotus Notes Databases
8
Case Study: Intranet Web Sites
9
Case Study: Shared Disk Storage
10
A wide range of vendor solutions addressing PII
at Rest have emerged in the marketplace
The good news
  • Most vendors are lean and hungry, and willing
    to be responsive to clients in order to build
    their businesses
  • Some vendors are establishing good track records,
    and building strong user communities

BUT
  • Some companies are new and small, and the support
    they offer may thus be limited
  • Some solution components may not be ready for
    prime time or may still be on the drawing board

Know your requirements and look before you leap!
11
If needed, homegrown technology solutions can be
crafted quickly to meet specific needs
Many high-level programming languages, including
Java and Perl, offer regular-expression based
pattern matching capabilities. These can be
leveraged by skilled programmers to build tools
to scan Web sites and disk drives for some common
types of PII.
Considerations
  • Scalability
  • Performance
  • Scan accuracy (minimizing false positives)
  • Portability across platforms
  • Ongoing maintenance
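A homegrown scanner of the kind this slide describes, written here as an added example (not the presenter's code, and in Python rather than the Java or Perl the slide names; the regex approach is the same). It addresses the "scan accuracy" consideration directly: SSN-shaped strings are checked against the issuance rules (area 000, 666 or 900+ and zero group/serial are never issued), card-number candidates must pass the Luhn checksum, and every reported value is masked so the scan report does not itself become PII at rest. The `SAMPLE` text, the file path under the temporary directory, and the helper names (`scan_text`, `scan_tree`, `demo`) are constructed for this illustration.

```python
"""Regex-based PII-at-rest scanner (added example; not the presenter's code).

Same idea as the slide's Java/Perl tools: regular expressions find candidates,
validity checks (SSN issuance rules, Luhn on card numbers) drop false positives,
and findings are redacted before they reach a report.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List

# Candidate patterns; deliberately loose, the validators below tighten them.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")  # 13-16 digits, optional separators
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # masked value, safe to place in a scan report


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped strings that are never issued (area 000/666/900+, zero group/serial)."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for real card numbers, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact(value: str, keep: int = 4) -> str:
    """Mask every alphanumeric except the last `keep` characters."""
    head, tail = value[:-keep], value[-keep:]
    return re.sub(r"[A-Za-z0-9]", "*", head) + tail


def scan_text(text: str, path: str = "<memory>") -> List[Finding]:
    """Scan one document's text; only validated candidates become findings."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            if is_plausible_ssn(*m.groups()):
                findings.append(Finding(path, line_no, "SSN", redact(m.group(0))))
        for m in CARD_RE.finditer(line):
            if luhn_ok(re.sub(r"\D", "", m.group(0))):
                findings.append(Finding(path, line_no, "CARD", redact(m.group(0))))
        for m in EMAIL_RE.finditer(line):
            findings.append(Finding(path, line_no, "EMAIL", redact(m.group(0))))
    return findings


def scan_tree(root: str, max_bytes: int = 4 * 1024 * 1024) -> List[Finding]:
    """Walk a directory tree; cap bytes read per file so one huge file cannot stall the scan."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(fh.read(max_bytes), path))
            except OSError:
                continue  # unreadable file: skip it and keep scanning
    return findings


# Constructed sample content (not real data); 4111... is the well-known Visa test number.
SAMPLE = """Customer record: SSN 123-45-6789, card 4111 1111 1111 1111
Invalid SSN 000-12-3456 should be skipped
Order id 1234-5678-9012-3456 is not a Luhn-valid card
Contact: jane.doe@example.com
"""


def demo() -> List[Finding]:
    """Write SAMPLE into a temporary share-like tree, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "share", "hr"))
        with open(os.path.join(tmp, "share", "hr", "export.txt"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.kind:5} {os.path.basename(f.path)}:{f.line_no}  {f.redacted}")
```

Running the block reports three findings (the SSN and card on line 1, the e-mail on line 4) and drops the two decoys; extending it to the other considerations on the slide (a worker pool for scalability, a plug-in list of patterns per platform) leaves `scan_text` unchanged.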

12
Summary
Dealing with PII at Rest requires a combination
of technology and process
  • Technology
    • to expedite effective, accurate solutions
  • Process
    • to understand the depth and breadth of your PII
      issues
    • to prioritize actions to address those issues
    • to identify and implement workable,
      sustainable solutions