During the 15th Assises de la Sécurité, the CISOs of Areva, LVMH, EDF and Louis Vuitton shared their experience of meeting the new challenges posed by cloud or mobility.
It's a fact: with the rise of cloud and mobile devices, the data of the information system has become scattered. The image has been well known for several years: the information system now looks less like a castle than an aircraft carrier. How do CISOs face this new challenge, which seems to complicate their mission considerably? This was the theme discussed at a workshop organized by the Cesin during the 15th Assises de la Sécurité, which ended this October 2nd. The CISOs of several major French companies came to share their views and experience in high-level exchanges moderated by Mylène Jarossay, CISO of the LVMH group.
The scene is quickly set. "The first challenge is to know where the data resides, and that is becoming more complex as it may be processed by the business or stored by providers," notes Olivier Ligneul, CISO of the EDF Group. "It is true that it is sometimes difficult to know exactly, because you can buy a service based on a data center which itself relies on a subcontractor for data management. All of this is sometimes accompanied by a lack of traceability. And it is not always clear that the initial rules of the contract with the service provider are followed by its subcontractor," adds Fabrice Bru, CISO at Louis Vuitton Malletier.
This is what drives Bernard Cardebat, CISO of the Areva Group, to admit that it is "probably futile to try to protect everything, because while part of the information can be controlled, some is more fleeting." He suggests that it is more realistic to adopt several levels of security and adapt the protection accordingly.
The data remanence problem
The new context brings another problem. "How do we prevent data remanence? Information today is a bit like a diamond: it never dies. Before, we were concerned above all with protecting the data, but now we want to destroy it, and it is true that it has to be tracked down," observes Olivier Ligneul. "It is a problem that is all the more difficult," he continues, "because this data lives and changes. A piece of data that, at its inception, did not seem dangerous can now, with big data, take on more meaning and see its value change."
So what do these security officials advise? Bernard Cardebat recalls that "regardless of the information system, there are invariants, first of all the data owner, the one who generated the data. The level of risk to take, however, is the one that is first judged acceptable by the data owner. Protection will therefore depend on maturity. And a manager should know how to require contracts ensuring adequate protection. In this context, the CISO must beat time."
From prevention to detection
As for the very relative effectiveness of DLP solutions (data loss prevention and data leakage prevention), Olivier Ligneul admits that "the precautionary approach may be appealing, but in reality, when information is dispersed, we are going from prevention to detection, or one might say from 'DLP' to 'DLD', for Data Loss Detection." And to stop a leak, this after-the-fact finding "must be done as quickly as possible," maintains Fabrice Bru.
"Scattering the data also means not putting all your eggs in one basket"
Finally, two areas for improvement, expressed as wishes, were discussed by these security officials. The first is addressed to software vendors: ensuring that applications detect and report anomalies or feared events by themselves. The second, more utopian, aims to turn end users into advanced sensors of the malfunctions they witness. "They must have the reflex to report them. To react faster, we must accept a higher rate of false positives," said Bernard Cardebat. According to him, one cannot do without these sensors. "We must try to convert users to be more vigilant," he recommends.
Still, as Mylène Jarossay concluded, dispersing data also means not putting all your eggs in one basket. This is also an opportunity in terms of security. "Dispersion makes it possible to dilute the risks," admits Fabrice Bru, adding that "the cloud also ensures an SLA that many internal teams would have trouble reaching." The cloud also allows him to "greatly accelerate projects," and so sometimes "to give his group a significant competitive edge."