Data Protection Security School

The Data Protection Security School will help infosec professionals formulate a comprehensive strategy and pinpoint technologies that can help them secure sensitive information throughout the network -- including data in motion and data at rest. We are always looking for ideas for future lessons in our Data Protection Security School. Contact us if you have feedback on this school or ideas for future content.

Table of contents:

Security visibility: Honestly assessing security posture

Aaron Turner, N4Struct
In this lesson, learn how to gain the clearest visibility into the state of your company’s information security efforts, including how to make the most of your SIM, log management, network monitoring, GRC and penetration testing tools and services to provide a centralized collection of intelligence you can use to evaluate your company’s state of security.

About the author:
Aaron Turner is the co-founder of N4Struct, an information security consultancy focused on helping organizations identify how to solve some of the toughest industrial espionage cases.

Locking down database applications

Andreas Antonopoulos
In this lesson, learn how to secure database apps by building roles and privileges and monitoring access to prevent insider abuse, plus satisfy regulators by properly segregating duties and limiting application access to sensitive database data.

About the author:
Andreas M. Antonopoulos is a Senior Vice President and Founding Partner with Nemertes Research.

How to build secure applications

Diana Kelley, Security Curve
In this Data Protection Security School lesson, learn how to build security into the software development lifecycle, implement a practical, efficient change management system and test your applications using a black-box or white-box technique.

About the author:
Diana Kelley is a partner with Amherst, N.H.-based consulting firm SecurityCurve. This lesson also features special guest contributor Ed Moyle, a partner with SecurityCurve.

Network Content Monitoring

Technologies that monitor how data moves in and out of organizations are rapidly intersecting. Data loss prevention, digital rights management and database activity monitoring, just to mention a few, all have overlapping functions and purposes not only to secure data but to help organizations with their compliance mandates. In this security school, you’ll learn about these intersections and how to best prioritize and strategize for your data protection investments.

About the expert:
Mike Chapple is an IT security professional with the University of Notre Dame and a technical editor for

Mitigating Web 2.0 threats

David Sherry, Brown University
As companies look to cut costs, Software as a Service has gained ground in the enterprise. Similarly, social networking sites like Facebook and LinkedIn are must-haves in today's workplace. David Sherry reviews how to secure these services and defend against a variety of Web 2.0 threats.

About the author:
David Sherry is chief information security officer at Brown University.

Watching the watchers

Andreas Antonopoulos
In this Data Protection Security School lesson, expert Andreas explores how to monitor the activities of your most trusted insiders with a combination of policy, process and technology to keep unauthorized access and data loss to a minimum.

About the author:
Andreas M. Antonopoulos is a senior vice president and founding partner with Nemertes Research.

Database defenses for a new era of threats

Rich Mogull, Securosis
All too often, precious corporate databases containing customer records and other sensitive data are forgotten or ignored. This lesson offers an overview of the basic tools needed to secure a company's databases against today's emerging and most dangerous threats.

About the author:
Rich Mogull is the founder of Securosis LLC, an independent security research firm and consulting practice.

Executing a data governance strategy

Russell L. Jones, Deloitte & Touche
Today data is siloed in many applications and databases with no documentation on how trusted it is and the relationships among applications that capture and use data. In this lesson, learn how you can remedy these issues with a mature data governance strategy.

About the author:
Russell L. Jones is part of the Security & Privacy Services team with Deloitte & Touche.

Preventing data leaks

Richard Bejtlich
Today's most devastating security breaches often originate from within. In some cases, insiders accidentally or inadvertently leak confidential or proprietary IP. This lesson identifies "must have" data loss prevention policies, processes and technologies for combating this growing threat.

About the author:
Richard Bejtlich is founder of consultancy Tao Security.

Enterprise strategies for protecting data at rest

Perry Carpenter
Many of today's data security breaches can be attributed to lost data. While security pros often focus on network soft spots, storage and e-discovery practices are often overlooked. This lesson will outline e-discovery services and how to ensure successful storage-security teamwork.

About the author:
Perry Carpenter is a security practitioner for a major telco firm.

Realigning your data protection priorities

In this Security School lesson, expert David Sherry explains how your organization should react to the shift of organized online criminals from coveting credit card numbers to identity information and how to re-prioritize your efforts in protecting your organization.

About the author:
David Sherry is chief information security officer at Brown University.

E-discovery and security in the enterprise

The new Federal Rules of Civil Procedure now allow a judge to request electronically stored information, and the inability to respond can be costly.

In this lesson, learn about updates to the FRCP and how to prepare for litigation, and understand the technologies that can assist in the process.

About the expert:
Frank Lagorio, JD, is principal analyst for Contoural Inc.

Data loss prevention

Rich Mogull, Securosis
While every CSO and security manager knows the importance of protecting sensitive data, there is still a big gap between that understanding and the actual implementation of tools to do the job. This Data Protection Security School lesson will provide a comprehensive overview of the ways in which data loss prevention technologies can help protect intellectual property and confidential data.

About the author:
Rich Mogull is the founder of Securosis LLC, an independent security consulting practice.

Mobile device policy

Lisa Phifer
In this Security School lesson, expert Lisa Phifer covers the technologies, policy items and processes your enterprise needs to be considering as mobile workforces ramp up and security and compliance concerns emerge.

About the author:
Lisa Phifer owns network security consultancy Core Competence Inc.

Data encryption demystified

Tom Bowers
Five years ago, security professionals needed a deep understanding of cryptography to make encryption work. Today, thanks to advancements in "practical" cryptography, data encryption is more user-friendly, and easier to implement and manage across multiple applications. But there are still many complex decisions to make. This lesson will "demystify" the complexity around encryption and provide security managers with a practical deployment roadmap.

About the author:
Tom Bowers is managing director of consultancy Security Constructs.

Why SSL certificate security matters

Secure Sockets Layer (SSL) is a primary tool in protecting sensitive operations with Web servers, so getting SSL certificate security done right is absolutely essential to providing secure interactions with your organization's Web applications. In this Security School lesson, you'll learn about specific methods used to exploit SSL and how to defend against them.

About the expert:
Rob Shapland is a network and application security expert.

Database security issues

The start of many data security issues is, of course, the database. In this security school, we'll examine the predominant database security vulnerabilities and offer best practices on how to monitor database access to detect potential security incidents.

About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author and the founder and managing director of Cobweb Applications Ltd., a consultancy that helps companies to secure their networks and websites, and also helps them achieve ISO 27001 certification.