[Owasp-leaders] Attend the January 29 OWASP Austin Chapter Meeting Remotely!

Josh Sokol josh.sokol at owasp.org
Mon Jan 28 14:42:22 UTC 2013

*January  OWASP Austin Chapter Meeting*

*When*: January 29th, 11:45am-1:00pm

11:45 AM - Chapter Announcements
12:00 PM - Presentation

*Topic:* Data events, or why security is cloudier than you think

Data security doesn't involve just securing data at rest or in transit. It
also needs to be secured in use ­ which means that at any point, the
characteristics of the data can change. We call this situation a "data
event," and it can mean that security requirements have to change as a

This is not the same thing as logging event data; this is taking into
account changes in the combination, use or business context surrounding
specific data. For example, a press release is confidential and requires a
certain set of security policies in the areas of access control, DLP, key
management (if encryption is involved), and so on. But once the business
event occurs, the press release suddenly becomes the opposite of
confidential, and all the policies have to change immediately as a result.

Data events can also occur when data elements are combined in particular
ways so that they become covered by regulations. A query might produce a
small enough sample size that it needs to be treated as protected
information, or a doctor becomes a patient so that her name is now
protected by HIPAA. Data events are often tied closely to the business
context, and as such can mirror transactions and workflows.

Data events are important because traditional security policies have been
applied to the current container of the data: this database is confidential
because some rows are confidential, or this Word document requires access
control (but its content can be copied and pasted somewhere else).
Container-centric security is too static for today's high-speed, big-data,
cloud-based (pick as many buzzwords as you like) processing.

This talk will describe the concept of data events, and will invite
audience discussion on how security controls can be adapted to them.
Speakers: *Wendy Nather

*Wendy Nather *is Research Director of the 451 Research Enterprise Security
Practice. With over 20 years of IT experience, she built and managed the IT
security program at the Texas Education Agency, where she directed
multimillion-dollar initiatives for a statewide external user base of over
50,000. She also provided security guidance for the datacenter
consolidation of 27 Texas state agencies.

Wendy previously worked in various roles in the investment banking division
of Swiss Bank Corp (now UBS). Based in Chicago, Zurich and London, she also
served as the first IT Security Director for the EMEA region. She has
spoken at various industry conferences in the US and abroad, and
co-authored The Cloud Security Rules. She was also named one of Tripwire
Inc.’s “Top 25 Influencers in Security.”

Register to join the Webinar:

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20130128/bbdacaf5/attachment.html>

More information about the OWASP-Leaders mailing list