Check out our recent article, A vision for hardware data protection. Our intent with that piece was to be somewhat forward-looking relative to what is commonly deployed today, but most of what we describe is already available in the form of COTS building blocks (the secure viewer tied to hardware boot policy is perhaps the one exception). The remaining opportunity for vendors is to make such solutions configurable, automated, and convenient for admins and end users alike.
An alert reader pointed out the following with respect to protecting high-value data assets:
“Something I would add is, all outbound traffic should be mirrored on SPAN/mirrored ports and have multiple IDSs (like FireEye, Bro, Sourcefire, etc.) looking for anomalous flows, sending alerts to SIEMs, and forwarding all network appliance logs to a central log server, like Splunk. Also, sensitive data or machines should only be accessible via jumpboxes/hosts.”
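To make the reader's two recommendations concrete, here is an added example (ours, not the reader's and not from the article) of the kind of detection logic an IDS or SIEM would run over mirrored flow records: one rule that flags any access to a sensitive host that did not come through the jump host, one that flags a sensitive host talking outbound to an external destination that is not on an allowlist, and one that flags an unusually large outbound transfer. The addresses, the whitespace-separated record format, the allowlist and the byte threshold are all assumptions made up for the example; the sample flow records are constructed, not captured traffic.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Hypothetical network layout (assumption for this example, not from the article).
SENSITIVE_HOSTS = {"10.20.0.10", "10.20.0.11"}       # high-value data servers
JUMP_HOSTS = {"10.5.0.5"}                            # the only sanctioned admin path
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # anything else is "external"
ALLOWED_EXTERNAL = {"198.51.100.20"}                 # e.g. an approved update mirror
EXFIL_BYTES_THRESHOLD = 50_000_000                   # 50 MB sent in a single flow


@dataclass
class Flow:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    bytes_out: int  # bytes sent by src


def parse_flow(line: str) -> Flow:
    """Parse one record of the constructed format: ts src sport dst dport proto bytes_out."""
    ts, src, sport, dst, dport, proto, bytes_out = line.split()
    return Flow(ts, src, int(sport), dst, int(dport), proto, int(bytes_out))


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def evaluate(flow: Flow) -> list[dict]:
    """Return zero or more SIEM-style alert dicts for a single flow."""
    alerts: list[dict] = []
    base = {"ts": flow.ts, "src": flow.src, "dst": flow.dst, "dport": flow.dport}

    # Rule 1: sensitive hosts may only be reached from a jump host.
    if flow.dst in SENSITIVE_HOSTS and flow.src not in JUMP_HOSTS:
        alerts.append({**base, "rule": "direct-access", "severity": "high"})

    # Rule 2: a sensitive host talking to an external, non-allowlisted destination.
    if (flow.src in SENSITIVE_HOSTS and not is_internal(flow.dst)
            and flow.dst not in ALLOWED_EXTERNAL):
        alerts.append({**base, "rule": "external-dest", "severity": "high"})

    # Rule 3: large outbound transfer from a sensitive host (possible staging or exfil),
    # regardless of whether the destination is internal or external.
    if flow.src in SENSITIVE_HOSTS and flow.bytes_out >= EXFIL_BYTES_THRESHOLD:
        alerts.append({**base, "rule": "large-outbound", "severity": "medium",
                       "bytes_out": flow.bytes_out})
    return alerts


def run(lines: list[str]) -> list[dict]:
    """Evaluate every non-comment record and collect the alerts in order."""
    return [alert
            for line in lines
            if line.strip() and not line.startswith("#")
            for alert in evaluate(parse_flow(line))]


# Constructed sample records (not real traffic): ts src sport dst dport proto bytes_out
SAMPLE_FLOWS = """\
# admin SSH via the jump host: allowed
2024-01-01T10:00:00Z 10.5.0.5 51000 10.20.0.10 22 tcp 4200
# SSH to a sensitive host from an ordinary workstation: Rule 1
2024-01-01T10:00:05Z 10.8.1.23 51001 10.20.0.10 22 tcp 3100
# sensitive host to the allowlisted external mirror, small transfer: allowed
2024-01-01T10:01:00Z 10.20.0.10 44000 198.51.100.20 443 tcp 12000
# sensitive host to an unknown external host, 81 MB out: Rules 2 and 3
2024-01-01T10:02:00Z 10.20.0.10 44001 203.0.113.77 443 tcp 81000000
# sensitive host pushing 70 MB to another internal box over SMB: Rule 3
2024-01-01T10:03:00Z 10.20.0.11 44002 10.30.0.9 445 tcp 70000000
"""

if __name__ == "__main__":
    for alert in run(SAMPLE_FLOWS.splitlines()):
        print(alert)
```

Rule 1 is a detection backstop, not the control itself: the jump-host requirement should also be enforced by ACLs or host firewalls so that a direct connection fails as well as alerts. Rule 2 depends on keeping the allowlist current, and Rule 3's threshold is a starting point to be tuned against a baseline of normal transfer sizes, since a single static number will either miss slow exfiltration or drown the SIEM in backup traffic.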