It is a tough time for IT managers, writes Garry Sidaway, director of security strategy at Integralis. Not a week goes by without news of another data breach. The EU is discussing new regulations on data breach notification. When even security companies get hacked, what hope is there for everyone else?
Actually, there is quite a lot you can do to protect your company's data.
First of all, it is important to understand what data you have, where it sits and what risks it carries. Structured data from core applications normally lives in your datacentre. Traditional perimeter controls such as firewalls, intrusion prevention and access control at application, database and operating system level work well for protecting this structured data, but the simpler your IT infrastructure, the easier it will be to secure. If you have several different databases, consolidate them. Retire redundant operating systems and authentication systems. Consolidate around your applications. Preparing for a move to the cloud is a good opportunity for a simplification exercise.
One mistake that can make your perimeter protection fail is not monitoring for and patching software vulnerabilities. This applies to third-party software as well as to any code developed in-house. Use vulnerability scanning and application security testing to find the weaknesses in your code and systems before an attacker does.
The second mistake is not having adequately strong authentication in place. Weak authentication starts with employees sharing passwords or leaving their authentication tokens in a desk drawer, so consider how to get them on your side. Any authentication solution you implement must be both difficult to break and easy to use; newer technologies such as pattern-based authentication aim to tick both boxes. Another simple step that is often forgotten is to change the default passwords on every hardware device in your network.
The real difficulty is how to protect unstructured data and data in transit. Data that leaves the database is no longer controlled by your perimeter protection and can proliferate without leaving an audit trail. Encryption is essential, but it has to be applied in the right place: at the point where the data goes from its structured to its unstructured state. Key management is also an issue, and simple models with a single private key per system are often not sufficient. More granular encryption models should be implemented, with separate keys for different user attributes and a combination of keys needed for decryption, so that no single role can unlock everything.
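The key-management model described above, where a document's data-encryption key (DEK) can only be unwrapped by someone holding the full set of attribute keys named in its policy, can be sketched in a few dozen lines. The following is an added illustration, not code from the article or from Integralis; the attribute names ("finance", "manager", "hr"), the HKDF-based key combination and the HMAC-based wrapping are all assumptions chosen to keep the example dependent only on the Python standard library.

```python
import hashlib
import hmac
import secrets

# Added example: attribute-based key combination for envelope encryption.
# Uses only the standard library; a production system would wrap the DEK
# with AES-GCM or AES key wrap under keys held in a KMS or HSM instead.


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32, salt: bytes = b"") -> bytes:
    """RFC 5869 HKDF with SHA-256: extract a PRK from ikm, then expand to `length` bytes."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def combined_kek(attribute_keys: dict, policy: tuple) -> bytes:
    """Derive the key-encryption key for a policy such as ("finance", "manager").

    Every attribute key named in the policy must be present; the derived KEK
    depends on all of them, so a subset or a different combination yields a
    different key.  (Assumed design, not the article's.)
    """
    missing = [attr for attr in policy if attr not in attribute_keys]
    if missing:
        raise KeyError(f"missing attribute keys: {missing}")
    ordered = sorted(policy)
    ikm = b"".join(attribute_keys[attr] for attr in ordered)
    return hkdf_sha256(ikm, b"kek|" + "|".join(ordered).encode())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a simple stream cipher (illustration only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_dek(kek: bytes, dek: bytes) -> bytes:
    """Encrypt-then-MAC the DEK under subkeys derived from the KEK: nonce || ct || tag."""
    enc_key, mac_key = hkdf_sha256(kek, b"enc"), hkdf_sha256(kek, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(dek, _keystream(enc_key, nonce, len(dek))))
    tag = hmac.new(mac_key, b"wrap" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_dek(kek: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time, then recover the DEK; raise if the KEK is wrong."""
    enc_key, mac_key = hkdf_sha256(kek, b"enc"), hkdf_sha256(kek, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, b"wrap" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key combination or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def demo() -> dict:
    """Constructed scenario: a document readable only by someone who is both finance and manager."""
    attr = {name: secrets.token_bytes(32) for name in ("finance", "manager", "hr")}
    dek = secrets.token_bytes(32)
    policy = ("finance", "manager")
    blob = wrap_dek(combined_kek(attr, policy), dek)

    recovered = unwrap_dek(combined_kek(attr, policy), blob) == dek
    try:  # someone holding only the "finance" key cannot even form the KEK
        combined_kek({"finance": attr["finance"]}, policy)
        partial_unwraps = True
    except KeyError:
        partial_unwraps = False
    try:  # a different combination forms a KEK, but the tag check rejects it
        unwrap_dek(combined_kek(attr, ("finance", "hr")), blob)
        wrong_combo_unwraps = True
    except ValueError:
        wrong_combo_unwraps = False
    return {"recovered": recovered, "partial_unwraps": partial_unwraps,
            "wrong_combo_unwraps": wrong_combo_unwraps}


if __name__ == "__main__":
    print(demo())
```

The point of deriving the KEK from the whole attribute set, rather than handing each role its own copy of the DEK, is that revoking one attribute key invalidates every policy that includes it, and no single role holder can decrypt on their own. Real deployments should put the attribute keys in an HSM or key-management service and use a standard authenticated key-wrap algorithm in place of the HMAC stream cipher used here for portability.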
Next, use data loss prevention (DLP) technology to apply perimeter-like protection to unstructured data. DLP lets you set boundaries around data whether it is in motion, at rest, or in use on laptops, mobile devices and PCs. It controls which data is allowed to leave the network and how, and can find and protect sensitive data even on file shares. It also lets you set, manage and enforce security policies, which plays an important part both in compliance and in educating employees to act responsibly and keep information safe.
Using DLP technology will also illuminate exactly how sensitive information is being moved within your business. Once you understand the business processes involved, you can then shrink the footprint of your sensitive data by restricting access to it, making it less of a target for malicious attacks.
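The discovery side of DLP, finding where sensitive data sits on a share so that its footprint can be shrunk, comes down to content classification plus a check that cuts false positives. The following is an added example, not code from the article or any DLP product: it scans a constructed set of "files" for card numbers (regex plus a Luhn check, so a phone or order number is not flagged) and UK National Insurance numbers (a simplified format check), and reports masked findings per path. The sample file contents, paths and patterns are all assumptions made for the illustration.

```python
import re

# Added example: DLP-style content discovery over a constructed sample share.
# Constructed sample data; 4111 1111 1111 1111 is the conventional test card
# number and QQ 12 34 56 C is the placeholder format used in HMRC examples.
SAMPLE_FILES = {
    "finance/q2_refunds.csv": (
        "name,card,amount\n"
        "A. Smith,4111 1111 1111 1111,120.00\n"
        "B. Jones,1234 5678 9012 3456,45.00\n"   # right shape, fails Luhn
    ),
    "hr/starters.txt": "New starter: C. Brown, NI number QQ 12 34 56 C, start date 1 Sept\n",
    "marketing/brochure.txt": "Call 0800 123 4567 for a quote. Order ref 4111-2020-3030.\n",
}

# 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# Simplified NI number format: two letters, six digits, suffix A-D (prefix rules omitted).
NINO_RE = re.compile(r"\b[A-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for a structurally valid card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_card(digits: str) -> str:
    """Keep BIN and last four so a finding is actionable without copying the number."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan(files: dict) -> list:
    """Return (path, kind, masked_value) for every validated hit."""
    findings = []
    for path, text in files.items():
        for m in CARD_RE.finditer(text):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):  # drop phone numbers, order refs and the like
                findings.append((path, "card", mask_card(digits)))
        for m in NINO_RE.finditer(text):
            hit = m.group()
            findings.append((path, "nino", hit[:2] + "******" + hit[-1]))
    return findings


def footprint(findings: list) -> dict:
    """Count findings per path: the 'where does sensitive data sit' view."""
    counts = {}
    for path, _kind, _value in findings:
        counts[path] = counts.get(path, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan(SAMPLE_FILES)
    for hit in hits:
        print(hit)
    print(footprint(hits))
```

In practice the same classifier is applied on the network egress path and on the endpoint, with the footprint report used to decide which shares need access restricted or content removed. The Luhn check is what keeps a scanner like this usable: without it, every long numeric string on a share becomes an alert and the findings stop being read.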
This was first published in August 2011