Protection needs to go beyond the network, and focus on data

Data security has moved past early adopters and penetrated the mainstream of the security industry, a report on a survey of IT security professionals has concluded, with 27% of respondents claiming a decline in security incidents and 46% reporting no increase

Data security has moved past early adopters and penetrated the mainstream of the security industry, a report on a survey of IT security professionals has concluded, with 27% of respondents claiming a decline in security incidents and 46% reporting no increase. But not all are getting what they expect from the technologies they have deployed.

Over 1,000 IT security professionals were asked by security research firm Securosis which security technologies are best at reducing the number of security incidents, reducing the severity of incidents, and reducing the cost of compliance.

Between 40% and 50% of survey respondents said the technologies they have deployed either eliminate or significantly reduce the number of security incidents, but the same controls rated slightly lower for reducing incident severity, and still lower for reducing compliance costs.

The fact that many technologies being deployed are not meeting all three requirements equally, particularly cutting the cost of compliance, means organisations are not getting what they expect out of their investments, says Amichai Shulman, chief technology officer at Imperva, which commissioned the study.

Security technology suppliers need to ask themselves why their products are scoring lower in reducing compliance, he says, especially as compliance is one of the top reasons for deploying data security controls for 88% of survey respondents.

Payment card industry data security standards (PCI DSS) was the most frequently cited standard. Compliance with PCI DSS was required by 47% of respondents.

"Security technologies need a dramatic reduction in management overhead because most require more attention than users would like," says Shulman.

Data security is complex, so suppliers need to understand how to make their products easier to deploy, maintain, configure and manage, he says.

"Like network firewalls, other security products need to become easy enough for operation teams to manage without the need of specialists," he says.

Only three technologies made the top five in reducing incidents, severity and compliance costs. These are network data loss prevention (DLP), full drive encryption and endpoint DLP.

Web application firewalls scored highly in the first two categories.

This shows that the most successful approach, according to IT security professionals, is one that involves the direct protection of data and web applications, says Shulman.

"Many external attacks are being carried out through web applications, and a web application firewall is the way to mitigate them," he says.

But the survey revealed that most organisations still rely on traditional, infrastructure-related security controls like e-mail filtering, access management and network segregation.

E-mail filtering is the single most commonly used control, but the one cited overall as the least effective.

This is probably because IT security professionals either consider the cost of ownership too high or the management burden too great, says Shulman.

But, he says, organisations that are successful in reducing security incidents typically use e-mail filtering because it reduces the load on IT by stripping out spam messages.

Too many organisations are still focused on reducing the number of security incidents, says Shulman, but do not consider things like reducing the severity of incidents when buying new technologies.

"A good firewall will reduce the number of network penetrations, for example, but without logging and monitoring systems in place, once someone gets past the firewall, there is no way of controlling the severity of the incident," he says.

The survey revealed that 15% of organisations either do not know if they suffered any data breachess, or claimed they did not experience any.

"This shows many companies are still not applying adequate controls on data," says Shulman, even though most attacks today are at the data level.

"If organisations do not have the right data controls in place, they will not even know that data has been stolen," he says.

However, says Shulman, this is also possibly indicative of the reluctance of many organisations to admit that have been victims of data theft.

According to Shulman, the study above all shows that there needs to be a shift from traditional infrastructure-based controls applied at the perimeter or the network, to data and application-related controls.

As organisations deploy more data-oriented processes and controls, they will increase their ability to contain incidents that do occur, he says.

The survey is available online to enable security professionals to compare their data security practices with other survey respondents.

Read more on IT risk management