In-Depth
What’s Next for Data Security: Convergence
We’re on the threshold of witnessing a convergence of data security initiatives that may be the only real choice some enterprises will have to ensure consumer privacy and organizational confidentiality.
by Gary Palgon
"There’s something happening here. What it is ain’t exactly clear.”
The words in this iconic 1960s Buffalo Springfield song describe what’s happening with data security in many companies around the world. What is clear is that the industry is changing rapidly to keep ahead of the threats posed by professional cyber thieves and the security risks presented by new, smaller, and more mobile technology. Just when CSOs think their organization’s security is locked down, a new challenge arises.
We’re on the threshold of witnessing a convergence of data security initiatives, which for many companies will be the only real choice to ensure consumer privacy and organizational confidentiality.
Some companies place the priority on shoring up data security for information flowing between business partners; others believe strong perimeter security will protect stored data inside the confines of their firewall. However, thanks to the inventiveness of cybercriminals, ever-strengthening data security mandates and privacy laws in response to their attacks, and data theft disasters, CSOs understand that data breaches can happen anywhere and at any time. It’s no longer enough to protect data in motion between business partners, or expect a firewall to protect it at rest. Today it takes a comprehensive data security program that secures confidential and sensitive information from the moment it’s created until it’s destroyed to adequately protect organizations. That's why organizations are moving from a siloed approach for addressing data security challenges to lifecycle protection.
The early days of electronic business focused on B2B security -- making sure the information exchanged with business partners up and down the supply chain and with banks was protected. This practice proliferated in the mid-90s as the use of private networks to transfer files gave way to the Internet, which, though free, is also public and therefore required a whole new approach to data security.
Over the last five years, the need to secure stored data became a priority driven by numerous breaches of credit card data and other confidential information. Companies realize it is just as important to secure sensitive data moving within their enterprise, over wireless transmissions, to and from remote offices and with business partners. Managed file transfer (MFT) -- the continuation of the original B2B file transfer security -- is gaining traction with organizations that want to ensure that all company and customer confidential data in transit with business partners or moving between employees is protected.
To make things even more complicated, CSOs must protect information created and/or stored on a plethora of mobile devices -- laptops, smart phones, DVDs, and thumb drives, to name a few -- and sent to and from these endpoints and Web applications wirelessly, over the Internet, or through the company network. Gartner sums it up this way in a recent report: “Larger amounts of critical information are being accessed on endpoints that are not under the direct control of the organization, leading to growing interest for control technologies that accompany the data to the remote desktop, or provide limits on the amount of information that can move across the organizational perimeter.” (See Note 1.)
Getting to Safety
As CSOs across industries and governments begin to recognize the need for data security convergence, they’re reexamining their internal data security best practices. Although acceptable use policies and employee education are important components of a data security program, neither solves the problem by itself. Organizations must shore up its data security efforts by reviewing and securing all points at risk. That means discovering all of the places sensitive information is created, stored, and enters and leaves your company as well as what path(s) it travels within and beyond your firewall. Once you know what you’re dealing with -- and remembering that new risks will manifest over time -- you can find the technologies that can fill the gaps in your organization. Only with a combination of best practices and good technology can you achieve a lifecycle data security program.
In its latest Hype Cycle report for Data and Application Security, Gartner examines several technologies designed to enhance control over information to ensure that privacy requirements are met and reduce the chance of theft and manipulation. Among those technologies are managed file transfer and enterprise key management, both of which Gartner predicts will become mainstream technologies within the next two to five years (See Note 1).
The report cites the increased interest in enterprise key management occurring as a result of “increasing audit focus on data security and as organizational focus on data security begins to shift away from the historical approach of protecting data within technology silos to the more holistic strategy of protecting enterprise data throughout its life cycle.”
The report notes that companies are looking at managed file transfer technology “to assist in passing audits related to the privacy and security of data at rest and in transit.” Finally, the report recommends that “Organizations that are likely to be impacted by recent national, regional, local and corporate mandates should consider MFT solutions as a way to prove compliance to mandates and regulations.”
Simply put, to stay ahead of the threats and vulnerabilities your organization must secure its data wherever it’s stored and travels within or outside your enterprise. Although traditionally viewed as two separate problems by many organizations, data security professionals are beginning to see them as the key components of a holistic enterprise data security program. An example of this convergence is the need for lifecycle management for encryption keys for stored data and lifecycle management for certificates and keys used to secure information in transport to provide enterprises with centralized visibility, control, and audit capabilities of these lifecycles.
What You Can Do
Companies that routinely send and receive business documents via a secure pipe with business partners often let their guard down once the information penetrates the corporate firewall. The next step to implementing a lifecycle data protection program is to review all points where sensitive data is created and assess where it flows and is stored until it is destroyed. This should include all internal and external endpoints and inbound and outbound transmissions.
For instance, a social insurance number might be entered on a Web site via a mobile phone, processed through a corporate application on a server, and later backed up and stored on tape at an offsite facility. Managed file transfer solutions will help to ensure it is always encrypted while in motion and an enterprise encryption key management solution will keep it encrypted when being stored at each point throughout the enterprise and on the backup tape.
In addition to technology, make it a policy to destroy confidential information when it’s no longer needed for business -- that means in both electronic and hard-copy form. Reducing the amount of information you need to protect reduces your liability and the effort it takes to pass compliance audits.
Using an MFT solution that includes a secure B2B gateway and secure internal file transfer while providing centralized management and logging for automated and ad hoc file exchanges of any size and protocol will provide the flexibility, manageability, and security you need to meet compliance requirements and have peace of mind.
If you’re exchanging information with business partners over an EDI VAN, verify that both the VAN and the communication methods are secure. Most are not. One plausible solution is to switch to a secure VAN to communicate with your smaller, less active business partners and establish direct connections with your largest trading partners.
If your company regularly encrypts sensitive information for storage and has a good encryption key management system, you still might need to extend that protection to external transmissions. Make sure employees are either encrypting sensitive and confidential information before sending it or that it’s being sent over a secure pipe. Many data leakage protection (DLP) solutions inspect information, such as e-mail and files, as they cross corporate boundaries. If information is being sent over a wireless network, ensure that the network uses the latest encryption to provide greater security.
Protecting data created and stored on mobile devices is a combination of policy and technology. In addition to unsecured-information breaches on laptops, mobile phones, DVDs, and thumb drives, the other big risk to using these devices is that they can be lost, misplaced and physically stolen. You can either prevent sensitive and confidential data from being loaded onto these types of devices or make sure the data residing on the endpoints is encrypted right at its source and accessible only by people with proper authority.
Summary
Data security practices and technologies are coverging because it’s the only way organizations can adequately protect their businesses and customers. Developing a lifecycle data protection program will soon be on the “to-do” lists of CSOs across industries, and it’s not too soon to get started. Resources and technologies are available to put a program in place that protects confidential information cradle to grave. Just remember that the situation will continue to evolve and with it, the requirements. Staying current with the latest threats must always be top of mind and adopting new guards -- both policies and technology -- is an ongoing process even when you have everything locked down.
Table 1: Summary of Best Practices
Best practices for protecting stored information and securing files in transport are much the same. This table compares the similarities to illustrate that the convergence of the two simplifies the overall requirements for additional levels of security.
|
Stored Data |
Data in Motion |
|
Encryption Key/Certificate Management |
Requires lifecycle key management for encryption |
Requires lifecycle certificate management and encryption key management (PGP/SSH) |
|
Logging |
All administrative and end-user functions should be logged and made available for audit, compliance and forensic purposes |
All administrative and end-user functions should be logged and made available for audit, compliance and forensic purposes. Additionally, tracking is required to understand when files are sent, received, and by whom |
|
Access Controls |
Organizations must be able to control who has permissions and what permissions they have to access and use stored data |
Organizations must be able to control who has permission to send and receive sensitive files and associated permissions about the transfers |
|
Encryption Standards |
Use accepted encryption standards to protect data such as AES and 3DES |
Transport data using secure protocols such as sFTP (FTP with SSH), HTTPs (HTTP with SSL), etc. |
|
Centralized Administration |
Dashboard to administrate key management, user rights to stored data, surveillance and reporting of information access and use throughout the enterprise |
Dashboard to administrate certificate and key management, user rights to transfer data, surveillance and reporting of information access and use throughout the enterprise
|
- - -
Note 1: Jay Heiser, Joseph Feiman, Neil MacDonald, Jeffrey Wheatman, John Bace, Ruggero Contu, Gregg Kreizman, Carsten Casper, Eric Ouellet, L. Frank Kenney, Ray Wagner, John Girard, Greg Young, Frances O'Brien, Arabella Hallawell, Paul E. Proctor, Mark Nicolett, Avivah Litan, David Furlonger, French Caldwell, David Norton, “Hype Cycle for Data and Application Security, 2009.” Gartner, Inc. July 17, 2009.
Gary Palgon is vice president of product management for Atlanta-based nuBridges (www.nubridges.com), where he is responsible for defining strategy for the company’s data protection solutions. Reach him directly at
gpalgon@nubridges.com