Stop, drop and roll with Sam Albert as he explores what to do "When Firewalls Go Up in Smoke."
Pick a headline: FBI Says Hackers Breach Its Database; McDonald’s Web Site Defaced; Credit Card Data Stolen from e-Retailer. The stories appear almost daily. It’s particularly unnerving when you consider that the majority of database break-ins go unreported. After all, what company wants to advertise that its security has been compromised?
While much of the media hype surrounding these events focuses on the overall concerns about Internet and e-commerce data security, rarely is the culprit responsible for the breach held up for public scrutiny. I’m not speaking about the hacker, but the firewall through which access was achieved.
In nearly every single instance of data theft, the deed was accomplished by penetrating a firewall. And it’s the fundamental form of defense used to keep unwanted visitors at bay. Passage is permitted only to those with appropriate authorizations, codes and/or passwords. Fortunately, firewalls do a pretty good job. But a determined and skilled cracker has a good chance of getting through most firewall defenses. Once the hacker gets past the firewall, it’s easy pickings.
The Spy Within
While external attacks on databases are cause enough for concern, internal security breaches are not only more likely, but usually more sophisticated and dangerous. In a recent survey, nearly 60 percent of firms said that one or more authorized users abused their company’s systems in the past year.
Today’s distributed enterprises contain the informational equivalent of the corporate crown jewels. But to be useful, data must not only be stored, but selectively accessed, transmitted and shared. All of these activities expose information to the risk of theft or prying eyes.
What’s an Internet-enabled enterprise to do? The answer is, as much as possible. Industry experts agree that there is no one-stop shopping solution for data protection. Businesses today must employ a layered defense that uses a broad spectrum of security capabilities, including file encryption, firewalls, passwords to protect networks and systems, identification and authorization to monitor users. A firm’s information-security infrastructure is most effective when it ensures constant protection for sensitive data, not just when it is at rest in databases, but wherever it might land.
For some companies, encryption is the ultimate choice. Data that isn’t encrypted can, in fact, be downloaded by hackers, but the encrypted data is utterly unintelligible and useless. The problem with fully-encrypted databases is that their response times are slow, rendering them all but useless for e-business applications.
At last, two firms today are working toward a solution. Protegrity Inc., a new high-tech firm in Stamford, Conn., leverages encryption technology that originated in Sweden, where stringent privacy requirements exist. Following $25 million worth of refinement and development, Protegrity’s technology enables users to encrypt only those data elements that demand the highest levels of protection, such as proprietary manufacturing formulas, personnel data, etc. By being able to encrypt only the most sensitive data, the database itself remains fundamentally unencumbered. Moreover, the encryption acts like a shell that travels with the data and keeps it secure wherever it goes.
"The solution that Protegrity has developed is unique in the marketplace," says Peter Nilsson, Protegrity’s CIO, "and brings with it a firewall safety net. We have evaluated countless unauthorized penetrations of firewalls and concluded, virtually without exception, that our solution would have prevented the theft of data. It keeps sensitive data out of the hands of hackers, as well as ‘authorized’ users who are nosing around where they shouldn’t be."
Oracle, a database vendor, also applies a toolkit to the problem. And I feel other database companies (e.g., IBM with DB2) will also approach this issue. In fact, both Oracle and IBM are partnering with Protegrity to use this tactic to solve the problem.
In a world of rapidly changing technologies, continued vigilance is critical. Both providers and users of data security technology must make a constant effort to stay one step ahead of the e-bad guys prowling the virtual highways of the Web. The jury is out on whether this newest data security "wrinkle" will have a fast adoption cycle. But this trend and this space should be closely observed now and into the future.
Sam Albert is president of Sam Albert Associates (Scarsdale, N.Y.), a consulting firm specializing in building strategic corporate relationships. He can be contacted via e-mail at email@example.com.