Q&A: Taming Data Breaches
Why IT must adopt an information-centric view of security.
News reports reinforce how customer data is continually under attack. IT has come to realize that the business perimeter is no longer where security ends -- it must adopt an information-centric view of security. As Mark Bower, director of information protection solutions at Voltage Security, notes in our interview, IT must reexamine how it approaches data security.
Enterprise Strategies: Consumer data is constantly under attack. News reports highlight the ever-increasing theft of everything from credit card information to medical records. Are these just a few isolated instances? How would you assess the job IT is doing in protecting customer data?
Mark Bower: Data breaches are on the rise, and for three clear reasons: data is money; concentrations of data in databases are a lucrative target; and well-funded criminals can quickly profit from data theft, as there are so many poorly protected systems and insider threats as well.
With compliance laws such as PCI and some 45 state regulations on data-breach notification requirements, we now have visibility into how easy it is for data to fall into the wrong hands. Rather than seeing isolated cases, the steep breach trend is certain to continue unless organizations better equip themselves to mitigate the risk of exposure, reputation damage, and significant fines.
IT must now take a different view of protecting data. In the past, the business perimeter was where security ended; however, these days, data is the perimeter, so new techniques involving information-centric security must be adopted. Given the apparent ease of so many data breaches, IT must reconsider its approaches and protect data, and balance that with supporting the way the business drives revenue.
What approaches has IT taken to protect customer data?
In the past, protecting customer data was actually more difficult than it might seem -- technologies were invasive, complex, incomplete and, frankly, messy. For example, IT solutions for protecting data might at first glance seem simple, but when the way data is actually used to conduct business is analyzed -- for example, the way data moves from the back office (which might very likely be on legacy platforms) and the way it’s consumed by business partners and customers -- it’s actually been very difficult to protect. Changes to the database, applications, workflows and business processes have been necessary. This typically results in significant resistance from both the IT budget and lines-of-business management perspectives.
To further illustrate, “quick fix” solutions for database protection have been introduced that just encrypt the data in the database and decrypt it as it is removed. All this does is protect against theft at the server level. However, the data needs protection as it’s collected in the database all the way through to where it’s being consumed and used. We will continue to see breaches with these deficient solutions.
In addition, when you begin to consider best practices such as key rotation, data recovery, and discovery needs, segregation of duties, auditing and central management, these legacy approaches simply don’t meet contemporary needs at any reasonable price point. However, the good news is coming. New techniques are available that overcome these obstacles and provide a true information-centric approach.
Still, problems persist. What's been getting in IT's way? Do IT departments lack resources, commitment from upper management, or the right tools?
Effective data breach prevention is an enterprise issue, so involvement and awareness from upper management is critical. If this is not happening today, then it will be soon due to the Identity Theft Red Flag regulation, which comes into force on November 1st of this year. It requires that data breach handling policies be signed off at the executive and Board level. Think of it as the “Sarbanes-Oxley” of data protection.
That said, the right tools are as critical as the right policies and processes in order to ensure that the tools mitigate threats, which also need to be measured and prioritized. In choosing the right tools, significant care must be taken, especially in line with information or data-centric approaches.
A solution must meet three requirements. First, it must protect data along its lifecycle (as it’s collected, used, stored through end-of-life). Second, it has to be a true enterprise backbone for data protection -- not a point solution. Finally, the solution must be agile to the business and independent of IT platforms. Along these lines, it must work with existing identity management infrastructure, policy enforcement tools, content inspection tools for breach detection, and integrate with existing enterprise platforms like ITSM and ETL tools.
IT must be careful when making its choice. A solution must not require significant changes to business processes, and it must not require modification of database or complex application change. It can’t inhibit investigations, legal proceedings, and discovery needs, and it can’t require additional dedicated resources. As to this last point, technologies such as encryption have in the past locked down the data and the business itself. In a harsher economic climate, that’s the last thing an enterprise needs.
What's broken or missing in IT's fight against theft?
Simply put, what’s been missing is a simple and elegant technology to protect data where it’s captured, used, stored, and consumed; one that can scale, and be deployed rapidly across the enterprise. Everything else to date has been incomplete or just too complex as noted above.
You mentioned that new techniques are available to overcome IT’s obstacles. Would you elaborate?
The new approach to solving this problem is an information- or data-centric model. That is, the data remains protected along its entire lifecycle. How do we actually deliver this for IT?
Fortunately, there’s a major new cryptographic breakthrough called Format-Preserving Encryption or FPE (a mode of AES that allows data to be protected down to the field level without changing structure). Large enterprises and PCI Level 1 and 2 merchants can now solve their data protection problems easily for the first time with solutions that leverage FPE.
Voltage (the company I work for) has released the first set of solutions based upon this innovation with Voltage SecureData. When FPE services via Web services are coupled with Voltage SecureData's automated, transparent key management and central control, organizations get all the ingredients for a true information-centric approach to data privacy management at a total economic price point that makes it a no-brainer. With this approach, data and ID theft risks are easily and swiftly mitigated.
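The property the answer above relies on, that a field such as a card number can be encrypted into a ciphertext of the same length and character set so that databases, ETL jobs and downstream applications need no schema or code changes, is easier to see in code. The following is an added illustration, not code from the original page, from Voltage, or from any standardized FPE mode: it builds a small Feistel network over decimal digits with HMAC-SHA256 as the round function so that it runs on the Python standard library alone. The function names, the round count, the tweak handling and the sample card number are all assumptions made for the example.

```python
import hmac
import hashlib

DIGITS = "0123456789"
ROUNDS = 10  # assumed round count for this toy construction


def _round_function(key: bytes, tweak: bytes, round_no: int, half: str, width: int) -> int:
    """Keyed pseudo-random function for one Feistel round.

    Returns an integer in [0, 10**width) derived from the key, a tweak
    (context such as a column name, so equal plaintexts in different
    columns encrypt differently), the round number and the other half
    of the state. HMAC-SHA256 stands in for the AES-based PRF a real
    FPE mode would use.
    """
    msg = tweak + bytes([round_no]) + half.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (10 ** width)


def _check_domain(digits: str) -> None:
    """Format preservation only holds inside the declared alphabet."""
    if len(digits) < 2 or any(c not in DIGITS for c in digits):
        raise ValueError("input must be at least two decimal digits")


def _add(half: str, delta: int, sign: int) -> str:
    """Modular add or subtract on a digit string, keeping leading zeros."""
    width = len(half)
    return str((int(half) + sign * delta) % 10 ** width).zfill(width)


def fpe_encrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Encrypt a digit string into a digit string of identical length."""
    _check_domain(digits)
    u = len(digits) // 2
    left, right = digits[:u], digits[u:]
    for i in range(ROUNDS):
        # Classic Feistel: alternate which half is modified, using the
        # other half as PRF input so the step is invertible without
        # needing to invert the PRF itself.
        if i % 2 == 0:
            left = _add(left, _round_function(key, tweak, i, right, len(left)), +1)
        else:
            right = _add(right, _round_function(key, tweak, i, left, len(right)), +1)
    return left + right


def fpe_decrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Undo fpe_encrypt by running the rounds in reverse order."""
    _check_domain(digits)
    u = len(digits) // 2
    left, right = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        if i % 2 == 0:
            left = _add(left, _round_function(key, tweak, i, right, len(left)), -1)
        else:
            right = _add(right, _round_function(key, tweak, i, left, len(right)), -1)
    return left + right


def _map_digits(func, key: bytes, text: str, tweak: bytes) -> str:
    """Apply func to the digits of text only; separators stay in place."""
    digits = "".join(c for c in text if c in DIGITS)
    out = iter(func(key, digits, tweak))
    return "".join(next(out) if c in DIGITS else c for c in text)


def encrypt_preserving_layout(key: bytes, text: str, tweak: bytes = b"") -> str:
    """Encrypt e.g. '4111-1111-1111-1111' to another dash-separated 16-digit string."""
    return _map_digits(fpe_encrypt, key, text, tweak)


def decrypt_preserving_layout(key: bytes, text: str, tweak: bytes = b"") -> str:
    return _map_digits(fpe_decrypt, key, text, tweak)


if __name__ == "__main__":
    key = hashlib.sha256(b"example key, not for production").digest()  # constructed
    pan = "4111-1111-1111-1111"  # constructed, well-known test card number
    ct = encrypt_preserving_layout(key, pan, tweak=b"customers.card_number")
    print(pan, "->", ct)
    print("round trip ok:", decrypt_preserving_layout(key, ct, b"customers.card_number") == pan)
```

Two caveats a practitioner should carry away from the example. First, preserving format does not preserve semantics: the ciphertext has the right length and digit set but will not, in general, pass a Luhn check, so any validation that runs on the stored value must be aware it is looking at ciphertext. Second, the strength of FPE is bounded by the size of the domain: a 16-digit field has 10^16 possible values, but a 4-digit field has only 10,000, and an attacker who can submit chosen values can tabulate such a small domain regardless of the cipher. In production one would use a standardized mode such as NIST SP 800-38G FF1 with AES, bind the tweak to the column or record context, and keep the key in a managed key service rather than next to the data.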