By Jim Wyne, CIPP/US
What’s the risk?
Data is king. We enter, collect, scan, process, analyze, store, print and transmit data all day, every day. It’s the heart and soul of most organizations, and they rely on it to achieve their goals and accomplish their missions. But how safe is this most precious asset of the business? How is it being protected? Is enough being done to ensure it is safeguarded? What else can be done?
In this time of increased attacks on IT networks, the king’s men are in overdrive attempting to stay ahead of these threats targeted at stealing our information. CIOs and CISOs are in a constant state of evaluating, implementing and re-evaluating processes and solutions that secure the perimeter and safeguard the networks and the devices within the organization.
Chief privacy officers (CPOs) and privacy administrators work closely with CIOs and CISOs. They are the watchdogs of the data who understand the personally identifiable information (PII), nonpublic information (NPI) and sensitive corporate information collected and housed within the organization. Privacy administrators educate stakeholders to recognize sensitive data, and they define the procedures for protecting that data and the processes to be followed when a breach occurs. They are also passive participants in understanding and evaluating applications that use and manipulate sensitive data.
Isn’t What’s Being Done Enough?
Recently, at a cybersecurity summit sponsored by The Washington Post, Craig Mundie, senior advisor to Microsoft, said, “People need to understand, in the last 12 months there’s been a qualitative change where the attacks are moving to destructive types of attacks.”
Gen. Michael Hayden, former director of the Central Intelligence Agency and National Security Agency, said at the summit, “The problem is getting worse. There are other actors out there now who are coming to your networks, not just to steal your stuff or maybe not even to steal your stuff. They want to hurt your network.”
Gone are the days when endpoints of the organization were confined to desktops and laptops connected to the LAN and somewhat easy to secure and manage by central IT administrators. Endpoints now include virtual users, smartphones, tablets, external consultants and even partner organizations with a need to exchange information. These additional complexities require information to be pushed and pulled to devices internally and externally, thereby increasing the risk of exposure and the likelihood of data theft.
A recent survey conducted by the Norse Corporation and published by the Ponemon Institute reported that 60 percent of respondents said they were unable to stop a security exploit due to outdated or insufficient intelligence. Only 10 percent said they would know with certainty if such an incident occurred.
Beyond Network Security, What Else Is Being Done To Protect Data?
One solution organizations have migrated toward to address the risk of data theft is data-at-rest (DaR) encryption for endpoint devices. A DaR solution encrypts all data stored or at rest on hard drives of laptops, desktops and even server drives. DaR encryption, however, employs a device protection philosophy that serves to protect data on the hard drive in the event the device, such as a laptop, is stolen or lost. DaR encryption does very little, if anything, to prevent data theft during a network intrusion. When the laptop is connected to the network and online, all the data is live and accessible. When the data is in flight inside or outside of the network, the data is “in the clear” and susceptible to theft from an intruder or man-in-the-middle attack. If implemented, device protection utilizing a DaR solution is a good start to data protection but should not be the only safeguard adopted.
In a recent Global Information Security Study conducted by Frost and Sullivan, 62 percent of CISOs rank data theft as a top-five concern, followed by hackers at 50 percent. Mobile devices scored as the second-highest concern at 70 percent. These concerns are all related to protecting the organization’s data at rest and in flight. Be it employee theft, man-in-the-middle attacks, hackers trying to break into a network and steal data, or sensitive data pushed to a tablet or smartphone and then lost or stolen, all the top concerns of this study are related to the organization’s data being stolen.
What is Data-Centric Security and How Can it Protect Data?
To address this risk, a data-centric security solution targeted at directly protecting the data, versus the devices at the endpoints of the organization, will add additional fortification to security measures currently in place. Such a solution should focus on protecting data, files, documents and folders stored and used by the user community throughout its lifecycle. It should also protect the data when it is in motion and distributed to employees internally, externally and to partner organizations.
Additionally, the solution should be minimally disruptive to the end users’ workflow and include the ability for IT, security or privacy administrators to access the protected data as needed for auditing or for investigating mischievous employee behavior.
Data-centric security is the only way to ensure the most important asset of the business—the data—is protected.
Not all data-centric security truly minimizes risk, however. Some organizations have chosen to invest in privacy training for their employees along with a few manually intensive tools to use when they believe data should be protected. They then trust that the good habits and sensible decisions of the users will serve to protect the organization’s most critical data as they store and move it internally or externally. Unfortunately, this still leaves data open to access by network intrusion and increases the risk of data theft and exposure of data in flight in the event employees forget to protect the data manually or do not believe it’s sensitive data they are handling. It may be a cost-effective solution, but it leaves uncertainty and doubt. In this scenario, risk has not been fully minimized and the cost to the organization can well exceed the cost of an automated data-centric security solution if a data breach occurs. The damage caused to the reputation of the organization may never be restored.
What Is the Best Approach To Implementing Data-Centric Security?
Best practices that fully minimize risk should revolve around an automated data-centric security solution that features strong encryption and administrative controls through policy management. Policy management is an important ingredient that enables the organization to enforce standards and protection on data stored on the devices at the endpoints of the organization. Equally important is the ability to include a contingency key for access to encrypted data by security administrators for auditing purposes or in the event an employee leaves the organization.
In the federal government environment, the Federal Information Security Management Act and the Federal Information Processing Standards (FIPS) provide a framework, guidance and requirements for securing sensitive data. FIPS 140-2 mandates the use of strong AES 256 encryption, the use of digital certificates and digital signing to secure all sensitive data. Most, if not all, federal employees are assigned a digital certificate that is stored on their PIV or CAC card, making deployment of a data-centric security solution supporting digital certificates a fairly easy and quick process.
A checklist of features and functions in a robust data-centric security solution includes:
- Protect enterprise data by securing files, file names, e-mail messages and attachments regardless of security format or computing platform using strong encryption. For federal agencies, the solution should meet FIPS 197 and FIPS 140-2 requirements.
- Reduce complexity by enabling a seamless user workflow and integration into desktop and office computing applications such as Word, Excel, Outlook, etc.
- Reduce sensitive data exposure by securing files using PKI encryption (digital certificates) and/or complex passwords.
- Prevent the recovery of sensitive temporary files that have been deleted by shredding.
- Enforce the use of data protection using a centrally managed security policy in the enterprise.
- Provide contingency key support to ensure access to all encrypted files by IT security for emergencies, protection against malicious employee behavior and audit purposes.
- Provide for easy adaption into in-stream applications and job streams via a command line interface or API.
- Ensure access to encrypted data on mobile devices.
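
The PKI-encryption and contingency-key items in the checklist above can be pictured as envelope encryption with more than one recipient: the file is encrypted once with an AES-256 key, and that key is wrapped separately for the user and for the contingency key holder. The sketch below is an added illustration, not code from the article or from any product; it assumes the third-party Python `cryptography` package, and the function names, the `contingency` recipient label and the bare RSA key pairs standing in for certificates are hypothetical.

```python
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSA-OAEP is used here to wrap the per-file AES key for each recipient.
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)

def new_keypair():
    """Stand-in for a certificate key pair (assumption: 2048-bit RSA)."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

def protect(plaintext: bytes, filename: str, recipients: dict) -> dict:
    """Encrypt once with a fresh AES-256 key, then wrap that key per recipient."""
    if "contingency" not in recipients:
        # Policy enforcement: never create a file the organization cannot recover.
        raise ValueError("policy requires a contingency recipient")
    data_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    # The file name is bound as associated data, so a swapped name fails to decrypt.
    ciphertext = AESGCM(data_key).encrypt(nonce, plaintext, filename.encode())
    wrapped = {name: pub.encrypt(data_key, OAEP) for name, pub in recipients.items()}
    return {"filename": filename, "nonce": nonce,
            "ciphertext": ciphertext, "wrapped_keys": wrapped}

def unprotect(envelope: dict, name: str, private_key) -> bytes:
    """Unwrap the data key with one recipient's private key and decrypt the file."""
    data_key = private_key.decrypt(envelope["wrapped_keys"][name], OAEP)
    return AESGCM(data_key).decrypt(envelope["nonce"], envelope["ciphertext"],
                                    envelope["filename"].encode())

if __name__ == "__main__":
    user, contingency = new_keypair(), new_keypair()
    # Constructed sample document, not real data.
    env = protect(b"SSN 000-00-0000 (constructed sample)", "payroll.txt",
                  {"user": user.public_key(), "contingency": contingency.public_key()})
    # The employee has left; the security administrator recovers the file.
    print(unprotect(env, "contingency", contingency))
```

Because the protection travels with the file, a copy taken from a live, unlocked endpoint or captured in flight is still ciphertext to anyone who holds neither private key.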