Tip

Data security requires multi-layer approach

Is data-asset protection a critical strategy for your company? Everyone even thinking "no" can hand over their SecurID fobs, card keys and laptops, and exit the building quietly. Those of you answering "yes," congratulate yourselves on toeing the corporate line.

Yet the truth is that most companies see data protection as a tactical task. Executives see you as the front-line defense in their effort to keep regulators, if not happy, at least pacified.

So here are some steps and ideas I think you should seriously consider.

First, determine if you have a data-asset problem. If, for example, you can't trace the ebb and flow of data around your division or company over a 24-hour period, or if you have multiple or redundant data-access standards across your company, you might have trouble on your hands. There are other tests, but these are two critical indicators.


Analyze the specific data-retention and data-protection regulations that govern each category of data you collect. Work with the legal department and a data archivist, who usually will know the relevant regulations. Build a regulatory compliance grid, which will show which databases and which files contain data elements covered by the various regulations. The goal is to identify and minimize redundant regulatory compliance projects.

Next, analyze your company's data storage practices. Protecting data at rest is profoundly important. Sensitive information traditionally is kept at rest in database servers and archives -- where it is most vulnerable.

Protect your databases
Database attacks are rising, resulting in the compromise or loss of information critical to companies -- everything from inventory and billing data to customer data and human resources information. And increasingly, databases hold sensitive customer information -- financial records, healthcare histories, order histories, credit card numbers and Social Security numbers. Any loss here is an operational and customer relationship disaster, as well as a financial nightmare.

Threats to your databases can come from external hackers or groups working inside the firewall. While firewalls are indispensable protection for the network to keep unauthorized people out, today's focus on e-business applications is more about letting the right people inside your network.

Consequently, as databases become networked into more complex e-business applications, their vulnerability to attack grows. Without extra precautions taken to secure the confidential data in databases, your company's privacy is at risk. Taking the right security approach enables your e-business to flourish and protects your critical data.

While there are commonplace solutions that protect information in transit (for example, SSL at the socket level and VPN / IPSec at the transit level), the same is not always true for data at rest -- particularly unencrypted data. Encryption of data at rest is typically the last resort when all other protection mechanisms have failed and, therefore, is a critical component of the enterprise security strategy.

When considering encryption of data at rest, the deciding factors include the following: Who should have access to the encryption keys? How much data must be encrypted to provide security? What's an acceptable trade-off between data security and application performance? How will database information be shared across applications and throughout the enterprise?

The value of your investment can be maximized by leveraging one secure encryption solution across all major applications and all major databases throughout the enterprise.

While preventive security mechanisms such as encryption, access control and user identification technologies will increase the protection of databases from attack, you must also require secure audit trails and reporting to provide peace of mind and ensure that you know with certainty who has gained access to what data and when.
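As an added illustration of the points above (key custody separate from the database, encrypting only the sensitive column rather than everything, and an audit trail of who decrypted what and when), here is example code that is not from the article or from Protegrity. It assumes a hypothetical customer table with an encrypted Social Security number column; the key is supplied by whoever the company designates as key custodian and is never stored in the database.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"time"
)
// CustomerRow: one record of a hypothetical customer table; only the SSN column is encrypted.
type CustomerRow struct {
	ID    int
	Name  string
	SSNct []byte // nonce || AES-GCM ciphertext of the Social Security number
}
// AuditEvent records who decrypted which row's protected column and when.
type AuditEvent struct {
	When  time.Time
	Actor string
	RowID int
}
// Vault holds the data-encryption key outside the database and the audit trail.
type Vault struct {
	aead  cipher.AEAD
	Audit []AuditEvent
}
// NewVault wraps a 16-, 24- or 32-byte key obtained from the key custodian.
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	return &Vault{aead: aead}, nil
}
// Protect encrypts one SSN under a fresh nonce; the row ID is bound as
// associated data so a ciphertext moved to another row fails to decrypt.
func (v *Vault) Protect(rowID int, ssn string) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	ad := []byte(fmt.Sprintf("customer:%d:ssn", rowID))
	return append(nonce, v.aead.Seal(nil, nonce, []byte(ssn), ad)...), nil
}
// Reveal logs the access before decrypting, so the trail records who asked for which row and when, even on failure.
func (v *Vault) Reveal(actor string, row CustomerRow) (string, error) {
	v.Audit = append(v.Audit, AuditEvent{time.Now(), actor, row.ID})
	ns := v.aead.NonceSize()
	if len(row.SSNct) < ns { return "", fmt.Errorf("row %d: ciphertext too short", row.ID) }
	ad := []byte(fmt.Sprintf("customer:%d:ssn", row.ID))
	pt, err := v.aead.Open(nil, row.SSNct[:ns], row.SSNct[ns:], ad)
	if err != nil { return "", err }
	return string(pt), nil
}
```

Because the audit entry is written before the decryption attempt, a failed or unauthorized lookup still leaves a record to review.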


These recommendations are far from encyclopedic on this topic, but they make for a good foundation in any campaign to create a culture of enterprise data security.

Such a culture treats data security as a core strategy for a company. Of course, you can't do much to foster such a culture at the executive level, but you can do your part to make sure information you touch or control remains as secure as gold in Fort Knox.

-------------------------------
About the author: Dr. David Taylor is vice president of data security strategies at Protegrity. He manages the company's Strategic Consulting group, where he delivers and manages customized investigations of how people interact with data security. Taylor is also the co-author of the book Doing E-Business, published by John Wiley & Sons in December 2000.


This was first published in June 2006
