Is data-asset protection a critical strategy for your company? Everyone even thinking "no" can hand over their SecurID fobs, card keys and laptops, and exit the building quietly. Those of you answering "yes," congratulate yourselves on towing the corporate line.
Yet the truth is that most companies see data protection as a tactical task. Executives see you as the front-line defense in their effort to keep regulators, if not happy, at least pacified.
So here are some steps and ideas I think you should seriously consider.
First, determine if you have a data-asset problem. If, for example, you can't trace the ebb and flow of data around your division or company over a 24-hour period, or if you have multiple or redundant data-access standards across your company, you might have trouble on your hands. There are other tests, but these are two critical indicators.
Analyze the specific data-retention and data-protection regulations that govern each category of data you collect. Work with the legal department and a data archivist, who usually will know the relevant regulations. Build a regulatory compliance grid, which will show which databases and which files contain data elements covered by the various regulations. The goal is to identify and minimize redundant regulatory compliance projects.
Next, analyze your company's data storage practices. Protecting data at rest is profoundly important. Sensitive information traditionally is kept at rest in database servers and archives -- where they are most vulnerable.
Protect your databases
Database attacks are rising, resulting in the compromising or loss of information critical to companies -- everything from inventory and billing data to customer data and human resources information. And increasingly, databases hold sensitive customer information -- financial records, healthcare histories, order histories, credit card numbers and Social Security numbers. Any loss here is an operational and customer relationship disaster, as well as a financial nightmare.
Threats to your databases can come from external hackers or groups working inside the firewall. While firewalls are indispensable protection for the network to keep unauthorized people out, today's focus on e-business applications is more about letting the right people inside your network.
Consequently, as databases become networked into more complex e-business applications, their vulnerability to attack grows. Without extra precautions taken to secure the confidential data in databases, your company's privacy is at risk. Taking the right security approach enables your e-business to flourish and protects your critical data.
While there are commonplace solutions that protect information in transit (for example, SSL at the socket level and VPN / IPSec at the transit level), the same is not always true for data at rest -- particularly unencrypted data. Encryption of data at rest is typically the last resort when all other protection mechanisms failed and, therefore, is a critical component of the enterprise security strategy.
When considering encryption of data at rest the deciding factors include the following: Who should have access to the encryption keys? How much data must be encrypted to provide security? What's an acceptable trade-off between data security and application performance? How will database information be share across applications and throughout the enterprise?
The value of your investment can be maximized by leveraging one secure encryption solution across all major applications and all major databases throughout the enterprise.
While preventive security mechanisms such as encryption, access control and user identification technologies will increase the protection of databases from attack, you must also require secure audit trails and reporting to provide peace of mind and ensure that you know with certainty who has gained access to what data and when.
These recommendations are far from encyclopedic on this topic, but they make for a good foundation in any campaign to create a culture of enterprise data security.
Such a culture treats data security as a core strategy for a company. Of course, you can't do much to foster such a culture at the executive level, but you can do your part to make sure information you touch or control remains as secure as gold in Fort Knox.
About the author: Dr. David Taylor is vice president of data security strategies at Protegrity. He manages the company's Strategic Consulting group, where he delivers and manages customized investigations of how people interact with data security. Taylor is also the co-author of the book Doing E-Business, published by John Wiley & Sons in December 2000.
This was first published in June 2006