Last June, Wisegate, a crowd sourced IT research company, surveyed hundreds of its senior-level IT professional members to assess the current state of security risks and controls in business today. The respondents considered malware and breaches of sensitive data to be the primary security risks/threats, followed by malicious outsider risk.
As shared with CSO’s readers in April, BYOD and cloud adoption were the top tech trends driving these concerns. Here, we delve deeper into a new trend: how information security professionals are moving toward practices that secure the data itself rather than securing the device. What are these practices and what are their strengths and pitfalls?
Many factors, from BYOD policies to cloud adoption, have opened small holes in the vaults in which organizations store valuable and sensitive data. With many organizations now lacking physical parameters to protect sensitive information and less knowledge as to where data actually resides, IT professionals have turned their efforts to defend the data itself.
Unable to guarantee the integrity of their devices and networks, CISOs are using a new category of security controls known as information protection and control (IPC). Broadly speaking, the protection of data is provided by encryption technologies, while the control is provided by data leak prevention (DLP) technologies.
Data leak prevention
Simply put, DLP can detect when a file with sensitive data is leaving a protected server. Most DLP mechanisms are difficult to configure and make a lot of noise. As a result, most enterprises choose to use DLP technologies to monitor functions, alerting and reporting on potential threats but not shutting down the system. The problem with monitor-only mode is that by the time the security team has seen the alert and reacted accordingly, the hackers have already escaped with the valuable data. While blocking the movement of data interrupts workflow and slows down business processes, monitor mode DLP on its own is not an adequate security control. To truly protect data, DLP technology must be used in a mix of layered defense, including defending the data itself.
Unlike DLP technology, encryption can be used to secure the data. A strong algorithm with an adequate key length will theoretically protect the data forever—wherever it is, and whoever has access to it. Data that has been encrypted is considered regulatory compliant, if and when correct key management is used.
Successful key management is one of major weaknesses of encryption. Managing all of the decryption keys and making sure that only the right people have keys, as well as renewing keys when they expire is one of the most challenging aspects of encryption for an organization. Additionally, encryption can pose practical problems too. While fixed data can be encrypted and stored, the process is too cumbersome for dynamic application data, making it difficult to perform operations.
Proxy servers and in-house key storage are two additional steps that some organizations have employed to up the security of the data. Both systems decrease an attacker’s ability to access the data, however neither of these approaches solves the problem of manipulating encrypted data. Homomorphic encryption has been saluted as the Holy Grail that will remedy our need to use dynamic but encrypted data. However, this solution is still in a testing stage and is not yet a functioning security product.
Just as security mechanisms become more sophisticated, so do the tactics deployed by malicious attackers. Without a robust multifaceted security system in place, even the most protected data will be vulnerable to the attempts of hackers. These days, the question about data hacks is not how, but when. Implementing strategies that not only allow an organization to prepare, protect and react, but also increase the opportunity cost for would-be hackers will be integral to data defense.
Elden Nelson, is editor in chief at Wisegate, a private crowd sourced IT research service for senior IT professionals, including CSOs and CISOs.
This story, "IT: Forget the device, secure the data" was originally published by CSO.