A Five-Pillar Survival Guide for an Insecure Cyberworld
Here are five pillars to consider in rethinking your approach to data security in a cyber-environment in which both values and risks increase daily.
Fri, October 11, 2013
Network World — Edward Snowden's action demonstrated that an ordinary insider with a U.S. security clearance can intercept and distribute highly confidential information, even in an age of complex technology designed to prevent such action. What further risks are there?
Here are five pillars to consider in rethinking your approach to data security in a cyber-environment in which both values and risks increase daily:
1. Rely Not On Compliance Policy Alone. Compliance with legislative and regulatory requirements and internal company policies is mandatory in today's organizations. Failures can lead to significant career and financial penalties.
However, even compliance with legislation and policies designed to improve security may not be sufficient if those policies have not kept pace with growing cyber threats. Organizations need a risk-based approach to security in addition to compliance, and they should ensure that compliance requirements themselves receive regular reviews for currency. US federal agencies, for example, are taking this approach as they move their security operations from a compliance-driven model to "continuous monitoring" under the modernization of the Federal Information Security Management Act (FISMA).
2. Focus on Protecting Data vs. Infrastructure. Infrastructure in an age of BYOD is highly vulnerable. The American Society of Civil Engineers recently gave US infrastructure a grade of D+, citing many critical deficiencies; that grade covers physical infrastructure, but IT infrastructure in an age of BYOD is at least as exposed. A new paradigm is in order: protect data before infrastructure. Data is the real target of threats such as the Advanced Persistent Threat, so protect the information first. Companies that handle sensitive data need tooling that is highly functional yet intuitive and easy to learn, and that gives them tight control over how insiders and collaborating organizations manage that data.
Major organizations are developing data classification standards to improve the protection of sensitive information. For example, EDUCAUSE, the association of IT leaders in higher education, has published extensively on these policy developments in leading research universities.
3. Security is Ubiquitous. Knowledge workers are everywhere; therefore, their eyes and ears represent a high-value layer of security protection. Organizations must ensure that these knowledge workers are aware of current threats and are able to recognize risky situations quickly.
End-users also include partners and providers, particularly in the emerging age of cloud computing. This calls for provider shielding: once the customer encrypts its data under keys that it alone controls, the provider has no ability to read the information inside that data, whatever the application or use. If the provider also holds the keys, the shielding is gone even though the data is encrypted. A provider can still add value by helping clients build a private cloud without being privy to its content.
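The provider-shielding model described above, as an added example that is not part of the original article: the customer encrypts each record with AES-256-GCM under a key it generates and keeps, the provider stores only the resulting blob, and an insider at the provider who tries to read the record fails. The second scenario shows the failure mode the text warns about: the same encryption is in place, but the customer has handed the provider its key, so the provider can read everything. The Provider type, the record label "hr/payroll" and the sample secret are constructed for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Blob is all the provider ever stores: nonce plus ciphertext, no key material.
type Blob struct {
	Nonce      []byte
	Ciphertext []byte
}

// newKey generates a 256-bit AES key on the customer side.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM, binding the record label as associated data so
// a blob cannot be quietly moved from one record to another.
func seal(key, plaintext []byte, label string) (Blob, error) {
	aead, err := gcm(key)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	return Blob{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, []byte(label))}, nil
}

// open reverses seal; it fails unless the caller holds the key and the label matches.
func open(key []byte, b Blob, label string) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, b.Nonce, b.Ciphertext, []byte(label))
}

// Provider models the cloud provider's storage (hypothetical). In the shielded
// model the keys map stays empty.
type Provider struct {
	store map[string]Blob
	keys  map[string][]byte
}

func NewProvider() *Provider {
	return &Provider{store: map[string]Blob{}, keys: map[string][]byte{}}
}

// Read is what a curious insider or a legal demand at the provider can obtain.
func (p *Provider) Read(label string) ([]byte, error) {
	b, ok := p.store[label]
	if !ok {
		return nil, errors.New("no such record")
	}
	key, ok := p.keys[label]
	if !ok {
		return nil, errors.New("ciphertext only: provider holds no key for this record")
	}
	return open(key, b, label)
}

// ShieldedRoundTrip: customer encrypts and keeps the key; provider stores the blob.
// Returns whether the provider could read the record and whether the customer could.
func ShieldedRoundTrip(secret, label string) (providerCanRead, customerCanRead bool, err error) {
	key, err := newKey()
	if err != nil {
		return false, false, err
	}
	blob, err := seal(key, []byte(secret), label)
	if err != nil {
		return false, false, err
	}
	p := NewProvider()
	p.store[label] = blob
	_, readErr := p.Read(label)
	got, err := open(key, blob, label)
	return readErr == nil, err == nil && string(got) == secret, nil
}

// UnshieldedRoundTrip: identical, except the customer also gives the provider the key.
func UnshieldedRoundTrip(secret, label string) (providerCanRead bool, err error) {
	key, err := newKey()
	if err != nil {
		return false, err
	}
	blob, err := seal(key, []byte(secret), label)
	if err != nil {
		return false, err
	}
	p := NewProvider()
	p.store[label] = blob
	p.keys[label] = key // the mistake: encryption is on, shielding is gone
	got, readErr := p.Read(label)
	return readErr == nil && string(got) == secret, nil
}

func main() {
	pr, cu, _ := ShieldedRoundTrip("Q3 salary table (constructed sample)", "hr/payroll")
	fmt.Printf("shielded:   provider can read=%v customer can read=%v\n", pr, cu)
	pr, _ = UnshieldedRoundTrip("Q3 salary table (constructed sample)", "hr/payroll")
	fmt.Printf("unshielded: provider can read=%v\n", pr)
}
```

The label bound as associated data is a small but useful detail: it means the provider cannot substitute one customer's blob for another's without the customer's decryption failing, which is the other half of keeping the provider out of the content.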