If every chief security officer or director of IT had access to a time machine and could travel into the future to witness evolving data security threats, back in the present we'd see a quantum leap in effective countermeasures to contend with each new threat. But, without time machines or even a modest crystal ball, we're left with projections from analysts, industry pundits, and research groups, which—although sometimes illuminating—are often like trying to drive your car forward by intently studying the rear view mirror. The way organizations have approached data protection has changed dramatically in recent years and promises to keep changing at a rate that will keep security professionals earning their pay. Earlier vulnerabilities are met; new vulnerabilities arise. New data security techniques emerge; outmoded, less-effective techniques are discarded.
Consider the ways that organizations have approached data security in the last two decades. Once, securing the perimeters of the organization against intrusion was considered the best-practice approach. Then, applying encryption to sensitive data and resources gained favor, later complemented by stronger authentication techniques to restrict access to servers, PCs, and media. Presently, the security focus embraces both data security and regulatory compliance, bringing these twin requirements under a single umbrella that emphasizes accountability, privacy, and protection of data regardless of what form the data takes.
Anyone with a bit of experience in this industry knows that 100% security is unattainable. The ingenuity of hackers, fraudsters, and thieves in their quest to breach security is unendingly pitted against the inventiveness and foresight of data security professionals working to foil their attempts. The dynamics and high stakes leave no time for anyone to be asleep at the wheel. Typically, the practical and realistic goal is to make it too difficult and too expensive for anyone to defeat the security mechanisms in place—to stay one step ahead of the thieves' capabilities. The Suite B algorithms promulgated by the National Security Agency, with longer key lengths backed by modern cryptographic techniques, greatly reduce the opportunity for attackers to break through the protective veil of encryption. But they don't entirely eliminate the possibility. Nothing does.
Given that future data threats are unknown and 100% security is impossible, what is the appropriate, realistic way for organizations today to minimize the vulnerabilities in their data use? The key is to look for the greatest points of vulnerability—the gaps in data security. If your perimeter is secure (and it should be), are the laptops used by your mobile workforce protected? Are the memory sticks and USB drives that staff members casually carry in their pockets protected? Are the online transactions with your supply chain partners safeguarded? Are the encryption keys used to protect data resources themselves hidden and guarded? Are the internal servers used by temps and contract workers secure against a data breach? A strategy session in which the stakeholders in your organization meet with the security team may help uncover the weak points and develop countermeasures to strengthen them.
A holistic, 360-degree approach to data security can satisfy two related organizational requirements. One: the regulatory climate worldwide requires that organizations using and storing sensitive information ensure data privacy and accountability. Two: corporate policy and the need to protect brand integrity make it essential to guard data against loss or theft. Whereas in the past, disconnected and fragmented approaches to data security often left substantial gaps in the level of protection, today a more unified and universal approach holds the best promise of guarding against known and emerging threats. Accountability is also an important part of the equation. You not only need to protect the data—you need to demonstrate that you've taken measures to prevent data breaches and to account for the validity of each data transaction. Compliance and sound data security are complementary sides of the same coin.
Without the ability to travel forward in time to survey IT developments, we're best served today with a strategy that provides 360-degree protection against data threats. Central management can be a big step in that direction. A centrally managed data security solution establishes a consistent platform for implementing corporate security policies and providing the accountability to satisfy the regulatory agencies. It also helps ensure that vulnerabilities in the security approach can be effectively identified and fixed by granting visibility into the data use patterns in complex IT environments—across servers, desktops, notebook computers, and removable media. With a centralized solution of this type—using the strongest, most current encryption algorithms and the most effective authentication techniques—you can plug the gaps and keep the hackers and thieves at bay. And, by tracking, monitoring, and evaluating trends—through transaction histories, data use patterns, and analyses of fraudulent incidents—you'll be better prepared to address emerging threats before they do damage.
Raphael Leiteritz is head of innovation, corporate business and new strategy, Utimaco Safeware AG