Until fairly recently, headlines regarding data loss more often than not concerned lost laptops, USB drives and even CD-Roms.
The last 12 months however, have seen cyber attacks become increasingly focused on getting to the heart of an organisation's crown jewels – server data. While events such as those affecting the New York Times, IEEE, Yahoo and LinkedIn have motivated a number of organisations to revaluate their security measures, a troubling proportion still have some way to go in locking down defences.
As businesses grow, more and more data is becoming dispersed across corporate networks, putting all sorts of sensitive data – from human resources records, credit card and payment information, customer details, even transactional and warehouse data – at unnecessary risk.
Over the years, many enterprises have invested in strong perimeter defences creating a customary checklist of firewalls, network IDS/IPS and gateway anti-virus. The traditional security model of a hardened perimeter around the data centre protecting everything inside has eroded with the advent of virtualisation and cloud computing. Moreover, as the destructive capabilities of cyber crime continue to grow in sophistication, such conventional network layer controls are doing less to protect against breaches (see the New York Times and Wall Street Journal examples).
Data is still the lifeblood of an organisation, and so any threat to sensitive data constitutes a threat to the overall well-being of the organisation. However, as the enterprise becomes increasingly distributed, dispersing more and more information to various locations in the network, it is becoming difficult to understand exactly where data resides at any one time, making securing it a growing challenge.
Though the threefold process of data discovery, classification and segmentation can be arduous and typically a manual process, it is essential to figure out what to protect and, more importantly, how.
As a starting point, consider the type of data being processed and logged. Unfortunately, it is not uncommon to find that companies do not have a full inventory of the type of data that they accumulate, or even where that data is being stored (an issue being further compounded with the abundance of new storage technologies). This can be an invitation to an ICO fine.
When classifying data, it is important to segment information according to the level of risk associated with a compromise of that data. For example, information that will not do any harm to a company if it is exposed can be classified as ‘public', while on the other hand financial, regulated or personally identifiable information, may cause significant harm to a company in the event of it being leaked by inadvertent or malicious means and should therefore be classified ‘sensitive'.
Give particular attention to privileged users and their management. Privileged users frequently have blanket access to an organisation's networks and all data held within. Unnecessary authority in the hands of one party can risk a careless or rogue employee taking actions that result in compromised data. Holding a review of the data and segmenting it accordingly can therefore serve to crucially reveal the access control flaws present and, by consequence, indicate where to implement restrictions over who can – and should – access what data. For example, the office IT administrator should only have the authorisation to backup/restore files, while the application developer or data owner can be given the privilege to manipulate data.
Evolving business requirements are driving a need for data centric controls that can travel with data. Placing controls right down on the data itself rather than at the storage or volume level provides a separation of duties based on employee function, reducing risk and mitigating against both internal and external threats.
The ramifications of any data breach are extremely negative in terms of public perception. While a compromise of data may not always result in regulatory fines or legal sanctions, it can result in lost revenues, diminished trust, reduced competitive advantage, damaged reputation and other negative consequences.
Understanding what information needs to be protected from the outset is paramount, not only does this ensure that the most appropriate controls are installed in the right place, but that tight security budgets are strategically invested to maximum effect.
Paul Ayers is vice president of EMEA at Vormetric