Understanding the value of the data, where it resides and the corporate risk profile are key factors in implementing a security strategy. Stephen Lawton reports.
This editorial product was produced by the SC editorial team and underwritten by Informatica.
It is part one of a four-part series.
One of the challenges today's IT departments face when building an information security strategy is recognizing not only what needs to be secured, but how much security it needs. A one-size-fits-all information security strategy effectively becomes one-size-fits-none, simply because not all data is the same.
In order to fully understand how much protection each type of data requires, experts say the chief risk officer needs to build a profile of all of the different types of data the company has, as well as where the data resides. Building a matrix with the level of security needed to protect the data on one axis and the location of the data on the other axis can help determine not only what kind of security is required, but also how that security will be implemented based on where the data resides.
For example, highly confidential data that resides on a corporate server can be protected by a variety of traditional hardware and software tools. Multiple layers of identity, credential and access management authentication, combined with multiple firewalls, honeypots and physically isolated servers, might be appropriate to protect the corporate data. However, if highly confidential data resides on a mobile device or in the cloud, different security techniques will be required.
Physically separating data with different security levels onto different physical hard drives is one approach to isolating protected data, says Michael Crouse, director of insider threat strategies at Raytheon Cyber Products Co. Tools can generate hashes for each file based on its security level while audit tools track where the files are stored.
James Pooley, a Silicon Valley-based attorney who specializes in intellectual property, acknowledges that tools and technology can address a lot of issues, but at the basis of security is “good old-fashioned management.” Risk management and technology are important, but no matter how good the tools are, “if you don't train your people to think about security, you will experience a lot of loss.”
Not all data is created equal. Some data, such as personally identifiable information (PII) – Social Security numbers, phone numbers, or dates of birth – is required by various regulations to be protected in numerous ways. Credit card numbers and other bank card data have their own set of compliance requirements. Protected health information (PHI) that falls under the Health Insurance Portability and Accountability Act (HIPAA) also has its own set of rules about how data is handled. But marketing data, for example, or historic financial data that has already been reported to the SEC or otherwise made public, carries less need for security than PII or PHI does.
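The two ideas above – a security-level-by-location matrix, and per-file hashes recorded by an audit tool alongside the file's classification – can be tied together in a small data-inventory script. The following is an added example, not code from the article or from any vendor it mentions. It assumes two classification levels ("restricted" for records containing PII or card data, "general" for everything else), three storage locations, and a control list per cell of the matrix; the controls for the corporate-server row come from the article, while the cloud and mobile rows are assumptions for illustration. The detector covers only Social Security numbers and Luhn-valid card numbers; phone numbers and dates of birth are deliberately left out because simple patterns for them produce too many false positives. The sample files are constructed.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Pattern for a US Social Security number written as NNN-NN-NNNN.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Candidate bank card number: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Security level (rows) x location (columns) -> required controls.
# The corporate_server/restricted cell reflects the article; the cloud and
# mobile cells are assumed values for this example, not taken from the article.
REQUIRED_CONTROLS = {
    ("restricted", "corporate_server"): ["multi_layer_icam_auth", "firewalls", "isolated_server"],
    ("restricted", "cloud"): ["encryption_at_rest", "customer_managed_keys", "sla_review"],
    ("restricted", "mobile"): ["device_encryption", "remote_wipe", "mdm_enrolment"],
    ("general", "corporate_server"): ["access_logging"],
    ("general", "cloud"): ["access_logging"],
    ("general", "mobile"): ["access_logging"],
}


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card networks."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str):
    """Return (level, findings) for a text record: which PII types were found."""
    findings = []
    if SSN_RE.search(text):
        findings.append("ssn")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append("card")
            break
    level = "restricted" if findings else "general"
    return level, findings


@dataclass
class InventoryEntry:
    path: str
    location: str
    sha256: str          # content hash recorded for the audit trail
    level: str
    findings: list = field(default_factory=list)
    controls: list = field(default_factory=list)


def inventory(files):
    """Build audit entries for (path, location, content_bytes) triples."""
    entries = []
    for path, location, content in files:
        level, findings = classify(content.decode("utf-8", "replace"))
        entries.append(InventoryEntry(
            path=path,
            location=location,
            sha256=hashlib.sha256(content).hexdigest(),
            level=level,
            findings=findings,
            controls=REQUIRED_CONTROLS[(level, location)],
        ))
    return entries


# Constructed sample files; the card number is a well-known test number, not a real account.
SAMPLE_FILES = [
    ("hr/payroll.csv", "corporate_server", b"name,ssn\nAlice,123-45-6789\n"),
    ("sales/orders.txt", "cloud", b"order 1001 paid with 4111 1111 1111 1111\n"),
    ("marketing/brochure.txt", "mobile", b"Spring campaign: 20% off all plans\n"),
    ("finance/10k_2013.txt", "corporate_server", b"Already filed with the SEC; public record\n"),
]

if __name__ == "__main__":
    for e in inventory(SAMPLE_FILES):
        print(f"{e.path:24} {e.location:16} {e.level:10} {e.findings} -> {e.controls}")
```

Running the script prints one inventory line per file; the payroll and orders files come out "restricted" with the matching controls for their location, while the brochure and the already-public SEC filing come out "general", which is exactly the distinction the article draws between PII and marketing or previously reported financial data.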
The bottom line, says Tampa-based intellectual property attorney Tatiana Melnik, is “you can't put all your eggs in the same security basket.”
There is no single way to do security, nor is there only one way to do compliance. Just because data is secure, it does not mean it is compliant. And just because data is compliant, that does not mean it is secure. Managing risk means balancing security and compliance based on the type of data.
In today's business environment, risk is everywhere. IT executives must protect their networks not only from attackers who use technical means to breach a network, but also from those who use social engineering. Part of a risk profile, therefore, should address how employees communicate with outsiders about the organization.
Corporate data is at risk all the time in places over which companies have no physical security controls. A service level agreement and a contract with a cloud provider will offer some level of control, but not necessarily as much as if the company had a physical data center. But, running one's own data center is no guarantee of security. A company that has a data center, but does not maintain appropriate levels of security for the data stored there, might be at greater risk than a company that stores its data in a secure cloud.
Once you understand your risk, you can put processes in place to protect your data. But remember the cautionary words of Richard A. Clarke, former National Coordinator for Security, Infrastructure Protection, and Counter-terrorism and adviser to several US presidents: security is a process, not a destination. Like security, risk also changes frequently, and so the risk assessment the company developed a year ago might be out of date because of changes within the company, such as new hires, mergers or acquisitions, changes in business processes, new compliance requirements or any number of other events.