Enterprises worldwide are spending approximately $20 billion per year on IT security, yet very costly breaches continue to occur. In large part, this is because security efforts have mainly been focused on network security rather than data privacy. Data privacy is the process of securing critical data as it is being stored, transmitted, and used within the enterprise.
The need to augment network security mechanisms with data privacy technologies has never been more vital. For example, given that most estimates cite that now over 50 per cent of security breaches are perpetrated by internal staff, perimeter security mechanisms like IDSs and firewalls are ill equipped to address many threats to sensitive data.
According to Gartner, 75 per cent of external-based attacks are tunneling through applications. Further, in spite of the deployment of network security technologies, organizations are still susceptible to a range of attacks: storage systems can be breached via insecure storage management interfaces and physical storage systems and data in the databases themselves can be stolen.
Failure to implement a data privacy solution can have a disastrous effect on an organization. Public disclosure of breaches can be catastrophic to an organization's brand, market capitalization, and consumer trust. Plus, privacy legislation and the security policies of credit card issuers mandate disclosure of breaches, meaning organizations that try to keep a breach secret will be susceptible to civil litigation and steep fines.
It's no surprise then that, in a recent worldwide survey of Chief Information Officers, data privacy rose to the top three on their list of top priorities, with security number one. Historically, the challenge in achieving data privacy has been that many of the options available to an organization have been lacking, either in terms of delivering true security, or in terms of prohibitive cost or complexity. Furthermore, deploying a data privacy solution will require some planning in advance to ensure that all issues are addressed and well understood prior to implementation. Following are a few of the key considerations in undertaking a data privacy implementation.
Ensure involvement across all core technology areas
Leveraging encryption as a means of securing data can affect technology groups across the enterprise. As a result, it is essential that this effort involve all core technology areas, including network, IT, security, development, database, and storage. Clearly, some groups will be affected more than others, however, the ability of an enterprise to successfully deploy a data privacy solution will hinge on their ability to work across a broad range of IT groups.
Leverage a centralized model to increase ROI
When considering a data privacy solution, it is critical to consider the centralization of many of the fundamental building blocks of data privacy, including encryption, key management, logging and auditing, and authentication and authorization. Doing so will help deliver a scalable solution, reduce the cost of management, increase security (particularly key management security), and allow for faster responses to security attacks. Leveraging a centralized hardware platform will ensure that an enterprise maximizes the use of specialized hardware to offload encryption overhead on many platforms. Finally, a centralized model will significantly reduce the cost of ongoing management and maintenance by enabling a single management interface and centralized audit logs. In addition, doing so will help create a compelling ROI model that can make a strong case for deployment of a data privacy solution.
Understand and minimize performance impact
Encrypting data can have significant performance implications on existing systems within the enterprise. In order to adequately address performance concerns, an enterprise must understand what acceptable level of performance impact can be tolerated within their specific environment, if any, and how to best minimize the performance impact of encryption. Review the infrastructure and systems in advance to see if there are points that can be optimized to offset performance impacts, offload encryption to specialized hardware where possible, and encrypt only the data that requires this level of security.
Anticipate and plan for necessary changes
In today's complex enterprise environments, it is important to anticipate and plan for the changes that will be required as a result of encryption of critical data. These changes will occur in business logic, databases, storage systems, and other components of the overall enterprise architecture and must be addressed and planned for in advance of deployment. Some of these changes include:
o data size and type changes when converting cleartext to ciphertext,
o potential additional storage requirements as some encryption may result in larger data segments, and
o changes to business logic to plan for the impact of encryption.
By Randy Budde, marketing communications manager, Ingrian