Data Security: Spurts of Progress but Much Work Ahead
News | 10 Dec 2012
In the never-ending battle for enterprise data security, industry experts say there has been progress on several fronts, but there is still much work that needs to be done. Two comprehensive surveys on the topic, "Closing the Security Gap: 2012 IOUG Enterprise Data Security Survey," and the "2011 ISUG Report On Data Security Management Challenges,, confirm that many executives (up to 28%) see data breaches as "somewhat likely" or even "inevitable." In addition, a majority acknowledge that the main weaknesses to enterprise security are "inside," either carried out or resulting from an unintentional exposure by someone in the organization. Vulnerabilities Persist Along these lines, there is an enormous amount of data that tends to leak out of the secure confines of data centers, creating a range of security issues. “There are many copies of data which have less security and scrutiny than production environments,” Joseph Santangelo, principal consultant with Axis Technology, tells DBTA. “The increased reliance on outsourcers and internal contractors leave sensitive data within corporate walls open to misuse or mistakes.” Or, as another industry expert describes it, the supply chain often proves to be the greatest vulnerability for data security. “A typical organization has a direct relationship with only 10% of the organizations in its supply chain — the other 90% are suppliers to suppliers,” Steve Durbin, global vice president of the Information Security Forum, tells DBTA. “We collaborate in an open network environment where we interact at tweetneck speed, and we do so with many other organizations and individuals around the world, across multiple jurisdictions where the regulatory frameworks and treatment of data are disparate and in some cases nonexistent.” Many companies “just don’t have their hands around how many third parties they have, what all those third parties do, and what those third parties have access to,” agrees Carolyn Holcomb, partner with risk assurance services at PwC. “Contracts that were created a number of years ago, even as little as 5 years ago, often don’t mention privacy and security to the level that they should. Therefore, third parties are not held liable in their contracts. So it becomes a pretty difficult long process to get third parties under control.” Still, there are outside forces that continue to probe and evolve to get around even the most secure firewalls. Phishing, for example — in which hackers target users with phony emails, such as bank notices, to elicit private data such as bank account numbers — remains a constant threat. “Social engineering — the process of deceptively manipulating people into performing actions or disclosing confidential information — continues to be a widespread security problem,” Dodi Glenn, project manager for GFI Software’s Security Business Unit, tells DBTA. “We are at war — a cyber war,” says Sharon Besser, VP Technology at Net Optics. “Criminals, foreign governments and business rivals are using our advanced IT networks and infrastructure against us.” While Besser believes organizations are improving their security posture, they are only just keeping up with “great forces that are changing the IT landscape” — such as consumerization, big data analytics and anytime-anywhere connectivity. “In order to keep the same level of security, more resources need to be invested,” says Besser. “I think that overall our universal security score is ‘C,’ while 2 years ago it was ‘D.’ ” Still, the vulnerabilities organization face all are based on the human element. “You can use the right technologies to protect the business, but there will always be the chance that an employee will be tricked by social engineering or spear phishing,” Marc Blackmer, senior product marketing manager for HP Enterprise Security, tells DBTA. “This risk is amplified by a lack of control and oversight of user access.” Ultimately, what makes vulnerabilities particularly challenging is lax or complacent approaches taken by organizations, many experts argue. For example, Glenn, says, IT is often left to fight alone against incursions and breaches. “Management awareness of IT vulnerabilities seems to be increasing, but the burden of dealing with security issues still tends to rest with the IT department,” Glenn says. “The old way of protecting only the database or the network or the system or device isn’t enough anymore,” agrees Mark Bower, data protection expert and VP at Voltage Security. “Zero-day malware, SQL injection, external exploits, and insider incidents are causing greater loss of sensitive data than ever before. We’ve seen beaches on the order of millions of records stolen, and this across all industries. Unless a new approach is undertaken — and data-centric security is the only real solution and path ahead—organizations will continue to struggle in the continuous arms race against attackers,” he tells DBTA.
Awareness Grows While vulnerabilities are on the rise, so is awareness on the part of company management. Many data security experts are encouraged by the increasing level of awareness seen in recent years. “I’ve definitely seen progress,” Holcomb tells DBTA. “I’ve seen more companies asking us to help them proactively and help them get ahead of this.” There are other encouraging signs that organizations are finally starting to take data security seriously. “There have been strides among companies supporting better security for their online properties and for their workforce — via the corporate network and mobile devices like laptops and smartphones,” observes Alon Israely, co-founder of Business Intelligence Associates. “Also, network-engineering devices typically come with better security packages that are easier to manage. With the advent of virtualization technologies, security has also become stronger — especially in cases where organizations have specifically implemented those types of technologies to ensure that certain systems are better isolated.” However, not everyone shares the view that enterprises are taking more proactive approaches to data security. “Organizations have not made progress overall,” Joe Gottlieb, president and CEO of Sensage, argues. “In our third annual security industry study, we found that IT’s ability to consistently coordinate, measure and improve security data management processes, including log management, compliance reporting, real-time monitoring, forensic investigation, and incident response — areas that are critical to sustaining effective security intelligence — are trending downward since 2010. In addition, the study shows that security confidence is declining as security practitioners cite issues with data access and analysis as key challenges in threat management.” In the Unisphere Research-ISUG survey, only a minority of companies participating in the study have adopted best practices to help ensure that data is protected, or are regularly monitoring and auditing for security breaches. At the root of these oversights is a disconnect between what IT leaders view as important and what the business sees as its priorities when it comes to managing information security, according to this survey of 216 data managers and professionals, fielded among members of the International Sybase User Group (ISUG). The challenge with information security isn’t technical — it’s organizational and perceptual. Budget constraints top the list as the greatest impediment holding back efforts to address information security, as cited by close to half of survey respondents. Another 28% say there is a lack of understanding of the threats, while 23% point to a disconnect between IT operations and their executive management teams.” Plus, the threat level varies from organization to organization. “The mass media often distorts the actual nature of or importance of various threats,” Dan Brown, senior security researcher at Bit9, tells DBTA. “Management often sees the threat landscape through this distorted lens and therefore ends up with security priorities that are not always well aligned with the actual threat landscape.” When dealing with information security, “one size does not fit all,” says Brown. “Different organizations and verticals face different challenges that require different solutions. Complicating this is that organizations are starting from different points. Most fundamental is determining the assets that are valuable and worth protecting for each particular organization.” BYOD and Cloud:The Latest Wrinkle While data security proponents continue to address the challenge of raising awareness, new dynamics — particularly in the mobile “bring your own device” trend and cloud computing—are introducing new vulnerabilities. “VPN access, portable devices such as laptops, smartphones, and tablets, and cloud computing may have increased business efficiency and responsiveness, but they have also introduced a host of additional security risks,” Michael Fiore, managing director of CBIZ Risk & Advisory Services, points out. “These risks include the loss of the physical layer of security over organizational information and, and the increased complexity of the IT infrastructure. Keep in mind that many organizations still suffer from basic vulnerabilities, such as improper access control management and improper patch management, the task of achieving adequate security in these new environments can seem rather daunting,” he adds. “The BYOD and highly mobile workforce has been a game changer when it comes to protecting extended data,” David Baker, chief security officer for Okta, tells DBTA. “While some enterprises are trying device data encryption and remote management software, the control is not the same. Mobile device management, or MDM, is still young and by extension, so is the ability to protect the extended data on those devices. In addition to the mobile devices, you have users saving data to their own personal cloud storage — on sites such as YouSendIt, iCloud, and DropBox. Enterprises need to be able to track, manage, and protect that extended data.” Cloud may pose additional data security risks, but virtualization itself may be the greatest challenge, Tim Richardson, practice head for security and compliance at Akibia, tells DBTA. This ties back to concerns about data leaving or being replicated beyond more secure data centers — and being sent to other parts of organizations, or to outsourcers and partners. “Organizations have evolved their compute infrastructures using virtualization technologies and now have the ability to move, add and change their compute environment nearly on-demand. As a result, many of the perimeter-based security solutions have become an obstacle to the mobility of these compute infrastructures — whether those are on-site, in the cloud, or some other compute infrastructure that the client wants to use.” Secure Steps Industry experts say there are ways for organizations to better improve data security. First, as Durbin points out, there has to be acceptance that everything can’t be locked down and made completely invulnerable. “Some organizations have adopted an approach to security that we refer to as ‘resilience,’ ” he explains. “This is an acceptance of the fact that total security can never be attained, and what is required is an approach to security that sets out means of mitigating the impact of any one breach on the overall enterprise and its ability to go about its business. Post incident review is key to the successful management of security and risk in this way.” “My advice is to assume breach,” says Baker. “In other words, assume that somebody is already on your network, or has access to employees’ devices. Then work backward from there. Encrypt everything as much as possible. Use services that allow viewing of sensitive data without actually downloading it to your device.” Education, training, and awareness are also key. “Employee education at all levels of an organization is an essential component of every company’s security response plan to help mitigate attacks and threats,” Glenn says. “When it comes to enterprise security, your employees are your biggest vulnerability,” Baker states. “Hacks and attacks that target employees are quickly on the rise and proving more successful in accessing sensitive data that software and device exploitation. Multifactor authentication that is being built into MDM or popular cloud services is helping thwart this. When an enterprise gives their workers the freedom to bring their own device and work from home, IT managers should educate their workers on the services you use to protect your and their data.” Ultimately, efforts to achieve data security lead to increased performance for the business as well. “Every journey, no matter how long, begins with a single step,” says Fiore. “In our world, that first step is a risk assessment. Ideally, those charged with securing organizational information will already have the support of management when beginning a risk assessment. Although this can often be an intensive process, it is not without tangential benefits, including increased integration between the business and IT, and enhanced visibility into business continuity management via through the identification of critical information assets and related processes.” In addition, security efforts implemented via automation or infrastructure changes, such as automated log analysis and correlation, virtual desktop infrastructure, or server virtualization, “can bring with them operational efficiencies that, over time, defray the cost of the security investment,” Fiore adds. There also needs to be a consensus that data security is more than something only the IT department should be worrying about. “Communicate the business value associated with protecting corporate information, and to quantify the risk in business terms, rather than IT jargon,” Blackmer advises. “Often times, the IT department thinks that the technical reasons speak for themselves, but management doesn’t understand these benefits. You need to say ‘it will cost you this much money’ or ‘it will take down this part of the business,’ ” he tells DBTA. When it comes to explaining the urgency of data security, “focus on what matters most to the business, customers and competitors,” says Rainer Enders, CTO at NCP Engineering. “Find out the perceptions or requirements of customers, demonstrate impact and effects of security breaches, and put them in perspective to revenue and profit of the business. Determine the value of the business that is attached to its reputation. Study the efforts and security issues of competitors in your business segment and illustrate how they apply to your own operation.” The problem is that “some executives mistakenly believe that suffering a data breach would be less expensive than the cost of implementing security solutions and being compliant,” adds Bob Janacek, co-founder and CTO, DataMotion. “IT and data management professionals should impress upon them that the price they’ll pay for a data breach goes far beyond compliance fines. In addition to investigation and legal fees, and costs associated with new prevention efforts, there’s also a tarnished reputation to consider, which can lead to loss of customers and decreased sales.” In addition, it’s important to get to know vendors and their security practices as well as possible. “We see executives going for site visits, or doing some level of remote review of those vendors,” Aaron Schamp, partner for risk assurance at PwC, tells DBTA. If an organization can protect its data from the moment it’s captured until termination, the potential benefits are huge, says Bower. “These include massive cost savings across an entire gamut of privacy regulations under one umbrella; reduced risk; less pressure on IT security budgets; and decreased stress for the lines of business heads who worry about whether they’re going to be the next breach victim. For DBAs it’s also a great thing—they don’t have to take additional responsibility for compliance and risk, and can focus on ensuring that critical databases continue to drive business growth and productivity rather than slow it down. And chief information security officers who embrace data-centric security sleep better at night—it’s as simple as that.”