October 2006 Issue

Data Protection in an IP world
By Brandon Hoff

The biggest threat to data security is underestimating the threats, both internal and external, to data security. And as IP networks become the de facto standard for storage extension, broadband wireless and LAN/WANs, ignoring this reality can exact a heavy price down the road.

Assessing the risk comes down to some simple arithmetic: what is your data worth, and what would be the damage if it were compromised? With a new story about data being hacked or tapes falling off a truck seeming to appear on a weekly basis, it makes sense for organizations that deal with highly sensitive data and proprietary intellectual property to take a closer look at the areas of vulnerability on their network. A single breach on these networks can wreak havoc with long-term effects. Lawsuits from customers, degradation of an established brand, fines for non-compliance with government regulations, even jail time for negligent CIOs - these consequences are very real, and often very difficult to overcome.

The truth of the matter is that current security technologies are a good first step, but may pose an unacceptable risk in protecting a company’s data and intellectual property. Companies have done a good job deploying virus protection, firewalls and IDS/IPS solutions, but these only cover established areas. Security-conscious technologists need to consider and protect their business against emerging areas of compliance, with data protection being the most essential to a business’s well-being. Only data protection throughout the network can safeguard critical and confidential data, regardless of the success or failure of other security technologies and policies. Therefore, data protection is the essential layer of defense.

Data in motion: what’s the worst that could happen?
Networks today are not the isolated, self-contained islands they once were. With Internet gateways and shared infrastructures giving network access to employees who may be located anywhere, as well as to customers, contractors and partners, the network has opened up, increasing both productivity and security risk.

Network security has relied primarily on keeping the bad guys out with a well-architected perimeter. Hackers, thieves and other ne’er-do-wells seeking to do harm were prevented from getting in, most of the time. However, the nature of networks today is dynamic. While data may spend some time on any number of devices – servers, desktops, disk arrays – some of it is in motion, traveling across the network, all the time.

What happens if all else fails and the bad guys get in? Or, even more probable, what happens when the bad guy is already in? According to the FBI 2004 Computer Crime and Security Survey, more than 70% of security breaches are by insiders.

In the days before all data was digital, the easiest way for someone to gather proprietary information was to insinuate himself into an organization and hang around the water cooler to catch up on what was going on, or to hang around the printer or fax, looking at documents (data) that might be proprietary, confidential or valuable. Nowadays, hanging on the network is the equivalent of hanging around the water cooler, only much more efficient. There are any number of tools available in the public domain that make it easy to pull data in transit off the network with no one ever knowing. And if you don’t think you have anything valuable enough for someone to want, you may want to think again. There are any number of reasons your information may be an attractive target:

  1. Intellectual property – your organization’s “special sauce” that gives you critical market differentiation and a leg up on the competition.
  2. Customer information – personal, financial and/or health information can be very valuable and essential to your business. In fact, concern over protecting personal information has kicked off several initiatives to protect consumers from identity theft, which in turn have spawned a growing number of federal and state regulations, including Gramm-Leach-Bliley, Sarbanes-Oxley and California Senate Bill 1386, with more in development.
  3. Employee information – personal information such as Social Security numbers, bank account numbers and health information.
  4. Other secret information – including governmental information regarding homeland or national security, Department of Defense activities or communications, and personal, private data used by any number of agencies.
  5. Business-enabling information – customer and prospect opportunities, plans and interactions.

All networks are untrusted
Most enterprises and organizations with far-flung offices, remote back-up data centers and multiple buildings in a campus setting have a complex network to meet all of their communication and business needs. In fact, more than a single network, it is usually a network of networks that must communicate and share data with one another. This creates a situation where data is physically leaving a protected facility and moving to another. Whether it’s going over the Internet, a service provider backbone or a wireless link between buildings, that data, which has been sacrosanct in the protected environs of the network, has just moved out into the ether where it is available to anyone with the motivation and means to get it.

The Internet is understood to be untrusted. Special precautions are taken when opening up a gateway to the Internet, including firewalls, intrusion detection and virus protection. However, a wide range of networks – in fact, all networks – should be considered untrusted, and treated as such. Go back to the fundamentals of risk assessment and you’ll see that the more sensitive the data, the more untrusted the network – any network.

Data protection – the primary layer of defense
Understanding that data in motion is vulnerable both on and off the network raises the question of how to protect it. Your data is running around the network in packets that contain addresses, protocol IDs and the actual data. If you protect the packet’s content from its source to its destination, you have created an excellent foundation for a secure network.

There are three main aspects that need to be addressed for data protection on the network:

  1. Confidentiality – keep your data private
  2. Authentication – trust your sources
  3. Integrity – trust your data

To improve security and protect data as it traverses the network, IP Security (IPSec), defined by the Internet Engineering Task Force (IETF), is the accepted and established standard for protecting data in transit over both internal and external networks, and it provides the three security properties that compliance requires. In fact, Gartner considers IPSec to be the heavyweight solution for data protection.
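The three properties above can be seen working on a single packet. The following Go program is an added example written for this article; it is not the author’s code, not CipherOptics’ product, and not a real IPSec implementation. It uses a hypothetical, ESP-like envelope (a clear-text SPI and sequence number, a nonce, then AES-GCM ciphertext and tag) and a constructed 16-byte shared key, and it assumes sender and receiver already share that key, so key exchange (IKE in IPSec) is out of scope. The receiver adds a deliberately simplified anti-replay rule (strictly increasing sequence numbers) where real ESP uses a sliding window.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Layout of the hypothetical envelope (a simplified, ESP-like construction,
// NOT real IPsec): [4-byte SPI][4-byte sequence][12-byte nonce][ciphertext || 16-byte tag].
// SPI and sequence travel in the clear, as in ESP, but are bound into the
// authentication tag as additional data, so an on-path party can neither read
// the payload nor change the header without the receiver noticing.
const (
	hdrLen   = 8  // SPI + sequence number
	nonceLen = 12 // standard AES-GCM nonce size
)

var (
	ErrShort  = errors.New("packet too short")
	ErrReplay = errors.New("sequence number already seen")
)

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal gives a payload the three properties from the article: confidentiality
// (AES encryption), integrity and source authentication (the GCM tag can only
// be produced by a holder of the shared key). A fresh random nonce is used per
// packet; real ESP derives the IV from the sequence number instead.
func Seal(key []byte, spi, seq uint32, payload []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, hdrLen)
	binary.BigEndian.PutUint32(hdr[0:4], spi)
	binary.BigEndian.PutUint32(hdr[4:8], seq)
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	pkt := make([]byte, 0, hdrLen+nonceLen+len(payload)+aead.Overhead())
	pkt = append(pkt, hdr...)
	pkt = append(pkt, nonce...)
	return aead.Seal(pkt, nonce, payload, hdr), nil
}

// Open reverses Seal. Any bit flipped in header, nonce, ciphertext or tag, a
// truncated packet, or a packet sealed under a different key fails the tag
// check, and no plaintext is released.
func Open(key, pkt []byte) (uint32, uint32, []byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return 0, 0, nil, err
	}
	if len(pkt) < hdrLen+nonceLen+aead.Overhead() {
		return 0, 0, nil, ErrShort
	}
	hdr := pkt[:hdrLen]
	nonce := pkt[hdrLen : hdrLen+nonceLen]
	ct := pkt[hdrLen+nonceLen:]
	payload, err := aead.Open(nil, nonce, ct, hdr)
	if err != nil {
		return 0, 0, nil, err
	}
	return binary.BigEndian.Uint32(hdr[0:4]), binary.BigEndian.Uint32(hdr[4:8]), payload, nil
}

// Receiver adds a minimal anti-replay rule on top of Open: only strictly
// increasing sequence numbers are accepted. Replay state is updated only
// after the tag has verified, so forged packets cannot disturb it.
type Receiver struct {
	Key     []byte
	lastSeq uint32
	started bool
}

func (r *Receiver) Accept(pkt []byte) ([]byte, error) {
	_, seq, payload, err := Open(r.Key, pkt)
	if err != nil {
		return nil, err
	}
	if r.started && seq <= r.lastSeq {
		return nil, ErrReplay
	}
	r.lastSeq, r.started = seq, true
	return payload, nil
}

func main() {
	key := []byte("0123456789abcdef") // constructed demo key; never hard-code a real one
	pkt, err := Seal(key, 0x1001, 1, []byte("account=4242 balance=100"))
	if err != nil {
		panic(err)
	}
	rx := &Receiver{Key: key}
	pl, err := rx.Accept(pkt)
	fmt.Printf("genuine packet: %q err=%v\n", pl, err)
	tampered := append([]byte(nil), pkt...)
	tampered[len(tampered)-1] ^= 1 // flip one bit of the tag in transit
	_, err = rx.Accept(tampered)
	fmt.Println("tampered packet rejected:", err != nil)
	_, err = rx.Accept(pkt) // the genuine packet sent a second time
	fmt.Println("replayed packet rejected:", errors.Is(err, ErrReplay))
}
```

The design point is that one authenticated-encryption pass covers all three properties at once: an observer without the key sees only the SPI, sequence number and nonce; a single changed bit anywhere in the packet is detected before any plaintext is returned; and the replay check runs only on packets that have already proven they came from a key holder.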

Customers should deploy data encryption solutions, such as IPSec integrated into security gateways, as an essential layer of defense against the threats that many businesses face today. Data protection solutions should be implemented to:

  1. Protect data storage
  2. Protect data over third-party networks
  3. Secure sensitive virtual networks
  4. Secure wireless end to end

About the Author:
Brandon Hoff is vice president at CipherOptics (http://www.cipheroptics.com).

© IMPIRE Communications, LLC All Rights Reserved.  
