March 09 Issue
Truly Protecting Data in an Open and Collaborative World
By Michael A. Concordia, President, BitArmor
Data breaches are becoming daily news, as organizations put the
personal information of millions of consumers at risk by failing
to take adequate responsibility for its protection. The
consequences of these breaches include violations of personal
privacy, bank account and credit theft, appropriation of
competitive intelligence and compromised national security. They
have never been fully accounted for, but they are massive and,
in a growing number of cases, disastrously expensive to remedy.
In fact, a recent report from the Identity Theft Resource Center
concludes that the number of breaches in 2008 grew by 47% from
the previous year. So have the costs of a breach, which rose
from an average of $6.3M per breach to $6.6M, according to the
latest Ponemon Cost of a Data Breach study. With organizations
facing such massive financial losses, why are these security
holes not getting fixed? Is the security industry failing to
build effective solutions to address the problems?
Many of the answers to these questions can be traced to
organizational issues, technical challenges and the fact that
companies may not address the right security threats. At the
heart of the matter are four myths about data security. By
taking a different approach to data security, not only can we
debunk these myths, we can overcome many of the challenges
facing IT organizations.
- Hackers Are to Blame for the Breaches
One of the most common misconceptions concerns the nature of the
enemy. We have been led to believe that most attacks are carried
out by hackers motivated by personal glory. While this might
have been the case a decade ago, today's attackers are members
of sophisticated criminal enterprises. They are not after
notoriety and fame; they are after money, and they get it by
stealing bank accounts, credit cards and intellectual property.
Not only are they highly motivated, they have incredibly
advanced tools. In addition, recent surveys point to an
increasing number of breaches caused by insiders: the latest
Ponemon Cost of a Data Breach study reveals that 88% of all
breaches were caused by insiders.
- I Have the Latest Firewalls and Anti-Malware
This classic ‘moat and castle’ defense provides a false sense of
security. While protecting infrastructure is important, it
shouldn’t be viewed as the only requirement. The ever-changing
set of pathways, storage locations and wireless networks in any
organization makes it hard to ensure that each point is
protected. In addition, data is becoming more distributed and
widely shared across a company’s networks and beyond its
perimeter, making it more vulnerable than ever. Static
technologies do very little to protect mobile data or to protect
against insider negligence.
- Security Is an IT Problem
This couldn’t be further from the truth. CISOs (Chief
Information Security Officers) may have responsibility for data
security, but many don’t have the authority to enforce it.
Information security is a huge organizational challenge that
requires involvement from the very top of the company, since it
involves business processes, workflows and user behavior.
Technology can only be the foundation from which good security
evolves.
- Security Is About Restricting the Sharing of Data
This is the most common of all security myths. In fact, security
should enable confident sharing of data with those who need it.
In this information age, the flow of information among
organizations, partners and employees is the core foundation
for innovation and increased productivity. If security becomes a
hindrance to the free movement of information to critical
constituents, it will always be ignored or relegated to a less
important role. Ensuring security while enabling free
information flow is the right approach.
These common misconceptions about security have resulted in
technology solutions that are not optimal in truly securing data
and enabling organizations to conduct business with confidence.
Especially in these times, the business goals of increased
revenue and reduced costs can be achieved only through sharing
of information with partners and suppliers. Any security
solution that does not address this core requirement will
eventually come up short.
The only way to ensure data protection while enabling secure
collaboration is to protect the data itself, as opposed to
protecting the devices that store the data or the networks that
the data passes through. Today’s data protection solutions are
mainly focused on protecting devices or networks, i.e.
infrastructure protection similar to traditional ‘moat and
castle’ approaches. In light of dramatic increases in the
mobility, distribution and value of data, more and more IT
managers are questioning the viability of relying only on secure
perimeters around stationary computing devices. The pain is
particularly acute because, as the number and size of data files
keep growing, the number of devices and pathways that store and
transmit that information will soar, making them even harder to
anticipate or protect. In today’s distributed world, such
defenses are ineffective and increase complexity: an
organization has to combine separate security solutions that
protect many types of devices and integrate them with another
set of security solutions for various types of networks to gain
the right protection.
An Alternative Security Approach
The logical alternative is an information-centric security
approach to data protection. Here, the data itself is
persistently protected and remains protected at rest and in
motion. This approach provides device and network independence,
since the data always remains protected regardless of the
device it rests on or the network it passes through. It also
means that security policies are not set up at the device or
network level, but at the data level. Each data element carries
policies that define the rights of users and the actions that
can be taken on that data, and these policies are embedded with
the data itself, making the data self-protecting.
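To make the "policy embedded with the data" idea concrete, the following added example (not BitArmor's product code, and written for this article only) wraps a file in an envelope whose usage policy is bound to the ciphertext by a single authentication tag, so a holder who strips or edits the policy cannot open the data. It assumes a shared protection key held by a central policy service (not shown) and uses an HMAC-SHA256 counter-mode keystream purely as a stdlib-only stand-in for a real AEAD cipher such as AES-GCM.

```python
import hashlib
import hmac
import json
import os
from typing import Optional

# Keystream from HMAC-SHA256 in counter mode: a stdlib-only stand-in for a real
# AEAD cipher (e.g. AES-GCM) so the example runs without extra packages.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def _tag(key: bytes, policy: bytes, nonce: bytes, ct: bytes) -> bytes:
    # Length-prefix each field so policy and ciphertext cannot be re-split or swapped.
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in (policy, nonce, ct))
    return hmac.new(key, msg, hashlib.sha256).digest()

def protect(plaintext: bytes, policy: dict, key: bytes) -> dict:
    """Build a self-protecting envelope: ciphertext plus embedded policy, one tag over both."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    pol = json.dumps(policy, sort_keys=True).encode()
    return {"policy": pol.hex(), "nonce": nonce.hex(), "ct": ct.hex(),
            "tag": _tag(key, pol, nonce, ct).hex()}

def access(envelope: dict, key: bytes, user: str, action: str, now: int) -> Optional[bytes]:
    """Return the plaintext if the embedded policy grants `action` to `user`, else None."""
    pol, nonce, ct, tag = (bytes.fromhex(envelope[k]) for k in ("policy", "nonce", "ct", "tag"))
    # 1. Integrity first: a stripped or edited policy invalidates the tag, so data stays sealed.
    if not hmac.compare_digest(_tag(key, pol, nonce, ct), tag):
        return None
    policy = json.loads(pol)
    # 2. The policy travels with the data and is enforced wherever the envelope is opened,
    #    independent of which device or network it arrived on.
    expired = now > policy.get("expires", 0)
    if expired or action not in policy.get("rights", {}).get(user, []):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def tampered_policy(envelope: dict, user: str) -> dict:
    """Constructed test scenario: a holder rewrites the embedded policy without the key."""
    policy = json.loads(bytes.fromhex(envelope["policy"]))
    policy.setdefault("rights", {}).setdefault(user, []).append("edit")
    return {**envelope, "policy": json.dumps(policy, sort_keys=True).encode().hex()}
```

Because the tag covers the policy, `access` refuses a tampered envelope before any rights check runs; revocation and key rotation would be handled by the policy service that owns the key.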
There are significant advantages to the information-centric
approach.
- Align with Business Flows
Since the use policies always travel with the data, it can be
shared and collaborated on with more confidence. Legitimate
users are not restricted to certain devices or networks, since
the appropriate security and access policies ensure and
enforce user rights regardless of where the data is. Quite
possibly the biggest advantage of this approach is that the
business can truly own its information and its flow, while IT
focuses on computing devices, servers, networks, etc.
- Reduce Costs and Complexity
The information-centric approach negates the requirement to buy
and maintain multiple device-centric or network-centric security
solutions, which have to be manually integrated to provide broad
protection. The information-centric approach protects critical
data assets themselves, regardless of the device or network that
carries them. An organization can secure data with far fewer
solutions.
- End-User Transparency
A major cause of data breaches is legitimate users who, while
trying to be productive, work around security restrictions. Why
would they do such a thing? Because following the prescribed
security practices is often inconvenient and creates more work
for them. A security solution should remain as transparent as
possible to end users. If user workflow is not hindered or
altered, there is a significantly higher chance that the
security program will be effective. Information-centric security
can be extremely transparent, since the protection is on the
data itself. Users do not have to make explicit decisions
about valid devices or network authentication; all these
policies are contained in the data itself and can be configured
centrally, making them transparent to end users.
Summary
Certain myths are hampering a more effective approach to data
security and the prevention of costly data breaches. Current
device- and network-centric solutions work only in limited
environments, and those environments are becoming increasingly
irrelevant to most users. Information-centric security solutions
will inevitably become the standard for protecting sensitive
data and align closely with how organizations collaborate and
work. They also offer a more efficient, more cost-effective and
more scalable approach to safeguarding sensitive information.
Michael (Mike) Concordia is the President of BitArmor
Systems. He plays a lead role in developing new vertical markets
and establishing key customer accounts. Mike previously served
as BitArmor’s Vice President of Sales. He has more than 20 years
of executive leadership experience at both publicly traded,
established companies and early stage startups and a proven
track record of building revenue and optimizing sales processes
for increased productivity and improved efficiency. Most
recently, Mike served as Vice President of Sales for North
America with Pittsburgh-based CombineNet, and previously held
executive positions in Sales, Management, Finance, Operations
and Client Development with Procter & Gamble, The Campbell Soup
Company, Godiva Chocolatier (where his reorganization of his
division’s sales organization resulted in dramatic increases in
annual sales) and The Becker Group. For article feedback,
please contact Michael at mconcordia@bitarmor.com