


Truly Protecting Data in an Open and Collaborative World

By Michael A. Concordia, President, BitArmor

Data breaches are becoming daily news: organizations put personal information about millions of consumers at risk by not taking adequate responsibility for its protection. The consequences of these breaches – which include violations of personal privacy, bank account and credit theft, appropriation of competitive intelligence and compromised national security – have never been fully accounted for, but they are massive and, in a growing number of cases, disastrously expensive to remedy.

In fact, a recent report from the Identity Theft Resource Center concludes that the number of breaches in 2008 grew by 47% from the previous year. So have the costs of a breach, which rose from an average of $6.3M per breach to $6.6M, according to the latest Ponemon Cost of a Data Breach study. With organizations facing such massive financial losses, why are these security holes not getting fixed? Is the security industry failing to build effective solutions to address the problems?

Many of the answers to these questions can be traced to organizational issues, technical challenges and the fact that companies may not address the right security threats. At the heart of the matter are four myths about data security. By taking a different approach to data security, not only can we debunk these myths, we can overcome many of the challenges facing IT organizations.
  1. Hackers Are to Blame for the Breaches
    One of the most common misconceptions is about the nature of the enemy. We have been led to believe that most of the attacks are by hackers whose motivation is personal glory. While this might have been the case a decade ago, today's attackers are members of sophisticated criminal enterprises. They are not after notoriety and fame; they are after money. They get that money by stealing bank accounts, credit cards and intellectual property. Not only are they highly motivated, they have incredibly advanced tools. In addition, recent surveys point to an increasing number of breaches caused by insiders – the latest Ponemon Cost of a Data Breach study reveals that 88% of all breaches were caused by insiders.

  2. I Have the Latest Firewalls and Anti-Malware
    This classic ‘moat and castle’ defense provides a false sense of security. While protecting infrastructure is important, it shouldn’t be viewed as the only requirement. The ever-changing nature of pathways, storage locations and wireless networks in any organization makes it hard to ensure that each point is protected. In addition, data is becoming more distributed and widely shared across a company’s networks and beyond its perimeters, making it more vulnerable than ever. Static technologies do very little to protect mobile data or protect against insider negligence.

  3. Security Is an IT Problem
    This couldn’t be further from the truth. CISOs (Chief Information Security Officers) may have responsibility for data security, but many don’t have the authority to enforce it. Information security is a huge organizational challenge that requires involvement from the very top of the company, since it involves business processes, workflows and user behavior. Technology can only be the foundation from which good security evolves.

  4. Security is about Restricting the Sharing of Data
    This is the most common of all security myths. In fact, security should enable confidence in the sharing of data with those who need it. In this information age, the flow of information among organizations, partners and employees is the core foundation for innovation and increased productivity. If security becomes a hindrance to the free movement of information to critical constituents, it will always be ignored or relegated to a less important role. Ensuring security while enabling free information flow is the right approach.

These common misconceptions about security have resulted in technology solutions that are not optimal in truly securing data and enabling organizations to conduct business with confidence. Especially in these times, the business goals of increased revenue and reduced costs can be achieved only through sharing of information with partners and suppliers. Any security solution that does not address this core requirement will eventually come up short.

The only way to ensure data protection while enabling secure collaboration is to protect the data itself, as opposed to protecting the devices that store the data or the networks that data passes through. Today’s data protection solutions are mainly focused on protecting devices or networks, i.e. infrastructure protection similar to traditional ‘moat and castle’ approaches. In light of amazing increases in the mobility, distribution and value of data, more and more IT managers are questioning the viability of only using secure perimeters around stationary computing devices. The pain is particularly acute because, as the number and size of data files keep growing, the number of devices and pathways that store and transmit their information will soar exponentially, making them even harder to anticipate or protect. In today’s distributed world, such defenses are ineffective and increase complexity. To gain the right protection, an organization has to combine separate security solutions that protect many types of devices and integrate them with another set of security solutions for various types of networks.

An Alternative Security Approach
The logical alternative is an information-centric security approach to data protection. Here, the data itself is persistently protected and remains protected at rest and in motion. This approach provides device and network independence, since the data always remains protected, regardless of the device it rests on or the network it passes through. This also means that security policies are not set up at the device or network level, but at the data level. Each data element contains policies that explain the rights of users and the actions that can be taken on that data – and these policies are embedded with the data itself, making data self-protected.
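
One way to picture a self-protecting data element, as an added example that is not from the article or from BitArmor's product: the policy is embedded in the same envelope as the ciphertext and authenticated with it, and a hypothetical trusted agent holding `master_key` enforces it on every open. The names `seal` and `open_sealed`, the policy layout and the HMAC-based keystream (a standard-library stand-in for a vetted AEAD such as AES-GCM) are assumptions.

```python
import hashlib
import hmac
import json
import os

def _subkey(master_key: bytes, label: bytes) -> bytes:
    # Separate keys for encryption and authentication.
    return hmac.new(master_key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in cipher: HMAC-SHA256 in counter mode (standard library only).
    # Production code would use a vetted AEAD such as AES-GCM instead.
    blocks = (length + 31) // 32
    stream = b"".join(
        hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        for i in range(blocks)
    )
    return stream[:length]

def _tag(master_key: bytes, policy: bytes, nonce: bytes, ct: bytes) -> bytes:
    # The MAC covers the policy as well as the ciphertext, so the policy
    # cannot be edited or swapped without detection.
    msg = len(policy).to_bytes(8, "big") + policy + nonce + ct
    return hmac.new(_subkey(master_key, b"mac"), msg, hashlib.sha256).digest()

def seal(master_key: bytes, plaintext: bytes, policy: dict) -> dict:
    """Encrypt data and embed its usage policy in the same envelope."""
    policy_bytes = json.dumps(policy, sort_keys=True).encode()
    nonce = os.urandom(16)
    ks = _keystream(_subkey(master_key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    return {"policy": policy_bytes, "nonce": nonce, "ct": ct,
            "tag": _tag(master_key, policy_bytes, nonce, ct)}

def open_sealed(master_key: bytes, env: dict, user: str, action: str) -> bytes:
    """Verify the envelope, enforce its embedded policy, then decrypt."""
    expected = _tag(master_key, env["policy"], env["nonce"], env["ct"])
    if not hmac.compare_digest(expected, env["tag"]):
        raise ValueError("envelope or embedded policy was modified")
    allowed = json.loads(env["policy"]).get(user, [])
    if action not in allowed:
        raise PermissionError(f"{user} is not permitted to {action}")
    ks = _keystream(_subkey(master_key, b"enc"), env["nonce"], len(env["ct"]))
    return bytes(c ^ k for c, k in zip(env["ct"], ks))

if __name__ == "__main__":
    key = os.urandom(32)  # constructed key held by the hypothetical agent
    env = seal(key, b"constructed record", {"alice": ["read"]})
    print(open_sealed(key, env, "alice", "read"))
```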

There are significant advantages to the information-centric approach.
  • Align with Business Flows
    Since the respective use policies always travel with the data, it can be shared and collaborated on with more confidence. Legitimate users are not restricted to certain devices or networks since the appropriate security and access policies will ensure and enforce user rights regardless of where the data is. Quite possibly the biggest advantage of this approach is that the business can truly own information and its flow. IT can focus on computing devices, servers, networks, etc.
  • Reduce Costs and Complexity
    The information-centric approach negates the requirement to buy and maintain multiple device-centric or network-centric security solutions, which have to be manually integrated to provide broad protection. The information-centric approach protects critical data assets themselves, regardless of the device or network that carries them. An organization can secure data with far fewer solutions.
  • End-User Transparency
    A major cause of data breaches is legitimate users who, while trying to be productive, work around security restrictions. Why would they do such a thing? Because following the security practices dictated is often inconvenient and creates more work for them. A security solution should remain as transparent as possible to end users. If user workflow is not hindered or altered, there is a significantly higher chance that the security program will be effective. Information-centric security can be extremely transparent, since the protection is at the data itself. Users do not have to explicitly make decisions about valid devices or network authentications – all these policies are contained in the data itself and can be configured centrally, thus making it transparent for the end users.

Certain myths are hampering a more effective approach to data security and to preventing costly data breaches. Current device and network-centric solutions work only in limited environments and those environments are becoming increasingly irrelevant to most users. Information-centric security solutions will inevitably become the standard for protecting sensitive data and align closely with how organizations collaborate and work. They also offer a more efficient, more cost-effective and more scalable approach to safeguarding sensitive information.

Michael (Mike) Concordia is the President of BitArmor Systems. He plays a lead role in developing new vertical markets and establishing key customer accounts. Mike previously served as BitArmor’s Vice President of Sales. He has more than 20 years of executive leadership experience at both publicly traded, established companies and early stage startups and a proven track record of building revenue and optimizing sales processes for increased productivity and improved efficiency. Most recently, Mike served as Vice President of Sales for North America with Pittsburgh-based CombineNet and previously held executive positions in Sales, Management, Finance, Operations and Client Development with Procter & Gamble, The Campbell Soup Company, Godiva Chocolatier – where his reorganization of his division’s sales organization resulted in dramatic increases in annual sales – and The Becker Group. For article feedback, please contact Michael at mconcordia@bitarmor.com

© 2006 The Sterling Report. All rights reserved.