2016-02-27

Ponemon Institute recently presented the report The State of Data Security Intelligence. The report asked one major question: “What keeps IT practitioners up at night?”



The answer: Data that is outsourced to cloud.

This concern has increased significantly from last year. Not knowing where sensitive or confidential data is located worries 64 percent of respondents. This is followed by temporary worker or contractor mistakes (55 percent of respondents) and not knowing the data risk (52 percent of respondents).

Cloud is the biggest worry

In June 2015, Gartner released the report Simplify Operations and Compliance in the Cloud by Protecting Sensitive Data, which highlighted as a key challenge that “cloud increases the risks of noncompliance through unapproved access and data breach.”

The report recommended that CIOs and CISOs address data residency and compliance issues by “applying encryption or tokenization,” and also “understand when data appears in clear text, where keys are made available and stored, and who has access to the keys.” A recent Gartner report concluded that “Cloud Data Protection Gateways” provide a “High Benefit Rating” and “offer a way to secure sensitive enterprise data and files stores of data and use cases.”

Where is my data?

Many organizations are under pressure from new regulations and the current threat landscape, and are unable to answer the following questions: What is their critical value data? Where is it located? Who has access? And what do those with access do with the data? Without knowledge of what you are attempting to protect, the threat cannot be managed.

A proactive approach to securing our data

We cannot afford to stay on our current path of reactionary data security. It's simply not effective. Until we start adopting a proactive approach and really securing our data, this dangerous trend of exploding data breaches will continue, and public trust will continue to dwindle until it disappears altogether. We have the technology and the knowledge to start making changes now, to catch up to the attackers, and even surpass them – we need only realize that it takes the same motivation and determination to protect our data as they have to steal it.

Network defenses are not effective

The Ponemon Institute published an interesting survey related to the recent spate of high-profile cyber attacks. According to the survey, database security was recommended by 49% of respondents, but the study found that organizations continue to allocate the bulk of their budget (40%) to network security and only 19% to database security. Ponemon concluded that “This is often because organizations have traditionally spent money on network security and so it is earmarked in the budget and requires no further justification.” We have seen that “network defenses” are not effective against “very sophisticated external cyberattacks.”

Data-Centric Security

IT security has historically concentrated on protecting systems rather than the actual data, but since this has proven inadequate, organizations should consider a data-centric security approach that protects from a variety of attack vectors with different levels of granularity to control and monitor access to data as necessary without impacting business systems.

I found great advice in a Gartner report, covering solutions for Data Protection and Data Access Governance. The title of the report is Market Guide for Data–Centric Audit and Protection. The report concluded that “Organizations that have not developed data-centric security policies to coordinate management processes and security controls across data silos need to act.”

Many CISOs worry about Managing Data Security

Managing security is a considerable and difficult task in large, complex enterprises running multiple systems and technologies in many locations. Securing massive amounts of structured and unstructured data in relational and nonrelational databases presents a unique set of complex challenges in its own right. Data security policy is a critical area that many CISOs and CDOs worry about, in particular how to scale it through automated intelligence.

There is a need to provide Easy Discovery of new data, Easy Onboarding of new users and Easy Policy definition & deployment. Current approaches cannot provide the needed Agile Security, Large Scale Security or Security Metrics. There is a need to constantly minimize time before new data is protected in the Enterprise.

How important would it be to your organization to automatically generate metrics for data security, including time to onboarding of new users and new data, for protecting new data in the enterprise?

Comprehensive data discovery

A good first step is comprehensive data discovery, determining what types of sensitive data exist in an enterprise and where they are. It is then possible to identify how the data is used, when it needs to be protected, and which method will be best to do that.

How important would it be to your organization to have automated discovery of old and new sensitive or regulated data across your data stores?

Machine Learning

The discovery process can automatically suggest how the data should be protected, using different rules for credit card data, social security numbers, user names, passwords and other data classes. Rules can be reused from existing policies. Dynamic learning about users and roles can be gathered from different sources. Data schemas and user privileges can be learned from data stores. Data access patterns can be learned from database logs and other sources.
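The discovery step described in the two sections above can be sketched as follows. This is an added example, not code from any product or report mentioned here; the sample table, the `POLICY` mapping and the column-name hints are constructed assumptions for illustration.

```python
import re

# Constructed sample: column name -> values sampled from a data store (no real data).
SAMPLE_TABLE = {
    "cust_note": ["call back Monday", "paid with 4111 1111 1111 1111", "n/a"],
    "tax_id": ["123-45-6789", "987-65-4321", "111-22-3333"],
    "ref_no": ["1234567812345678", "9999888877776666", "1000000000000000"],
    "login": ["alice", "bob", "carol"],
}

# Hypothetical policy: data class -> protection method the discovery step proposes.
POLICY = {"credit_card": "tokenize", "ssn": "tokenize",
          "username": "mask", "password": "one-way hash"}

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Schema-based hints: some classes are recognisable from the column name alone.
NAME_HINTS = [(re.compile(r"pass|pwd", re.I), "password"),
              (re.compile(r"user|login", re.I), "username")]

def luhn_ok(digits):
    """Luhn checksum: filters out long reference numbers that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify_value(value):
    """Return the data class found in one value, or None."""
    for m in CARD_RE.finditer(value):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            return "credit_card"
    return "ssn" if SSN_RE.search(value) else None

def discover(table):
    """Map each column holding sensitive data to (data class, proposed protection)."""
    findings = {}
    for column, values in table.items():
        classes = {classify_value(v) for v in values} - {None}
        classes |= {cls for pat, cls in NAME_HINTS if pat.search(column)}
        if classes:
            findings[column] = [(c, POLICY[c]) for c in sorted(classes)]
    return findings

if __name__ == "__main__":
    for column, found in discover(SAMPLE_TABLE).items():
        print(column, found)
```

The free-text `cust_note` column is flagged because of a single embedded card number, while `ref_no` is left alone because its 16-digit values fail the Luhn check.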

How important would it be to your organization to have automated onboarding of new users and new data that proposes or generates roles, policy rules and policy deployment?

The difference between compliance and security

Are we compliant?

How important would it be to your organization to automatically generate a compliance report for all sensitive or regulated data that you are liable for?

Governments and regulatory authorities around the world are redoubling their efforts to reform and mandate privacy and data protection in an attempt to control the misuse of information by hackers who value data as much as organizations do. While everyone should be compliant with current regulations, those regulations should be viewed as a baseline, or bare minimum, of security, from which organizations develop a proactive plan to protect their data.

The bad guys are winning

The Verizon 2015 Data Breach Investigations Report (DBIR) concluded that the “overall trends in the threat actors haven't shifted much over the last five years,” and “RAM scraping has grown up in a big way. This type of malware was present in some of the most high-profile retail data breaches of the year,” and “key differences between the malcode of 2005 and malware of 2014 are that the older viruses were noisy e-mail worms with varying backdoor capabilities, whereas the common components of the 2014 top seven involve stealthy command-and-control botnet membership, credential theft, and some form of fraud.”

The Verizon 2014 Data Breach Investigations Report (DBIR) concluded that after analyzing 10 years of data, we realize “most organizations cannot keep up with cybercrime – and the bad guys are winning.” We must develop new tools to make this as painless as possible for businesses, while making it as painful as possible for the attackers.

Malware in high-profile retail data breaches

McAfee Labs researchers have analyzed the threats and seen a steady growth in malware. Malware tries to hide from its victims. Sophisticated malware can be difficult to detect and may even be signed by trusted (stolen) certificates. Signed malware, which poses as approved legitimate software, continues to set records, increasing by almost 50 percent during 4th quarter 2013. Even if the malware is detected, it could be hard to notice in the noise from state-of-the-art malware detection systems. Several major data breaches had this type of situation.

Enterprises are replacing encryption with tokenization

Aberdeen Group reported a 50% lower level of security breaches in organizations that are using tokenization. The study found that nearly half of all respondents are currently using tokenization for something other than cardholder data. Aberdeen Group also reported a trend that enterprises are increasingly replacing encryption with tokenization. Tokenization can protect the data flow from attacks, including malware that is attacking data in memory, used in high-profile retail data breaches. Forrester is saying “Prioritize tokenization to secure the payment chain,” and there is a good reason to replace some encryption with tokenization and good reasons that PCI DSS is recommending tokenization over encryption. Visa, Amex, MC, ApplePay and others are now replacing some encryption with tokenization. Industry standards for tokenization are now in development by ANSI X9, PCI DSS, EMVCo (Visa, Amex, MC) and others.

Risk aware data security

There is a need to learn data usage patterns, user behavior and provide risk management based on this data. There is a need to enhance risk management based on an external view from outside the Enterprise and deliver a Security Aware Policy that is responding to changes in Threats.

How important would it be to your organization to have a Risk Aware Data Security Policy that is responding to changes in the Threat landscape, internally and externally?
