August 17, 2007
Vol. 29, Issue 33, Page 26 in print issue
Data Security: Are You Taking It Seriously Enough?
Take Steps To Protect Your Sensitive Information
An ecommerce site exposes the credit card numbers of its customers. Hackers steal passwords and other confidential information from the U.S. Department of Transportation, HP, and consulting firm Booz Allen, among others. The list of data security breaches lengthens by the day. In many cases, social engineering is the initial cause, but given how common social engineering ruses are, why have organizations exhibited such incompetence in guarding against such contingencies, let alone against all the other dangers out there? Slavik Markovich, vice president of research and development and CTO of database security provider Sentrigo (www.sentrigo.com), says the problem is a multithreaded one: a lack of recognition of how great the problem of data security is, a lack of know-how in tackling it, and pressures on enterprises to be more open in their business practices, which are at odds with maintaining a secure environment. Hacking has moved from being the hobby of anarchist computer geeks into the realm of organized crime. "Where there is an opening, someone will eventually find it and exploit it," Markovich says. "And data quantities are growing immensely [and] moving around on so many platforms. Just think of how many companies and organizations have had access to your credit card details in the past year. It's staggering."
False Dichotomies
Terry Daus, vice president of security at IT solutions and strategies provider Fusion-Storm (www.fusionstorm.com), says that too many organizations fail to take data security as seriously as they should because decision makers think it costs too much to do so. Money earmarked for purchasing data security solutions or designing data security policies and processes is not viewed as contributing to the bottom line. The irony, of course, is that any data lost in a security breach costs more than securing the data in the first place. Moreover, explains Markovich, an organization can take a host of measures that would cost little or, in many instances, nothing. "Even before technological solutions come into play, there are procedures that should be implemented—for instance, using the least privilege principle, where users get access according to the minimum required for their work, or holding frequent internal security audits," Markovich says. He adds that managed security services are a viable option for instituting effective security policies for companies that do not have the needed in-house expertise. "Meanwhile, several open-source and other tools are available to organizations at no cost, from antivirus and antispam tools to database-monitoring tools and firewalls," he says.
Initial Steps To Take
Markovich recommends several steps for instituting an effective and coherent data security strategy. First off, organizations must determine which information needs protection and where it resides within the network, because too many enterprises are not cognizant of how far confidential data is spread across their organizations. Markovich then recommends that organizations apply the Pareto principle (also known as the 80/20 rule) to suss out where the most sensitive data originates (usually in databases) and strive to protect that. "Then organizations need to define ways in which to confine the distribution of data to the necessary minimum and ways in which to enforce them on an ongoing basis," Markovich says.
Standardization Challenges
Daus says that lack of standardization within a given company, or even within data centers inside a given company, remains a challenge. In his view, companies should move toward implementing ITIL (Information Technology Infrastructure Library) standards, which comprise processes and best practices for standardization and greater data security. Meanwhile, individual data centers within an organization need to fall under centralized management, because those that are not hinder a company's ability to obtain efficiencies from such standards and prevent the company from being able either to enforce software standards or to automate certain processes developed from these standards, Daus explains. Moreover, there often is a disconnect between IT departments and C-level executives within an organization. Typically the IT department is aware of exploits, hacks, and other technological threats, while C-level executives understand that a security breach can harm a company's reputation and brand, undermine regulatory compliance policies, and lead to legal liability. "When a disconnect exists, it is in translating the C-level priorities to actionable priorities for IT," says Markovich. "The 'Who moved my cheese?' scenario often happens, where IT is still spending budgets and efforts on coping with last year's threats, while the threat landscape has changed, or continuing to invest efforts in raising regulatory compliance A from 95 to 97%, while regulatory compliance B is struggling to reach 20%." Markovich urges companies to have an established, formalized, and continuous dialogue between the abovementioned groups, with periodic reviews and reprioritization. Markovich says, "This is the only way in which IT can edify executives on trends in the threat landscape and where executives clarify strategic priorities to IT."
by Robyn Weisman
Data Security In Action
Zoot Enterprises (www.zootweb.com) takes its data security seriously, which, given its business, has to be a relief for most everyone. Zoot is the ASP (application service provider) responsible for letting financial institutions know your creditworthiness—in other words, everything about your financial history, from your Social Security number to whether your ratio of debts to assets qualifies you for a low-interest loan for that new Lexus. And it typically provides that data three to four seconds after a request has been submitted, says Zoot CTO Tony Rosanova. Rosanova says his company's motivation for keeping its data safe is simple. "Our names are in our systems, too, and we don't want our data compromised. I'm paranoid, frankly," he says. Zoot uses ironclad standards, mechanical controls, and continual auditing to ensure that its data is safe, says Rosanova. For example, Zoot publishes a rule that a password for a given financial process must be a minimum of eight characters of letters, numbers, and symbols. If a user fails to follow these rules, mechanical controls reject the password, preventing the user from performing this process. And its regular use of independent third-party audits makes sure that this password policy, among other standards, remains effective in what it protects. Zoot's data security policies and processes go above and beyond the standards required by its customers, partially to avoid having to deal with multiple sets of standards based on individual client requirements. In addition to adhering to international accounting, auditing, and security standards, the company belongs to BITS, a financial industries consortium dedicated to improving and unifying data security policies within this industry, as well as keeping its members abreast of any security breaches or other events that need to be addressed. Rosanova says, "BITS helps us all raise the bar on each other."
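The password rule Rosanova describes, written as a mechanical control rather than a published guideline, as an added example that is not Zoot's code: `password_violations` reports every rule a candidate password breaks, and the hypothetical `ProcessCredentials` store refuses to record a password that fails. Reading "letters, numbers, and symbols" as requiring at least one character from each class, and the PBKDF2 storage, are assumptions not stated in the article.

```python
import hashlib
import hmac
import os
import string

# Policy as the article states it: a minimum of eight characters of letters,
# numbers and symbols. Requiring at least one character from each of the three
# classes is an assumption about how that sentence is read.
MIN_LENGTH = 8
SYMBOLS = set(string.punctuation)
PBKDF2_ROUNDS = 200_000


def password_violations(pw: str) -> list:
    """Return the policy rules the password breaks; an empty list means accepted."""
    violations = []
    if len(pw) < MIN_LENGTH:
        violations.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isalpha() for c in pw):
        violations.append("no letter")
    if not any(c.isdigit() for c in pw):
        violations.append("no number")
    if not any(c in SYMBOLS for c in pw):
        violations.append("no symbol")
    # Whitespace and control characters fall outside the three allowed classes.
    if any(c.isspace() or not c.isprintable() for c in pw):
        violations.append("contains whitespace or a non-printable character")
    return violations


class ProcessCredentials:
    """Hypothetical credential store for one financial process. The policy check
    is the mechanical control: a non-conforming password is never stored, so
    the user cannot go on to perform the process with it."""

    def __init__(self):
        self._records = {}  # user -> (salt, PBKDF2-HMAC-SHA256 digest)

    def set_password(self, user: str, pw: str) -> bool:
        if password_violations(pw):
            return False  # rejected before anything is written
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
        self._records[user] = (salt, digest)
        return True

    def verify(self, user: str, pw: str) -> bool:
        if user not in self._records:
            return False
        salt, digest = self._records[user]
        candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)
```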