Last June, Wisegate, a crowd sourced IT research company, surveyed hundreds of its senior-level IT professional members to assess the current state of security risks and controls in business today. The respondents considered malware and breaches of sensitive data to be the primary security risks/threats, followed by malicious outsider risk.
As shared with CSO's readers in April, BYOD and cloud adoption were the top tech trends driving these concerns. Here, we delve deeper into a new trend: how information security professionals are moving toward practices that secure the data itself rather than securing the device. What are these practices and what are their strengths and pitfalls?
Many factors, from BYOD policies to cloud adoption, have opened small holes in the vaults in which organizations store valuable and sensitive data. With many organizations now lacking physical parameters to protect sensitive information and less knowledge as to where data actually resides, IT professionals have turned their efforts to defend the data itself.
Unable to guarantee the integrity of their devices and networks, CISOs are using a new category of security controls known as information protection and control (IPC). Broadly speaking, the protection of data is provided by encryption technologies, while the control is provided by data leak prevention (DLP) technologies.
Data leak prevention
Simply put, DLP can detect when a file with sensitive data is leaving a protected server. Most DLP mechanisms are difficult to configure and make a lot of noise. As a result, most enterprises choose to use DLP technologies to monitor functions, alerting and reporting on potential threats but not shutting down the system. The problem with monitor-only mode is that by the time the security team has seen the alert and reacted accordingly, the hackers have already escaped with the valuable data. While blocking the movement of data interrupts workflow and slows down business processes, monitor mode DLP on its own is not an adequate security control. To truly protect data, DLP technology must be used in a mix of layered defense, including defending the data itself.
Unlike DLP technology, encryption can be used to secure the data. A strong algorithm with an adequate key length will theoretically protect the data forever--wherever it is, and whoever has access to it. Data that has been encrypted is considered regulatory compliant, if and when correct key management is used.
Successful key management is one of major weaknesses of encryption. Managing all of the decryption keys and making sure that only the right people have keys, as well as renewing keys when they expire is one of the most challenging aspects of encryption for an organization. Additionally, encryption can pose practical problems too. While fixed data can be encrypted and stored, the process is too cumbersome for dynamic application data, making it difficult to perform operations.