Got Enterprise Data Protection?

Organizations need to take a data-centric approach to achieve true Enterprise Data Protection

Tags: Encryption, SafeNet Incorporated
By Joe Moorcones. Published October 10, 2010

Thumb or click through any mainstream publication and you’ll see a rising number of information security attacks on commercial businesses and government entities, resulting in large data breaches and worsening public anxieties. Even enterprises that understand the seriousness of these threats and have security defenses in place are at risk of being compromised.

Since ignorance is no longer an acceptable reason for an enterprise or government agency to inadequately protect its data—or comply with industry mandates to do so—you can’t help but wonder: where do they go wrong?

Consider this: Today, data management extends not only to widely distributed locations and workforces, but also to partners, vendors, and shared service providers. As data is collected, shared, processed, and stored over increasingly complex networks, companies face much greater risk of data theft, loss, and leakage.

Traditional perimeter defenses, such as firewalls, intrusion detection, and anti-virus software, no longer address today's data protection problems on their own: once data is copied beyond the perimeter, to a partner, a laptop, or a backup tape, the perimeter protects nothing. In order to augment these defense measures, and to meet compliance mandates in the short term, many enterprises take a tactical approach to data security by implementing multiple point products. This piecemeal deployment leaves gaps between the products, is difficult and costly to manage, and does not provide a framework for future growth.

In order to address these challenges, organizations need to take a data-centric approach to achieve true Enterprise Data Protection (EDP): a strategy that protects the data itself from the core of the enterprise, where the key data repositories exist, all the way to its edge, where the data is used. EDP considers data in motion, at rest, and in use, across databases, applications, networks, files, endpoint devices, and removable media. The solution is comprised of encryption, secure key management, centralized policy and controls, and ongoing management practices.

Enterprise Data Protection begins with data discovery and classification, where it is determined what data needs to be secured. Monitoring and reporting capabilities are also required to ensure integrity and accountability of data so that enterprises can clearly understand their security and compliance postures. Any data that poses a risk, has downstream legal consequences to the business, or affects the value and/or liability of a company is sensitive and must be protected.

Data exists in three distinct states: data in motion, data at rest, and data in use. Once data has been discovered and classified, the sensitive subset must be encrypted in each of those states, because a control that covers only the database does nothing for the export file or the network transfer.

Encryption is the most important element in ensuring data's security. Encryption is the process of transforming information to make it unreadable to anyone except those possessing the key needed for decryption. Security must follow the data via encryption and not just rely on a protected infrastructure. Encrypting data means that a copy taken while it is moving over a network, sitting in a database or on a laptop, or being used on a workstation is unreadable without the key. Two caveats apply: encryption protects confidentiality only as well as the keys themselves are protected, and data must be decrypted at the point where it is used, so endpoint and access controls still matter there.

By using a foundation of data encryption to protect the data itself, organizations can ensure the privacy and control of that information wherever it goes. Since that same foundation can be used for multiple applications across the enterprise, organizations can increase operational efficiency while ensuring privacy, managing risk, and achieving regulatory compliance.

At the heart of EDP are the secret cryptographic keys used for encrypting and decrypting sensitive data. Enterprises must deploy a key management solution that enables administrators to manage keys from a single central authority. A good key management system should also let you know what other devices have copies of a key.

Ideally, a key management solution would set limits on how long those other devices can keep copies of a given key, although this requires some trust that the other device will actually delete the copy; enforcing expiry at the central service, by refusing to serve or accept an expired key, is the part that does not depend on that trust. The central authority may decide to delegate authority to other parts of the organization, but should have the ability to take back control in the event of system abuse or failure. Centralized logging and auditing are also required so that all user and administrator actions, including denied ones, can be tracked.

Key management has distinct phases: creation, storage, archival/backup, distribution, rotation, expiration, and deletion. Every enterprise employing key management must address each of them, and all of the phases in this key management life cycle need to be implemented in line with policies that map to the business and security requirements of the enterprise.
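The life cycle just described is easiest to see in code. What follows is an added example, written for this page; it is not SafeNet product code and does not come from the original article. It is a minimal central key authority in Go, using only the standard library's AES-256-GCM, that keeps a key-encryption key (KEK) in memory (an HSM in practice), stores data-encryption keys (DEKs) only wrapped under the KEK, enforces expiry on encryption, rotates the KEK by re-wrapping the DEKs without touching any encrypted data, destroys keys, and records every operation, including denials, in an append-only audit log. The identifiers (kek-1, cardholder-db) and the sample card number are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// DEK is a data-encryption key, held only sealed under the KEK named by KEKID.
type DEK struct {
	Wrapped []byte
	KEKID   string
	Expires time.Time // no new encryptions after this; decryption still works
}

// KeyManager is a minimal central key authority: KEKs in memory (an HSM in
// practice), DEKs only in wrapped form, and an append-only audit log.
type KeyManager struct {
	keks   map[string][]byte
	curKEK string
	gen    int
	deks   map[string]*DEK
	Audit  []string
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy means no safe way to continue
	}
	return b
}

// gcm builds AES-256-GCM; every key here is 32 bytes, so neither call can fail.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// seal returns nonce || ciphertext || tag; aad binds the blob to its owner's id.
func seal(key, pt, aad []byte) []byte {
	nonce := randomBytes(12)
	return gcm(key).Seal(nonce, nonce, pt, aad)
}

// unseal reverses seal; the GCM tag check rejects truncation and tampering.
func unseal(key, msg, aad []byte) ([]byte, error) {
	if len(msg) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return gcm(key).Open(nil, msg[:12], msg[12:], aad)
}

func NewKeyManager() *KeyManager {
	km := &KeyManager{keks: map[string][]byte{}, deks: map[string]*DEK{}}
	km.newKEK()
	return km
}

func (km *KeyManager) log(f string, a ...interface{}) {
	km.Audit = append(km.Audit, time.Now().UTC().Format(time.RFC3339)+" "+fmt.Sprintf(f, a...))
}

func (km *KeyManager) newKEK() {
	km.gen++
	km.curKEK = fmt.Sprintf("kek-%d", km.gen) // constructed naming scheme
	km.keks[km.curKEK] = randomBytes(32)
	km.log("create kek=%s", km.curKEK)
}

// CreateDEK generates a 256-bit DEK and stores it wrapped under the current KEK.
func (km *KeyManager) CreateDEK(id string, ttl time.Duration) {
	km.deks[id] = &DEK{Wrapped: seal(km.keks[km.curKEK], randomBytes(32), []byte(id)),
		KEKID: km.curKEK, Expires: time.Now().Add(ttl)}
	km.log("create dek=%s kek=%s ttl=%s", id, km.curKEK, ttl)
}

// unwrap recovers a DEK's plaintext for one operation; it never leaves this process.
func (km *KeyManager) unwrap(id string) (*DEK, []byte, error) {
	d := km.deks[id]
	if d == nil {
		return nil, nil, errors.New("unknown or destroyed dek")
	}
	raw, err := unseal(km.keks[d.KEKID], d.Wrapped, []byte(id))
	return d, raw, err
}

// Encrypt enforces expiry here rather than trusting callers to stop using old keys.
func (km *KeyManager) Encrypt(id string, pt []byte) ([]byte, error) {
	d, raw, err := km.unwrap(id)
	if err == nil && !time.Now().Before(d.Expires) {
		err = errors.New("dek expired")
	}
	km.log("encrypt dek=%s err=%v", id, err)
	if err != nil {
		return nil, err
	}
	return seal(raw, pt, []byte(id)), nil
}

// Decrypt still works with an expired DEK so archived data stays readable.
func (km *KeyManager) Decrypt(id string, ct []byte) ([]byte, error) {
	_, raw, err := km.unwrap(id)
	var pt []byte
	if err == nil {
		pt, err = unseal(raw, ct, []byte(id))
	}
	km.log("decrypt dek=%s err=%v", id, err)
	return pt, err
}

// RotateKEK re-wraps every DEK under a fresh KEK and discards the old one. The
// bulk data encrypted under the DEKs is untouched, which keeps rotation cheap;
// each DEK records its own KEKID, so a rotation that fails part-way is still safe.
func (km *KeyManager) RotateKEK() error {
	old := km.curKEK
	km.newKEK()
	for id, d := range km.deks {
		raw, err := unseal(km.keks[old], d.Wrapped, []byte(id))
		if err != nil {
			return err
		}
		d.Wrapped, d.KEKID = seal(km.keks[km.curKEK], raw, []byte(id)), km.curKEK
	}
	delete(km.keks, old)
	km.log("rotate kek %s -> %s", old, km.curKEK)
	return nil
}

// Destroy drops the only copy of the wrapped DEK; its ciphertexts become unrecoverable.
func (km *KeyManager) Destroy(id string) {
	delete(km.deks, id)
	km.log("destroy dek=%s", id)
}

func main() {
	km := NewKeyManager()
	km.CreateDEK("cardholder-db", 90*24*time.Hour)
	ct, _ := km.Encrypt("cardholder-db", []byte("4111111111111111")) // constructed sample value
	km.RotateKEK()
	pt, err := km.Decrypt("cardholder-db", ct)
	fmt.Println(string(pt), err, km.Audit)
}
```

Rotation re-wraps only the DEKs, so a fleet of encrypted databases never has to be re-encrypted; because the DEK id is bound into each wrap as associated data, a wrapped blob copied into another key's slot fails to unwrap. A production deployment would keep the KEK in an HSM, persist the wrapped DEKs and the log, and hand other devices only wrapped DEKs together with their expiry, which is the control the text describes for limiting how long copies live elsewhere.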

A policy-based management system allows administrators to define rules and manage them in the policy system. These rules take the form of "if condition, then action." A condition may be a user or group, time of day, application type, or network address. Policy rules are then distributed to network resources. The rule set should be evaluated with a default deny, so that a request no rule speaks to fails closed rather than open. Policy-based management systems are best for large networks, where large numbers of devices are easier to manage from a central location.

Controls are essential to audit, log, and monitor network activity. An enterprise should be able to use multi-credential techniques, three-factor authentication as well as "k of n" practices, where a certain number of users (say, two of five administrators) must authorize a certain operation such as a policy change, to protect against malicious administrators who might attempt to grant themselves unauthorized access to create or delete keys. Approvals must come from distinct administrators, and the requester should never count as an approver of their own request. This level of granular access control enables organizations to control and closely monitor administration operations, and significantly reduce the risk and exposure from internal attacks.
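Policy rules and k-of-n authorization, as an added example in Go that is not from the article or from any SafeNet product: rules of the form "if condition, then action" are matched on group, action, source network and UTC time of day; the first matching rule decides and anything unmatched is denied. A Quorum requires K distinct approvals from eligible administrators before a privileged action such as deleting a key proceeds, and refuses self-approval. Group names, network ranges, action names and administrator names are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"time"
)

// Request is what the policy decision point sees: who wants which action, from where, when.
type Request struct {
	User   string
	Groups []string
	Action string // constructed names such as "key.use", "key.delete", "policy.change"
	Source net.IP
	At     time.Time
}

// Rule is one "if condition, then action" statement. A zero-valued condition
// matches anything; rules are evaluated in order and the first match decides.
type Rule struct {
	Name     string
	Group    string     // required group membership
	Actions  []string   // actions the rule covers
	Network  *net.IPNet // source address must fall inside
	FromHour int        // UTC time-of-day window [FromHour, ToHour); may wrap midnight
	ToHour   int
	Effect   string // "allow" or "deny"
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

func (r Rule) matches(req Request) bool {
	h := req.At.UTC().Hour()
	inWindow := h >= r.FromHour && h < r.ToHour
	if r.FromHour > r.ToHour { // a window such as 22..6 wraps midnight
		inWindow = h >= r.FromHour || h < r.ToHour
	}
	return (r.Group == "" || contains(req.Groups, r.Group)) &&
		(r.Actions == nil || contains(r.Actions, req.Action)) &&
		(r.Network == nil || r.Network.Contains(req.Source)) &&
		(r.FromHour == 0 && r.ToHour == 0 || inWindow)
}

// Quorum gates a privileged operation behind K distinct approvals from the
// eligible administrators; the requester may not approve their own operation.
type Quorum struct {
	K         int
	eligible  map[string]bool
	approvals map[string]map[string]bool // operation id -> set of approvers
}

func NewQuorum(k int, admins ...string) *Quorum {
	q := &Quorum{K: k, eligible: map[string]bool{}, approvals: map[string]map[string]bool{}}
	for _, a := range admins {
		q.eligible[a] = true
	}
	return q
}

func (q *Quorum) Approve(opID, requester, approver string) error {
	if !q.eligible[approver] {
		return fmt.Errorf("%s is not an eligible approver", approver)
	}
	if approver == requester {
		return errors.New("requester cannot approve their own operation")
	}
	if q.approvals[opID] == nil {
		q.approvals[opID] = map[string]bool{}
	}
	q.approvals[opID][approver] = true // a set, so one administrator cannot count twice
	return nil
}

func (q *Quorum) Satisfied(opID string) bool { return len(q.approvals[opID]) >= q.K }

// Authorize applies policy first (default deny), then the quorum for privileged
// actions, and returns the decision with an audit line that says why.
func Authorize(rules []Rule, q *Quorum, privileged []string, req Request, opID string) (bool, string) {
	effect, rule := "deny", "default"
	for _, r := range rules {
		if r.matches(req) {
			effect, rule = r.Effect, r.Name
			break
		}
	}
	why := fmt.Sprintf("user=%s action=%s rule=%s", req.User, req.Action, rule)
	switch {
	case effect != "allow":
		return false, "deny " + why
	case contains(privileged, req.Action) && !q.Satisfied(opID):
		return false, fmt.Sprintf("deny %s quorum=%d/%d", why, len(q.approvals[opID]), q.K)
	}
	return true, "allow " + why
}

func main() {
	_, corp, _ := net.ParseCIDR("10.0.0.0/8") // constructed corporate range
	rules := []Rule{
		{Name: "no-admin-off-hours", Group: "key-admins", FromHour: 22, ToHour: 6, Effect: "deny"},
		{Name: "admins-from-corp", Group: "key-admins", Network: corp, Effect: "allow"},
		{Name: "apps-use-keys", Group: "payment-apps", Actions: []string{"key.use"}, Effect: "allow"},
	}
	q := NewQuorum(2, "alice", "bob", "carol")
	req := Request{User: "alice", Groups: []string{"key-admins"}, Action: "key.delete",
		Source: net.ParseIP("10.1.2.3"), At: time.Date(2010, 10, 10, 14, 0, 0, 0, time.UTC)}
	_, line := Authorize(rules, q, []string{"key.delete"}, req, "op-1")
	fmt.Println(line) // denied until two other administrators approve op-1
}
```

The order of checks matters: the policy decides whether the requester may attempt the action at all, and only then does the quorum decide whether enough other administrators agree. Separation of duties, discussed below, is expressed with the same machinery by giving each administrator group a rule set that allows only its own actions.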

Enterprise Data Protection also lays down the foundation for future expansion and integration. As enterprises grow, as the IT environment diversifies, as data privacy needs increase, and as the compliance landscape evolves, new types of data or data elements need to be secured. An organization may need EDP today to safeguard credit card data and achieve PCI compliance, but must consider a scalable solution that will safeguard HR data, PII, and flat files, as well as new applications and databases introduced into the data environment.

Lastly, an effective EDP strategy includes ongoing training for the security administrators and ongoing management of the system. This ranges from automating processes such as key rotation to implementing separation of duties, so that no single administrator holds enough permissions to carry out an internal attack alone. In other words, one administrator might only be given access to network configuration functions, while another might only be given access to certificate management controls.

When selecting data security solutions, enterprises often go wrong by not considering how to organize their data; by not understanding how their data and the solution protecting it are managed; by not seeking standards-based technologies that work together; and by not insisting that proper planning and cooperation occur. Simply put, enterprises don't consider true EDP.

Enterprise Data Protection provides an effective security solution that reduces the complexity, management, and maintenance costs of the organization's IT infrastructure. It provides an integrated security platform with centralized policy management and reporting for seamless, cost-effective management of encrypted data. It establishes a foundation for addressing future data protection needs, business processes, and regulatory compliance mandates. And by thwarting data breaches, it mitigates negative publicity about your enterprise.

Joseph J Moorcones, vice president and general manager, SafeNet, Inc.
