No news is good news, at least when it comes to securing sensitive company data. However, the lengthening roll-call of companies struck by embarrassing foul-ups involving the loss of sensitive information is testament to an increasing problem.
IT advisory group Gartner calls the current situation a “data loss epidemic”. In September 2006 alone, household names such as General Electric, Chase Card Services, Wells Fargo and the Royal Bank of Scotland suffered data loss incidents. They join an increasingly crowded ‘Hall of Shame’.
The costs associated with such losses are not easily quantified – the calculations must account for things such as brand damage, potential litigation, compensation and fines. And the result is that business leaders are looking to apportion blame; the CIO is in the firing line.
According to Hugh Jenkins, enterprise marketing director of Dell UK, these “well publicised incidents have served to improve awareness, from the top down, [and] that organisations need a far more systematic approach to securing data.”
But that still leaves unanswered the question of how that information can be secured. To date, businesses have invested in security perimeters – defences designed to keep intruders out. This approach provides a degree of protection, but it cannot address the problems of internal threats, whether that is from a malicious employee looking to steal company secrets or simply a careless one, capable of leaving a laptop in a taxi.
Storing up problems
IT decision makers are increasingly looking to secure their data while it is at rest, and that has alerted the storage vendors to an opportunity. As Rob Sadowski, senior manager of information security product marketing at storage giant EMC, observes: “They’re turning to us and saying ‘You’ve been helping me manage my information, and helping me maximise it. Now I need help with security and in keeping that data confidential’.”
This shift in priorities provides the context for EMC’s $2.1 billion acquisition of RSA Security in September 2006. EMC is not the only vendor to see the opportunity to bring storage and security together: security specialist Symantec acquired Veritas in 2004; likewise Network Appliance spent $272 million on storage encryption developer Decru.
This approach provides organisations with twin benefits: they can rationalise the number of vendors they have to deal with, making it simpler to build a secure infrastructure; and security becomes an integral part of the IT architecture. “Customers don’t want [security] bolted on,” says EMC’s Sadowski.
The foundations for building a secure infrastructure have often relied on technologies such as access control, authentication and encryption, to secure data. But there has been a tendency to treat these technologies as point solutions, not looking at the wider picture, says Scott Petry, founder and CTO of messaging security vendor, Postini. Security should be conceived as a “pyramid”, allowing “multiple layers of security”.
This pyramid covers the range of technologies needed to provide comprehensive data security, but it is not sufficient, says Paul Stamp, a senior analyst at Forrester Research. CIOs have historically taken an infrastructure-based approach to security, but it needs to become more “data-centric”.
In the data-centric model, organisations identify the resources that require protection, and they assign permissions to access that data, based on organisational roles. The security tools then complement this approach, he adds.
The consequence of a data-centric approach to security is an increased reliance on encryption. Historically, data encryption has had limited take-up, usually only being employed for data in transit. Now enterprises are looking at encrypting entire hard drives, or tape libraries.
And as Kevin Brown, vice president of marketing for Decru points out, widespread use of encryption may help to secure the substance of the data itself, but this does not make it a panacea. Brown warns that organisations must take care to adequately assess the level at which encryption should be applied to the data because managing the decryption keys can often prove a problematic by-product of the encryption process.
Poor management of the decryption keys can obstruct availability of the data, or jeopardise the security measures put in place if mishandled or mislaid. The situation is further complicated by the need to standardise encryption across applications, file servers, databases and storage arrays.
Today’s encryption vendors such as nCipher, Ingrian Networks and Decru are moving towards this approach, says Forrester’s Stamp. He urges business leaders to enforce standards so that everyone within the enterprise is using common encryption and key management mechanisms. “Then, when selecting commercial applications, make compatibility with your encryption infrastructure a priority.”
With the key management piece in place, encryption techniques can be fully exploited to offer a more holistic line of defence, beneath access controls, authentication and auditing techniques, and the company’s firewall.
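Envelope encryption with a central key store, as an added illustration of the key-management point made above (this is not code from the article or from any vendor it names): each stored record carries the identifier of the key-encryption key (KEK) that wraps its own data key, so the key store becomes the one place where both the availability and the confidentiality of data at rest are decided. Mislay the KEK and the ciphertext is intact but unreadable; leak it and every record under it is exposed. The type names (KeyStore, Record), the identifier kek-2006 and the sample plaintext are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyStore stands in for a central key-management service: KEKs by id.
// Every record names the KEK wrapping its data key, so a mislaid KEK makes
// all records under it unreadable even though the ciphertext is intact.
type KeyStore map[string][]byte

// Record is the stored unit: KEK id, the per-record data key (DEK) wrapped
// under that KEK, and the body encrypted under the DEK.
type Record struct {
	KEKID      string
	WrappedDEK []byte
	Body       []byte
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // only reachable on a bad key length or missing entropy
	}
	return v
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

func gcmFor(key []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}

// seal: AES-256-GCM with a random nonce prepended to the output.
func seal(key, plaintext, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; it fails on a wrong key or any tampering.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// AddKEK generates a fresh 256-bit key under the given identifier.
func (ks KeyStore) AddKEK(id string) { ks[id] = randomBytes(32) }

// Encrypt generates a per-record DEK, encrypts the body under it and wraps
// the DEK under the named KEK. The KEK id is bound as associated data so a
// record cannot be silently re-pointed at a different key.
func Encrypt(ks KeyStore, kekID string, plaintext []byte) (*Record, error) {
	kek, ok := ks[kekID]
	if !ok {
		return nil, fmt.Errorf("unknown KEK %q", kekID)
	}
	dek := randomBytes(32)
	return &Record{
		KEKID:      kekID,
		WrappedDEK: seal(kek, dek, []byte(kekID)),
		Body:       seal(dek, plaintext, nil),
	}, nil
}

// Decrypt unwraps the DEK with the KEK the record names, then opens the body.
// A missing KEK is an availability failure: the data is intact but unreadable.
func Decrypt(ks KeyStore, rec *Record) ([]byte, error) {
	kek, ok := ks[rec.KEKID]
	if !ok {
		return nil, fmt.Errorf("KEK %q unavailable: record cannot be read", rec.KEKID)
	}
	dek, err := open(kek, rec.WrappedDEK, []byte(rec.KEKID))
	if err != nil {
		return nil, fmt.Errorf("unwrapping DEK: %w", err)
	}
	return open(dek, rec.Body, nil)
}

func main() {
	ks := KeyStore{}
	ks.AddKEK("kek-2006")
	// Constructed sample plaintext, not data from the article.
	rec, _ := Encrypt(ks, "kek-2006", []byte("customer account export"))
	pt, err := Decrypt(ks, rec)
	fmt.Printf("with KEK: %q err=%v\n", pt, err)
	delete(ks, "kek-2006") // KEK mislaid: ciphertext intact but unreadable
	_, err = Decrypt(ks, rec)
	fmt.Println("without KEK:", err)
}
```

Because only the small wrapped DEK depends on the KEK, rotating or retiring a KEK means re-wrapping that field rather than re-encrypting every record, which is what makes a common key-management mechanism across applications, file servers and storage arrays practical rather than just desirable.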
This has led some observers to conclude that the ideal of a secure infrastructure is within reach. As Guy Bunker, chief scientist at Symantec says: “There is sufficient technology to help secure data; the places where we’re not satisfactorily covered is basically education.”
But not everyone is so optimistic. The final stage of Forrester’s data-centric security model requires enterprise rights management (ERM) technology to provide process-level security. Whereas encryption provides controls over who can access data, ERM dictates what a user can do with the information once they have accessed it. To date, ERM deployment has been limited to audiences dealing with sensitive or confidential data. And while implementations of ERM have been possible, enterprise-wide deployment would need seamless access to stored data. That means the ability to treat the storage infrastructure as a homogeneous entity – something not currently possible for most organisations.
Forrester predicts that overcoming technical barriers will delay widespread adoption of ERM until 2009. Until then, there will continue to be the risk of sensitive data falling into the wrong hands, and the bad publicity that will inevitably follow.