Securing your Digital Fortress
Jim Harris in Sponsored Blog Posts tagged Data Security, Enterprise CIO Forum, HP Tuesday, September 13, 2011 at 11:00AM This blog post is sponsored by the Enterprise CIO Forum and HP.
Although its cyber-security plot oversimplifies some technology aspects of data encryption, the Dan Brown novel Digital Fortress is an enjoyable read. The digital fortress of the novel was a computer program thought capable of creating an unbreakable data encryption algorithm, but it’s later discovered the program is capable of infiltrating and dismantling any data security protocol.
The data aspects of enterprise security are becoming increasingly prevalent topics of discussion within many organizations, which are pondering how secure their digital fortress actually is. In other words, whether or not their data assets are truly secure.
Most organizations focus almost exclusively on preventing external security threats, using a data security model similar to building security, where security guards make sure that only people with valid security badges are allowed to enter the building. However, once you get past the security desk, you have mostly unrestricted access to all areas inside the building.
As Bryan Casey recently blogged, the data security equivalent is referred to as “Tootsie Pop security,” the practice of having a hard, crunchy, security exterior, but with a soft security interior. In other words, once you enter a valid user name and password, or as a hacker you obtain or create one, you have mostly unrestricted access to all databases inside the organization.
Although hacking is a real concern, this external focus could cause companies to turn a blind eye to internal security threats.
“I think the real risk is not the outside threat in,” explained Joseph Spagnoletti, “it’s more the inside threat out.” As more data is available to more people within the organization, and with more ways to disseminate data more quickly, data security risks can be inadvertently created when sharing data outside of the organization, perhaps in the name of customer service or marketing.
A commonly cited additional example of an inside-out threat is cloud security, especially the use of public or community clouds for collaboration and social networking. The cloud complicates data security in the sense that not all of the organization’s data is stored within its physical fortresses of buildings and on-premises computer hardware and software.
However, it must be noted that mobility is likely an even greater inside-out data security threat than cloud computing. Laptops have long been the primary antagonist in the off-premises data security story, but with the growing prevalence of smart phones, tablet PCs, and other mobile devices, the digital fortress is now constantly in motion, a moving target in a hyper-connected world.
So how do organizations institute effective data security protocols in the digital age? Can the digital fortress truly be secured?
“The key to data security, and really all security,” Bryan Casey concluded, “is the ability to affect outcomes. It’s not enough to know what’s happening, or even what’s happening right now. You need to know what’s happening right now and what actions you can take to protect yourself and your organization.”
What actions are you taking to protect yourself and your organization? How are you securing your digital fortress?
This blog post is sponsored by the Enterprise CIO Forum and HP.
Related Posts
Are Cloud Providers the Bounty Hunters of IT?
The Diderot Effect of New Technology
The IT Consumerization Conundrum
The IT Prime Directive of Business First Contact
A Sadie Hawkins Dance of Business Transformation
Are Applications the La Brea Tar Pits for Data?
Why does the sun never set on legacy applications?
The IT Pendulum and the Federated Future of IT
Reader Comments (5)
From the LinkedIn Group for Enterprise CIO Forum, Pearl Zhu commented:
“Hi, Jim, as usual, enjoy your blog, in this one, you extend your data lens into data security/privacy issues in the digital age, which is one of the top challenges facing today’s businesses.
Cloud/Mobile/Social: all these latest technologies make business and our life more enriched, but on the other hand, this open environment makes the business environment more vulnerable from the security perspective, as you pointed out, not only outside-in data flowing, more critically inside-out — many data breaches are caused by internal activities.
I think a modern security approach needs to become an integral part of GRC, and may also need to work more seamlessly with other technology such as analytics/BI/BPM, in order to deliver a more optimized and holistic solution.”
And I responded:
As always, thanks for your great comment, Pearl.
Yes, we have to take the good with the bad in the more open business environment enabled by cloud, mobile, and social technologies, which requires a modern data security model that can protect us from the bad without being overprotective to the point of inhibiting the good.
Best Regards,
Jim
And Paul Calento responded and shared some enterprise security research from HP:
“The question that I have related to your excellent blog, Jim, is whether anyone is planning on CUTTING their enterprise security budget, and why. Came across a piece of HP research where (not surprisingly) half of the respondents ranked security as a top priority for 2012 and a similar number where planning increased spending.
I’m wondering about the other half that isn't.”
Research Link (PDF Document): http://www.hp.com/hpinfo/newsroom/press_kits/2011/risk2011/NA_Risk_Survey.pdf
Interesting thoughts, Jim. I've never heard the "Tootsie Pop security" phrase before, but it describes the challenge perfectly.
There's two points I'd like to add:
- As you're alluding to, the time to think about the what if element of security is before it happens, not afterwards. Oak Ridge, Citibank, RSA, etc. are all highly secure organisations, yet all had their internal security exposed. It's critical that organisations recognise the internal threat can't be solved solely via policy and process; if memory serves, all three of these breaches were tightly targeted spear phishing attacks using zero day exploits, where the staff were fooled into opening attachments they thought were sent internally. Once companies understand this, I expect to see:
1) An increase in the internal use of 2-factor authentication
2) Physical separation of storage so highly confidential data is more tightly restricted
3) Introduction of dedicated hardware infrastructure such as InfoSphere Guardium or the like (I saw a demonstration of that recently which is why it pops into mind; I've never seen it used in the front line)
- Companies who have outsourced their enterprise security should re-read the fine print carefully to confirm their vendor is covering both external and internal threats. Many vendor agreements will predate the recent escalation in frequency and severity of internal security breaches, and I expect a lot of companies will only find out once it's too late that their vendor was only managing the hard, crunchy exterior, and was leaving the soft interior to them.
Hi Jim,
Good analogy! It seems that many organisations are using the model that you are caricaturing. I see it here quite a bit.
An interesting additional complication that this approach throws up is that it implicitly treats all of your information system assets as equivalent from a security and risk perspective, when that is clearly not true. Some of your systems within that hard exterior are more valuable, more sensitive or more vulnerable than others.
For instance, sensitive or damaging customer (or in my case citizen) data is more important than mundane HR or property data. Yet the hard exterior model treats them all equally, or means that you are effectively paying to secure all of your information assets at the level of the most valuable - potentially rather costly!
One of the approaches you don't mention is abandoning the perimeter fence model of security/defence, and instead moving to models where each asset (either individually or in zones) is secured at the appropriate level for that asset. I think that these sorts of models will become more prevalent as we face the proliferation of different devices and platforms in the enterprise, and the sort of Bring Your Own Device approaches that many organisations are examining. If you don't own or manage your perimeter, securing the data or application itself becomes more important.
Great post as ever Jim.
It's such a paradox that in the past for certain roles I've had to wait literally months to have security checks completed before being granted access to a building, meanwhile, on my very first day a DBA turns up with an entire set of system data on a USB drive "so I can have a good look at it".
Great reminder that security is rarely viewed as a data quality dimension but it should take its place up there with quality of accuracy, completeness and trust etc. Security is obviously notoriously difficult to manage and measure, but as those like your recent guest expert Daragh O Brien will testify, it has massive ramifications if ignored.
Thank you very much for your excellent comments, Richard, Doug, and Dylan.
@Richard — Thanks for providing additional examples and aspects of the internal security challenge, which is often overlooked by many organizations. For example, when cloud computing is criticized, its naysayers often use data security as its primary detractor, arguing on the assumption that data stored within the organization, using its on-premises hardware and software, is unquestionably more secure—an assumption that seems to be accepted at face value by many executives. However, as you noted, many of the recent data breaches were not cloud breaches. The point, of course, is that wherever data resides, it must be secured, and too many organizations are paying too little attention to data security.
@Doug — Excellent point about the oversimplification of approaching enterprise data security with a perimeter fence model. As you noted, there will be different security levels necessary for different data assets, and therefore a security zone model makes more sense, where you focus more on securing specific data or applications, and less on securing the perimeter.
@Dylan — Yes, as a consultant, I have often encountered the security paradox you described. I have been on short-term projects where I had to be escorted all throughout the building by an employee with a security badge, and had to have an employee log me into a computer, using their user name and password, so that I could access the data I would be working with. And yes, I was allowed, even encouraged, to copy data onto a USB drive so that I could work on my personal laptop computer, which I walked out the door with every day. There were even times when I was asked to work offline from either the hotel or home so that I would not inconvenience the employees who had to escort me through security. Although I obviously signed all the necessary legal documents (non-disclosure, non-compete, data privacy, etc.) and had no nefarious intent, why weren’t these organizations concerned about someone stealing my laptop or my USB drive?
Even if an organization does a better job securing the access of non-employees, the rise of personal mobile devices (laptops, smart phones, tablets, etc.) among employees is still a significant, and often overlooked, security concern.