Although its cyber-security plot oversimplifies some technology aspects of data encryption, the Dan Brown novel Digital Fortress is an enjoyable read. The digital fortress of the novel is a computer program thought capable of creating an unbreakable data encryption algorithm, but it is later discovered that the program is capable of infiltrating and dismantling any data security protocol.
The data aspects of enterprise security are becoming increasingly prevalent topics of discussion within many organizations, which are pondering how secure their digital fortress actually is: in other words, whether or not their data assets are truly secure.
Most organizations focus almost exclusively on preventing external security threats, using a data security model similar to building security, where security guards make sure that only people with valid security badges are allowed to enter the building. However, once you get past the security desk, you have mostly unrestricted access to all areas inside the building.
As Bryan Casey recently blogged, the data security equivalent is referred to as “Tootsie Pop security,” the practice of having a hard, crunchy, security exterior, but with a soft security interior. In other words, once you enter a valid user name and password, or as a hacker you obtain or create one, you have mostly unrestricted access to all databases inside the organization.
Although hacking is a real concern, this external focus could cause companies to turn a blind eye to internal security threats.
“I think the real risk is not the outside threat in,” explained Joseph Spagnoletti, “it’s more the inside threat out.” As more data is available to more people within the organization, and with more ways to disseminate data more quickly, data security risks can be inadvertently created when sharing data outside of the organization, perhaps in the name of customer service or marketing.
A commonly cited additional example of an inside-out threat is cloud security, especially the use of public or community clouds for collaboration and social networking. The cloud complicates data security in the sense that not all of the organization’s data is stored within its physical fortresses of buildings and on-premises computer hardware and software.
However, it must be noted that mobility is likely an even greater inside-out data security threat than cloud computing. Laptops have long been the primary antagonist in the off-premises data security story, but with the growing prevalence of smartphones, tablet PCs, and other mobile devices, the digital fortress is now constantly in motion, a moving target in a hyper-connected world.
So how do organizations institute effective data security protocols in the digital age? Can the digital fortress truly be secured?
“The key to data security, and really all security,” Bryan Casey concluded, “is the ability to affect outcomes. It’s not enough to know what’s happening, or even what’s happening right now. You need to know what’s happening right now and what actions you can take to protect yourself and your organization.”
What actions are you taking to protect yourself and your organization? How are you securing your digital fortress?