Most organizations both overemphasize and oversimplify outside-in data security by relying on a perimeter fence model, which, as Doug Newdick commented, “implicitly treats all of your information system assets as equivalent from a security and risk perspective, when that is clearly not true.” Different assets require different security levels, so a security zone model makes more sense: you focus more on securing specific data or applications, and less on securing the perimeter.
“I think that these sorts of models will become more prevalent,” Newdick concluded, “as we face the proliferation of different devices and platforms in the enterprise, and the sort of Bring Your Own Device approaches that many organizations are examining. If you don’t own or manage your perimeter, securing the data or application itself becomes more important.”
Although there’s also a growing recognition that inside-out data security needs to be improved, “it’s critical that organizations recognize the internal threat can’t be solved solely via policy and process,” commented Richard Jarvis, who recommended an increase in the internal use of two-factor authentication, as well as the physical separation of storage so highly confidential data is more tightly restricted within a dedicated hardware infrastructure.
As Rafal Los recently blogged, the costs of cyber crime continue to rise. Although the fear of a cloud security breach is the most commonly expressed concern, Judy Redman recently blogged about how cyber crime doesn’t only happen in the cloud. With the growing prevalence of smartphones, tablet PCs, and other mobile devices, data security in our hyper-connected world requires, as John Dodge recently blogged, that organizations also institute best practices for mobile device security.
Cloud, social, and mobile technologies “make business and our life more enriched,” commented Pearl Zhu, “but on the other hand, this open environment makes the business environment more vulnerable from the security perspective.” In other words, this open environment, which some have described as a multi-dimensional attack space, is good for business, but bad for security.
Most organizations already spend a fistful of dollars on enterprise security, but they may need to budget for a few dollars more because the digital age is about the good, the bad, and the secure. In other words, we have to take the good with the bad in the more open business environment enabled by cloud, mobile, and social technologies, which requires a modern data security model that can protect us from the bad without being overprotective to the point of inhibiting the good.