Data-centric security

Sunday, June 06, 2010

Eli Talmor

IT security professionals are engaged in a game of cat and mouse with attackers: as fast as they deploy security countermeasures, these rogue elements discover loopholes or entirely new avenues of attack. Traditional security methods have relied upon closely guarding the perimeter of a company's network.

The continuously escalating and mutating threat environment has led many firms to layer security countermeasures one upon another: starting with firewalls, companies have added intrusion detection and prevention systems, malware filters, client-side firewalls, and encrypted network tunnels. A networked business can create a virtual fortress around its infrastructure, but it still must share information with mobile employees, external business partners, and remote customers.

In most organizations, 70-90% of business data is in an unstructured or semi-structured state, and recent research indicates that only 23% of organizations feel this data is properly protected. Unstructured data includes Word and Excel documents, images and BLOBs (Binary Large Objects), not to mention the billions of emails and instant messages generated every day. Much of it is sensitive data, such as personally identifiable information (PII) and intellectual property (IP), that must be protected with appropriate measures.

Another challenge of unstructured data is that it must support multiple distribution paths: from enterprise servers to laptops and USB drives, through email, or in cloud storage.

Many businesses now realize that rather than continuing to add layers of infrastructure security, it's more effective to protect critical data throughout its life cycle, regardless of where it resides or moves. This concept of protecting data rather than devices is known as data-centric security.

Data-centric security must protect data both at rest (in storage) and in transit. The unstructured data that requires protection is encrypted before it is transferred or stored.

Paul Stamp from Forrester Research said that: "In an evolving, more complex business and IT environment, organizations need to work toward a more data-centric approach to protecting the most sensitive information. Sensitive data needs to be encrypted as close to its point of creation as possible, and decrypted as close to its point of use as possible."

In practical applications the point of creation is one user's PC, and the point of use is the same user's PC or another user's PC. Data is created and used in decrypted form only by software residing on those PCs. Therefore, for security reasons, every decrypted copy must be destroyed after creation and/or use. Note that an ordinary delete only unlinks the file: the plaintext blocks stay on disk until they happen to be overwritten, and on SSDs and journaling or copy-on-write file systems even a deliberate overwrite is not guaranteed to reach them.

Any data-centric technology must include three things: data rights management, real-time strong authentication, and encryption.

Not everyone is a technology guru. Most users concentrate on getting their work done, not on the underlying technology powering that work. When security solutions are deemed too difficult to use, many users will circumvent the solution, and with it the security. Data rights management and strong authentication require user intervention and therefore cannot be transparent; the issue is how easy these steps are for users. Consider the example below:

http://www.sentry-com.net/files/SecureContentDecrypt_2FA.swf

We see that creating an encrypted file, which includes the steps of:

  1. Choosing the file for encryption,
  2. Defining the rights management rule,
  3. Defining the file sensitivity (medium or high),

takes ~15 sec of the user's time.

Deleting the un-encrypted file after encryption will take another ~5 sec of the user's time.

Preparing an encrypted file for use and decrypting it, which includes the steps of:

  1. Choosing the file for decryption,
  2. The user's strong authentication,

takes ~10 sec of the user's time.

Deleting the un-encrypted file after viewing will take another ~5 sec of the user's time.

So the encrypt/decrypt routine for medium- to high-sensitivity files costs roughly 15-20 sec of user time per operation: about 20 sec to encrypt a file and delete the plaintext, and about 15 sec to decrypt it and delete the plaintext afterwards.
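The procedure above (encrypt with a rights rule and a sensitivity level at the point of creation, authenticate before decrypting, destroy plaintext copies) and the earlier point that decrypted data must never outlive its use, as an added Go example. This is not code from this post or from the Sentry-Com product it links to, whose file format is not described here; the rule syntax, the use of a passphrase as the authenticator, the blob layout, the PBKDF2 iteration count and the sample document are all assumptions made for the example. What it shows beyond the text is how the rights-management metadata is tied to the ciphertext: the header travels in the clear but is fed to AES-GCM as associated data, so a wrong passphrase and an edited rule are both rejected by the same tag check.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

const kdfIterations = 100_000 // PBKDF2 rounds; assumption, tune to ~100 ms on target hardware

// Header is the rights-management metadata that travels with the file. It is
// stored in the clear but bound to the ciphertext as AES-GCM associated data,
// so editing it (say, widening the rule) makes decryption fail.
type Header struct {
	Rule        string `json:"rule"`        // hypothetical rule syntax, not the product's
	Sensitivity string `json:"sensitivity"` // "medium" or "high", as in the post
	Salt        []byte `json:"salt"`
}

// newGCM derives a 32-byte key with PBKDF2-HMAC-SHA256 (one output block,
// written out to stay within the standard library) and returns AES-256-GCM.
func newGCM(pass, salt []byte) cipher.AEAD {
	mac := hmac.New(sha256.New, pass)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index
	u := mac.Sum(nil)
	key := append([]byte(nil), u...)
	for i := 1; i < kdfIterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	block, _ := aes.NewCipher(key) // 32-byte key, cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Seal encrypts at the point of creation. Blob layout (an assumption):
// [4-byte header length][header JSON][12-byte nonce][ciphertext+GCM tag].
func Seal(plain []byte, hdr Header, pass []byte) ([]byte, error) {
	if hdr.Sensitivity != "medium" && hdr.Sensitivity != "high" {
		return nil, errors.New("sensitivity must be medium or high")
	}
	hdr.Salt = make([]byte, 16)
	rand.Read(hdr.Salt)
	hj, _ := json.Marshal(hdr)
	nonce := make([]byte, 12)
	rand.Read(nonce)
	var out bytes.Buffer
	binary.Write(&out, binary.BigEndian, uint32(len(hj)))
	out.Write(hj)
	out.Write(nonce)
	out.Write(newGCM(pass, hdr.Salt).Seal(nil, nonce, plain, hj)) // hj is the associated data
	return out.Bytes(), nil
}

// Open verifies passphrase and header with one GCM tag check, so a wrong
// passphrase and a tampered rule are rejected the same way.
func Open(blob, pass []byte) (Header, []byte, error) {
	var hdr Header
	if len(blob) < 4 || len(blob) < 4+int(binary.BigEndian.Uint32(blob[:4]))+12 {
		return hdr, nil, errors.New("truncated blob")
	}
	n := int(binary.BigEndian.Uint32(blob[:4]))
	hj, nonce, ct := blob[4:4+n], blob[4+n:4+n+12], blob[4+n+12:]
	if err := json.Unmarshal(hj, &hdr); err != nil {
		return hdr, nil, err
	}
	plain, err := newGCM(pass, hdr.Salt).Open(nil, nonce, ct, hj)
	if err != nil {
		return hdr, nil, errors.New("authentication failed: wrong passphrase or tampered file")
	}
	return hdr, plain, nil
}

func main() {
	// Constructed sample document and passphrase, not real data.
	doc, pass := []byte("Q3 forecast: headcount freeze until November."), []byte("correct horse battery staple")
	blob, _ := Seal(doc, Header{Rule: "view:alice@example.com", Sensitivity: "high"}, pass)
	_, pt, err := Open(blob, pass)
	fmt.Printf("right passphrase: %q %v\n", pt, err)
	_, _, err = Open(blob, []byte("wrong"))
	fmt.Println("wrong passphrase:", err)
	// Attacker edits the clear-text rule (same length, so the length prefix stays valid).
	_, _, err = Open(bytes.Replace(blob, []byte("alice"), []byte("carol"), 1), pass)
	fmt.Println("edited rule:", err)
}
```

Two design notes. The plaintext returned by Open lives only in memory; the post's "delete the un-encrypted file" step is needed precisely when an application writes that buffer to disk, and a plain unlink does not erase the blocks, so the stronger control is to avoid the on-disk plaintext copy at all. And a passphrase alone is a single factor; the post's "real-time strong authentication" would replace `pass` with a secret released only after a second factor is checked, which changes nothing else in the blob format.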

Overall, this scheme is applicable across the board, independently of enterprise infrastructure and for any type of unstructured data.

What is missing from this discussion is transaction-based data. Transaction-based data must be protected in real time, from being modified by malware and not only from being stolen. This will be discussed separately.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.