Security in the new information age

by Claudio Scarabello | ASM Sept-Oct 2010

Conducting business has been made easier by new technologies which allow content to be created and distributed effortlessly. However, as Claudio Scarabello writes, it is difficult to control where data ends up when information is shared with partners, suppliers and customers.

As technology accelerates the flow of information, IT leaders are forced to be more creative to pre-empt new security threats and safeguard information assets. It is important to distinguish between real and perceived threats.

Here are some examples of how businesses should evaluate and address security risks.

Protecting collaborative development

More companies have realised the value of collaborative development through partnerships, as it enables them to respond to customer needs more efficiently and effectively. Despite the many advantages of partnerships, they also present risks to resources, data and customer information, since these must be shared with third parties.

The 2009 Verizon Business Data Breach Investigations Report (DBIR) found that 32 per cent of data breaches involved business partners. Additional findings showed that many attacks originated from network connections, data, systems and user privileges that companies weren’t even aware existed. With more companies allowing their business partners to access their systems and data, these numbers may easily increase.

There are a number of vulnerabilities with outsourced relationships. Partner access can remain available after a project has ended, or data that is not required may be retained in systems. Some audits have uncovered examples where partners, who were supposed to have access only to specific machines, were given broad network access through a VPN.

Companies need to assess the potential security risks associated with entering a partnership. Giving partners access to systems, or allowing them to move data, presents risks if not properly managed. Businesses should know what kind of security is employed on the partner side and how the data will be accessed or retained. Security features should be wrapped around sensitive data using encryption or digital rights management (DRM).

Once risks and vulnerabilities are identified, formal policies must be implemented and agreed to by the partner. It is important to have policies and processes to ensure partners have adequate security measures in place. Stringent processes, partner assessments and periodic audits can reveal policy compliance issues and potential threats. Regular audits should be automated to proactively identify and respond to policy violations.
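As an added illustration of the automated audit called for above (example code, not from the article or from Verizon Business), the following Python script reviews constructed partner access records for the two failures described earlier: access that remains active after the engagement has ended, and VPN routes broader than the specific hosts the partner was approved for. All account names, addresses and dates are made up.

```python
from datetime import date
from ipaddress import ip_network

# Constructed sample data: what each partner was contracted to reach and
# when the engagement ends. In practice this comes from contract records.
ENGAGEMENTS = {
    "acme-design": {"ends": date(2010, 3, 31), "allowed": ["10.20.5.10/32", "10.20.5.11/32"]},
    "globex-qa":   {"ends": date(2011, 6, 30), "allowed": ["10.30.0.0/24"]},
}

# Constructed access-review export: partner accounts and the routes their
# VPN profile actually pushes. "initech-old" has no engagement on file.
ACCESS_RECORDS = [
    {"account": "acme-design", "active": True, "routes": ["10.20.5.10/32", "10.20.5.11/32"]},
    {"account": "globex-qa",   "active": True, "routes": ["10.0.0.0/8"]},
    {"account": "initech-old", "active": True, "routes": ["10.40.1.0/24"]},
]

# Review date (constructed; the article's publication date is used here).
REVIEW_DATE = date(2010, 9, 29)


def audit_partner_access(records, engagements, today):
    """Return (account, finding) pairs for every active account that violates policy."""
    findings = []
    for rec in records:
        if not rec["active"]:
            continue  # disabled accounts are out of scope for this check
        eng = engagements.get(rec["account"])
        if eng is None:
            # Access with no engagement behind it: nobody owns the risk.
            findings.append((rec["account"], "no current engagement on file"))
            continue
        if eng["ends"] < today:
            # Stale access: the project ended but the account still works.
            findings.append((rec["account"], f"engagement ended {eng['ends']}, access still active"))
        allowed = [ip_network(a) for a in eng["allowed"]]
        for route in rec["routes"]:
            # Over-broad access: a route is flagged unless it fits inside an approved prefix.
            if not any(ip_network(route).subnet_of(a) for a in allowed):
                findings.append((rec["account"], f"route {route} exceeds approved scope"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_partner_access(ACCESS_RECORDS, ENGAGEMENTS, REVIEW_DATE):
        print(f"{account}: {finding}")
```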

Moving IT into the cloud

Just about any IT service, from managing or delivering IT infrastructures, communications, networks and applications to platforms, can now be outsourced. Outsourcing reduces IT capital costs as these infrastructures are owned by providers and shared by users. Companies can adopt a pay-as-you-go cost model to deploy additional resources as required to scale their requirements accordingly. As more of the IT environment moves to the cloud, Gartner has predicted that by 2012, 20 per cent of businesses will own no IT assets.*

While businesses see great value in cloud-based services, there are concerns about security. In cloud-based services, one company's information is separated only by virtual boundaries from other companies' information residing on the same server. The more detail a potential vendor can provide, the easier it will be to determine the real risk of moving a specific application or data centre into the cloud.

Cloud service providers are responsible for maintaining security systems, and it is important for businesses to select providers with security expertise in PCI DSS, HIPAA, GLBA or the EU Data Protection Directive (EUDPD). Businesses should also look for providers that hold information security standards certifications such as PCI DSS, SAS 70, HITRUST CSF and ISO 27001. Providers should be subject to regular security assessments from third parties or internal security teams and have a plan to respond to critical security incidents within specific timeframes.

Securing unstructured data and secrets

Today, data is no longer confined to large structured databases or corporate-controlled applications. It can also be found on laptops, handheld devices, social networks or online applications. While unstructured data from social networks represents increased intelligence opportunities for marketers, the contextual intelligence that can be gained from combining structured and unstructured data can pose risks as it yields richer insights. Unstructured data and increased data volumes present major risks, especially as 80 per cent of data growth in the next five years is expected to be unstructured data.** These increased risks can translate to unintended leaks of new product details, source code, construction plans, factory layouts or sales and revenue forecasts.

It is a huge security challenge to secure vast amounts of unstructured data. Companies should start with a data governance program that develops regulations that define proper usage and distribution of sensitive information. Using data discovery, companies can secure unstructured data by identifying the types of at-risk information and where this information is created, stored and moved around.

Companies can establish policies to protect intellectual property and connections that could potentially be attacked. All employees should receive training to understand these risks and help them to protect themselves against potential threats and leaks. Companies should also consider data loss prevention, encryption and DRM to monitor and protect data.

Conclusion

Data breaches can have catastrophic impacts on corporate reputation and stock price. As a result, security managers need to engage with the business unit leaders to understand the evolving risks and to collaborate on security strategies. Each company needs to sit down to have an educated discussion about the risks, the costs to manage risks and the level of restrictions to be built.

*Gartner’s Top Predictions for IT Organizations and Users, 2010 and Beyond: A New Balance, Gartner, Inc., December 2009.
**Technology Trends You Can’t Afford to Ignore, Gartner, September 2009.

ABOUT THE AUTHOR: Claudio Scarabello is the Verizon Business global product manager for governance, risk and compliance. He is responsible for analysing market trends and working with the strategy group to develop solutions to address the challenges of the extended enterprise.

This article first appeared in Australian Security Magazine, Sept/October 2010 issue.

Article Added: 29/09/2010