Top Secret
By Baselinemag | Posted 2006-11-21
High-profile data breaches have apparently caught the attention of corporate America. Most big companies expect to boost security spending in 2007.
Traditional network security technologies, like firewalls, are designed to stop attackers from infecting or stealing corporate data. The next big project: getting a read on all data flowing out of the network.
Stephen Escher, senior network security manager for Hilton Grand Vacations, which runs resort time-share and ownership programs, is looking at various methods of scanning outbound e-mail to flag anything that resembles a customer's credit card number or Social Security number.
"What we're looking at right now is a centralized platform that can catch data before it goes out," he says.
For Hilton Grand Vacations, a 3,000-employee subsidiary of Hilton Hotels, losing a laptop with sensitive data would be a much bigger deal than a machine becoming disabled from an Internet-borne virus, according to Escher. To protect data on mobile computers, his group plans to use the BitLocker encryption feature in Windows Vista, the next version of Windows slated to ship by the end of 2006. "The appeal of BitLocker is that it's built into the OS [operating system]," Escher says. "There's no additional software."
Privacy, specifically identity management, is a key concern for Fox Entertainment Group, the Los Angeles-based subsidiary of News Corp. that produces movies and operates several broadcast TV stations.
Henry Bagdasarian, director of information technology in the company's corporate audit group, says the challenge for Fox Entertainment Group is to apply a consistent policy across five different business units that operate in 80 countries.
What's tricky is being able to navigate the different business processes while ensuring a baseline security standard. "We don't want to be the typical corporate guys who dictate, 'Here's how you do your business,'" Bagdasarian says. By June 2008, Fox Entertainment Group expects to have standardized on Oracle's JD Edwards EnterpriseOne accounting system. That, Bagdasarian says, will enable the same security policies to be in place across the globe, instead of individual administrators basing policy on how they interpret the corporatewide policy.
Bagdasarian has also been thinking a lot more about privacy since July 2005, when News Corp. spent $580 million to buy MySpace, the social networking site that is now a division of Fox Entertainment Group. In MySpace's case, the site needs to protect the identity of its more than 100 million members, many of whom are teenagers. "We want to make sure we're not violating any [privacy] laws," Bagdasarian says.
The particular issue with MySpace is age verification. As Bagdasarian puts it, "It's not just making sure the 16-year-olds are 16, it's also making sure the 42-year-old is actually 42, and not posing as a 16-year-old." The solution? There isn't a bulletproof one yet. One proposal would have required everyone who signs up on MySpace to register with a valid credit card. However, Bagdasarian says, "That would be a blow to our business because not everybody has a credit card."
As similar social networking technologies start permeating enterprise networks, too, other information security managers will be facing many of the same issues. According to the CIO Insight survey, 75% of respondents at large enterprises agree that so-called Web 2.0 technologies like blogs and social networks will "significantly increase our security risk" in the next three years.
"As a general rule," Bagdasarian says, "as you increase the number of ways you communicate, there's more chance of information security being breached."