Security Steps 7 and 8

By Ericka Chickowski  |  Posted 2009-03-20

Here are 10 ways to protect your company’s data.

One way a number of organizations are trying to apply an information-centric security approach is through the use of data leak protection (DLP). According to Rich Mogull, founder of Securosis and former Gartner analyst, a DLP product is defined as one that’s based on central policies that identify, monitor and protect data at rest, in motion and in use through deep content analysis.

The DLP sweet spot so far has been with structured data that regulations have mandated must be protected. “Initially, people who are deploying this are more focused on things like protecting credit card numbers and Social Security numbers,” Mogull says, “because that’s where they perceive their biggest risk.”

Some experts believe that DLP may be a bit of a one-trick pony in that aspect, though. For example, Sonnenschein’s Hansen says his company has looked into DLP but decided against the technology because it was very expensive and couldn’t protect the firm’s unstructured intellectual property information that floats around in Word and Excel documents. He believes the future is in digital rights management technology, which he thinks will offer security managers more control and flexibility.

Corporate databases are the biggest treasure trove of sensitive information, yet database security is often neglected by organizations more concerned with network defenses, endpoint management and the like. This is made even more dangerous by the fact that many enterprise databases are run by legacy applications that were developed in a time before open systems and constant information sharing across networks.

Organizations need a way to monitor who has access to information stored in databases and what these employees do with the data. Many enterprises are using database monitoring and security tools to accomplish this task.

“We have some legacy applications [for which], because of performance reasons, the actual database logs were not turned on,” says McPhedran of Aegon. The company uses a product called Imperva SecureSphere to monitor database activity, look for anomalies in use patterns and flag flagrant policy violations.

As McPhedran puts it, it’s a matter of trusting employees while simultaneously verifying that they are doing the right thing. At first, he got some pushback from executives and human resources managers who said, “We trust our employees.”

“Well, that’s an interesting statement,” McPhedran responded, “but do you want to bet your salary and bonus on it?”

