Protection Schemes
By Samuel Greengard | Posted 2010-10-12
Web 2.0 ratchets up capabilities and opportunities, but the open and interactive nature of the technology also creates risks. Security is the foundation of any successful Web 2.0 initiative.
One thing that makes security so difficult in the Web 2.0 world is that it typically spans so many different applications and services. There’s no way for a single development team or security group to oversee an entire enterprise. As a result, Safelight’s Cheyne says, there’s a need to “really lock down applications and add security as developers build and introduce systems.”
It’s also critical to conduct a full set of tests before any new application enters the picture. “It’s important to conduct a secure code, design and architecture review—and run a vulnerability scan,” he adds.
The goal, Cheyne says, is to identify data floating around in various systems—including those connected to outside organizations or available to customers, business partners and others—through Web 2.0 applications. It’s also vital to gauge how sensitive the data is, who potentially has access to it and what could happen if the data falls into the wrong hands.
At Community Options for Families and Youth (COFY), a not-for-profit Walnut Creek, Calif., organization that assists families and children subjected to violence and crime, the need for data security is paramount. What’s more, a cloud environment that’s used to store documents magnifies the risks.
By law, the organization must document every conversation and interaction with clients and maintain confidentiality according to HIPAA (Health Insurance Portability and Accountability Act) compliance requirements. Supervisors must access and review notes from various locations.
“In the past, we took the risk of e-mailing password-protected documents and sharing them using encrypted flash drives,” recalls Rick Quisenberry, a behavioral therapist who supports the organization’s IT environment. “It was inefficient and unsecure.”
COFY required a cloud-based file server that could sync files from offline storage devices to the cloud so that 30-plus staff members could easily share the data. As a result, it turned to cloud-services provider Egnyte.
By keeping a copy of the data in the cloud, as well as on a local device, caseworkers now have instant access to data whether they’re in the office or in the field. The data, upward of 500 documents each month, is encrypted and password-protected.
The system also allows therapists to write, edit and save documents directly on the server rather than on their local PCs and Macs. At the same time, the system generates an e-mail or text notification and sends it to the appropriate person if a change takes place. In addition, employees carry encrypted flash drives, with which they can access files securely if they lack an Internet connection.
“The system has saved us money and has greatly simplified security,” Quisenberry says.
A Comprehensive Strategy
Like Huntington National Bank and COFY, many organizations recognize the value of identity management, authentication, encryption and other access controls. However, these methods are only part of a comprehensive Web 2.0 protection strategy, says PricewaterhouseCoopers’ Loveland.
Data loss prevention (DLP), which tracks the flow of sensitive documents and data, is another key consideration. It controls who accesses data and where it’s allowed to go by monitoring and locking down endpoints.
Likewise, organizations are turning to e-discovery and digital rights management (DRM) software to control the flow of documents, audio, video and other types of intellectual property. In some instances, these applications run in a cloud environment, but the technology can also help track data flow into social networking sites and other Web 2.0 tools by producing an audit trail and a record of all change actions.
For example, at Roke Manor Research, a leading U.K. technology research and development center, the need to manage highly sensitive information—including documents and data from clients in military defense—is of the utmost importance. “A data breach could result in damage to the reputation of the company and subsequent loss of further orders,” explains Rob Matthews, IT security officer. With 430 employees and 1,200 PCs, he doesn’t take the task of securing systems lightly.
In 2005, Matthews began looking for an endpoint-security solution. He opted for Safend Protector, which secures all physical and local ports, including USB, FireWire, PCMCIA, wireless endpoints (including Wi-Fi, Bluetooth and IrDA), and removable storage devices (including smartphones, iPods and flash drives).
The system also uses endpoint monitoring and device identification to block keyloggers and other malware. “The monitoring and alerting functions have already proven useful and assist in identifying where we might have problems,” he says.