Data Behind the Firewall
By Doug Bartholomew | Posted 2008-03-26
What measures can organizations take to improve the security of at-rest customer, product and employee data? Experts weigh in.
Baseline: Is data inside the firewall secure?
Woo: Generally, I’d say yes. Basic directory services such as Active Directory and LDAP, for example, provide the necessary security measures for most companies to ensure that only the appropriate personnel can access the necessary information. LUN mapping provides a similar level of security for application security.
What it doesn’t address is data mobility. Once data is available to be accessed, it doesn’t stop users from taking it away with them on a thumb drive or by burning a CD/DVD. The only way to do that is to disable USB ports, and have diskless laptops and workstations. And frankly, that isn’t sufficient, because data can be emailed out of an organization.
This is perhaps the biggest hurdle facing the mobility of workers and the 24/7, anytime, anywhere access of data. Virtual desktop environments, such as VMWare’s VDI infrastructure and Citrix with Xen and other technologies, limit physical access, but this doesn’t address the email-ability of data.
Proctor: There’s no such thing as ‘secure.’ It’s a question of whether it’s secure enough, and against which threats.
Organizations can’t protect themselves entirely, so they have to make good, defensible decisions so they have sufficient protection from reasonably anticipated threats. Based on the value of the data and the threats they are facing, this is going to be different for every organization. Most organizations recognize today that firewalls alone are not sufficient protection.
Baseline: What trends do you see evolving for keeping internal data secure?
Proctor: Regulatory mandates like HIPAA, GLBA and SOX, and other demands like PCI, prescribe several different types of controls to protect data inside the firewall. These include controls such as monitoring administrators, regulating access, segmenting the network, data loss prevention, stored data encryption, anti-virus, and having good policies, to name a few.
The major trends are focused on developing good governance and risk management. Organizations are improving the maturity of their programs so they can stop being reactive to security situations and become more proactive.
Woo: Existing data security measures continue to be the norm, although there is a significant investment of time being made in taking a look at data encryption as an added form of security. I don’t see a trend toward mass adoption of encryption yet, although the desire to move that way is certainly very strong.
Baseline: What should organizations do to ensure that their internally stored enterprise data is secure?
Woo: The implementation of object-based (read: file-based) data encryption, augmented with enterprise-wide data access/mobility policies, is the best form of protection. Greater efforts will be necessary by the industry as a whole to provide and enforce inter-enterprise policies.
Proctor: They should do a good risk assessment to determine the level of protection, identify threats and gaps, and develop a remediation plan. There is not one list of technologies that all companies should implement for all situations. They have to address the standard of due care and be able to pass their internal and external audits.