One thing is certain about data: you can’t do business without it. And it’s likely that dozens upon dozens of people, from employees to partners, need access to data if you want to keep your business moving forward. Another thing that is certain about data is that its street value has increased dramatically, raising the data theft game to a whole new level of play.
If your business relies on sensitive data like credit card numbers, social security numbers or account numbers, it’s likely that you have two huge business issues that are creating some daunting challenges for your IT department—data protection and data compliance. Easy access to electronic information and data protection are natural enemies—at least in the way that enterprises have looked at data protection in the past. The old view required companies to focus on keeping bad people away from valuable and sensitive data assets by creating systems that could distinguish “authorized” users from “unauthorized” users. The problem is that smart thieves have devised ways to obtain credentials and bypass security layers that have no way to recognize the difference between an authorized user and a masquerader (with malicious intent).
If traditional security methodologies are not able to stem the data breach tide, how is it possible to ensure data protection in this age of increasingly sophisticated thieves and wider access to information in corporate data centers? For that matter, how can an enterprise comply with dozens of regulations created to address threats to sensitive data? Recognizing that data is a valuable corporate asset—like cash in the bank—is the first step. This sounds elementary, but most of the people who use data don’t view it that way. Changing the way that we think about data helps in visualizing how it should be protected. Every company has clear guidelines for how they handle money—who can access money and what they can and cannot do with it. They also have processes for how funds are tracked, documented and reported. In the world of data those processes are called data governance.
An effective data governance strategy has an enormous upside.
Effective translates to forward-thinking data governance frameworks that accommodate a myriad of compliance regulations and an ever-changing information security environment. These governance programs are holistic in nature and balance people systems, processes and training on the correct handling of corporate data. They typically include strategies for automated ways to understand what is happening to data and best practices for responding to data threats as they materialize. Data governance programs have the potential to provide improved control over one of businesses’ most valuable assets – data.
And companies that have insight into and control over how data is used have a powerful competitive advantage.
To achieve greater insight into what’s happening with critical data, forward-thinking enterprises have turned to data auditing and monitoring technologies. Unlike credentialing and blocking technologies, data and database auditing and monitoring solutions were designed to watch user activity with data and analyze what’s going on with the data—in real time. Watching data sounds like it should be simple, but it is a technically challenging activity requiring automated ways to recognize specific kinds of information across a variety of data stores and a large number of users. More challenging, it requires the ability to analyze what data activity means in relation to who is using it, what their data usage habits have been in the past and what the enterprise considers acceptable usage for this data.
This new data security model, which relies on seeing what is happening to data as it happens rather than anticipating malicious activity and designing counter-measures to prevent it, is sometimes referred to as “trust but verify.” Companies must still provide and manage user credentials, but in addition they monitor the activity of authorized users as they access data and analyze what the user’s behavior means.
It works much like an intelligent surveillance camera to track user activity, detect unusual or dangerous activity and send the information back to security or compliance practitioners. Essentially, it compares the current data access with the “typical” behavior of this user and the company policy on access to the data, as the data is being accessed. If, for example, someone accesses sensitive data that they have never accessed before, downloads significantly larger amounts of data than they typically download or accesses data from another location, these technologies pick up on the anomalous activity and take action in the form of alerts to appropriate personnel or security systems.
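An added example (not from the original article or from any vendor's product) of the comparison described above: each access is checked against company policy and against the user's own history for the three signals named, a first touch of sensitive data, an unusually large result and a new location. The audit records, user names, policy table and 3-sigma volume threshold are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit records: (user, table, rows_returned, source_location)
HISTORY = [
    ("alice", "orders", 120, "hq"), ("alice", "orders", 90, "hq"),
    ("alice", "customers", 150, "hq"), ("alice", "orders", 110, "hq"),
    ("bob", "payroll", 40, "hq"), ("bob", "payroll", 60, "remote-vpn"),
]
# Hypothetical policy: sensitive table -> users authorized to read it
POLICY = {"customers": {"alice"}, "payroll": {"bob"}}

def build_baselines(history):
    """Summarize each user's past tables, locations and result sizes."""
    base = defaultdict(lambda: {"tables": set(), "locations": set(), "rows": []})
    for user, table, rows, loc in history:
        base[user]["tables"].add(table)
        base[user]["locations"].add(loc)
        base[user]["rows"].append(rows)
    return dict(base)

def evaluate(event, baselines, policy, k=3.0):
    """Return alert names for one access, checked against policy and baseline."""
    user, table, rows, loc = event
    alerts = []
    if table in policy and user not in policy[table]:
        alerts.append("policy_violation")
    b = baselines.get(user)
    if b is None:                      # no history: behaviour cannot be judged
        return alerts + ["no_baseline"]
    if table in policy and table not in b["tables"]:
        alerts.append("first_access_sensitive")
    mu, sigma = mean(b["rows"]), pstdev(b["rows"])
    # Floor sigma at 10% of the mean so a very regular user is not over-alerted
    if rows > mu + k * max(sigma, 0.1 * mu):
        alerts.append("volume_spike")
    if loc not in b["locations"]:
        alerts.append("new_location")
    return alerts

BASELINES = build_baselines(HISTORY)
EVENTS = [  # constructed live events
    ("alice", "orders", 100, "hq"),
    ("alice", "customers", 5000, "hq"),      # authorized, but unusual volume
    ("alice", "payroll", 50, "cafe-wifi"),
]
if __name__ == "__main__":
    for e in EVENTS:
        print(e, "->", evaluate(e, BASELINES, POLICY) or "ok")
```

The second event passes the policy check and is flagged only by the baseline comparison, which is the case a credential check alone cannot see.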
Since a large percentage of data theft is initiated by users who either have credentials (malicious insiders) or obtain credentials (masqueraders) to access data, monitoring what users are doing, particularly with sensitive and/or regulated data, is the only way to know what is happening with that data as it’s happening. There are ways to ferret out information about data access using logs, but this is a time-consuming, manual process that provides information considerably after the fact and lacks the analytics to put the access information into the context of past user behavior or company policy. One of the reasons that data auditing is becoming a key part of defense-in-depth enterprise security architecture is that if you look back and review numerous recent insider security breaches, it becomes obvious that if these enterprises had a real-time data auditing and protection system in place, the brand and financial impact could have been greatly reduced.
A large financial services organization in the east looked to data auditing because they needed easy access to data while ensuring the privacy of data for customers and the integrity of data for Sarbanes-Oxley (SOX) initiatives. Locking data up wasn’t an option. They felt that they needed enhanced visibility into operational trends to mitigate business risks such as data breaches and that the result of increased visibility would preserve customer confidence and brand integrity. They viewed data auditing as a long-term strategic initiative that would allow them to achieve greater control over data assets and ultimately competitive advantage. They had challenges to overcome, including a vendor- and version-diverse data center, the need to monitor outsourcing partners and the need to monitor and audit multiple data centers—including other companies during M&A (merger and acquisition) activities. A data auditing solution was able to meet their criteria.
This company is on the leading edge of a trend toward a more strategic way of looking at data security and enterprise data governance. It is this type of forward-thinking view of data assets — maximizing the use of data assets for all shareholders while keeping those assets safe, private and intact — that ultimately will result in competitive advantage.