Data at rest is data at risk: take steps to secure it.

Recent high-profile breaches of enterprise networks have proven that perimeter protection such as firewalls and intrusion detection systems cannot completely secure digital assets. To ensure that sensitive information is truly safe from threats emanating from both inside and outside the organisation, the data itself must be encrypted. The obvious example of a company that missed out on the benefits of encryption is discount retail giant TJX, whose recent tale of woe must have sent chills up the spines of many CIOs. It is a story that just keeps getting worse: we are now learning that the retailer's network was apparently breached multiple times back in 2005, not just between May 2006 and January 2007 as originally thought. Information concerning credit and debit card transactions dating from 2007 all the way back to 2003 may have been compromised. TJX has already taken a fourth-quarter charge of about $4.5 million for costs solely related to the hack, a figure that is likely to increase as the investigation and remediation continue. Had TJX encrypted its stored data, the breach would have been a far less serious issue. While no one wants hackers rummaging around in their network, it is certainly less stressful to know that anyone who manages to penetrate the network cannot read the data they find there.
Yet it is rare, after lost backup tapes or a penetrated network, for a company spokesperson to be able to say: "the data was encrypted, so it is quite safe, totally inaccessible to anyone but our authorised users." Instead we read the same sad lines again and again: an executive quoted as saying the whole situation is utterly unacceptable and not up to the company's high standards, but that it is being addressed and the company will pay for six months of credit monitoring for customers whose personal data was exposed. (TJX did not even offer to pay for monitoring.) Those blustering press releases may have been fine a few years ago. But customers are getting mad as hell and they are not going to take much more of this nonsense. Lawmakers, sensing the shifting zeitgeist, are moving to pass legislation that will increase penalties for companies that expose personal data. Organisations that encrypt data only while it is in transit are also likely to be violating the data security regulations affecting their industry, and they leave themselves open to corporate espionage and a myriad of attacks, with the ensuing litigation, damaging publicity, financial penalties and loss of customer trust. All it takes is one zero-day attack to ruin a corporation's good reputation. Encryption of data at rest should be a given by now. It is not an extra layer of protection; it is a necessary one.
Data at rest is data at risk. A moving target is much harder to hit, so most criminals and snoops would rather pull information from a database than try to grab it while it is being transmitted or transported. So why doesn't every corporation encrypt stored data? Some simply do not budget for in-depth security until their network has already been breached. Others worry about encryption having an adverse impact on network performance, backup speed and restore times, or are concerned that encrypted data will not be accessible when and as needed. While all of these concerns were once valid, virtually all have been addressed by newer solutions that provide unified encryption across the entire distributed enterprise with little performance penalty and no end-user hassle. These are not single-trick solutions either: the best ones dovetail encryption and decryption with user access policies, handle some of the trickier key management chores, and make the entire encryption process transparent and seamless.

Evaluating Encryption Solutions

Until recently, data backup and archiving was a straightforward procedure. All data was captured on a regular basis and dumped onto a rotating set of backup tapes, and then organised, or at least stored, in the data centre. About the only thing a company had to decide was where to house its off-site archives.
Things have changed. Many data centres are now moving towards a mixed environment of disk-based archives for fast system restores plus tape for long-term archival storage. New privacy and reporting requirements (e.g. the Payment Card Industry Data Security Standard, Sarbanes-Oxley and the Data Protection Act) have also altered what sort of information companies opt to store, for how long, and on what types of media. Some regulations require certain types of critical records to be stored on archival media that cannot be altered or easily tampered with. The old "save everything" method of backing up is no longer viable, due to the sheer amount of data that most corporations generate and the legal liabilities inherent in keeping every scrap of information readily accessible in long-term archives. Instead, companies must develop data retention and destruction policies that define exactly what needs to be saved and for how long. Even then, not every email and memo needs to be protected; only the most critical data, such as customer records and financial information, needs to be encrypted. Companies that encrypt every single scrap of data are the ones that complain that their systems get bogged down. Obviously a successful encryption plan does not centre simply on choosing a product. First, enterprises must identify what data needs to be encrypted and where it resides, and then choose the encryption technology that suits the company's needs.

[Diagram 1: Conduct a Data Protection Inventory]

Hardware versus software encryption

Organisations must also decide whether to deploy hardware- or software-based encryption. In general, hardware-based solutions are faster than software encryption and do not consume CPU and memory on the servers that hold the data.
The trade-off is cost and sometimes a lack of scalability. Software encryption is less expensive, but may take too much time and computing power when large backups from a busy network are being encrypted. Happily, newer solutions offer the benefits of both approaches by using the database server as the platform for encryption services. When the application calls for protected information, the encryption service requests the encrypted data from the database server, decrypts it locally, and returns clear-text information to the calling application. Network overhead is eliminated, performance is better than that delivered by attached devices, and there is no need to invest in a slew of separate devices to perform encryption. Since much of the information that needs to be encrypted will be stored in databases, enterprises might choose to focus on finding a solution developed with database encryption in mind. Look for solutions that allow encryption at the column level within a database table, as this has proven to be the most effective and efficient way of encrypting data. Companies can choose the fields containing the most sensitive data and encrypt only those, further eliminating potential bottlenecks in database performance caused by searching encrypted data. Distributed enterprises will also want a solution that can be deployed across the organisation from one central location, minimising the cost and effort to implement and maintain it. This is especially important for organisations that have multiple databases in different physical locations.
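What column-level encryption looks like from the application's side, as an added example that is not part of the original article and not any vendor's product code: only the card-number column is encrypted, every stored value carries the version of the key it was sealed under, the column name is bound into the authentication tag, and a separate keyed blind index makes equality lookups possible without decrypting anything. The in-memory key ring, the column names and the card number are assumptions made for the example; a real deployment would draw its keys from a central key manager. The Rotate and ReEncrypt pair is the key rotation described under key management below.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// KeyRing holds versioned AES-256 data keys plus a separate HMAC key for the blind index. They
// live in memory here (an assumption for this example); real deployments use a central key manager.
type KeyRing struct {
	keys     map[uint32][]byte
	current  uint32
	indexKey []byte
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func NewKeyRing() *KeyRing {
	kr := &KeyRing{keys: map[uint32][]byte{}, indexKey: randomBytes(32)}
	kr.Rotate()
	return kr
}

// Rotate installs a new current key; older versions stay available for reads.
func (kr *KeyRing) Rotate() uint32 {
	kr.current++
	kr.keys[kr.current] = randomBytes(32)
	return kr.current
}

func (kr *KeyRing) aead(version uint32) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kr.keys[version]) // an unknown version yields a nil key, so this fails
	if err != nil {
		return nil, fmt.Errorf("key version %d: %w", version, err)
	}
	return cipher.NewGCM(block)
}

// KeyVersion reads the version prefix of a stored blob; 0 is never issued, so malformed blobs fail.
func KeyVersion(blob []byte) uint32 {
	if len(blob) < 16 { // version (4 bytes) + nonce (12 bytes) must both be present
		return 0
	}
	return binary.BigEndian.Uint32(blob)
}

// EncryptField stores version(4) || nonce(12) || ciphertext+tag; the column name is bound as AAD.
func (kr *KeyRing) EncryptField(column string, plaintext []byte) ([]byte, error) {
	g, err := kr.aead(kr.current)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 16)
	binary.BigEndian.PutUint32(out, kr.current)
	copy(out[4:], randomBytes(12))
	return g.Seal(out, out[4:], plaintext, []byte(column)), nil
}

// DecryptField picks the key by the blob's version; a wrong key or column fails the tag check.
func (kr *KeyRing) DecryptField(column string, blob []byte) ([]byte, error) {
	g, err := kr.aead(KeyVersion(blob))
	if err != nil {
		return nil, err
	}
	return g.Open(nil, blob[4:16], blob[16:], []byte(column))
}

// ReEncrypt is the rotation step for one value: decrypt under its own version, re-seal under the current one.
func (kr *KeyRing) ReEncrypt(column string, blob []byte) ([]byte, error) {
	pt, err := kr.DecryptField(column, blob)
	if err != nil {
		return nil, err
	}
	return kr.EncryptField(column, pt)
}

// BlindIndex: keyed hash stored beside the ciphertext so equality lookups need no decryption; it reveals which rows share a value.
func (kr *KeyRing) BlindIndex(value string) []byte {
	mac := hmac.New(sha256.New, kr.indexKey)
	mac.Write([]byte(value))
	return mac.Sum(nil)[:16]
}

func main() {
	kr := NewKeyRing()
	enc, _ := kr.EncryptField("pan", []byte("4111111111111111")) // constructed test value, not a real card
	fmt.Printf("key version %d, index %x\n", KeyVersion(enc), kr.BlindIndex("4111111111111111"))
}
```

The blind index is the practical answer to the search concern: a ciphertext produced with a fresh nonce can never be matched by a WHERE clause, so the lookup column holds an HMAC of the plaintext instead and the application decrypts only the rows that column selects. Keep the HMAC key separate from the data keys, and accept that the index leaks equality (two customers with the same card number show the same index value), which is why it suits identifiers rather than free text. The version prefix is what makes rotation a routine batch job rather than an outage: old values stay readable until a pass has re-sealed them under the new key.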
Businesses that need to support different software platforms and database applications should look for a solution that supports all major relational databases and their operating system environments.

How strong should your encryption be?

The encryption should be as strong as technically possible; solutions that skimp on algorithm strength often fall short in other areas as well. Look for a solution certified to meet Federal Information Processing Standard (FIPS) 140-2, the most widely recognised benchmark for cryptographic modules. Last but not least, no single technology is the magic bullet that solves every security problem. Encryption should be partnered with a full-fledged data security solution that enforces role-based access control and separation of duties between database administration and IT security. For instance, security officers set the policies but may not access the sensitive data itself, and a database administrator who can read every table should not also hold the keys that unlock its encrypted columns.
Understanding key management

One of the essential components of data encryption is key management: the way cryptographic keys are generated and managed throughout their lifecycle. Because cryptography is based on keys that encrypt and decrypt data, your data security solution is only as good as the protection offered by your keys. Real security depends on two factors: where the keys are stored and who has access to them. Enterprises should look for solutions that centralise all key management tasks on a single platform and automate the administrative ones. This provides both operational efficiency and reduced management costs. Other essential key management features include a secure mechanism for key rotation, replication and backup. Any encryption product that does not provide a secure means of recovering or replicating keys is a catastrophe waiting to happen, and one that is likely to manifest in a disaster recovery situation, where complete backups and necessary files may not be immediately accessible and keys need to be replicated quickly. Look for a solution that allows keys to be replicated only when a quorum comprising a pre-determined number of people have authenticated themselves to the system.
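The quorum requirement just described is usually built on a threshold secret-sharing scheme: the master key is split into n shares held by separate custodians, any k of which reconstruct it, while k-1 reveal nothing at all. The code below is an added illustration, not code from the article or from Protegrity; it implements Shamir's scheme over GF(2^8) in Go. The 3-of-5 split, the five custodians and the sample key are assumptions made for the example. A 2-of-2 split is the dual-control arrangement discussed below.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
)

// Share is one custodian's piece of the key: an x-coordinate and one y-value per secret byte.
type Share struct {
	X byte
	Y []byte
}

// gfMul multiplies in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1.
func gfMul(a, b byte) byte {
	var p byte
	for ; b != 0; b >>= 1 {
		if b&1 != 0 {
			p ^= a
		}
		a = a<<1 ^ 0x1b&byte(int8(a)>>7) // xtime: shift, reduce if the high bit was set
	}
	return p
}

// gfInv returns a^-1 = a^254 in GF(2^8); callers never pass 0.
func gfInv(a byte) byte {
	r, base := byte(1), a
	for e := 254; e > 0; e >>= 1 {
		if e&1 == 1 {
			r = gfMul(r, base)
		}
		base = gfMul(base, base)
	}
	return r
}

// Split divides secret into n shares so that any k reconstruct it and any k-1 reveal nothing:
// each byte becomes the constant term of a fresh random polynomial of degree k-1.
func Split(secret []byte, k, n int) ([]Share, error) {
	if k < 2 || n < k || n > 255 {
		return nil, errors.New("need 2 <= k <= n <= 255")
	}
	shares := make([]Share, n)
	for i := range shares {
		shares[i] = Share{X: byte(i + 1), Y: make([]byte, len(secret))}
	}
	coeffs := make([]byte, k)
	for j, s := range secret {
		coeffs[0] = s
		if _, err := rand.Read(coeffs[1:]); err != nil {
			return nil, err
		}
		for i := range shares { // Horner evaluation of the polynomial at x = i+1
			var y byte
			for c := k - 1; c >= 0; c-- {
				y = gfMul(y, shares[i].X) ^ coeffs[c]
			}
			shares[i].Y[j] = y
		}
	}
	return shares, nil
}

// Combine is the quorum gate plus the mathematics: it refuses unless at least k custodians presented
// a share, then Lagrange-interpolates the first k at x = 0. Fewer than the true k gives a wrong key.
func Combine(shares []Share, k int) ([]byte, error) {
	if k < 1 || len(shares) < k {
		return nil, fmt.Errorf("quorum not met: %d of %d shares presented", len(shares), k)
	}
	shares = shares[:k]
	seen := map[byte]bool{}
	for _, s := range shares {
		if s.X == 0 || seen[s.X] || len(s.Y) != len(shares[0].Y) {
			return nil, errors.New("malformed or duplicate share")
		}
		seen[s.X] = true
	}
	secret := make([]byte, len(shares[0].Y))
	for j := range secret {
		for i, si := range shares {
			num, den := byte(1), byte(1) // Lagrange basis weight of share i at x = 0
			for m, sm := range shares {
				if m != i {
					num, den = gfMul(num, sm.X), gfMul(den, sm.X^si.X) // subtraction is XOR here
				}
			}
			secret[j] ^= gfMul(si.Y[j], gfMul(num, gfInv(den)))
		}
	}
	return secret, nil
}

func main() {
	shares, _ := Split([]byte("0123456789abcdef0123456789abcdef"), 3, 5) // constructed key; 5 custodians, any 3 restore
	got, err := Combine([]Share{shares[0], shares[2], shares[4]}, 3)
	fmt.Printf("%q %v\n", got, err)
}
```

Two things matter in practice beyond the arithmetic. Combine enforces the quorum by counting shares before it touches the mathematics, because interpolation alone will happily take any number of points and return a plausible-looking wrong key; the product, not the custodians, has to know what k is. And the shares should go to people in different roles, such as a security officer and a database administrator, so that replicating a key in a disaster is a deliberate, witnessed act rather than one administrator's login.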
Keys should also be securely backed up and rotated periodically, to limit the exposure if a key is ever compromised. The backup benefits are obvious; key rotation is a process that decrypts data using the existing keys and re-encrypts it with new keys at pre-selected intervals. Depending on the sensitivity of the data being encrypted and the government and industry regulations that affect a particular organisation, companies may want a solution that supports a dual-control implementation of key management. This feature blocks one-party changes and requires two people to authenticate major changes, in the same way that particularly large bank cheques require two signatures to be valid. Encryption is rapidly becoming an essential and expected part of a company's obligation to protect sensitive information. It is an easy and cost-effective way to avoid a slew of embarrassing and expensive security problems. I bet TJX's CIO wishes he'd used it.

www.protegrity.com

About the author. Ulf Mattsson holds a degree in electrical engineering from Polhem University, a degree in finance from the University of Stockholm and a master's degree in physics from Chalmers University of Technology. He is CTO of data security specialist Protegrity.

RELATED ARTICLE: Sybase Survey

Sybase, Inc. has announced the results of an independent survey on business intelligence application implementations, conducted in conjunction with the National Computing Centre (NCC). Dave Lawrence, Technical Sales Manager at Sybase, made the following observations on the survey results:

* As a software vendor with over twenty years of experience in providing data management solutions, we were keen to compare the results of this NCC survey with our understanding and experience of today's BI market. This survey underpins our analysis that initial BI implementations focus on supporting business decisions, performance management and business process control.

* Interestingly, the survey shows that only 13% of the surveyed systems have completely met their original business drivers.
The ability for any BI system to provide answers quickly, on the right information, in an easy-to-use fashion, is a challenge for 29% of respondents. Our experience leads us to understand that it isn't easy to derive ongoing, tangible benefits from any BI system. It's a careful balancing act to provide sufficient BI capability, at a controllable total cost of ownership, without losing agility, insight or competitive edge. We've no doubt that BI will continue to grow as an increasingly important business tool, allowing senior management to predict changes to their target markets, and to assess the impact and profitability of their product and service offerings in near real time. To support this activity, BI systems will need to support growing volumes of structured and unstructured information, with real-time access, by increasing numbers of users wanting to ask any question, on any subject. So the future for BI is bright; it's just a question of discovering how to best utilise its undoubted ability to provide that competitive advantage to your business.
"The research reveals that the deployment of BI might be a panacea of management decision-making, but like most process changes, cultural issues around deployment can be a significant barrier," said Stefan Foster, Managing Director, NCC Ltd. "To make BI effective means fully understanding what metrics are important to you and your business. Deployment problems occur when the wrong data is collected, when the wrong questions are asked, and when staff are unsure of what they want from the system, or are wary of using it. Getting the cultural issues right is just as important as choosing the right technology."

For more information, visit: www.sybase.com