Why Data Integrity is the New Protection
The failure of traditional perimeter security mechanisms to prevent data breaches is well documented. The cyber-attack on Sony Pictures Entertainment is a good example of how hackers are able to extract extremely sensitive data (e.g., movies, email, social security numbers of employees, etc.) despite an arsenal of security tools being in place. We’ve reached a tipping point that requires a new approach to information security, one that focuses on protecting the data itself, from the inside out.
Companies spend huge sums of money every year to maintain a security perimeter designed to fend off cyber and insider threats. According to Gartner, worldwide spending on information security will reach $71.1 billion in 2014, an increase of 7.9 percent over 2013. Total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Other Gartner figures show that in 2013, average budget allocations for information security were 5.1% of the overall IT budget, up 8.5% from 2012.
Data breaches at companies such as Target, Home Depot, Staples, Michaels, Kmart, Bebe Stores Inc., eBay, the Montana Department of Public Health and Human Services, and Sony Pictures Entertainment are raising doubts about whether organizations are investing their security dollars in the right areas. According to the Verizon Data Breach Investigations Report, 95 percent of data breaches are motivated by data exfiltration for material gain or corporate spying. This is an important factor to take into account when planning technology acquisitions.
Since data is the prime target for attackers, why are we putting so much effort into protecting the network perimeter? If we can prevent data from leaving the organization or being modified, protecting against network breaches becomes less critical. Unfortunately, data is often left unsecured. For example, a quick web search for “data breach and unencrypted data” produces thousands of results that illustrate how many organizations fail to protect the integrity of their data and don’t even encrypt sensitive information.
As a matter of fact, a study by the California Attorney General points out that millions of residents had their personal information exposed, but that more than half of these incidents would have been easily avoided if the breached organizations would have encrypted their data. A survey of 5,000 senior IT managers conducted by market research firm B2B International supports these findings by revealing that 35 percent of organizations worldwide don't use encryption to protect data.
This is the reason why more and more regulations and industry standards (e.g., COBIT 5, PCI DSS 3.0, FISMA) are mandating the concept of data integrity. Concerns over the lack of data encryption for instance have prompted New Jersey legislators to propose requiring health insurers to encrypt personal health data on all of their computers. The bill, A-3322/S-562, comes nearly a year after two laptops with unencrypted information were stolen from Horizon Blue Cross Blue Shield of New Jersey’s Newark headquarters.
If data is the end target point of cyber-attacks, what steps are involved in implementing a data integrity strategy to secure an organization’s most sensitive digital assets?
The objective of data integrity initiatives is to assure that data is correct, complete, whole, and sound, and that it remains consistent with the meaning its authors intended. In the context of IT security, the goal is to prevent the accidental, deliberate, or unauthorized removal, insertion, modification, or destruction of data in a database. To achieve this, organizations should at minimum implement the following practices:
The first step in any data integrity program is to classify data into categories that reflect the business need to protect them, such as “public”, “internal use”, “confidential”, and “top secret”. Unfortunately, data classification is often abandoned because of the manual effort required to keep up with constantly changing classification states. However, emerging big data risk management systems come with so-called dynamic grouping capabilities that provide drag-and-drop facilities to realign classifications and then propagate the changes to all associated nodes.
Data classification will subsequently determine what data should be encrypted, which at minimum typically covers personally identifiable information (PII). Innovations in encryption technology over the past few years have eliminated many of its earlier performance and deployment roadblocks. Organizations should place special emphasis on developing well-documented and properly implemented encryption policies, applied to all sensitive data wherever it resides and however it is transmitted.
Control Data Access
Access control is the Achilles heel of many security programs, since practitioners have to balance data availability against unauthorized data usage (e.g., theft, disclosure, modification, destruction). Meanwhile, hackers often target privileged users, since their accounts provide a beachhead into the entire network. Therefore, strict enforcement of well-defined access control policies, together with continuous monitoring of access paths to ensure they are working as intended, is essential for the success of data integrity initiatives. To assist here, organizations should consider deploying big data risk management systems to assess the organization’s risk posture, visualize the results, and prioritize remediation actions based on business criticality.
Last but not least, organizations should implement practices to certify uncorrupted data transmission. Worst case scenarios here include the manipulation of stock market data by cyber-attackers before it is publicly disseminated.
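The following is an added example, not code from the original article or from Agiliance, of what “certifying uncorrupted data transmission” can look like in practice: the sender computes an HMAC-SHA256 tag over a canonical serialization of each record, and the receiver recomputes and compares it in constant time before accepting the data. The record fields, the `EXMPL` symbol, the function names and the key handling are all assumptions constructed for illustration; in a real deployment the key would be provisioned to both parties through a key management system rather than generated in the script.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional


def canonical_bytes(record: dict) -> bytes:
    """Serialize a record deterministically (sorted keys, no whitespace) so that
    sender and receiver compute the tag over exactly the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_record(record: dict, key: bytes) -> str:
    """Return a hex-encoded HMAC-SHA256 tag over the canonical form of the record.
    The tag travels with the record; without the key nobody can forge a valid one."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify_record(record: dict, tag: str, key: bytes) -> bool:
    """Recompute the tag and compare it in constant time. A False result means the
    record was altered in transit, the tag was altered, or the wrong key was used."""
    expected = seal_record(record, key)
    return hmac.compare_digest(expected, tag)


# Constructed sample: a market-data record of the kind the text describes, before
# public dissemination. All values are made up for this example.
SAMPLE_RECORD = {
    "symbol": "EXMPL",
    "price": 42.17,
    "volume": 1200,
    "ts": "2014-12-01T09:30:00Z",
}


def demo(key: Optional[bytes] = None) -> dict:
    """Seal the sample record, then check three receiver-side scenarios:
    untouched data, data modified in transit, and a receiver holding the wrong key."""
    key = key if key is not None else secrets.token_bytes(32)  # hypothetical shared key
    tag = seal_record(SAMPLE_RECORD, key)

    untouched_ok = verify_record(SAMPLE_RECORD, tag, key)

    # An attacker on the path changes the price but cannot recompute the tag.
    tampered = dict(SAMPLE_RECORD, price=99.99)
    tampered_ok = verify_record(tampered, tag, key)

    # A party without the correct key cannot validate (or forge) the tag either.
    wrong_key_ok = verify_record(SAMPLE_RECORD, tag, secrets.token_bytes(32))

    return {"untouched": untouched_ok, "tampered": tampered_ok, "wrong_key": wrong_key_ok}


if __name__ == "__main__":
    print(demo())  # expected: untouched True, tampered False, wrong_key False
```

The canonical serialization step matters: if sender and receiver format the same record differently (key order, whitespace), the tags will not match even though the data is intact, so the integrity check must be defined over a fixed byte representation. An HMAC proves the data was not altered by anyone without the key; where non-repudiation toward third parties is also required, a digital signature over the same canonical bytes serves the same role.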
As incidents continue to proliferate, it’s becoming clear that cyber risks can never be completely eliminated. However, maintaining data integrity can provide protection from attacks and breaches where legacy security approaches are falling short.
About the Author:
Torsten George is Vice President of Worldwide Marketing and Products at big data risk management software vendor Agiliance. Torsten has more than 20 years of global information security experience. He is a frequent speaker on compliance and security risk management strategies worldwide and regularly provides commentary and byline articles for media outlets, covering topics such as data breaches, incident response best practices, and cyber security strategies. Torsten has held executive level positions with ActivIdentity (now part of HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (now part of Dell). He holds a Doctorate in Economics and a Master of Business Administration degree in B2B-Marketing and Business Strategy.