Is securing data easier than securing entire systems?
Data security becomes paramount in new threat environment
If the future of threats against networks and systems is mostly of the stealthy advanced persistent threat (APT) kind, is it safe to assume that some systems will be penetrated and attacked no matter what kind of security is put in place? If the main target of these attacks is information and data, why not focus on securing the data itself?
In some ways, that would be a return to the approach that ruled 15 years ago when firewalls were first deployed to protect the perimeter of the enterprise. The idea then was not to protect networks or systems but the data that traveled through and among them.
Even without APTs, the threat today from data leakage through everyday use by people who have no ill will at all should be enough to promote the idea of data security in organizations. And with the current use of portable storage devices such as USB devices and CDs, the growth in mobile communications, and the explosion in the use of devices such as tablet computers and smartphones, there’s no longer much of a perimeter to defend.
“We’re at an interesting place right now where we finally get how to lock down the file servers and the database, and where we are doing a much better job of protecting the central repositories where the sensitive data resides,” said Shon Harris, president of Logical Security, a computer security consulting firm. “If the data just stayed in the database, then life would be terrific. But people have to take a little piece of that data and put it into an e-mail or some other application to use it.”
And after it's outside the database, data is no longer protected by the controls placed on the database itself.
The problem of data leakage led to the rise of data loss prevention (DLP) solutions, software that can monitor data in motion on the network, at rest in the data center, or in use at various points, such as workstations or mobile devices. The software automatically detects confidential data in any of those states and protects it by enforcing security policies to prevent it from ever leaving the enterprise.
For data that goes outside the enterprise, technology such as information rights management has emerged over the past few years as a necessary complement to DLP. It attaches controls to the particular pieces of data that may have been copied to a USB device, laptop or CD or e-mailed to someone outside of the enterprise, restricting who can read, alter, print or even forward that data.
That doesn’t obviate the need for an enterprise defense-in-depth strategy and protection of what remains of an organization’s IT perimeter, but that’s not the be-all of security today.
“Absolutely there needs to be a movement to object-centered security,” said Prem Iyer, director of the information security practice at Iron Bow Technologies. “Even if I lose data from my own control, I still need to be in the position of implementing policies on that data and to ensure that it’s not being viewed by anyone that doesn’t have a need to know.”
That’s even more vital in the age of the APT. Most observers now believe that a good number of government computers have been penetrated by APT malware and that APTs have been resident in those systems for some time. On any given day, APTs are probably accessing and stealing sensitive government data without agencies being aware of it.