Enterprises need to develop better security policies
September 26, 2006
More and more today, data is the currency of the global economy, as an increasing number of people use the Internet to pay with credit cards. Employees are now paid through direct deposit to their bank accounts. More and more businesses sell a good portion of their products and services online.
Increasingly, companies are now even more challenged to find better and more secure ways to protect all this vital information as it is rapidly exchanged with players both inside and outside of secure corporate networks.
Over the past few years, data security breaches and hacker attacks have become more pervasive. Additional legislation, including PCI (Payment Card Industry) standards and the GLBA (Gramm-Leach-Bliley Act), has been created to safeguard such consumer data. Well-publicized security breaches are causing enterprises to develop security policies in order to protect their brands from the damaging bad publicity surrounding such a tragic event.
Additionally, the growing trend towards outsourcing non-core business functions is also driving the need for enterprises to greatly extend their security policies to some of their partners. In this risk-filled environment, a data-centric approach to security may be the only way for enterprises to remain in full control of their information, no matter where and when it resides.
As a whole, data encryption technology allows certain individuals and organizations to secure their corporate data at the file level. An encrypted file can be sent via any communications mechanism (SSL/FTP/email) and the sender can rest assured that their data cannot be tampered with.
When data encryption is done in parallel with a Public Key Infrastructure (PKI), files can also be digitally signed and authenticated. This provides the originator the highest level of assurance that their data will reach its endpoint in a secure fashion.
Information can take many forms within a specific enterprise. Stored data can be found on mainframes, servers or even proliferated to an infinite number of corporate desktops. Sensitive information can be stored to back-up tapes at off-site storage facilities or even on CDs and USB drives.
Integrating encryption into data-management policies prior to saving to tape or CD will ensure that the information remains secure. As information moves through operational processes both within and outside of the enterprise, it becomes data in transit.
Usually, data moves throughout the enterprise from one computing platform to another. Information on the mainframe can be sent to servers or desktops, and vice versa.
In order to complement existing processes, an encryption solution must allow for this multi-platform versatility; otherwise, security can become restrictive and ineffective. An added consideration for facilitating data in transit is to use an encryption solution that compresses data prior to encrypting it so that the file exchange has as little impact as possible on bandwidth.
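Why the order matters, as an added example that is not part of the original article: ciphertext looks random, so compression applied after encryption recovers nothing, while compression applied first shrinks the file that crosses the wire. The SHA-256 counter-mode keystream is a stand-in for a real cipher, and the key, nonce and transaction records are constructed for the demonstration.

```python
import hashlib
import zlib


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode), for illustration only.
    Real systems should use a vetted authenticated cipher such as AES-GCM."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def compress_then_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return keystream_xor(key, nonce, zlib.compress(plaintext, 9))


def encrypt_then_compress(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return zlib.compress(keystream_xor(key, nonce, plaintext), 9)


def decrypt_then_decompress(key: bytes, nonce: bytes, blob: bytes) -> bytes:
    return zlib.decompress(keystream_xor(key, nonce, blob))


def sample_batch(rows: int = 2000) -> bytes:
    """Constructed daily batch of transaction records (not real data)."""
    lines = [
        f"{i:08d},STORE-{i % 40:03d},SKU-{i % 250:05d},{(i * 37) % 9000 / 100:.2f},USD\n"
        for i in range(rows)
    ]
    return "".join(lines).encode()


def compare() -> dict:
    key = hashlib.sha256(b"constructed demo key").digest()  # assumption: demo key
    nonce = b"batch-0001"                                    # assumption: per-batch nonce
    batch = sample_batch()
    good = compress_then_encrypt(key, nonce, batch)
    bad = encrypt_then_compress(key, nonce, batch)
    return {
        "plaintext": len(batch),
        "compress_then_encrypt": len(good),
        "encrypt_then_compress": len(bad),
        "round_trip_ok": decrypt_then_decompress(key, nonce, good) == batch,
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>22}: {value}")
```

Compressing first makes the ciphertext length depend on the content, which matters mainly where an attacker can inject chosen data into the same compressed stream as a secret; that is uncommon in batch file transfer but worth checking before adopting the pattern elsewhere.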
Business partnerships change dynamically as resources come together to achieve common goals. Whether the goal is a successful insurance claim or the processing of a financial transaction, information to support the activity must be exchanged.
For a security solution to be transparent and non-restrictive to partners, it must take into consideration the uniqueness of partners' computing platforms and security environments. Data-centric security is unique in this regard because it transcends operational requirements.
The common thread in most legislation today is that customer data must be vigilantly protected. As an organization looks at how to keep its information secure, it should look to how data flows within it. The following example illustrates the data flow of a national wholesaler working to achieve PCI compliance.
This particular wholesaler needed to secure transactional data being received daily in its mainframe data center. The data needed to be batched and encrypted every 24 hours. The data then resided in storage for several days while transactions closed, after which the files were sent to an AIX Server where the information was decrypted and stripped of sensitive information.
The remaining non-sensitive data was then moved to tape and stored in an off-site facility. As an added challenge, this wholesaler needed to maintain processing windows while adding security to their environment.
In reviewing the process flow from this wholesaler, cross-platform interoperability became one of the key components of the solution. The wholesaler needed the ability to take information encrypted on the mainframe, decrypt it on an AIX server and then protect the information as they saved it to tape.
In this case, the wholesaler was able to meet PCI compliance and maintain its processing windows through the use of compression. Another advantage of a data-centric security model is that it represents a cost savings to an organization because there is no need to secure the communications mechanisms, which are often expensive and difficult to maintain.
User Proof - The potential for employees to misuse encryption is a risk of the data-centric security model. In some cases, employees have encrypted information and upon its exit from the organization, the information becomes inaccessible. To prevent this from happening, encryption solutions should include a contingency or master key feature, which allows the system administrator access to any files being encrypted by users within the organization. An integrated policy manager will also allow the organization to dictate encryption policy through an administrative interface.
Non-Disruptive - Many security solutions do not complement an organization's environment. The advantage of using a data-centric security model is that it complements the security investments that organizations have already made.
Choosing an Encryption Vendor - The security market is saturated with vendors offering partial or point solutions. The best option is a practical solution that is able to address multiple concerns. As an organization looks for the right security solution, here are some things to keep in mind:
Backward Compatibility - In many cases, files that have been encrypted must remain accessible for several years to remain in compliance with regulations and audit requirements, even after they have been backed up. Look for a solution that is standards-based and can open legacy file formats.
The only feasible approach to securing information is to take an encrypted, data-level approach to security. Anything less leaves companies, customers and partners at risk.
Source: eCommerce Times