Old-fashioned attempts to protect data by building impenetrable firewalls are impractical in the age of big data. It’s just too expensive and, anyway, business success increasingly means opening up to customers and business partners. By Godfrey Kutumela, head: security division at IndigoCube.
Traditional approaches to data security mirror those in the physical world: building massive barriers to keep the dangers outside the corporate systems. Successful for a time, this approach has proven unable to withstand a sustained assault, any more than the Great Wall of China could keep the Mongols out.
More to the point, business in the digital age is all about the company’s ability to open up its systems to customers and business partners – particularly developers of the apps that make the company’s products and services available to new markets. Making it hard to get into corporate systems is not only ineffective; it reduces a business’s ability to succeed.
A further complication: the arrival of big data. Protecting increasingly large volumes of data does not make economic sense.
How do risk managers and CIOs balance all of these factors to create a security policy that is affordable, effective and yet promotes the flexibility and openness essential in the digital economy? The consensus is that the right approach will cover these three key areas, moving the focus to securing the data rather than attempting to secure the perimeter – inside-out security.
The three key areas are:
* Identify critical data sets. Having understood that there is just too much data inside corporate systems to protect it all, the logical response is to identify and prioritise data sets in terms of risk. A key consideration here would, of course, be the need to comply with data-privacy regulations like the Protection of Personal Information Act in South Africa. The critical consideration in this risk assessment should be business strategy. Those applications that directly advance the business’s strategic goals are the ones to spend the most on protecting. This simple and pragmatic approach is a sure guide.
* Control access using a risk-based identity model. The cornerstone of any security system is identity management and access control. If this is not properly designed, implemented and monitored continuously, then the data-protection strategy is a waste of time and effort. However, because digital business models require data to be shared, access control has to be dynamic, and access decisions should be based on a broad set of risk factors. Put simply, dynamic access models should consider not just who is asking for access but what data he or she should be allowed to see. Luckily, highly effective risk- and challenge-based authentication systems exist: use them.
* Protect the data adequately while at rest (structured or unstructured). The most feasible and cost-effective way to protect data is while it is still in structured format in a database. Once it leaves the database, it is virtually impossible to protect because it could literally be anywhere. Most cyber-attacks target these structured data repositories because that is where the crown jewels are kept, and where they can be identified. By the same token, the database should be the focus of security efforts.
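The first two areas above (classify data sets by sensitivity, then make access decisions on a broad set of risk factors rather than identity alone) can be made concrete as a small policy engine. The following is an added example, not code from the article or from IndigoCube; the data-set catalogue, the risk weights and the per-tier thresholds are constructed assumptions, and the `CHALLENGE` outcome stands in for whatever step-up (challenge-based) authentication product is actually deployed. The audit record is included because a risk-based model is only useful if its decisions are logged for monitoring.

```python
from dataclasses import dataclass
from enum import Enum, auto


class Sensitivity(Enum):
    """Classification tier assigned during the 'identify critical data sets' step."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


class Decision(Enum):
    ALLOW = auto()
    CHALLENGE = auto()   # step-up authentication required before data is released
    DENY = auto()


@dataclass(frozen=True)
class DataSet:
    name: str
    sensitivity: Sensitivity
    allowed_roles: frozenset   # static entitlement: who may see this data at all


@dataclass(frozen=True)
class AccessRequest:
    subject: str
    roles: frozenset
    dataset: str
    external: bool = False       # partner or third-party developer rather than employee
    known_device: bool = True
    geo_mismatch: bool = False   # location differs from the subject's usual pattern
    off_hours: bool = False
    mfa_verified: bool = False   # a challenge has already been passed in this session


# Constructed catalogue: hypothetical data sets, not from the article.
CATALOGUE = {
    "marketing_brochures": DataSet("marketing_brochures", Sensitivity.PUBLIC, frozenset()),
    "customer_pii": DataSet("customer_pii", Sensitivity.CONFIDENTIAL,
                            frozenset({"support", "partner-app"})),
    "hr_payroll": DataSet("hr_payroll", Sensitivity.RESTRICTED,
                          frozenset({"hr", "finance"})),
}

# Illustrative weights and thresholds (assumptions). More sensitive tiers tolerate
# less contextual risk before a step-up challenge or an outright deny.
RISK_WEIGHTS = {"external": 2, "unknown_device": 2, "geo_mismatch": 3, "off_hours": 1}
CHALLENGE_AT = {Sensitivity.PUBLIC: None, Sensitivity.INTERNAL: 4,
                Sensitivity.CONFIDENTIAL: 2, Sensitivity.RESTRICTED: 1}
DENY_AT = {Sensitivity.PUBLIC: None, Sensitivity.INTERNAL: None,
           Sensitivity.CONFIDENTIAL: 6, Sensitivity.RESTRICTED: 4}


def risk_score(req: AccessRequest) -> int:
    """Sum the contextual risk factors present on a request."""
    score = 0
    if req.external:
        score += RISK_WEIGHTS["external"]
    if not req.known_device:
        score += RISK_WEIGHTS["unknown_device"]
    if req.geo_mismatch:
        score += RISK_WEIGHTS["geo_mismatch"]
    if req.off_hours:
        score += RISK_WEIGHTS["off_hours"]
    return score


def decide(req: AccessRequest, catalogue=CATALOGUE) -> Decision:
    """Entitlement first (who may see this data), then context (how risky is this request)."""
    ds = catalogue.get(req.dataset)
    if ds is None:
        return Decision.DENY                      # unclassified data is denied by default
    if ds.sensitivity is Sensitivity.PUBLIC:
        return Decision.ALLOW
    if not (req.roles & ds.allowed_roles):
        return Decision.DENY                      # no role entitles the subject to this data
    score = risk_score(req)
    deny_at = DENY_AT[ds.sensitivity]
    if deny_at is not None and score >= deny_at:
        return Decision.DENY                      # too risky even with a passed challenge
    challenge_at = CHALLENGE_AT[ds.sensitivity]
    if challenge_at is not None and score >= challenge_at and not req.mfa_verified:
        return Decision.CHALLENGE                 # step-up before releasing the data
    return Decision.ALLOW


def audit_record(req: AccessRequest, decision: Decision) -> dict:
    """Structured record for the monitoring pipeline; every decision should be logged."""
    ds = CATALOGUE.get(req.dataset)
    return {
        "subject": req.subject,
        "dataset": req.dataset,
        "sensitivity": ds.sensitivity.name if ds else "UNCLASSIFIED",
        "risk_score": risk_score(req),
        "decision": decision.name,
    }


if __name__ == "__main__":
    partner = AccessRequest("partner-app-42", frozenset({"partner-app"}), "customer_pii",
                            external=True, known_device=False)
    d = decide(partner)
    print(audit_record(partner, d))   # a partner app on a new device is challenged, not denied
```

The ordering matters: entitlement is checked before any risk scoring, so contextual signals can only tighten access, never grant it to a subject who has no business seeing the data set in the first place.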
To protect at-risk databases, database encryption must be implemented where feasible. The only exceptions should be sensitive applications, such as SAP, where the database format and structure are integral to the application itself. This is one reason why SAP security is becoming such a critical issue.
This simple but practical security measure will ensure maximum data protection, which is why it is mandated by almost all data-protection compliance standards around the world.