In 2015, 707 million data records were compromised, more than 80 000 every hour. With data’s increasing importance attracting cyber-criminals in swarms, old-style perimeter security is no longer adequate.
A new security mindset is required, delegates at the recent Data Security Summit heard. The event was hosted by Gemalto and IndigoCube.
Neil Cosser, African regional sales manager for the SafeNet product line at Gemalto, says that security has evolved over the years, from perimeter security through network security and then device security. Each of these has a role to play, but a more integrated approach is needed.
“One needs to accept that perimeter security, including device security, is no longer enough: breaches will occur, especially given the highly distributed business environments of today, thanks to the mobile revolution,” says Cosser. “The new security mindset looks inside, to establish what data needs protecting and where.”
This means encrypting the data while it is moving and where it is stored, whether in on-premise systems or in the cloud, notes Cosser. Other key steps include managing and securing cryptographic keys centrally, and controlling access to applications and systems rigorously in line with defined user requirements.
In his presentation, Godfrey Kutumela, head of cyber-security at IndigoCube, tackled the specialised question of SAP security. Kutumela argued that SAP’s extremely large footprint across the global business community meant that this was a critical issue.
SAP is the fastest-growing vendor of databases, and in 2013, McKinsey estimated that 74% of global transaction revenue touches an SAP system.
Of concern is that 95% of all SAP systems are vulnerable, according to a Virtual Forge benchmark report, in part because of the high levels of customisation. But, says Kutumela, encrypting SAP databases poses numerous challenges because the database is integral to the application.
“A better approach is tokenisation, by which a sensitive data element is substituted by a non-sensitive equivalent, referred to as a token, that has no extrinsic or exploitable meaning or value,” says Kutumela. “In this way, the vital data is protected in a separate, encrypted data store, while the application’s performance is unaffected because it has a token with the correctly formatted dummy value in its native SAP database. The encrypted data is only displayed when needed and after security processes have been followed.”
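The vault-based tokenisation described above can be sketched as follows. This is an added example, not code from the article, Gemalto or IndigoCube. The `TokenVault` class and the role names are hypothetical, and the in-memory dictionary stands in for the separate encrypted data store.

```python
import hashlib
import hmac
import secrets
import string


class TokenVault:
    """Vault-based tokenisation: the application database keeps only tokens."""

    def __init__(self, authorised_roles):
        self._key = secrets.token_bytes(32)  # keys the value -> token index
        self._by_token = {}    # token -> real value (stand-in for the encrypted store)
        self._by_digest = {}   # HMAC(value) -> token, so a repeated value reuses its token
        self._authorised = set(authorised_roles)

    def _digest(self, value):
        return hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()

    @staticmethod
    def _random_like(value):
        # Same length and character classes as the input; separators are kept.
        out = []
        for ch in value:
            if ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isalpha():
                pool = string.ascii_uppercase if ch.isupper() else string.ascii_lowercase
                out.append(secrets.choice(pool))
            else:
                out.append(ch)
        return "".join(out)

    def tokenise(self, value):
        digest = self._digest(value)
        if digest in self._by_digest:
            return self._by_digest[digest]
        for _ in range(1000):
            token = self._random_like(value)
            # Reject collisions and the unlikely case where the token equals the value.
            if token != value and token not in self._by_token:
                self._by_token[token] = value
                self._by_digest[digest] = token
                return token
        raise RuntimeError("token space exhausted for this format")

    def detokenise(self, token, role):
        # The real value is released only after the access check passes.
        if role not in self._authorised:
            raise PermissionError(f"role {role!r} may not detokenise")
        return self._by_token[token]
```

The token is drawn at random, not derived from the value, so it cannot be reversed without access to the vault.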