Data Encryption
Added by Jan Zelezinski, 5 months ago.
One of our Client Managers recently reminded our Chief Architect, Mandy Shaw that quite a few of our financial services customers are either needing to, or are currently upgrading their backup and archiving solutions so that data stored on tape is suitably encrypted for compliance/data protection reasons.
So said Chief Architect dropped me an email asking me to "blog" an answer to the topic, and as this, among other Information Management subject matters, is high on my "no brainer" list, here goes!!!
You've all seen the headlines in the news: well-run and highly respected companies are finding themselves the victims of stolen and lost data, affecting millions of employees and customers.
Data security breaches are on the rise, with over 100 million private records lost and over 15 million consumers impacted by identity theft in the last 12 months. There has been a tenfold increase in the volume and sophistication of malware over the last five years, and today's threats are much more nefarious (organized crime, espionage, etc.), so staying out of the headlines is a constant priority.
The ever increasing Regulatory Compliance burden and liability, damage control, customer loss and breach notification costs far outweigh any security expenditure, and not surprisingly, enterprises around the world are becoming increasingly concerned for the security of their data, and are looking for new solutions.
As technological capabilities evolve so do security risks. "Perimeter" security is not enough to protect the enterprise, so to guarantee the security of their sensitive information, organisations need security from the inside-out.
This statement, although US-orientated, says it all!!!
"Encrypt your backup tapes. It's smart, it's easy, it's cheap, and it'll keep you out of jail."
-Steve Duplessie, Founder, Enterprise Strategy Group
Data encryption is just one part of any security strategy, but it is probably the most critical if all of your other defences have been compromised: an effective encryption capability renders the data unusable to unauthorized individuals.
When considering encryption specifically, the practice of encrypting information that travels over publicly accessible networks is standard procedure today. The use of virtual private networks (VPNs), secure web sessions for sensitive transactions through Secure Sockets Layer (SSL), and secure login sessions via Secure Shell (SSH) are examples of encryption in use by millions of people every day.
These are all examples of securing "data in transit". The focus here is on preventing unauthorized snooping as data travels from point A to point B. The issue of securing "data at rest", whether it resides on disk, tape, or optical media, is a more recent concern. Data encryption can occur at the application, database, operating system or network level; in addition, for media to be shipped offsite, backup vendors also provide encryption capabilities.
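As an added illustration (not code from the original post or from any backup product), this is the kind of protection a backup tool applies to data at rest before it is shipped offsite: each backup record is sealed with AES-256-GCM, with the tape and record identifiers bound in as authenticated data, so a lost tape exposes only ciphertext and a modified or re-labelled record fails to restore. The key, record and label values are constructed samples.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealBackup encrypts one backup record before it goes to removable media:
// a lost tape holds only ciphertext, and the GCM tag makes a modified or
// re-labelled record fail to restore. Layout: nonce || ciphertext || tag.
func SealBackup(key, plaintext, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, label), nil // label is authenticated, not encrypted
}

// OpenBackup fails on a wrong key, a tampered record or a mismatched label.
func OpenBackup(key, sealed, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, fmt.Errorf("sealed record too short: %d bytes", len(sealed))
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], label)
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed demo key; real keys come from a key manager
	record := []byte("ACCT=12345678;NAME=Example Customer;BALANCE=1000.00") // constructed
	sealed, _ := SealBackup(key, record, []byte("TAPE-0001/record-42"))
	fmt.Printf("what a lost tape holds: %x\n", sealed)
}
```

The label is the piece most backup formats forget: without it, a sealed record can be silently restored in place of another one on a different tape.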
It should be clear that implementing data encryption requires planning and preparation. Getting started begins with developing the strategic policies concerning what data needs to be encrypted, and then identifying that data, and any copies of it, within the enterprise storage environment.
This all leads me to another of my "no brainer" topics, Data Classification and probably the next one in my new "Blog".
While encryption capabilities have been available for some time, few organizations have taken advantage of them. This is due in part to a lack of appreciation of the actual risk, and in part to technological limitations that made encryption impractical.
Awareness of the risk is no longer an issue, but implementation is a whole new ball game. The good news is that the products and the knowledge are available, so watch this space.
Comments
There are currently 2 comments about this blog.
Jan Zelezinski, 5 months ago
Your example beggars belief Victoria, and if the UK Security Services can't manage their information then just imagine what the state of information security is in the business world at large. Human error will always happen but measures can and are being taken but have to start at the top. This should include a clear understanding of the regulations that govern that particular business, risk assessments of processes and procedures and clear controls and education of staff on the handling of sensitive data. Then there's data classification into classes and how data should be handled including its final destruction. This will include the who, what, where, when and how data can be accessed, moved and shared. I've already spoken about encryption which can be applied to data at numerous points so that if data does leak out of the organisation, for whatever reason, it is still secure. The use of USB devices on PCs and laptops can be eliminated so human error can be minimized along with its impact to the reputation of the business. Deliberate and fraudulent activity is more difficult but with the right controls and audit tools in place this too can be handled. In heavily regulated organisations such as Financial and Pharma then this is second nature but as regulations spread wider and deeper, then the rest of the business world must take note or suffer the consequences as we have seen far too regularly in the press.
Victoria, 5 months ago
Really interesting article, Jan, especially in light of the current press coverage about the UK civil servant who apparently left top secret security papers on a train recently (http://news.bbc.co.uk/2/hi/uk_news/7449255.stm). Given that the individual in question apparently broke security protocols in leaving the documents on the train in the first place, what other recommendations would you have to help guard against human error?