
PGP Blogs


2007: The Year of Secure Data
02 Jan, 2007

One clinical definition of insanity is doing the same thing over and over while expecting a different outcome. When it comes to information security, 2006 proved this maxim. Based on the number of reported data breaches, it's clear that the classic methods of protecting confidential information aren't working as intended. From simple laptop theft to the kind of socially engineered breach experienced by ChoicePoint, the "bad guys" appear to be winning the war—and nearly all the battles.

Very few weeks of 2006 passed without a major corporation or government agency admitting that it had lost customer or personal data, through either benign carelessness or calculated larceny. If 2006 was the year of the data breach (and it clearly was), then we need to ensure that 2007 is the year of secure data. The time has clearly come to take a different approach to truly protecting the confidential information that drives our economy, entitlement programs, and health care delivery system.

General George Patton once referred to fixed fortifications as "monuments to the stupidity of man". Static filters and firewall-style solutions are certainly not stupid, but 2006 taught us that any organization depending on them alone to protect data is, at the very least, ill-prepared for the threats it now faces. The time has long since passed when we could assume that because we protect an organization's IT infrastructure and endpoints, the data residing behind that Maginot Line is safe. As many studies, including the updated 2006 CSI/FBI report (http://www.gocsi.com/forms/fbi/csi_fbi_survey.jhtml), have shown, the vast majority of data breaches occur inside the perimeter as defined by the firewalls, spam and spyware filters, and concrete bunkers in which all modern data centers reside.

Truly protecting confidential information now requires significantly more sophisticated tools than the fixed fortifications upon which many enterprises depend. Achieving this goal requires a holistic approach that protects data both in motion and at rest. The information must be protected in the data center storage farm, on mail servers, and on the increasing number of mobile devices now in use. It's no surprise that I believe persistent encryption is part of the solution, but you may be surprised to learn that I also believe even the best encryption tools are only part of the solution.

So, casting caution to the wind, I'll make a few predictions and recommendations that will hopefully provide some insight and actions that will help enterprises globally protect their confidential information in 2007.

1. Information leakage audits will become a standard corporate practice.
If you can't prove to your auditors and regulators that you're not exposing customer data, many will assume you are. There are now some terrific tools from companies like Vontu and Workshare that monitor communications traffic and tell you exactly which information is being exposed and how.

2. Regulators in the financial services and medical sectors will start to require that any laptops in use by the enterprises they regulate be completely encrypted. They won't require the same security on connected PDA devices until 2008, although they should do both now. Although we read about all the laptops stolen in 2006, we are only beginning to learn about the implications of deploying connected PDA devices and the exposures they create.

3. Personal financial and/or medical information from leading U.S. government officials will be breached and leaked. The fact of the matter is that it probably already has happened, given the breaches experienced by the Department of Defense and the VA last year. The only reason we haven't heard about it is that it didn't fall into the hands of anyone with ill intent. How many more times can we expect that to happen?

4. The U.S. Congress will finally deliver the personal privacy act all Americans deserve. Ironically, it won't be driven by my third prediction or by individuals clamoring for such a bill. Instead, it will be driven by the financial services sector that is essentially indemnifying all Americans against any financial losses due to identity theft. An equally strong driver will be the growing need to synchronize U.S. privacy regulations with the European Union and the patchwork of statutes currently in place at the state level.

5. Global enterprises will finally begin to view data security as an inherent component of IT infrastructure, not an add-on. To be completely secure, protection needs to sit at the endpoints and at the periphery of the infrastructure, and to travel with the data at all times. Therefore, we'll see a decline in the deployment of tactical point solutions and a shift to integrated key management and reporting platforms that give IT security officers visibility into data security across the enterprise.

- Phil
