The biggest threat to data security is underestimating the threat to data security. And, as IP networks become the de facto standard, ignoring reality will exact a heavy price down the road.
Assessing risk comes down to simple arithmetic: What is the data worth, and what is the damage if it is compromised? It makes sense that organizations dealing with highly sensitive data and proprietary intellectual property, such as customer financial information, national security information, highly competitive product development information, and patient medical records, must take a closer look at the vulnerability of their network. A single breach can wreak havoc in the long term. Lawsuits from customers, fines for non-compliance with government regulations, and degradation of an established brand are consequences that are very real, and often very difficult to overcome.
The way we conduct business today often creates holes in our IT systems, allowing new types of attacks that pose an unacceptable risk to data and intellectual property. These new types of attacks target holes in applications, in the processes used for data access, and in any place where valuable data lives. Data protection at the network layer can provide a hardened infrastructure to safeguard critical and confidential data in a way that other security technologies cannot. It can protect new and legacy applications at the same time, and it enforces security at the core of data protection: the data itself. Data protection, therefore, must be an essential layer of defense.
Data protection strategy
The concept of data protection as a primary layer of defense begs some questions. Should a company try to keep up with 2000 application and OS patches that may cover dozens of applications, or consider a different type of data protection solution? Perimeter defense is essential, but it does not protect against the risk that comes from insiders, so is it time to encrypt data-in-motion? What does a robust data protection strategy look like? And where can data protection be applied most effectively? How do you protect your business from intrusions that are happening every day but that you don't know about because they are not publicly disclosed?
Beyond the perimeter
The focus of traditional network security is on protecting the perimeter by deploying firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), anti-virus software, and identity management systems. These security measures do their part in preventing many known threats from entering the network. Relying on perimeter defense alone is not enough, however, when data travels inside the perimeter from one site to another over the core IP network, or when emerging threats are not detected by traditional network security techniques.
According to studies by CERT, the FBI, and InterGov, nearly 80 percent of security attacks now originate within the firewall and 50% of intrusions are not publicly disclosed. Organizations must look beyond perimeter defenses to a comprehensive, multi-layer security solution that provides defense in depth.
Layered defense and defense in depth
Looking back 15-20 years ago, when companies were first connecting their business to the Internet, people defended their infrastructures and their data at the perimeter, initially with firewalls and then with IDS/IPS systems. Even at the 2006 RSA conference, a primary focus was identity management and device validation. Federated management, tokens, and PKI are examples of products focused on proving who entities are and ensuring that they have adequate rights to access a resource or the infrastructure. NAC and NAP are examples of technologies designed to validate that a device has the right virus protection, software patches, and other items configured in order to join the network. Each of these layers relies on signatures and cryptographic techniques to provide its security.
Once the perimeter is fortified and people and devices are validated, there is still one additional step that security-conscious organizations deploy, and that is data protection. Data protection defends against intrusions that get past traditional security techniques and against threats from insiders, and it keeps the core business asset (specifically, the data) secure. It is the next step for a defense-in-depth security architecture.
Figure 1. Threat-focused security: Looking beyond the perimeter
Figure 2. Best practice for protecting data and IP: Layered Security for Compliance
The figure above shows the layered approach for protecting data. The best-practice, threat-focused security approach deploys a triple-layered defense that (1) controls access, (2) defends the infrastructure, and (3) protects data. Access control mechanisms (e.g. AAA, federated identity) and infrastructure defense mechanisms (e.g. firewall, IDS/IPS, anti-virus, content filtering) are important components of a comprehensive security infrastructure. But the foundation, missing in most architectures today, must be a robust data protection solution that secures data-in-motion as it travels the network. This is critical to a "defense-in-depth" network security strategy.
Patches are being issued in alarming numbers, and keeping up with them can be a nightmare. Furthermore, since only half of the breaches are reported, there will be many vulnerabilities for which no patch has been created. Companies should consider an alternative to reactive patchwork.
A robust data protection strategy must proactively secure data against network and application vulnerabilities. End-to-end encryption of data on the network provides a data protection overlay that eliminates the significant vulnerabilities in the network.
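The property the two paragraphs above rely on is that encrypting data-in-motion protects the data itself, independently of which application produced it and of whether an insider can see the traffic. The following Go program is an added illustration, not code from the original article or from any product it describes: it seals a constructed sample record with AES-256-GCM before it "crosses the network", shows that an observer of the wire bytes no longer sees the record, and shows that any modification in transit is rejected on receipt. The fixed all-zero key is a placeholder for a key that a real deployment would obtain from its key management system; the function names Seal, Open and Exposed are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Seal encrypts one payload for transit with AES-256-GCM (confidentiality
// plus an integrity tag). The wire format is nonce || ciphertext || tag,
// with a fresh random nonce for every message so that sealing the same
// record twice never produces the same bytes on the wire.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce we pass as dst.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open verifies the tag and decrypts. If even one bit of the ciphertext,
// nonce or tag was altered in transit, the tag check fails and no
// plaintext is released, so tampering is detected rather than silently
// accepted by the receiving application.
func Open(key, wire []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(wire) < ns+aead.Overhead() {
		return nil, errors.New("message too short to carry a nonce and tag")
	}
	return aead.Open(nil, wire[:ns], wire[ns:], nil)
}

// Exposed reports whether the sensitive record is readable in what an
// on-path observer (an insider with a network tap, for instance) sees.
func Exposed(wire, record []byte) bool {
	return bytes.Contains(wire, record)
}

func main() {
	// Placeholder key: a real deployment obtains this from a KMS, never a constant.
	key := make([]byte, 32)
	// Constructed sample record; the content is invented for this example.
	record := []byte("patient 4711: diagnosis on file, billing account 00-1234")

	wire, err := Seal(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("record visible on the wire in clear: %v\n", Exposed([]byte(record), record))
	fmt.Printf("record visible on the wire sealed:   %v\n", Exposed(wire, record))

	// Simulate an in-transit modification of the last byte (part of the tag).
	tampered := append([]byte(nil), wire...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := Open(key, tampered); err != nil {
		fmt.Println("tampered message rejected:", err)
	}

	got, err := Open(key, wire)
	if err != nil {
		panic(err)
	}
	fmt.Println("intact message recovered:", bytes.Equal(got, record))
}
```

The point of the overlay is visible in the two Exposed results: the same record that is fully readable when sent in clear is opaque once sealed, regardless of which application generated it, and the receiver learns of any tampering before the data reaches application logic. Key distribution and rotation, which the article does not cover, are what a real data-in-motion product layers on top of this primitive.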