The struggle to protect enterprise data

The struggle to protect enterprise data
The struggle to protect enterprise data 

By Matt Hines
June 25, 2007

Long ago, when businesses kept sensitive information locked away in file 
cabinets and safes, it was relatively cheap and easy to store valuable 
data and control who had access to it. Today, enterprises invest 
millions in security, storage, and compliance technologies -- all in the 
name of increasing visibility into where vital electronic information 
lives and how it is being defended.

Despite those efforts, most experts and customers admit that in most 
companies the process of tracking down every piece of valuable company 
data -- and applying the appropriate tools to shield information from 
unwanted access or misuse -- remains in its beginning stages.

The heart of the matter is visibility. Enterprises feel uncertain 
whether todays technologies are providing an accurate sense of where 
things stand or are merely creating a false sense of security.

Seeing blind spots

When forensic experts called in by businesses to investigate external 
data breaches and insider threats tell their stories, the traumatic 
events that lead to brand-trashing headlines and regulatory punishment 
are most often based in the business lack of knowledge of where its 
sensitive data is.

Enterprises are improving their ability to safeguard the stockpiles of 
sensitive information they know about, admit investigators, but many 
remain blind to additional stores of important data or the flawed 
processes they use to transmit information electronically. Both problems 
leave them vulnerable to leaks and attacks.

"In almost every case we've investigated where companies have 
experienced a serious data breach, the reality is that the companies 
didn't know they had the information where it was stolen from until it's 
too late and the data has been taken," says Bryan Sartin, vice president 
of investigative response at Cybertrust, a provider of managed security 
services that lists risk assessment among its specialties.

"We end up telling companies where they store their sensitive data after 
doing forensics when they've already had a breach," Sartin says. "In 
some cases it's clear that companies are only doing the bare minimum in 
terms of protection before one of these incidents, but the truth is that 
even with companies that are employing a lot of sound technologies and 
process they're still missing a lot of the important data repositories."

Making the job of such professionals even more difficult, Sartin says 
that clever hackers are already using anti-forensics techniques to hide 
their footprints and make it harder for investigators to trace ongoing 
data theft schemes.

Other security breach experts agree that businesses seem overwhelmed by 
the task of hunting down and protecting valued information.

"It's not that good companies aren't making an effort in this area; it 
just seems that they can't seem to find a way to locate the information 
and manage it in a way that allows them to do business and guard the 
data from every conceivable threat," says Kevin Mandia, chief executive 
of security service provider Mandiant.

"Even worse, in many companies it's clear that they are doing the bare 
minimum to try and meet regulatory demands for data protection, or 
simply to prove that they're doing enough to avoid having to report a 
breach publicly when it happens," he says.

The perils of self-diagnosis

In survey results to be published on June 25, analysts at Enterprise 
Strategy Group (ESG) found that one third of the 102 large companies 
they interviewed admitted a loss of sensitive data in the previous year, 
with another 11 percent uncertain whether or not their data stores had 
been violated.

In a nod to the challenge of engaging security processes that go beyond 
protecting networks from outside attacks, 58 percent of the IT workers 
surveyed by ESG say they believe that the most significant threat to 
their sensitive information comes from insiders, through both malicious 
and careless activity.

"The good news is that we are finding that people are recognizing the 
problem around identifying, protecting, and classifying confidential 
data and intellectual property, and are willing to dedicate more money 
to those efforts, but the bad news is that this is still very much a 
manual process," says Jon Oltsik, the ESG analyst who authored the 
report (which was sponsored by data protection technology vendor 

"Many companies clearly believe they are doing a good job, but the 
evidence of breaches and holes in their processes leads you to believe 
that there are many inaccurate delusions out there," Oltsik says.

"When you dig a little deeper and show them what type of data is stored 
on people's desktops and on file servers, most companies are surprised 
at the size of the problem," says the analyst. "The common thread in 
these companies is a lack of cooperation between different business 
constituencies. It is not just an IT problem, or a legal problem, or a 
business problem; and unless people view it as a corporatewide problem, 
their situation isn't going to improve."

IT consultants who are helping enterprises solve these problems concede 
that even the best companies are struggling to comprehend the scale of 
the data security issue.

As the volumes of information being maintained by large companies 
continue to grow exponentially -- in some case driven by compliance 
regulations such as the Sarbanes-Oxley Act and HIPAA -- businesses are 
challenged to stay abreast of the issue and gain true visibility into 
their operations.

"In general we find that companies have applied a lot of great 
technologies and feel that they are secure, but there's a general 
problem of not having enough of a budget to invest in even more tools 
that can be used to dig down further and gain better visibility into 
their operations," says Steve Suther, a senior information risk 
strategist at IT consultancy Getronics Business Solutions.

Before joining Getronics, Suther served as director of information 
security management at credit card giant American Express. Data security 
was a "huge problem" for Amex during his decade there, Suther says, as 
the company tried to protect itself and its customers while dealing with 
millions of service providers and merchants who processed its 
information and accessed its records.

Policing business partners is a monster challenge on its own. "One of 
the hardest areas to enforce your own information risk management 
programs, no matter how sound, is with third parties; even when 
companies can effectively map out all their internal business processes 
and identify who controls what, Suther says. It's still very difficult 
to get information about processes employed by third parties that may be 
touching the data."

Making progress

Despite all the hurdles, enterprise customers are moving forward and 
discovering tools and processes that will help them improve data 
security. Gus Tepper, vice president of software development at real 
estate financial services provider First American, says that incremental 
progress is important, even if it does not solve every data security 
headache overnight.

One of the first steps, says Tepper, is to get a better grip on which 
workers can access which repositories of sensitive information and to 
automate the process of granting and removing entitlements using more 
intelligent tools. This has proven vital in a company with close to 
40,000 employees, many of whom tend to shift responsibilities on a 
regular basis.

"We think that we've done a good job of making sure that data is secure 
from this perspective of access. Where most failures occur is around 
human process," Tepper says. "To the extent that you can automate and 
minimize threats via controlling access, this is some of the most 
important work I think any company can do.

First American installed encryption technology on all of its laptops to 
prevent someone from gaining data access if the machines are lost or 
stolen. It is also employing similar tools to obscure data stored on 
tape drives in offsite locations, and the company has bought into 
entitlement management software made by Securent to help its data 
governance efforts.

"When you're in a large company like ours with hundreds of applications 
and people moving between divisions, there is a lot of cleaning up that 
has to happen, as its easy to lose track of access privileges without a 
tool that gives you centralized management," Tepper says. "As far as the 
outside world having access, we really want to make sure that doesn't 
happen, and we have a lot of security technologies in place to address 
that. But by getting a better handle on internal access and all the 
processes needed to allow for that, we think our standing has improved 

The company also hired its first chief information security officer in 
2006 to give data protection a more prominent role in the overall 
management of its operations, he says.

Many large companies wish that they could start from scratch as they 
rearchitect their data protection strategies, but even those who can 
afford to concede that the nature of protecting the information they 
gather is daunting.

Marty Hodgett, chief information officer at Orchard Supply Hardware, a 
California-based retail chain with headquarters in San Jose, has been 
tasked with introducing IT into the company, which is hoping to grow 
into a national presence in the next few years

As the hardware chain brings workstations and new data harvesting 
systems into its operations -- which Hodgett classifies as lagging in 
the use of most modern IT equipment -- it will be an ongoing balancing 
act to empower the company with more data about its customers, 
employees, and suppliers while keeping a lid on sensitive information, 
he says.

Retail giant Sears currently owns roughly 80 percent of OSH, but the 
hardware chain is also working toward a spin-off from its parent 
company. "We've been relying on Sears for a lot of things, so now we're 
putting in our own financials, payment, and human resources systems, 
among others, on this journey to become independent and expand across 
the country," Hodgett says. "Today this process is all about risk 
mitigation. We know we're never going to get to zero, and you can go 
crazy if you try to consider everything at once, but a key part of 
building this IT foundation is considering data security at every turn."

One of the tools Hodgett has already employed is data leakage prevention 
software made by Provilla, to help safeguard sensitive employee and 
customer data against potential breaches, both intentional and 

"As we are moving up the technology curve and adding capabilities, we're 
trying to augment everything we do with additional mitigation techniques 
for risk," Hodgett says. "We're low-tech today, so the risk is low, but 
as we push the envelope and do things like introduce consumer credit 
cards, there will lots of demand to secure everything we have, as well 
as compliance demands."

Expert advice

With everyone from hardware makers to services providers trying to inset 
their wares into the enterprise security buying cycle, there is no 
shortage of strategic advice. For starters, Nick Mehta, senior director 
of product management at Symantec, suggests blending anti-malware 
applications with data discovery systems.

Mehta leads a team responsible for developing and marketing Symantec's 
Enterprise Vault technologies, a package of data archiving and security 
tools. "There will always be ways to circumvent protections, and 
companies will always have incidents, but you can get rid of a lot of 
the accidental issues such as missing encryption and broken business 
processes by employing technologies that identify and block those types 
of incidents," Mehta says.

On the hardware side, Intel has begun loading its products with 
additional security features, including the company's recently announced 
Active Management Technology, which is designed to help IT 
administrators remotely fix devices that have crashed due to malware or 
other attacks.

"From an IT operational level, I do think things are getting better, but 
there will always be a need for continued evolution in the nature that 
information is stored and protected," says Malcolm Harkins, an IT 
security director at Intel. "Protection starts with the classification 
of data and its criticality to a business. Once you do that you can 
specify controls based on tolerance for risk."

Executives at Imperva, a provider of security and compliance 
technologies used in corporate datacenters, say that past security 
investments make it tough to convince business leaders that new tools 
will actually solve the information protection problem.

"For the last 10 or 15 years, customers have been throwing technologies 
at these problems, and senior leadership often feels that these 
solutions haven't proven adequate, so every purchase needs to be 
defended over and over again," says Robin Matlock, general manager at 
Imperva. "IT departments need to show leaders where the problems exist 
and what new options are open to them to address the problems they have. 
And security vendors really do need to help customers continue to make 
their business case."

Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. 

Site design & layout copyright © 1986-2014 CodeGods