
Andrew Lintell and Malcolm Gardner from Celestix Networks: Data Centric Security - Ensuring Security Is More than Just Compliance

September 2010 by Andrew Lintell and Malcolm Gardner from Celestix Networks

Recent years have seen an explosion in the volume of data produced and relied on by business, and it continues to grow. The IDC forecast study [1] predicts that data volume will increase tenfold over the next few years, itself a significant increase over the preceding period. The data management challenges facing businesses are not just related to volume, but also to the nature of the information, its importance to the company itself, and the regulatory attention it receives.

The conflicting goals of data availability and security are also a consistent issue, particularly when applied to sensitive and high value information. High value data assets can contain a disparate range of confidential information sets that have specific value to the organisation such as earnings sheets, product designs, customer payment details, patent information and so on. Assets often require different levels of access and security related to the inherent value and sensitivity of their content.

To complicate matters further, compliance is increasingly high on the list of compelling drivers. Modern standards such as ISO 27001 require a Security Management System that is based on an assessment of risk, with technology and process applied to mitigate those risks.

However, not all data is the same. Information that is of high value to a company but is not subject to regulatory pressures such as the Data Protection Act is often overlooked. This information can be of such high strategic value that its compromise could have major financial or public relations implications, and possibly disastrous consequences for the company.

Understanding Data Types

When considering the different scenarios within which sensitive data are used, and the risks inherent in those scenarios, it is important to understand the different types of sensitive data an organisation holds. A recent Forrester study [2] examined the type and value of enterprise documents containing intellectual property, and found that they formed two tangible groups:

• Secrets – valuable confidential data such as financial reports, design documents and product roadmaps.

• Custodial Data – data held on behalf of others, such as banking data, patient data and legal contracts.

The value of each group differs according to how the data are used and why they are held. Proprietary company secrets generate revenue, increase profits and maintain competitive advantage. Custodial data such as customer, medical and payment card information has value because regulation or contracts make it toxic when spilled and costly to clean up.


Increasing Regulatory and Compliance Pressure

Recent changes to the Data Protection Act came into force on 6th April 2010 and are designed to deter data breaches. The Information Commissioner’s Office (ICO) is now able to order organisations to pay up to £500,000 as a penalty for serious breaches of the Data Protection Act. The power to impose a monetary penalty is designed to deal with the most serious personal data breaches and is part of the ICO’s overall regulatory toolkit which includes the power to serve an enforcement notice and the power to prosecute those involved in the unlawful trade in confidential personal data.

This drive for regulatory compliance has specific resonance for data that fall within the custodial group. Secret data, however, remains unaffected by it; such data is company specific, arguably of higher value, and carries higher consequences should it suffer a breach or leak.

It is also worth noting that increasingly competitive markets and sophisticated customers are putting pressure on companies to implement, and be assessed against, non-mandated standards like ISO 27001. Customers are becoming more aware and demanding that suppliers conform to recognised standards as they themselves become more attuned to the risks inherent in sharing their own data.

Compliant Doesn’t Mean Secure

Understanding and recognising the different types of data a business makes use of can help to redress the balance when deciding where data security investments are needed. Often a company will focus on trying to prevent accidents with custodial data, due to regulatory pressures, but an additional and often overlooked risk is the theft of sensitive company secrets, which carry a far higher intrinsic value.

Company secrets are the data asset “crown jewels” and represent the most sensitive activities from research and development, patent filings, mergers and acquisitions, financial and strategic direction. This information is of critical importance to the future success of the organisation. Keeping it safe should be the highest priority.

As compliance is focused on the appropriate use of custodial data, solutions that operate within that remit alone are frequently too narrow in their objective and overlook valuable data assets such as company secrets. When considering solutions for the protection of sensitive information, both data types should be considered and, where possible, processes combined in order to derive maximum return for the organisation. The combined effect of a carefully considered, purpose-built solution will deliver the requirements for both data types – security and compliance for custodial data, and secure sharing and control of company secrets.

Traditional Solutions Operate in Distinct Technology Areas

Until very recently there were a number of point security technologies that could help secure individual stages of the data “custody” chain, as shown in Figure 1. These technologies tended not to take into account the overall business process they were operating alongside and rarely gave an end-to-end solution: at some point valuable data was left exposed.

Figure 1. Traditional Technologies in the Information Custody Chain

While there are many point solutions that operate within each of these technology areas, all suffer from the same problems:

• At some point an item of data has to be unprotected in order for it to be used.

• Once an item is sent out from its owner and arrives with a recipient, control is lost.

• Information security risks tend to be associated with human activity (absent-mindedness leading to loss, malicious actions leading to theft, poorly designed business processes leading to compromise, etc.). These activities more often than not span more than one step of the custody chain, so technology-led solutions tend to be misaligned with the risks they are trying to mitigate.

• Following on from this, few of these solutions are designed to work together, creating expensive and complicated integration work or difficult-to-follow workflows, and making it difficult to demonstrate compliance.

Approach the Problem from Another Perspective: Think Data Centric

The reason that traditional solutions have the problems described above is that they focus on areas of technology, rather than starting with the higher level problem of mitigating the information security risks associated with the activities of business – they are an evolution of a less mature view of security.

What is required is a security paradigm that includes the following considerations (based on the sections discussed above):

• Secure both Secret and Custodial data with the same rigour

• Secure Information irrespective of where it lies within the custody chain

• Secure Information wherever it ends up

• Remove human error where possible

• Support compliance needs

• Be driven by the needs of doing business – using but not losing data.

A recent development in this field is the concept of truly “Data Centric” security. In this world view, individual items of data are secured irrespective of where they are held, in a fashion that allows the appropriate access to the appropriate person, wherever they are and whenever they attempt access. Rights can be varied by the owners of the data as circumstances dictate, and all actions relating to items are securely recorded for auditing purposes.

Conclusion

Compliance is a major item of spend within the security budget, but compliant data is not necessarily secured data when it comes to sensitive information. Enterprises need to consider placing more focus on securing the critical secrets that confer long-term competitive advantage, rather than just preventing accidents involving custodial data.

By coming at the problem from a point of view that considers the business requirements that lead to information risks and selecting systems and solutions that share this world view, businesses will be better placed to support the needs of compliance and address the security of their own secrets.

Enterprises should consider data-centric security technologies that provide a unified platform to protect both types of data. They should specifically be able to accommodate unstructured information, provide the correct level of access to necessary parties and place emphasis on retaining control of information at all times including throughout any collaboration processes or sharing. Files should also be secured with persistently applied measures, allowing the file to be always protected as its minimum state, and access controlled wherever it is used, sent or stored.

Celestix Networks is exhibiting at 360°IT, the IT Infrastructure Event held 22nd – 23rd September 2010, at Earl’s Court, London. The event provides an essential road map of technologies for the management and development of a flexible, secure and dynamic IT infrastructure. For further information please visit www.360itevent.com


1. The Diverse and Exploding Digital Universe, IDC, March 2008.

2. The Value of Corporate Secrets, Forrester, March 2010.

