Cyber-warfare is a grim reality increasing in its frequency and sophistication. Government and local agencies in particular are constantly targeted by cyberattacks that often result in significant data breaches. But they do not need to be left vulnerable. Several proven data protection technologies are available and of particular relevance to government organisations aiming to secure their systems against data breaches and cyber-attacks.
Industry concerns
Data has become a boardroom issue. We know all the paths of data access and the data types. Every CIO knows that if they don’t get security right, customers, employees and the institutions they work with can all suffer directly, and their role can be perceived as ineffective. Data is powering the transformation of businesses today. Data is powering a new wave of businesses.
The broad adoption of cloud and mobile computing, global and outsourced workforces, and the advent of Big Data are challenging Chief Information Security and Risk Officers to locate, track and protect sensitive and company confidential data while ensuring compliance with data residency and privacy regulations. The common question asked by CEOs and Boards of Directors, ‘How Secure Is Our Data?’, is often difficult or impossible to answer. Existing network-based security measures are insufficient as the definition of the perimeter is no longer valid. More and more users want access to all data wherever they are for better decisions and outcomes. The pace of technology evolution is faster than IT’s ability to keep resources up to date.
Therefore, a new data-centric security paradigm is required so that security teams can define data classification and use policies, including at the data’s source. These policies need to follow the data, independent of how it gets proliferated, who requests access, or where it persists, including in the cloud.
Data masking as a security enabler
Modern data security strategies therefore need to consider two layers: the layer where data is being stored and organised, and the layer where data is being retrieved. Data masking has emerged as a versatile technology for data storage. It is a method of camouflaging data in order to maintain confidentiality of data. The technique is used when the format or type of data needs to remain intact, but the actual data values must be hidden from a user or process.
For example, an organisation that has developed an application to report on its customer data may wish to send the application to a third-party consultant for testing. Wanting to test the application against the actual data set, but not wanting to reveal its customers’ names or addresses, the organisation first masks the data, and then sends the application and the masked data to the tester. With this, sensitive information fully remains within the organisation.
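The masking step in this scenario can be sketched as follows. This is an added example, not code from the original article or from any masking product: the column names, the sample rows and the key are constructed, and the keyed HMAC substitution is one possible technique chosen for illustration.

```python
import csv
import hashlib
import hmac
import io
import string

# Constructed sample data; names and addresses are invented.
SAMPLE_CSV = """customer_id,name,address,order_total
1001,Alice Moreau,12 Harbour Road,249.90
1002,Bob Tanaka,7 Elm Street,18.50
1001,Alice Moreau,12 Harbour Road,75.00
"""
SENSITIVE_FIELDS = ("name", "address")  # assumption: columns to hide


def mask_value(key: bytes, field: str, value: str) -> str:
    """Swap letters for letters and digits for digits; keep the layout.

    Replacements come from HMAC-SHA256 keyed with a secret that never
    leaves the organisation, so equal inputs mask to equal outputs
    (joins and duplicates still behave), but the result is one-way.
    """
    stream, counter = b"", 0
    while len(stream) < len(value):
        msg = f"{field}\x00{value}\x00{counter}".encode()
        stream += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    out = []
    for ch, b in zip(value, stream):
        if ch.isdigit():
            out.append(string.digits[b % 10])
        elif ch.isalpha():
            letter = string.ascii_lowercase[b % 26]
            out.append(letter.upper() if ch.isupper() else letter)
        else:
            out.append(ch)  # spaces and punctuation preserve the format
    return "".join(out)


def mask_csv(key: bytes, text: str) -> list[dict]:
    """Mask only the sensitive columns; other fields pass through."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        for field in SENSITIVE_FIELDS:
            row[field] = mask_value(key, field, row[field])
    return rows
```

The tester receives rows whose names and addresses have the original length, capitalisation and spacing but none of the original values, while `customer_id` and `order_total` are untouched so the reporting logic can still be exercised.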
Data masking may be offered as an option with database products, or third-party data-masking products can be purchased separately from vendors. Data masking may also be included as part of a data management service on a software-as-a-service (SaaS) platform.
In spite of the growing threat from targeted attacks and the general best practices, data masking deployment remains sporadic and even non-existent in otherwise highly secure organisations. Why? In the past, data masking techniques like encryption required a lot of processing power, limiting their usage. Additionally, many organisations found data masking tools too expensive for broad application. However, these long-held beliefs are no longer accurate, as faster and cheaper tools have emerged in recent years, making data masking an option for organisations of all sizes.
Why mobile security is so important
More and more data is being retrieved on mobile devices, and at the same time they are the top item left behind in taxis. International travel can also broaden the scope of mobile security threats and presents a further breadth of opportunities for cybersecurity.
Mobile devices replace the laptop in many cases, and they are being used as transaction processing devices, for example at the point of sale. For all of these reasons, having a strategy for protecting mobile devices or the applications that run on those devices and related sensitive information is critical in minimising the impact of a potential wider breach.
Here, two predominant areas have advanced over the last ten years: First, ‘Mobile Device Management’ solutions provide the ability to delete content on a mobile device based on certain events, such as a lost or stolen device or a device being tracked into a location where certain information is not allowed. An example of this is a retailer who gives its employees iPads to process transactions. If the iPad is taken from the store’s premises, the device including all data is automatically wiped, making it useless.
Another market that has expanded is data encryption and tokenisation. If certain data fields, such as credit card information, are stored from a mobile device, that data can be encrypted or tokenised on the device to minimise the scope of a PCI audit as well as to prevent a breach. Also, Virtual Private Network technologies that apply secure tunnel connections behind corporate firewalls have now been adapted to mobile devices. Given the devices’ increased computing capability, this does not impact performance too much. Plus, apps run reasonably well when using a VPN connection due to the high network bandwidth now available via cellular technology.
Threats on the horizon
Today, the biggest hazard an organisation faces is the lack of knowledgeable skillsets in mobile security and potential threats. Data security expertise has been one of those skillsets considered in serious shortage for some time now. Given the rapid change of the mobile device landscape, as soon as you invest in training your team on the latest threats, new technologies emerge that require more catch-up training. Also, given that consumers and the next generation of the entitled workforce have expectations that they can conduct business from their mobile devices, the pace of application development and rollout will accelerate faster than the security team can keep up.
It is imperative for vendors to work together to jointly create an optimum process to combat cybersecurity threats. Data integration products do not make security products redundant, but they can make them more effective by pointing them at the highest-risk data that needs to be protected. Data integration complements rather than competes with security technologies, and it is designed to help organisations narrow down where sensitive data resides, physically and logically. Only then can they prioritise which stores need to be better secured, with which types of security technologies.
So it is high time for all businesses to implement an adequate and efficient data security strategy. For this, the starting point should always be: what data do I store, where do I store that data and who has access to that data? Once a clear picture emerges of what happens to data where, when and by whom, its storage and retrieval can be made more secure. Data is increasingly perceived as a currency, and it should therefore be treated as such: by putting it in a safe place and making sure any exchange is authorised.