Until recently, the focus of network security was primarily on the perimeter. Organizations put their efforts toward keeping attackers out. However, the perimeter is no longer as easily defined as it once was, and, as a result, IT security teams are scrambling to plug all the holes.
A new paradigm is being adopted that looks beyond perimeter security to pervasive data security. Encryption strategies are critical for securing data today, but they must be deployed in a thorough, holistic way. Otherwise, data may be protected in one place but not in the other locations where copies of it live. That is a false sense of security that can lead to a data disaster.
Guest article by Peter Galvin, Vice President of Strategy, Thales e-Security
The Perimeter Has Changed
The shift in focus from securing the perimeter to the data within it is the result of the proliferation of connected devices in organizations today, from smartphones, tablets, and the IoT. Just a few years ago, the network perimeter was much more static and limited, but today, the perimeter is everywhere – and constantly moving.
As the workplace, and the devices and applications employees use, have become increasingly distributed, the focus has changed to protecting the data. Perimeter security is no longer sufficient for protecting sensitive or confidential data – especially in light of hackers’ demonstrated ability to breach network security.
The New Data Security Strategy
Creating a comprehensive strategy for data protection involves looking at not just financial data or payment information, but also at personally identifiable information (PII) that is valuable to criminals. This data demands the utmost protection. While someone stealing your credit card is a problem, you can always cancel the card – you can’t cancel your identity, or change your date of birth.
One of the ways organizations protect their data is through encryption. Every organization needs an encryption strategy, starting with the protection of its most confidential or sensitive information. When encrypting this data, key management must be simple enough to apply consistently: keys are generated, stored, rotated and retired under one set of controls, and kept separate from the data they protect. Encryption protects data only as well as its keys are protected; a key stored beside the ciphertext hands an attacker who reaches the data both at once. Done this way, no matter where your data is located, it is encrypted and the keys stay under your control.
A critical factor in protecting your sensitive data is knowing where it is. A big concern, however, as seen in the 2016 Global Encryption Trends study, is that over half of businesses (57 percent) do not know where their sensitive data resides. Many organizations fall into the trap of protecting data only where it lives in one particular system, while the same data exists in potentially many other places: backups, replicas, analytics exports, log files and developer test environments. If it is not protected everywhere, it is vulnerable. Organizations need to discover and inventory all their sensitive data, and ensure it is encrypted at rest, in use, and in transit.
It wasn’t long ago that organizations had an “I checked that box” mindset about data protection. But in light of the most recent hacks on high-profile organizations, data protection is a boardroom discussion – and we’ve seen what happens to senior executives who haven’t properly protected their sensitive data. In addition, customers are becoming more concerned about the safety of their data.
While organizations recognize that encryption is part of a robust data protection strategy, many still hesitate, because it can be challenging – but it doesn’t have to be.
Here are my five top pervasive encryption techniques to help maximize data protection:
- Get strategic. Do the upfront work of creating a comprehensive encryption strategy: an inventory of what data you are encrypting and where it lives, how you are managing your keys (generation, storage, rotation, revocation), and the policy controls that decide which users and applications may access each data set.
- Encrypt what you value. Encrypt everything that would be considered sensitive, and ensure it is encrypted in every phase of its lifecycle: at rest (including backups and replicas), in use (at the application or field level, so data is decrypted only where it is actually processed), and in transit (authenticated, encrypted connections on every hop, not just the public-facing edge).
- Use a hardware security module. If protecting sensitive data is your goal, a hardware security module provides the highest level of assurance: your most important keys (typically the master or key-encryption keys that wrap everything else) are generated and used inside a tamper-resistant hardware boundary and are never exported from it, so a compromise of the servers around it does not yield the keys.
- Create separation. Enforce separation of duties between network, application and security personnel through policy controls, so that the people who administer the network or the application cannot also administer the keys. Separating the security components from the network management and application user components is critical to ensuring that only the people who need access to a given system can obtain it, and that no single administrator can reach both the encrypted data and the key that unlocks it.
- Continue to monitor your strategy. Vulnerabilities evolve, so continually review your people, your processes, and your security posture. Build checks and balances into both the technology and the human processes around it, and keep evolving the strategy as new weaknesses come to light.
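The pattern behind the hardware security module and separation points above is envelope encryption: each record is encrypted under its own data-encryption key (DEK), the DEK is wrapped by a key-encryption key (KEK) that never leaves the HSM, and the wrapped DEK is stored beside the ciphertext. The Go program below is an added example written for this article, not code from Thales or from the author. Its HSM type is a software stand-in for a real HSM or KMS API (only the wrap and unwrap operations are exposed, the KEK itself is not); the type and function names, the "wrapped-dek" label and the sample record are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// randomBytes panics if the OS CSPRNG fails; there is no safe way to continue.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcmFor builds AES-GCM for a key; the only failure is a bad key length, i.e. a bug.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal encrypts with AES-GCM, binds aad, and returns nonce||ciphertext||tag.
func seal(key, plaintext, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// unseal reverses seal; a wrong key, altered ciphertext or different aad fails.
func unseal(key, blob, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], aad)
}

// HSM stands in for the trust boundary of a hardware security module (or a
// cloud KMS backed by one): the KEK is unexported and used only inside
// WrapKey/UnwrapKey, so callers get work done with the key but never see it.
// This is a software simulation for illustration, not a real HSM driver.
type HSM struct {
	kek []byte
}

// NewHSM generates a 256-bit KEK inside the boundary.
func NewHSM() *HSM { return &HSM{kek: randomBytes(32)} }

// WrapKey encrypts a data-encryption key under the KEK so the wrapped blob can
// sit beside the data it protects; UnwrapKey is the only way back.
func (h *HSM) WrapKey(dek []byte) []byte { return seal(h.kek, dek, []byte("wrapped-dek")) }
func (h *HSM) UnwrapKey(wrapped []byte) ([]byte, error) {
	return unseal(h.kek, wrapped, []byte("wrapped-dek"))
}

// Record is the unit written to storage: ciphertext plus its own wrapped DEK.
type Record struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// Encrypt applies envelope encryption: a fresh DEK per record, data sealed
// under the DEK, DEK wrapped by the HSM. The context (e.g. "customers.pii") is
// bound as AAD, so a copy of the ciphertext will not decrypt in another context.
func Encrypt(h *HSM, plaintext []byte, context string) *Record {
	dek := randomBytes(32)
	return &Record{
		WrappedDEK: h.WrapKey(dek),
		Ciphertext: seal(dek, plaintext, []byte(context)),
	}
}

// Decrypt needs both the HSM that holds the KEK and the original context.
func Decrypt(h *HSM, r *Record, context string) ([]byte, error) {
	dek, err := h.UnwrapKey(r.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return unseal(dek, r.Ciphertext, []byte(context))
}

func main() {
	h := NewHSM()
	rec := Encrypt(h, []byte("dob=1970-01-01"), "customers.pii") // constructed sample PII
	pt, _ := Decrypt(h, rec, "customers.pii")
	_, err := Decrypt(h, rec, "analytics.export")
	fmt.Printf("in place: %s\ncopied elsewhere: %v\n", pt, err)
}
```

Three properties follow from the design. The application never handles the KEK, so a compromised application host yields wrapped DEKs that are useless without the HSM; a record copied into a location it was not encrypted for fails authentication because the context is part of the AAD; and rotating the KEK means rewrapping the small DEK blobs rather than re-encrypting the bulk data, which is what keeps key management simple at scale.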
Peter Galvin is the VP, Strategy & Marketing, and a product and marketing strategist for Thales e-Security. With over two decades of experience in the high-tech industry, he has worked for Oracle, Inktomi, Openwave, Proofpoint, and SOASTA.