Data Security is like a great big onion–Part One

Another BLOG, another tenuous music link; if you’ve read much of my stuff in the past you’ll know that’s pretty much par for the course! Obviously this tune is one for the kids!!! Yep, my music playlist is right up to date!

What prompted the tenuous link on this occasion? Recently we have run a series of data security events with a number of our solution partners for a wide range of our customers (shameless plug: we have another event coming up in Manchester on 23rd April). As part of the event I ran a set of brief five-minute sessions that linked each of our topics together. The theme of the sessions was basically that data security is complicated and multi-layered, and is not fixed with one solution; there is no “silver bullet” to take care of all of our data security needs.

People seemed to find the inter-linking of the sessions quite useful, and one or two suggested that sharing it in a BLOG post would be a good idea, so here I am. Never one to disappoint on a customer request, I thought I’d share our set of layers, why each layer is important and what you may need to do to fix it. So get ready to wipe your eyes as we go chopping our way through the onion that is data security.

What do I mean by data security?

Perhaps a good starting point is what we actually mean when we say data security. Data security is a multi-layered and tricky problem, and it only becomes trickier as the amount of data we hold grows, along with the requirement to access it from an ever-widening range of devices and locations. The aim of these sessions was not to look at the more traditional areas many of us think of: this is not about perimeter security, AV or anti-spam. We have to assume our audience (and this includes you, dear reader!) are already taking precautions to protect data at these most basic points. What we are talking about here is how we govern and control access to our data, secure it from the middle to the edge, and minimise the chances of losing that data from our organisation.

Layers, Layers and more Layers

So as the title of this post suggests, we wanted to share with our attendees the multi-layered nature of the security issues we see. In the limited time available we couldn’t cover every area we possibly could, so we picked six (five shown below, one more to come later), looking from the very core of our data out to the data that lives outside of our networks on edge devices.


Hopefully the above areas make sense; now let’s drive a little further into the challenge presented in each of them:

Controlling access

At the very core of any data security strategy has to be an understanding of what our data looks like: where it is, what it is and who has access to it.


With a particular focus at this stage on our unstructured data, we find there are many questions IT departments, and ultimately the business, can’t answer:

  • Who has access?
  • Who is accessing, modifying, moving and deleting files?
  • Which files contain critical information?
  • Which data is exposed to too many people?
  • Who owns the data?
  • What data isn’t being used?

Here we looked, with our partner Varonis, at how the appropriate tools can provide deep insight into our data sets, so that we can answer all of these questions and, by doing so, provide a platform from which we can start to deliver true data governance and control over our key data sets.

To be honest, if we can’t even answer the above questions, any data security policies and controls are likely to fail.
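To make two of the questions above concrete, here is an added example (my own illustration, not a Varonis tool or anything from the event) that walks a POSIX directory tree and reports which files are exposed to too many people (readable by everyone on the system) and which files are not being used (no access or modification within an assumed 365-day threshold). The sample file names, permissions and timestamps in `demo()` are constructed for illustration.

```python
"""Added example: a small audit of a file tree for over-exposed and unused
files. The STALE_DAYS threshold and the sample tree are assumptions."""
import os
import stat
import tempfile
import time
from dataclasses import dataclass

STALE_DAYS = 365  # assumed threshold for "data that isn't being used"


@dataclass
class Finding:
    path: str
    owner_uid: int
    world_readable: bool   # readable by every account on the system
    group_readable: bool   # readable by the owning group
    days_since_use: int


def classify(path, st, now=None):
    """Turn one os.stat result into a Finding."""
    now = time.time() if now is None else now
    mode = st.st_mode
    # atime is often not updated (noatime/relatime mounts), so treat the later
    # of access and modification time as the last time the file was used.
    last_used = max(st.st_atime, st.st_mtime)
    return Finding(
        path=path,
        owner_uid=st.st_uid,
        world_readable=bool(mode & stat.S_IROTH),
        group_readable=bool(mode & stat.S_IRGRP),
        days_since_use=int((now - last_used) // 86400),
    )


def audit_tree(root, now=None, stale_days=STALE_DAYS):
    """Walk root and return (exposed, stale): two lists of Finding objects."""
    exposed, stale = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort
            if stat.S_ISLNK(st.st_mode):
                continue  # report the target, not the link
            finding = classify(path, st, now)
            if finding.world_readable:
                exposed.append(finding)
            if finding.days_since_use >= stale_days:
                stale.append(finding)
    return exposed, stale


def demo():
    """Build a constructed sample tree, audit it, and return the basenames
    flagged as exposed and as stale (sorted, so the result is easy to check)."""
    base = tempfile.mkdtemp(prefix="onion-audit-")
    now = time.time()
    samples = {  # name: (mode, last-used timestamp) - all constructed
        "payroll.xlsx": (0o644, now - 2 * 86400),          # exposed, recent
        "board-minutes.docx": (0o600, now - 400 * 86400),  # private, stale
        "old-export.csv": (0o644, now - 800 * 86400),      # exposed and stale
        "notes.txt": (0o640, now - 1 * 86400),             # group-only, recent
    }
    for name, (mode, used) in samples.items():
        path = os.path.join(base, name)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(path, mode)
        os.utime(path, (used, used))
    exposed, stale = audit_tree(base, now=now)
    return (sorted(os.path.basename(f.path) for f in exposed),
            sorted(os.path.basename(f.path) for f in stale))


if __name__ == "__main__":
    exposed_names, stale_names = demo()
    print("Exposed to everyone:", exposed_names)
    print("Not used in %d days:" % STALE_DAYS, stale_names)
```

Run it against a real share root instead of the constructed tree and the two lists are a starting answer to “which data is exposed to too many people?” and “what data isn’t being used?”; on Windows or NTFS shares the same idea applies, but the check has to read ACLs rather than POSIX mode bits.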

Driving Compliance

Now that we understand who has access to our unstructured data and what’s held within it, our next focus was how we ensure that we don’t just let the data slip out of our business by providing tools that freely let us take our data and quite happily send it wherever we like.

This led to one of my favourite presenter comments:

We spend all this time securing our data and data stores, we then say, here’s email, completely unrestricted, now send our sensitive data wherever you like!

I kind of like that view of the world though; we often focus many of our efforts on securing one area while leaving other doors completely wide open, a bit like buying the most expensive front door and locks, then leaving a key on the hook next to it!

So with a specific focus on email, why do we need to drive compliance and control of our mail solutions? Waterford Technologies were happy to share those considerations:

I think many of us look at archiving technologies and think, why bother? Storage is cheap, and email platforms like Exchange no longer have restrictions that force us to apply stringent limits to our email systems. To a point that’s correct; however, what is important is that we have control and understanding of exactly what is passing through our email system, in exactly the same way we do with our unstructured file stores.

There are a number of things we have to consider when it comes to email:

  • Compliance
    • Meet regulatory compliance (FSA, SOX, HIPAA)
    • Requirement to keep a copy of all E-mail (H/R, Company Policy)
  • Reporting and Monitoring
    • Monitor Acceptable Usage Policy (personal, inappropriate)
    • Report on email usage (Who, what, why, act!)
    • Improve Productivity (Educate users)
    • Protect IP (Prevent data leakage)
    • Provide Duty of Care to employees (Avoid HR/Legal issues)
  • E-Discovery
    • Respond to information requests (FOI, Regulator requests)
    • Legal issues (Protect against law suits)
    • Customer/Supplier contract issues (Resolve disputes)

The question this raises, of course, is how much of this do we need in our business, and are we currently delivering it, so that we can protect our data assets?

Ask yourself, how secure is your front door?

Keeping It Secure

In the last part of part one of our event, we moved our focus to our endpoints. Until then we had focussed on the core data: the data in our unstructured file storage and how we protect data in our structured applications such as email.

Once data leaves the safety of our core network, what do we do next? How are we keeping it secure once it moves to our plethora of devices, especially those devices which then leave the organisation: laptops, tablets, USB devices and smartphones (not forgetting the ever-growing range of cloud-based apps)? And we are talking here about users and devices that have appropriate access to our key corporate data.

One of the most useful weapons in our data security armoury is encryption. Most of the devices on which our data rests already have an encryption capability built in, from the enterprise desktop with BitLocker on Windows to the built-in encryption in iOS and Android devices; it’s there and usable, so why aren’t we using it, especially as a recent report showed that a quarter of all data loss from organisations is via accidental loss?

Our partners at WinMagic explained:

“Why don’t people encrypt all of their devices? – it’s perception, it’s too difficult to manage, it is a poor end user experience”

However, this aside, the importance of encryption shouldn’t be underestimated. If you take your data security at all seriously, then that data has to be secured, because accidents do happen and devices are lost or even stolen, but there is no reason that the data on those devices should be open season and available to all.

Of course, one area where data encryption is of particular interest to many is cloud storage. The ability to encrypt our data before it lands in our cloud storage repositories is an extremely attractive proposition, allowing our data to sit happily in the cloud, completely secured from any unwanted third-party eyes.
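To show what “encrypt before it lands in the cloud” means in practice, here is an added example of my own (not a WinMagic product or anything presented at the event). The client encrypts each object with AES-256-GCM under a key that never leaves the client, and binds the object name into the authentication tag so a blob that has been renamed or swapped on the provider side fails to decrypt. It assumes the third-party `cryptography` package is installed; the `CloudStore` class is a stand-in for a real bucket, and the file content is a constructed sample.

```python
"""Added example: client-side encryption before upload, so the provider only
ever holds ciphertext. Assumes the `cryptography` package; the "cloud" is an
in-memory dict standing in for a real object store."""
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the recommended size for GCM


class CloudStore:
    """Stand-in for an object store: it only ever sees what we upload."""

    def __init__(self):
        self.objects = {}

    def put(self, name, blob):
        self.objects[name] = blob

    def get(self, name):
        return self.objects[name]


def encrypt_object(key, name, plaintext):
    """Return nonce || ciphertext+tag. The object name is passed as associated
    data, so the tag only verifies when the blob is read back under that name."""
    nonce = os.urandom(NONCE_LEN)  # fresh per object; never reuse with a key
    return nonce + AESGCM(key).encrypt(nonce, plaintext, name.encode())


def decrypt_object(key, name, blob):
    """Inverse of encrypt_object; raises InvalidTag if blob or name was altered."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return AESGCM(key).decrypt(nonce, ct, name.encode())


def upload(store, key, name, plaintext):
    store.put(name, encrypt_object(key, name, plaintext))


def download(store, key, name):
    return decrypt_object(key, name, store.get(name))


def demo():
    """Upload a constructed document, read it back, then show that a blob
    re-filed under another name on the provider side is rejected."""
    key = AESGCM.generate_key(bit_length=256)  # held by the client only
    store = CloudStore()
    secret = b"Q3 board pack - constructed sample, not real data"
    upload(store, key, "board/q3.pdf", secret)
    stored = store.get("board/q3.pdf")
    roundtrip = download(store, key, "board/q3.pdf")
    store.put("board/q4.pdf", stored)  # provider-side rename or swap
    try:
        download(store, key, "board/q4.pdf")
        renamed_accepted = True
    except InvalidTag:
        renamed_accepted = False
    return {
        "provider_sees_plaintext": secret in stored,
        "roundtrip_ok": roundtrip == secret,
        "renamed_blob_accepted": renamed_accepted,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print("%-24s %s" % (check, result))
```

The property worth noting is where the key lives: the provider holds ciphertext and nothing else, so a breach of the bucket (or a curious administrator at the provider) yields nothing readable. The flip side is that losing the key loses the data, so key backup and escrow become part of the design rather than an afterthought.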

If you’re not encrypting data that leaves the safety of your internal network, then you are most definitely taking a risk; is it one worth taking?

It’s time for a KitKat

As that ended our first session, it seems a good point to split this BLOG post. As I said right at the beginning, Data Security is a great BIG onion, so big it needs two BLOG posts to cover it!!!

Hopefully in part one you’ve seen some of the things we need to consider as we protect our data in the core of our network, as we move into our structured applications and as we place data on our more mobile devices. In part two we’ll look at our endpoint devices in more detail as we focus on the management and control of them and tools for preventing loss of data from them, before we wrap up with how we control and manage all of that.

Hope this part of the onion chopping didn’t bring too many tears to your eyes; look out for part two, coming soon!
