A lot of people talk about good enough solutions. Think about when cellphones first came out. They were big, bulky and didn’t work very well. You would lose signal in the middle of a phone conversation and sometimes you might get it back. Even with those problems they provided convenience. The good outweighed the bad.
This same thinking doesn’t apply to security solutions. Having something that works 50% or even 90% of the time doesn’t cut it. Would you like car brakes that only worked 90% of the time? How about a pacemaker that didn’t do its job 10 or 20% of the time? You wouldn’t accept these part-time solutions, so you shouldn’t accept it in a security solution.
Conventional approaches to information security are based on protecting network and system boundaries. In today’s business world, it is almost impossible to define the boundaries of a corporate network as cloud computing and mobility are blurring those lines. We have entered the age of the borderless enterprise.
The new frontier for information security is the information or data. This isn’t really anything new, but the focus has changed a little. Even the title information security is a dead give-away. It’s not device or network security, but information security. The most important asset in your business, aside from your employees, is your information.
If you focus on protecting a laptop or tablet, you have only solved part of the problem. If someone steals your device, they don’t want the hardware, they want what’s on the hardware. They want your customer data, your financial information or your intellectual property. Whatever someone can use to make money or cause disruption to a business or market is valuable. Hardware devices are commodities. Your latest product plans and drawings are worth a lot more.
The big data breaches and thefts you hear about in the news, like Sony, Anthem and Target, are typically the result of hackers or other bad actors. According to a recent study by The Aberdeen Group on Enterprise Rights Management, “75% of respondents experienced one or more security-related incident in the last 12 months – and only 25% of these were the result of the successful exploit of a vulnerability by a malicious, external attacker. Three times as many were the result of simple human error, or the well-intentioned actions of users who were just trying to get their jobs done.” Whether an insider threat is accidental or malicious, the results are the same. Your perimeter defenses won’t help, since these people are already inside.
Many businesses look to move the security closer to the data. Full disk encryption and data loss prevention are examples of relatively inexpensive solutions that work well for their chosen aim. Full disk encryption protects against the loss or theft of all data as it is stored. Data loss prevention solutions try to intercept the transmission of sensitive information, but this is typically effective only on data that passes through the system and that meets policy at the time. These solutions do not protect against the use of the data by authenticated, and therefore legitimate, users who can do almost anything with it.
These are only part-time solutions, since it’s obvious that data breaches continue to occur. Generally lacking is the ability to pervasively and persistently control access to the data based on its sensitivity and the context in which it is accessed. You need a data-centric solution that can apply dynamic access rights based on your role in the organization and can limit specific actions, such as printing or editing a file. Applying this security at the point of creation or consumption provides the best control. You must protect, control, or delete data pervasively across organizational boundaries, and do this persistently throughout the entire lifecycle of the data.
Good enough security doesn’t work when you are trying to protect your business. If you don’t want to get burned, use a persistent and pervasive data protection solution that allows information to be protected at the point of use, no matter where it may be or on what device.
Photo credit Anthony Easton