Blog

Tag: persistent data-centric security

Data Loss Prevention, Classification and Persistent Data Security

Technology advancements and the rapid digitization of corporate information have made it easier for modern companies to conduct everyday business transactions. Today, business data is easier to access and share, giving companies the opportunity to reach more customers and conduct business more quickly. At the same time, the unprecedented volume of data created, accessed, shared and stored, and the variety of its sources, are forcing companies to re-evaluate their cyber-security approach. The collaborative nature of how business is done has extended the corporate perimeter. As a result, companies are seeing an ever-increasing need for higher visibility into their data and how their users access and use it, and a need to secure it using encryption.

Users at a typical company today have 10 times the applications they had 10 years ago, and they use multiple devices to create and use data and documents. Data is proliferating – users are localizing data that is kept in company repositories, copies of data are everywhere, and users are converting files to other formats, sharing them via file shares and virtual printers, copying them to portable devices, and emailing them.

Many companies that have turned to Data Loss Prevention (DLP) and encryption technologies in recent years have quickly come to the realization that some things are missing once the implementations and deployments of these technologies are completed. They realize that the DLP solution is missing the mark. They realize they don’t have a handle on where their “unstructured” data is and, worse yet, whether this data contains sensitive information. They realize they need to understand their data: who creates it, who uses it, its correct format, who its owner is and who its steward is. They realize that sensitive data must be protected end-to-end through its entire life-cycle, not just at rest and in motion but also in use, to ensure there are no security gaps.

Data classification is a technology many are turning to in hopes of optimizing their DLP investments. This is a very effective complementary technology if it is deployed correctly. However, it quickly becomes a real challenge when too many classifications are put in place. Furthermore, as users are given the ability to make a determination as to what classification to apply, the door is opened to the good old “user mistakes”. It is a wiser approach to have the data classification defined at the “administrator” level rather than getting into a mess by giving users this type of control.

Another technology that is popular these days is software that crawls around to help companies get insight on where their unstructured sensitive data is. When asked, most companies say they know where their sensitive data is, but lately this has been changing and many companies are admitting that unstructured data and copy data are a big security problem. The effort for sensitive data discovery goes hand in hand with most data projects in most companies that are realigning their security posture.

Lastly, most companies implementing data classification will see limited deployments and limited tangible benefits unless they also bring persistent data-centric security into the picture. Persistent data-centric security applies security to the data itself at creation time rather than to networks, servers, devices, or applications. With this approach, the access policy for authorized users travels with the data itself, regardless of where the data is and what network or device it is on.

By implementing technologies for data discovery, data classification and persistent security, companies are empowered to better protect their data without costly and painful headaches.

Keep employee information safe through persistent security

Hardly a week goes by without a new data breach making the headlines. Companies in different industries are constantly re-evaluating their security postures to determine how best to deal with the protection of sensitive and confidential data.

A lot of effort is focused on financial and customer data, but most companies overlook all of the sensitive employee information they possess and the risks associated with storing and accessing it.  This is a major area that seems to be neglected when it comes to protecting company information.

According to a recent survey titled “The State of Encryption Today”, employees’ data are not protected at the same level as business related or customer information.

Below are some interesting statistics provided by this survey:

•  Failure to consistently encrypt Human Resources files – 43%

•  Failure to consistently encrypt financial or banking details of company employees – 31%

•  Failure to encrypt healthcare information – 47%

These are significant numbers. While companies seem to concentrate on securing customer data to avoid hitting the headlines, the findings seem to point to the fact that protection of sensitive employee data is overlooked.

While companies accept and use encryption widely to ensure security, there are still some critical gaps. Encryption is mostly implemented to secure sensitive information at rest or in motion, but data in use is often overlooked, which leaves a significant threat gap.

Traditionally most of us associate Human Resources departments with benefits or 401K plans. In reality they possess and control so much more sensitive data – employee healthcare information, banking information, spouse and family information, salaries and resumes just to name a few.

The State of Encryption Today study goes on to point out that 75% of respondents said they need to improve how they encrypt sensitive information and 69% said they plan to increase use of encryption over the next two years.

Below are some sound and proven suggestions to consider when companies re-assess their security posture specifically around their Human Resources departments:

  • Encrypt sensitive data and apply security policies – ensure access only by authorized users, regardless of location or format
  • Encrypt sensitive employee benefit or healthcare information
  • Secure and control employee criminal background checks and drug testing information
  • Protect employee contracts and financial information
  • Secure files and access when an employee or a contractor leaves the company

Companies have the same obligation to protect sensitive employee information as they do with their customer or business related data.  Protecting sensitive employee data should not be overlooked as it requires the same rigor. Strong encryption and persistent security controls are highly effective tools that should be considered as companies re-evaluate their security policies.
