InfoSecurity India's First Magazine on Comprehensive IT Security
InfoSecurity Feb 2010
Cover Story
Maximizing Data Security:
Identifying The Critical Aspects

Data security has always been a challenging task for CIOs and CTOs. Organizations need to raise the level of protection for their sensitive data, and to do that they need to understand several aspects of data security: the major challenges, the emerging threats and, most importantly, an effective model that prevents data theft. This article addresses these critical aspects of data security.

As we begin 2010, we look at what the year will hold for data security challenges and solutions. Advances in technology have raised the contest between attackers and organizations and individuals to a new level. The ongoing battle between hackers and the teams defending sensitive information means that the techniques both sides used last year will be updated, and the better you can predict what the other side may do, the more likely you are to be prepared to defend against it.

With powerful and sophisticated tools, attackers have become far more aggressive and capable. With updated attacks and new functionality they are able to penetrate databases, and these sophisticated, blended mechanisms feed a rise in automated, indiscriminate attacks that no longer target a specific company but look for specific vulnerabilities wherever they may be.

“The security vendor should possess an end-to-end framework and solution coverage from both the business and IT security perspective.”

Gaurav Agarwal - Country Manager, Tivoli Software Group, IBM India/South Asia

The cost of a data breach rose last year to $204 per compromised customer record, according to the Ponemon Institute’s annual study. The average total cost of a breach rose from $6.65 million in 2008 to $6.75 million in 2009, and the per-record cost increased by just $2 over 2008. In the five years the Ponemon Institute has conducted the study, however, the per-record cost has risen from $138.

Major Challenges in Data Security

Data is the raw form of information stored in databases, network servers and personal computers. It may range from personal files and intellectual property to market analytics and sensitive company information, and much of it is not intended to leave the system. Unauthorized access to this data can cause serious problems for a large corporation and a home user alike: an individual whose bank account details are stolen is harmed just as much as the system administrator whose client database has just been copied.

Gaurav Agarwal - Country Manager, Tivoli Software Group, IBM India/South Asia, says “The assault on personal and confidential data in particular has driven numerous industry regulators and standards bodies to require more and more stringent security controls for data, both at rest and in use. In addition, data volumes are doubling every 18 months, further complicating efforts to provide secure storage of data, both onsite and offsite. Applications have become a primary attack point for data security breaches, with 75 percent of attacks directed at the Web application layer.”

“Organizations must go beyond the traditional understanding of security and look at a more advanced security operations function.”

Rajiv Chadha, Vice President, VeriSign India

The increased use of the internet for remote business applications, online data sharing and collaboration will present more opportunities for theft and data loss. Rajiv Chadha, Vice President, VeriSign India, says that today many web threats are designed to steal data from compromised computers, and that data leakage, whether malicious or accidental, is likely to become an ever larger concern, especially with the increasing use of mobile technologies.

Large-scale security breaches grabbed the news headlines in 2009, with external theft of data by cyber criminals and professional hackers on the rise. Alongside these external threats, it is important for companies to pay attention to the more insidious internal threat of data loss within the company’s perimeter. According to Abhinav Karnwal, Product Marketing Manager, APEC, Trend Micro, one of the major challenges is to protect confidential and sensitive information, which has a chance of falling into the wrong hands and poses new challenges for companies in managing it.

Contrary to common belief, security challenges do not change easily. Information security has always been and will always be about the protection of the confidentiality, integrity and availability of data. Vikram Gidwani, Sales Manager, Vasco India, says, “New technologies and business models may seem to create new security challenges, but it is in fact only the outlook of the challenges that changes. The essence of security challenges always remains the same.”

The foremost challenge is coming up with solutions that can be implemented with reasonable ease in existing applications and systems and do not require organizations to rebuild their systems from the ground up. Almost all organizations evolve over time and grow both organically and through acquisition. The result is IT systems that are hybrid in nature and store and process data in many places. This creates the requirement to find the critical data, classify it and protect it without spending considerable effort and cost. Some of these challenges are addressable with technology available today, while others require organizations to invest in re-engineering their processes and systems to align them with ongoing business needs.

“Defining clear security objectives is the starting point from where threats can be identified.”

Vikram Gidwani, Sales Manager, Vasco India

An important security challenge for many enterprises is caused by de-perimeterization, which refers to the blurring of the company network’s boundary. The boundaries of networks disappear more and more through the use of smart phones, laptops, wireless network connections, USB-devices, and the use of web services for business partners. De-perimeterization implies that security mechanisms must not only be implemented at the network boundary (e.g. using a firewall) but that there is a need for distributed security including authentication, encryption, etc. Again, this challenge is not new in 2010 but remains of significant importance.

A second challenge is referred to as identity and access management. Employees of a company need to use multiple applications, and therefore different usernames and authentication mechanisms. These applications require authentication mechanisms with varying strength. Identity and access management is required to allow employees efficient but also secure access to resources storing confidential data.

Finally, the growing importance of electronic information has caused governments around the world to enact legislation on its retention, use and destruction. This legislation, ranging from Sarbanes-Oxley (US) to the Bundesdatenschutzgesetz (Germany), requires companies to increase their compliance efforts.

The challenges that RSA foresees in the data security area for 2010 are:

  • Corporate becomes Dark-Cloud-Aware: While the Dark Cloud becomes more corporate-aware, CISOs will seek to gain better visibility into the Dark Cloud of cybercrime infrastructure and feed information such as stolen access credentials and compromised end points directly into their back-end monitoring systems.

  • Mobile banking fraud: more customers enroll in mobile banking, and more services are offered via mobile channels. Banks in Asia and Europe are already experiencing mobile Trojans and SMS redirection attacks. Banks will start funding the extension of their online banking protection to the mobile channel.

  • Corporate Web 2.0 based social engineering attacks: the enterprise develops web 2.0 functionality in order to support a growing internal demand, but this makes them an easier target for social engineering attacks that are combined with malware. We predict that cybercriminals will use web 2.0 applications for various objectives such as collecting corporate data, infecting multiple PCs within the network, and stealing employees’ private information in order to do identity theft.

  • Infection intensifies: the rate of the malware infection of personal computers was 10 times higher during 2009 compared to 2008. We project infection rates to further grow in 2010 as cybercriminals scale up their attacks and adapt to emerging defenses. Drive-by-download (taking over legitimate websites; routing visitors to an infection server) will continue to be a primary infection method, but social engineering attacks (e.g. spamming a victim’s entire social network “friend list” with links to infection servers) will intensify.

  • Trojans will become corporate-aware: today Trojans designed for financial fraud already record a massive amount of enterprise data, siphoning it off infected PCs. In 2010 we project that the Trojan operators will become more corporate-aware, and build specific triggers for recording sensitive corporate data, files and emails for future trade.

  • Hackers diverting their attention towards Indian enterprises: more and more Indian enterprises are coming under the fraudsters’ radar, with focused attacks designed especially for them. The number of such targeted attacks on Indian enterprises rose considerably during the past year and we expect the trend to continue this year.

Emerging Threats

“Without adequate policies and preventive measures, businesses can experience irreparable damage to reputation and customer loyalty due to large-scale data loss.”

Abhinav Karnwal, Product Marketing Manager, APEC, Trend Micro

New threats emerge continuously, but not completely unpredictably. Most new threats follow the introduction of new technologies, but the most dangerous ones come when those technologies become mainstream. IT security organizations have made substantial investments in technologies and processes that are effective in protecting the IT infrastructure from massive external attacks.

Data security is an ever-escalating problem. One of the attacker’s main tools is malicious software, or malware, which has evolved steadily in recent years. Malware was once mainly viruses and worms, digital pests that sometimes damaged personal computers and networks. Today it is more likely to be subtle and selective, nesting inside corporate networks, and it can be a tool for industrial espionage, transmitting digital copies of trade secrets, customer lists, future plans and more.

According to Abhinav Karnwal, the critical need now is to improve protection from today’s more-damaging targeted attacks. The IT security organization is also under pressure to reduce the possibility of sensitive data loss and to help the business satisfy the demands of internal and external auditors for multiple regulations. Technology delivery models are changing rapidly, too. The increased use of strategic outsourcing – including the outsourcing of application development (AD) – means that enterprises need to find ways to ensure the security of IT infrastructures, operations and applications that are not under their direct control.

“With more and more people opting to merge their working and home lives, the insider threat from employees is an important area to look into. Today employees spend a lot of time sharing personal and business information on social networking sites with ‘a trusting innocence’. This leaves them and the organization open to phishing and spam attacks,” Rajiv Chadha believes.

“Organizations must go beyond the traditional understanding of security and look at a more advanced security operations function.”

Vikas Desai, Lead Technology Consultant, India & SAARC, RSA

The hardest risks to detect within an organization are those posed by its employees and other insiders. RSA defines Insider Risk as the security risk an organization is exposed to by its internal users (employees, contractors, business partners) who have access to critical systems and confidential information. The threats can be deliberate (malicious) or unintentional. Vikas Desai, Lead Technology Consultant, India & SAARC, RSA, The Security Division of EMC, says, “Internal security risk is a complex and difficult challenge facing organizations today no matter what industry or region. Therefore, Data Loss Prevention is the only way to protect information in the organization and it is not a surprise that DLP is gaining plenty of ground in the region including India. Companies have already bought in on the value of DLP and are ready to engage; therefore I am anticipating that it will be a high priority for businesses in 2010.”

Following the trend of de-perimeterization, mobile devices (smart phones, PDAs, laptops, netbooks and so on) have become an issue for information security professionals. Mobile devices often hold a lot of sensitive company information, and theft and accidental loss of these devices, with the associated loss and compromise of confidential data, will become a more important security concern. Since smart phones and PDAs are becoming ever more popular, and since they are typically general-purpose, open platforms like ordinary computers, we will see a rise in mobile device malware. An iPhone worm capable of initiating a phishing attack against certain online banking websites has already been spotted in the wild; it spread only between jailbroken iPhones running an SSH service with the unchanged default root password, a reminder that the first control is simply not exposing a device’s remote services with default credentials.

Commenting on these emerging threat vectors, Vikram Gidwani says, “Social networking sites are likely to cause a further erosion of online privacy. Today these sites enjoy a certain level of trust which makes them fertile ground for identity thieves. Social networking sites provide a myriad of personal information, which is and will further be used to conduct attacks such as spamming and targeted phishing attacks.”

Internal Threats and External Threats

As the changing workplace opens up new ways for malware to enter the corporate network, corporations are exposed to greater risk of losing confidential data, both from external attacks, as well as from users and machines within the network. Infected machines can transmit data to cybercriminals using the Web as a delivery mechanism. Stolen laptops and mobile communications devices, lost USB drives, intercepted emails, information stealing malware, and hackers can threaten intellectual property and use your corporate data for criminal purposes.

With so many potential ways for sensitive data to escape from the enterprise without authorization, traditional anti-malware defenses may fall short when it comes to preventing data breaches. Without adequate policies and preventive measures, businesses can experience irreparable damage to reputation and customer loyalty due to large-scale data loss, not to mention the economic damages involved in clean-up and repair.

Identification of threats is an important part of sound security management practices in general. Identification of threats is a natural process that follows the definition of security objectives. Once the security objectives with respect to a certain asset, product or process are defined, it is natural to identify threats that may prevent these security objectives from being achieved. So defining clear security objectives is the starting point from where threats can be identified.

“Security is as good as the weakest link in the chain AND security is as good as the people managing it.”

Rana Gupta, Business Head, India & SAARC, Safenet

According to Rana Gupta, Business Head, India & SAARC, Safenet, most threats come from some sort of collaboration between the organization and its partner, vendor and customer ecosystem, as that leads to a virtual network. This creates opportunities for the exploitation of any gaping holes that are left open, either through improper implementation of security policies or through improper consideration of threat vectors.

Experts believe that threats are becoming more complex and are no longer direct: they have become blended, and this drains network resources. Spam, phishing and pharming attacks remain major concerns for organizations. Combined with the need for a high level of information security to safeguard digital assets, this is leading enterprises to seek help from security experts, as one solution does not suit all requirements.

Threats arising from within an organization are more dangerous than external attacks and are, unfortunately, almost always successful. External threats in the form of phishing, identity theft and Trojan attacks are also evolving rapidly. There are Trojans that change their signature in a matter of minutes, making them virtually undetectable by signature-based anti-virus software. There are Trojans that modify online transactions on the fly. There is also the emergence of botnets, where fraudsters compromise somebody’s PC and then use it to carry out fraudulent activity elsewhere.

There are two important trends to note here. First, technology advances (and simplifications) have made breaches increasingly difficult. Second, the people side of the equation: small errors have led to large-scale breaches, which are sometimes harder to manage than technology issues. The fact is that people are involved in keeping information secure, and it is critical that processes such as immediate termination of access when an employee leaves the organization are well oiled and working at all times.

With a majority of the population moving online for many purposes, users need to become more vigilant about the threats they face. To make themselves safer online, users should be aware of the following:

    • Visual clues: look at the URL in the browser. If it reads baank.com, you know the site is fake. Simple visual cues can indicate whether a site is what it claims to be, such as “https” in the address and, for sites that have bought an Extended Validation (EV SSL) certificate, the green address bar. These cues tell users that the site owner has invested in a digital certificate that ties the site to a verified organization and that customer information will be encrypted in transit. Note that https on its own only proves that the connection is encrypted and that the certificate matches the domain shown; it does not prove that the domain is the one you meant, so the URL still has to be read.

    • Too much information: Phishing sites frequently lure consumers through “urgent” e-mail alerts and then request personal information organizations should already have, or information they clearly do not need for account activity.

    • While shopping online, pay attention to the order form: when you place your order, the site should not ask for more than your name, shipping address, billing address, and credit card type, number and expiration date.
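The URL check in the first point above can be turned into a small tool. The Go program below is an added example, not part of the original article: it flags a URL that is not https, a registrable domain within two edits of a site on the user’s own allowlist (the baank.com case), and a trusted name that appears only as a subdomain of an unrelated domain. The allowlist entries, the sample URLs and the two-label domain rule are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed allowlist of the sites this user actually uses; the names are
// hypothetical and not taken from the article.
var knownSites = []string{"bank.com", "shop.example"}

// registrableDomain keeps the last two labels ("www.bank.com" -> "bank.com").
// Simplification: real code should use the Public Suffix List so that
// "bank.co.uk" is not reduced to "co.uk".
func registrableDomain(host string) string {
	labels := strings.Split(strings.ToLower(host), ".")
	if len(labels) <= 2 {
		return strings.Join(labels, ".")
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// levenshtein returns the edit distance between a and b; a small distance
// from a known domain is the "baank.com" pattern.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	cur := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			d := prev[j-1] // substitution (free if the runes match)
			if ra[i-1] != rb[j-1] {
				d++
			}
			if prev[j]+1 < d { // deletion
				d = prev[j] + 1
			}
			if cur[j-1]+1 < d { // insertion
				d = cur[j-1] + 1
			}
			cur[j] = d
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

// CheckURL returns warnings for a URL the user is about to trust. An empty
// result means no heuristic fired, not that the site is safe.
func CheckURL(raw string) []string {
	var warnings []string
	u, err := url.Parse(raw)
	if err != nil || u.Host == "" {
		return []string{"not a valid absolute URL"}
	}
	if u.Scheme != "https" {
		warnings = append(warnings, "connection is not https: the page and anything typed into it travel in the clear")
	}
	host := strings.ToLower(u.Hostname())
	dom := registrableDomain(host)
	for _, known := range knownSites {
		if dom == known {
			return warnings // the genuine site (possibly over plain http)
		}
	}
	for _, known := range knownSites {
		if d := levenshtein(dom, known); d <= 2 {
			warnings = append(warnings, fmt.Sprintf("%q differs from %q by %d character(s): possible look-alike domain", dom, known, d))
		}
		// "bank.com.secure-login.net" belongs to secure-login.net, whatever
		// the left-hand labels say.
		if strings.HasPrefix(host, known+".") || strings.Contains(host, "."+known+".") {
			warnings = append(warnings, fmt.Sprintf("%q appears only as a subdomain of the unrelated domain %q", known, dom))
		}
	}
	return warnings
}

func main() {
	for _, raw := range []string{"https://www.bank.com/login", "https://baank.com/login",
		"http://bank.com/", "https://bank.com.secure-login.net/"} { // constructed samples
		fmt.Println(raw, CheckURL(raw))
	}
}
```

Run it as is to see the four sample URLs classified. The edit-distance threshold will also flag some legitimate domains, and the two-label rule mishandles suffixes such as co.uk, so treat a warning as a prompt to look closer rather than a verdict, and an empty result as nothing more than the absence of these three signs.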

You know your machine has been hacked only when you see activity you did not expect. How do you know your house key has been duplicated? Only when you see the burglary. That is why you should make every effort to keep your machine on the latest software and patches, with up-to-date virus protection.

Defining Best Practices Model

The principle of “defense in depth” is an important principle in the field of data security in general. This principle means that data should not be protected by just a single security control, but rather by a range of independent security controls. This principle is often referred to as the “onion model”, as an onion consists of multiple layers.

The security controls themselves vary from technical controls (close to the actual data) to procedural controls. Consider, for instance, the protection of the confidentiality of data. In this case the first security control is most likely encryption of the data. However encrypting data shifts the problem to keeping cryptographic keys secure. Keys can be protected in multiple ways, for example by means of access control. Access control mechanisms assume that different people have different rights regarding the access to keys. This implies a procedure needs to be in place for granting and revoking access rights to people. This is probably not yet the end of the story, but hopefully this example illustrates that best security practices typically involve a layered combination of technical and procedural security controls.
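The layering in the paragraph above can be shown concretely. The Go program below is an added example, not from the article or any vendor it quotes: each record is encrypted with its own data key using AES-256-GCM, that data key is stored only wrapped under a key-encryption key held by a key service, and the key service unwraps keys only for principals on its access list, so a copy of the stored record is useless on its own and a change to the access list is what grants or revokes reading. The in-memory key service, the principal names and the access list are assumptions standing in for an HSM or managed key store and its policy.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyService stands in for an HSM or managed key store: it holds the KEK and
// decides who may use it. Principal names and the list are example assumptions.
type KeyService struct {
	kek     []byte
	allowed map[string]bool // principals permitted to unwrap data keys
}

// randBytes returns n bytes from the OS CSPRNG; failure is unrecoverable.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// NewKeyService generates a fresh KEK; maintaining the access list is the procedural layer.
func NewKeyService(allowed map[string]bool) *KeyService {
	return &KeyService{kek: randBytes(32), allowed: allowed}
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal: AES-256-GCM encrypt-and-authenticate; output is nonce||ciphertext||tag.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal and fails if the ciphertext or tag was altered.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// UnwrapKey releases a data key only to a listed principal; the KEK never leaves the service.
func (ks *KeyService) UnwrapKey(principal string, wrapped []byte) ([]byte, error) {
	if !ks.allowed[principal] {
		return nil, fmt.Errorf("access denied: %q may not unwrap data keys", principal)
	}
	return gcmOpen(ks.kek, wrapped, []byte("dek-v1"))
}

// EncryptRecord gives the record its own random data key (DEK), encrypts under it,
// and returns the ciphertext plus the DEK wrapped under the service's KEK.
func EncryptRecord(ks *KeyService, plaintext []byte) (ciphertext, wrappedDEK []byte, err error) {
	dek := randBytes(32)
	if ciphertext, err = gcmSeal(dek, plaintext, nil); err != nil {
		return nil, nil, err
	}
	if wrappedDEK, err = gcmSeal(ks.kek, dek, []byte("dek-v1")); err != nil { // anyone may write
		return nil, nil, err
	}
	return ciphertext, wrappedDEK, nil
}

// DecryptRecord succeeds only if the principal may unwrap the DEK and the ciphertext is intact.
func DecryptRecord(ks *KeyService, principal string, ciphertext, wrappedDEK []byte) ([]byte, error) {
	dek, err := ks.UnwrapKey(principal, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, ciphertext, nil)
}

func main() {
	ks := NewKeyService(map[string]bool{"billing-service": true})
	ct, wrapped, _ := EncryptRecord(ks, []byte("acct=1234567890;balance=42.00")) // constructed sample
	_, denied := DecryptRecord(ks, "intern-laptop", ct, wrapped)
	pt, _ := DecryptRecord(ks, "billing-service", ct, wrapped)
	fmt.Println(denied, "|", string(pt))
}
```

Running it prints the access-denied error for the unlisted principal and the recovered plaintext for the listed one. GCM also rejects any modification of the stored ciphertext, which covers integrity as well as confidentiality; in a real deployment the KEK stays inside the HSM, and the access list, the procedure for changing it and the audit trail of who unwrapped what are the outer layers of the onion.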

Safenet believes that there is no single “Best Practice Model” that fits all situations. One needs to understand the underlying importance of the data and the threat vectors it will be exposed to while working out the model. Of course, one can look at existing guidelines (PCI DSS is one) that give insight into using a combination of perimeter security, strong authentication and encryption of data to secure the data.

Information is growing at an exponential rate, and everyone plays a part in managing this flood of data. While enterprises are responsible for the security, privacy, reliability and compliance of 85% of information created, individuals need to be aware of the threats that exist to protect themselves from attacks that can potentially be harmful.

Based on more than 25 years of experience in the security industry, RSA has developed a strong understanding of the best practices that help prevent enterprise data loss. By following these best practices, companies can not only improve their ability to secure sensitive customer data, but also protect revenue, ensure customer loyalty, build brand value and meet government regulations. These best practices include:

  1. Understand what data is most sensitive to your business

  2. Know where your most sensitive data resides

  3. Understand the origin and nature of your risks

  4. Select the appropriate controls based on policy, risk, and where sensitive data resides

  5. Manage security centrally

  6. Audit security to constantly improve

A strategy that is information-centric and focuses on the risks involved would be very effective in addressing the various threats any organization faces today; to be implemented effectively, it also needs to be repeatable. Seclore Technology, on the other hand, feels that the best practice model should look at the life cycle of information. Information goes through a cycle of create-store-transmit/share-use-archive-delete, and best practices for each enterprise have to be evolved by looking at the flow of information through these stages. At each stage the information security needs have to be identified and a combination of technology, process and awareness implemented. Technologies such as Information Rights Management cut across the whole lifecycle and should be evaluated for completeness.

As organizations look to secure online interactions with employees, business partners and consumers, they balance compliance and fraud risk against the cost of rolling out authentication solutions. Apart from 2FA as an option, enterprises should look at implementing strong encryption solutions based on digital certificates that work in tandem with the existing ecosystem, covering email applications, endpoint security, data storage and others.

“The challenge is to look at the security of data through the lifecycle of create-store-share-use-archive-delete.”

Vishal Gupta, CEO, Seclore

Standalone or ‘Best of Breed’ Solution?

Companies, organizations and even individuals that face a certain security challenge should opt for the solution, or combination of solutions, that best meets their needs. The precise needs are dependent on the given context, but they are typically a combination of security, pricing and convenience requirements.

Experts believe that enterprises should implement a combination of traditional anti-malware defenses together with data leak prevention and data encryption technologies for complete data protection. By combining content filtering and encryption with endpoint security technologies, an organization can improve its ability to stop sensitive information from leaving. However, since technology alone cannot prevent all forms of confidential data from escaping, data leak prevention still has to be combined with data encryption so that any stolen information cannot be deciphered and used for malicious purposes.

Gaurav Agarwal, IBM India/South Asia, says, “It’s better to go for a single vendor rather than multiple vendors, so as to derive an integrated solution from a TCO perspective, post-deployment support, skills development and also better manageability of tools. Also, a security initiative is a journey and it is better to have a partner relationship model with a comprehensive security vendor rather than to go with point product vendors. The vendor should also be able to support customers on emerging and zero-day attacks and threats and keep up to speed.”

Two thoughts come to mind: security is as good as the weakest link in the chain, and security is as good as the people managing it. That said, given the availability of skilled resources, it is always better to go for proven “best of breed” solutions. In many cases, however, it is challenging for a customer either to allocate adequately trained staff capable of handling components from different vendors, or to justify the ROI of a “best of breed” solution that is expensive (and in such a situation the IT team will in any case not be equipped to deal with security components from different vendors). As an example, there is no point having a best-of-breed PKI system if the people managing and implementing it are unaware of the value of securing the root private key and store it on a hard disk instead of in an HSM or on an offline system.

Sanvei Overseas, a security consulting company, strongly believes that no single-vendor solution is comprehensive enough to protect large volumes of data from several threats. Multi-vendor solutions protecting different silos are harder to manage, but have advantages beyond a well-protected central infrastructure.

Looking Forward……

The potential of the data security market in India is huge, as most organizations still do not have a complete understanding of the various fraud risks they face, nor do they have an efficient strategy in place to manage those risks. According to Gartner, the Indian security market has been growing rapidly at a double-digit annual rate, and it forecasts a CAGR of 16.4% for the Indian security market from 2008 to 2013. The market has been experiencing positive growth, and the industry is hopeful that this fiscal year it will grow faster still and that vendors will continue to introduce new technologies regularly.

According to IBM, hackers (outsiders and insiders) find ways to misuse other people’s software. Initially this was done by exploiting vulnerabilities, but they are now finding ways to misappropriate software without a vulnerability. In parallel, attack vectors will move to focus on the application layer, including Web applications. Software as a Service will evolve to address data security requirements.

Vasco believes that the use of mobile devices creates new security risks, which data security vendors will have to counter. In addition, better protection of transactions is imperative, and the use of e-signatures is of the utmost importance. Sanvei Overseas, on the other hand, predicts that the data security market will head towards protection of end devices and of unwanted data sharing through public forums and collaboration websites. At the corporate level the market will move towards biometric authentication, layered authorization and multi-key access mechanisms.

—By: 'InfoSecurity' Bureau.



© 2006-07 'InfoSecurity' magazine. All rights reserved.