Data Integrity: The Core of Security

Data breaches at companies such as Target, Home Depot, Staples, Michaels, eBay, and Sony Pictures Entertainment are raising doubts about whether organizations are investing their security dollars in the right areas.

According to the Verizon Data Breach Investigations Report, 95 percent of data breaches are motivated by data exfiltration for material gain or corporate spying. Thus, it is questionable why we are putting so much effort into protecting the network perimeter rather than preventing data from leaving the organization or being modified. Considering the most recent data breaches, it appears that we’ve reached a tipping point that requires a new approach to information security which focuses on protecting the data itself, from the inside-out.

Companies spend huge sums of money every year to maintain a security perimeter designed to fend off cyber and insider threats. According to Gartner, worldwide spending on information security will reach $71.1 billion in 2014, an increase of 7.9 percent over 2013. Total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Other Gartner figures show that in 2013, average budget allocations for information security were 5.1% of the overall IT budget, up 8.5% from 2012.

However, the majority of investments are aimed at bolstering traditional perimeter security defenses, which is a losing battle. The cyber-attack on Sony Pictures Entertainment is a good example. Hackers were able to extract extremely sensitive data (e.g., movies, email, social security numbers of employees, etc.) despite an arsenal of security tools being in place.

Undeniably, data is the prime target for attackers. Therefore, if we can prevent data from leaving the organization or being modified, protecting against network breaches becomes less critical. Unfortunately, data is often left unsecured. For example, a quick web search for “data breach and unencrypted data” produces thousands of results that illustrate how many organizations fail to protect the integrity of their data and don’t even encrypt sensitive information.

In fact, a study by the California Attorney General points out that millions of residents had their personal information exposed, but that more than half of these incidents would have been easily avoided if the breached organizations had encrypted their data. A survey of 5,000 senior IT managers conducted by market research firm B2B International supports these findings, revealing that 35 percent of organizations worldwide don't use encryption to protect data.

This is the reason why more and more regulations and industry standards (e.g., COBIT 5, PCI DSS 3.0, FISMA) are mandating the concept of data integrity. Concerns over the lack of data encryption for instance have prompted New Jersey legislators to propose requiring health insurers to encrypt personal health data on all of their computers. The bill, A-3322/S-562, comes nearly a year after two laptops with unencrypted information were stolen from Horizon Blue Cross Blue Shield of New Jersey’s Newark headquarters.

If data is the end target point of cyber-attacks, what steps can be taken to implement a data integrity strategy to secure an organization’s most sensitive digital assets?

The objective of data integrity initiatives is to assure the correctness, completeness, wholeness, and soundness of data, and its consistency with the meaning intended by its authors. In the context of IT security, the goal is to prevent accidental, deliberate and unauthorized removal, insertion, modification, or destruction of data in a database. So what are the baseline best practices that organizations should put in place?

The first step is to classify data into categories that reflect the business need to protect them, such as “public”, “internal use”, “confidential”, and “top secret”. Unfortunately, data classification is often abandoned due to the manual efforts required to maintain the constantly changing classification states. However, emerging big data risk management systems come with so-called dynamic grouping capabilities that provide drag and drop capabilities to realign classifications and then propagate changes to all associated nodes.

Data classification will subsequently determine what data should be encrypted, which typically applies to all personally identifiable information (PII). Innovations in encryption technology over the past few years have eliminated many of its earlier performance and deployment roadblocks. Organizations should place special emphasis on developing well-documented and properly implemented encryption policies, which should be applied to all sensitive data, wherever it resides and however it is transmitted.

Access control is the Achilles' heel of many security programs, since practitioners have to balance data availability against unauthorized data usage (e.g., theft, disclosure, modification, destruction). Meanwhile, hackers often target privileged users since their accounts provide a beachhead into the entire network. Therefore, strict enforcement of well-defined access control policies and continuous monitoring of access paths to ensure they are working as intended are essential for the success of data integrity initiatives. To assist here, organizations should consider deploying big data risk management systems to assess the organization's risk posture, visualize the results, and prioritize remediation actions based on business criticality.

Last but not least, organizations should implement practices to certify uncorrupted data transmission. Worst-case scenarios here include the manipulation of stock market data by cyber-attackers before it is publicly disseminated.
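The classification, encryption-policy and transmission-integrity steps above can be tied together with a keyed integrity tag that travels with each record. The following Python example is added here for illustration and is not code from the article or its author; the record format, the classification labels and the market-data sample are constructed for the example, and the HMAC key is a placeholder that would come from a key management system in practice.

```python
import hashlib
import hmac
import json

# Classification labels from the article; records carrying these labels get
# an integrity tag before transmission (assumption: policy chosen for the example).
PROTECTED_LABELS = {"confidential", "top secret"}

# Placeholder key for the example only; a real deployment would fetch it from a KMS.
DEMO_KEY = b"example-key-not-for-production"


def needs_protection(record: dict) -> bool:
    """Classification drives the policy: only sensitive labels require a tag."""
    return record.get("classification") in PROTECTED_LABELS


def canonical(record: dict) -> bytes:
    """Deterministic serialization so sender and receiver tag identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def protect(record: dict, key: bytes) -> dict:
    """Attach an HMAC-SHA256 tag covering the whole record, label included,
    so that downgrading the classification or editing a field is detectable."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(envelope: dict, key: bytes) -> bool:
    """Recompute the tag on the receiving side; compare in constant time."""
    expected = hmac.new(key, canonical(envelope["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])


# Constructed sample: a market-data record awaiting public dissemination.
SAMPLE_RECORD = {"symbol": "ACME", "price": "42.10", "classification": "confidential"}


def demo() -> tuple:
    """Returns (intact_ok, tampered_price_ok, downgraded_label_ok)."""
    envelope = protect(SAMPLE_RECORD, DEMO_KEY)
    intact = verify(envelope, DEMO_KEY)
    tampered = {"record": dict(envelope["record"], price="4.21"), "tag": envelope["tag"]}
    downgraded = {"record": dict(envelope["record"], classification="public"), "tag": envelope["tag"]}
    return intact, verify(tampered, DEMO_KEY), verify(downgraded, DEMO_KEY)


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```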

When it comes to information security, 100 percent protection is unattainable. However, by supplementing traditional perimeter defense mechanisms with data integrity principles, organizations can significantly reduce their exposure to Sony-scale data breaches.

Torsten George is currently a cyber security evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).