Visibility into the Location and Nature of Sensitive Data—Key for a Strong Security Framework

Operating with blinders on, whether you are riding a bike, running a business or operating a technology enterprise, can be a recipe for serious trouble. And it’s that same safety-driven need for visibility that fuels the search for solutions to aid in discovering and ultimately protecting sensitive data.

If it’s true that “you don’t know what you’ve got ‘til it’s gone” then it must also follow that finding out exactly what you have, particularly when it comes to items of value, is a smart thing to do.

So, it’s safe to say that taking inventory of assets is a vital first step in setting up any kind of protection framework. After all, it’s not possible to accurately assign value to something until it’s been located, called out and described in detail.

Take a renter’s insurance policy, for example. Policyholders must accurately estimate the value of their personal property in order to make sure they are covered sufficiently. An heirloom-quality black cherry dining room set complete with hand-carved images can carry a very specific level of value. Musical instruments, English bone china and other items must be understood and described in detail if their value is to be properly assessed.

The owners of a neighborhood mom and pop grocery store need to carefully monitor inventory not only as a guide for re-ordering of popular items long before they run out but to stay on top of issues such as spoilage, breakage or perhaps theft.

After all, if patrons come to the store on repeated occasions only to find their favorite items out of stock, it won’t be long before they stop coming in, period—and that’s the kind of lost business scenario that causes deep concern for any small-business owner.

Certainly then, having a clear understanding of the nature, location and therefore the value of assets sits at the core of sound business practice.

The nature of those assets can run the gamut from soup to sweaters, trombones to tires or something more arcane, information technology-based and potentially more far reaching in its impact. Something like data.

Visible, Valuable and Viable

Data, while somewhat amorphous and conceptual when compared to a can of soup or a sweater, carries with it arguably even greater requirements for visibility and protection, since this is the kind of “inventory” that can cause substantial trouble if it falls into the wrong hands.

It is the very fundamental power of data that underscores one of the major challenges confronting IT organizations, i.e. being able to specify the exact location of critical data within the broad context of an enterprise.

As businesses have increased their reliance on access to data, the volume of that same data has also mushroomed, making accurate data discovery more important than ever.

Moreover, the sensitive nature of some of this data, whether it be trade secrets, employee information, customer information or other forms of personally identifiable information (PII), means that its discovery and protection have broad governance and risk management policy implications.

Driving these concerns are standards and regulations such as the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX) and the Gramm-Leach-Bliley Act (GLBA).

To varying degrees, these standards and regulations place requirements on organizations to protect data that is deemed to be private.

And the seemingly inexorable march of high-profile breaches has only heightened the concerns of government entities when it comes to protecting privacy and property.

Security Requirements Continue to Tighten

For example, on Thursday (October 20, 2011), the Securities and Exchange Commission (SEC) issued guidelines that tell companies to not only report cyber attacks but to disclose the steps they are taking in terms of remediation.

The SEC is also getting down to a very granular level when it comes to calling for organizations to reveal potentially painful data to investors. It has put companies on notice that they may need to factor cyber incidents into their estimates for such things as warranty liability, capitalized software costs, litigation, inventory, deferred revenue, and allowances for product returns.

It’s this reality that underscores the crucial nature of protecting against cyber attacks. Frequently, this involves locating and protecting enterprise databases that contain critical, sensitive and private information.

While organizations need to accurately assess data security, they also face the demands of operating in 24x7 environments.

And because the vast majority of database environments are critical to the operation of the businesses involved and geared towards maximum uptime, whenever a security framework is employed it must be done with an eye toward being as non-intrusive as possible, specifically with regard to ease and speed of installation and configuration.

But, as is often the case, security is also being called on to adapt to a shifting landscape, in the form of virtualization and the realities of the cloud.

New Technologies, New Benefits and New Challenges

The power and potential of virtualization and cloud computing have also carried with them an additional level of complication when it comes to data discovery, i.e. visibility into data assets for the purpose of protecting those assets.

Part of that shifting reality boils down to the way data centers have evolved into implementation platforms for making use of virtualization—certainly a profound benefit but this benefit carries with it the task of “finding” the data within those data centers in the cloud.

We’ve reached a point where the concept of the data center can include hundreds or maybe even thousands of database servers. Not only are these database servers large in terms of the raw numbers they represent but they can be widely dispersed on a global scale.

This widely dispersed nature, and the fact that virtualization means that servers can be provisioned and de-provisioned with great speed, also means that security frameworks are stretched to the limit, trying to play a technology version of “Where’s Waldo,” i.e. where are the servers, and therefore the databases and sensitive data contained therein?

Keeping Your Eyes on the Prize and the Sensitive Data

As we’ve seen, sensitive data that is out of sight is an invitation to trouble, since “out of sight” often means unprotected.

Better to discover your sensitive data before someone with ill intent does the job for you.

In addition to capabilities that have already been mentioned, it’s also important to make use of security technology that can scan multiple databases from a centralized location and that does not require detailed knowledge of specific database management systems. This ease-of-use characteristic removes stress from internal IT staffs that already have their plates full of important work to be done.

Finally, presenting findings in reports that are each tailored for different compliance standards is another necessity for taking pressure off of internal security and IT staffs.

All things considered, it’s obvious that what you can’t see and therefore don’t know about CAN hurt you, making visibility into sensitive data a must-have for a reliable security framework.

Eric Schou is a Group Product Marketing Manager at McAfee. He is currently a part of the Security Management Group. Before joining McAfee, Schou spent more than 15 years in the security and storage industry.