Data Security and Protection Strategy: Today’s Challenge
Data security and the challenge of data protection are increasing in scope—and difficulty. While organizations have long needed to safeguard intellectual property and confidential information, changes in information technology and business models introduce new actors, new threats, and new regulations. As a result, organizations need to think beyond the traditional models of securing the perimeter and locking down specific segments of IT infrastructure in order to formulate their data protection goals. Some inherent challenges include:
- Protecting others’ information as well as your own. Consumers’ increased awareness of security breaches and privacy issues in general brings into sharp focus the fact that almost any information can be stolen and misused. To sustain business relationships, organizations must be able to assure customers and partners that their information will be safe.
- Understanding who—and what—to trust. Organizations are steadily losing control over their systems and workforce. The trend toward virtualization, outsourcing, use of contract staff, and arrival of consumer devices in the workplace all make it harder for organizations to impose policies and monitor compliance. It is inevitable that sensitive information will exist in systems and devices or in the hands of users over which the organization has limited control.
- Staying ahead of attackers. The persistence and sophistication of attacks rise with the potential reward. Malicious individuals and malware—malicious programs—come in many varieties. The term Advanced Persistent Threats (APTs) has come to represent the most sophisticated forms of malware. Consumer data is an especially attractive target that tends to grab the headlines. But many other kinds of information, such as product formulas, business strategies, or other commercial secrets, are also at substantial risk.
- Knowing which regulations and standards apply. Governments and industry bodies have created laws, regulations, and standards to motivate organizations to protect the privacy and confidentiality of information. Responsibilities can vary widely by region and by industry, with many organizations facing multiple and inconsistent mandates, resulting in uncertainty and confusion. When faced with a security incident, ill-prepared organizations have little choice but to disclose everything—just in case.
Define Your Strategy
Most organizations today have some form of data protection in place, but are continually looking for ways to reduce risk. These three basic principles can help decision makers formulate effective data protection strategies for any type of organization:
- Take a data-centric approach. An important data protection best practice is to focus on the data itself. That may seem obvious until you consider that many security efforts focus on protecting a given application, building location, data center, machine room, or even a specific computer or storage device. Data protection is just that—protecting data—so organizations need to focus on the entire lifecycle of that data, from its first creation or acquisition by the organization to its destruction. Data can flow throughout an organization and end up in unexpected places—but still must be protected wherever it is at risk.
- Seek higher levels of assurance. Organizations are increasingly asked not merely if they are protecting data but also how well they protect it and how strong those protection mechanisms are; that is, with what level of assurance is data being protected? At its most basic level, high assurance means greater security implemented through procedures and technology—more checks and balances, more physical security to protect systems from tampering, and improved auditing. The downside to higher assurance is the classic security trade-off where efforts to increase security introduce bottlenecks and other sources of friction that can damage business continuity and drive up costs.
- Pick your battles carefully. To protect their budget as well as their data, organizations need to identify and analyze the kinds of risks they face, and prioritize data protection investments that result in the greatest risk mitigation. Sensitive and high-value information might require focused data protection efforts that do not necessarily align with external data protection mandates. It’s easy to be sucked into a compliance-driven mindset; organizations need instead to stand back and assess the big picture of data protection from a broader business perspective.
- Failure to deploy effective data protection measures can leave an organization open to attack, but building your plan before completing basic data discovery and classification will lead at best to a partial solution.
- Data protection goes beyond confidentiality and privacy; plans should also address threats to data integrity through modification or substitution that could result in follow-on attacks with much greater impact than the loss of individual data records.
- Data flows and usage patterns frequently span multiple organizational silos and management domains, making it difficult to establish consistency and sometimes exposing “air-gaps” or weak links between different security regimes.
- Deploying cumbersome security measures can result in needless tradeoffs between security and operational efficiency—or security and cost.
- Successful data protection is a moving target—ever-changing privacy regulations, new and advanced attack methods, and the shifting IT environment all drive the need to re-evaluate data protection strategies frequently.
Data Protection Strategy: Thales e-Security Solutions
All products and services from Thales e-Security have one goal: to help businesses, governments, and other organizations succeed in overcoming today’s and tomorrow’s complex data protection challenges. We provide proven security products and services that seek to maximize operational efficiency, minimize total cost of ownership, and keep organizations agile as requirements, regulations, and IT systems change over time. The bottom line: making a system more secure must not make it less reliable or scalable. No organization can afford that kind of security.
Thales solutions span five critical areas: hardware security modules (HSMs), network encryption, key management, time stamping, and identity management. We work closely not only with the businesses and governments that use our products and services, but also with many technology partners throughout the world—including OEM partners who embed our technology in their own products. We test our products with common security and business applications in order to pre-qualify our solutions and accelerate deployment for our customers. All our products are independently certified to meet FIPS, Common Criteria, or other security standards, enabling our customers to deploy effective data protection solutions with confidence.
Thales believes that bringing higher levels of assurance to business systems must go beyond just incremental improvement of security to minimize the disruption of business operations in the event of an attack. We help organizations minimize the risk of error, automate processes for greater efficiency, and recover more easily when incidents occur. Furthermore, we focus on system performance and scale by addressing bottlenecks that can be created by the introduction of cryptographic processes such as encryption and digital signing. By taking advantage of Thales products and expert consulting services to understand the spectrum of risk to their sensitive data and applications—and mitigate the most serious risks—many businesses and government agencies around the world are improving protection of their critical data assets and more effectively aligning operations with their strategic goals and obligations.
- Work with leading experts in data protection and key management.
- Take advantage of proven products in a broad range of data protection arenas.
- Increase confidence—rely on products that have been independently certified.
- Choose from a variety of deployment options—purchase only the capacity you need today, then upgrade easily over time as your needs change.
- Accelerate deployments—Thales works with a broad range of technology partners to ensure interoperability with leading commercial systems and applications.