Enterprise Strategy Group | Getting to the bigger truth.TM

Posts Tagged ‘data security’

What Will be Hot at RSA 2010?

Monday, February 22nd, 2010

In the midst of the global recession, I found the RSA 2009 Conference to be a big snooze. Not much was new and the show lacked focus.

I doubt whether this year’s conference will be as lethargic. Security spending is on the rise and new regulations around data protection and breach notification are making their way through Congress. With this as background, I believe the hot topics at this year’s conference will include:

  1. Network security. ESG’s research indicates that this is the biggest security priority for most large organizations. I expect to hear about virtual devices and lightning-fast multi-function security gateways. Good news for Cisco, Crossbeam, Fortinet, Juniper, and McAfee.
  2. Endpoint security. There seems to be a renaissance in this category as endpoint agents consolidate and offer enhanced security protection. Advantage Kaspersky, Sophos, and Symantec.
  3. Cloud security. There will be a lot of hype here about this security widget and the next, but the two really interesting things will be cloud security strategy (look for the good work done by the Cloud Security Alliance) and security SaaS. Cisco’s reputation service and Trend Micro’s Smart Protection Network are prototypical applications here.
  4. Identity management. I expect massive changes in this area over the next few years as models like OpenID, Shibboleth, and PKI as a service take off. Lots of folks to talk to here, including CA, IBM, Novell, Oracle (if Oracle will answer my calls, that is), and PGP.
  5. Data security. I’m hoping that the discussion is less about tactical technologies like DLP, eRM, and encryption and more about enterprise efforts around data security and information governance. HP and IBM will have a lot to say here.
  6. Cybersecurity. The Federal government is ramping up several efforts to bolster government security and improve security within critical infrastructure protection industries. Hopefully, I will have a chance to speak with DHS, US-CERT, and NSA about this.

The RSA Conference is a tale of two cities. Half of the people there are talking and learning about real security problems and strategies while the other half yaks about products. I’m hoping that my time is spent on the former.

Expect More Data Security Focus — and Legislation — in 2010

Monday, January 4th, 2010

According to the website datalossdb.org, there were a total of 436 publicly disclosed breaches in 2009, down from the disastrous 717 in 2008. Does this decrease represent real improvement? No — simply the luck of the draw. It wouldn’t surprise me a bit if 2010 was a banner year for data breaches. Heck, we are only 4 days in and there have already been two reported breaches — one at Larch County Correction Center (OR) and one at the TSA here in Boston.

While I’m afraid 2010 may be an especially bleak year for cybersecurity, there is a bit of good news with regard to data breach legislation.

First, there is significant momentum for this issue on Capitol Hill. In December, HR 2221, the Data Accountability and Trust Act (the DATA Act), passed a House vote. Of course, the Senate is working on its own similar legislation: S.1490, the Personal Data Privacy and Security Act (sponsored by Senator Leahy, D-VT), and its companion bill, S.139, the Data Breach Notification Act (sponsored by Senator Feinstein, D-CA). The two bodies of Congress have to somehow merge these bills into one cohesive piece of legislation, but I do expect this to happen by the summer.

Data breach legislation is by no means limited to the United States. The EU is contemplating new legislation that would cover all member countries. Canada recently passed tougher criminal penalties for identity theft. The UK already has the Data Protection Act 1998 and has recently backed it up with guidance for businesses and the public.

While the federal bills work their way through Congress, my home state of Massachusetts will finally enforce the most stringent state data protection regulation to date, 201 CMR 17.00. Yes, this regulation has been delayed several times and watered down a bit, but it is still a milestone.

So what does all this mean?

  1. Data privacy and security will be front and center in 2010. You are bound to see much more public debate and mainstream news as data security, breach notification, and legislation gain traction.
  2. Federal legislation will be the legal equivalent of a 1.0 software revision. Expect the Feds to compromise with lobbyists, misunderstand security technology, and leave loopholes in bills. For example, it is my understanding that the House bill only covers private data in electronic form; so if I print and steal a report with 100,000 Social Security Numbers, it is not considered a breach.
  3. Compliance will continue to drive security spending as large organizations sort through new global legislation. ESG recommends that CISOs stay on top of developments and prepare for changes proactively.
  4. Lots more compliance rhetoric from the tech industry.

As for security breaches themselves, all of this legislation will be fairly ineffective in the short term — there are simply too many vulnerabilities and threats at this point.  Nevertheless, more attention to data privacy and security is a welcome change since we’ve given these issues little more than lip service in the past.  As long as we view legislation as progress and not a data security panacea, it can only help.

The Top Three Risks to Confidential Data

Tuesday, December 8th, 2009

Confidential data (i.e. regulated data, private data, company confidential data, PII, etc.) is everywhere — on laptops, thumb drives, file servers, and enterprise storage devices. This also means that confidential data is at risk everywhere. In other words, my organization could suffer a data breach as a result of a stolen laptop, external hacking exploit, or lost box of backup tapes.

This represents an overwhelming situation for IT and security professionals. How can you possibly safeguard data when it is literally everywhere inside and outside of the enterprise?

There may be a glimmer of hope. ESG Research indicates that confidential data is most at risk based upon three factors:

1. Volume. If lots of people have access to confidential data it is more at risk than if only a few can see it. Likewise, if there are many copies of a file containing confidential data, it is more at risk than if a single copy exists in one known location.

2. Mobility. The more mobile the confidential data, the higher the risk of a confidential data breach. There are few examples of lost tapes in the data center but many data breaches related to lost tapes in transit.

3. Proximity to IT. Ten terabytes of confidential data stored in the data center is safer than a 1MB file on mobile laptops. In other words, the more IT oversight, the less risk.

These three risk factors can be a useful guide for security countermeasures. High-volume, mobile data must be surrounded by security safeguards in the form of user training, data security controls, and behavior monitoring. Authentication and entitlement management are also part of the solution.

At ESG, we created the “outside-in” security model, in which risk grows as a function of distance from the data center. It proposes different processes, training, and security technologies for five different security zones. The paper is available on the ESG website. I hope it helps to bring some order to the pervasive state of data security chaos.

Federal data breach highlights difficulties of data security

Friday, November 20th, 2009

In 2007, the Office of Management and Budget (OMB) instituted a security initiative called the Federal Desktop Core Configuration, or FDCC (OMB Memorandum M-07-11). FDCC is comprised of about 300 settings on Windows PCs. The objective is to create a standard federal desktop configuration that eases operations and improves security. All Federal agencies were required to implement FDCC settings by February 2008.

Fast forward to October 2009. The Washington Post breaks a story on a pending investigation of 30 lawmakers by the House Ethics Committee. Information about the Committee probe was inadvertently leaked from a junior staffer’s PC via peer-to-peer file sharing software (e.g., BitTorrent). Someone anonymously accessed the file and then forwarded it to the Post.

These two events illustrate part of the complex problem we face with data security. The feds went out of their way to define a Windows configuration that was “secure by default,” yet a junior staffer was able to either access a confidential file from an insecure computer or install peer-to-peer software on an FDCC-compliant system.

At a high level, here are some of the problems associated with this episode as well as potential ways to address them.

1. Data classification. The confidential file that leaked may not have been properly classified as such. This is a very common occurrence — employees have no idea that the data on their PCs may be private or regulated so they treat confidential documents the same as photographs, music, and other documents.

Possible solution. Improved data discovery and classification. Extensive and continuous user training. DLP/eRM software. Data encryption.
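As an added illustration of what “data discovery and classification” means in practice (this is example code written for this page, not a product or anything from the original post), the scanner below searches constructed sample documents for likely U.S. Social Security Numbers, discards numbers the SSA never issues to cut false positives, and assigns a handling class. The regex, the validity rules, the keyword list and the classification thresholds are all assumptions for the example; a real DLP engine carries many more detectors.

```python
"""Toy data-discovery scanner that flags likely U.S. Social Security Numbers
so a file can be classified as confidential before it leaves a PC.

Added example, not code from the original ESG post. The regex, the validity
rules, the classification thresholds and the sample documents are assumptions
for illustration; a real DLP product uses many more detectors.
"""
from __future__ import annotations
import re

# ddd-dd-dddd, ddd dd dddd or ddddddddd; the backreference forces one consistent
# separator and the lookarounds stop matches inside longer digit runs.
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")

# Keywords whose presence raises confidence that a match really is an SSN (assumed list).
CONTEXT_WORDS = ("ssn", "social security", "tax id")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues, which removes most false positives.

    Area 000, 666 and 900-999 are never assigned; group 00 and serial 0000 are
    never assigned; 078-05-1120 is the 'Woolworth wallet' number printed on
    sample cards in the 1930s and still found in test data and advertising.
    """
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return f"{area}-{group}-{serial}" != "078-05-1120"


def find_ssns(text: str) -> list[str]:
    """Return the plausible SSNs in text, normalised to ddd-dd-dddd, in order."""
    return [
        f"{area}-{group}-{serial}"
        for area, _sep, group, serial in SSN_RE.findall(text)
        if is_plausible_ssn(area, group, serial)
    ]


def classify(text: str) -> str:
    """Map a document to a handling class (thresholds are assumptions).

    'confidential' when it holds three or more plausible SSNs, or at least one
    next to a context keyword; 'internal' otherwise.
    """
    ssns = find_ssns(text)
    has_context = any(w in text.lower() for w in CONTEXT_WORDS)
    if len(ssns) >= 3 or (ssns and has_context):
        return "confidential"
    return "internal"


def scan_documents(docs: dict[str, str]) -> dict[str, str]:
    """Classify every document; returns {name: class}."""
    return {name: classify(body) for name, body in docs.items()}


# Constructed sample documents (not real data; the numbers are made up).
SAMPLE_DOCS = {
    "committee_roster.txt": (
        "Staff roster for committee review\n"
        "J. Doe  SSN 212-34-5678  ext 4401\n"
        "R. Roe  SSN 345-67-8901  ext 4402\n"
        "M. Moe  SSN 123-45-6789  ext 4403\n"
    ),
    "lake_photos_readme.txt": "Photos from the lake. Call me at 617-555-0123 or 6175550123.\n",
    "sample_card_ad.txt": "The sample card in the ad shows 078-05-1120.\n",
    "order_export.csv": "order,amount\n900123456,12.50\n",
}

if __name__ == "__main__":
    for name, label in scan_documents(SAMPLE_DOCS).items():
        print(f"{label:12s} {name}")
```

The phone numbers, the order ID and the advertising number all survive without a false positive only because of the lookarounds and the SSA issuance rules; drop either and the classifier starts labelling ordinary files confidential, which is the usual reason DLP deployments get switched off.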

2. PC administration. While FDCC provides secure PC provisioning, users may be able to download and install vulnerable software and thus open doors to the outside world.

Possible solution. Lock down configurations and avoid giving users administrator privileges. Log changes to PC configurations and generate alerts when rogue software is installed. Create and enforce an application whitelist. Educate users.
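To show what “log changes and alert on rogue software” and “enforce an application whitelist” look like when wired together, here is an added example (my own code for this page, not the FDCC’s or any vendor’s) that runs constructed install events through a deny-by-default allow list and raises two kinds of alert: a rogue install, and an install performed by an interactive user who holds administrator rights. The key=value event format, the allow list, the deny patterns and the service-account list are all assumptions; they loosely mirror the shape of MSI install events and AppLocker publisher/path rules but are not either.

```python
"""Toy allow-list audit over software-install events from Windows PCs.

Added example, not code from the original ESG post or the FDCC programme. The
key=value event format, the allow list, the deny patterns and the sample
events are all constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class InstallEvent:
    host: str
    user: str
    is_admin: bool      # did the installing account hold administrator rights?
    product: str
    publisher: str      # signer name; empty when the package is unsigned
    path: str


# Policy (assumed): deny by default, explicit denies win over any allow rule.
ALLOWED_PUBLISHERS = {"Microsoft Corporation", "Symantec Corporation"}
ALLOWED_PATH_PREFIXES = ("C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Windows\\")
DENIED_PRODUCT_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (r"torrent", r"limewire", r"p2p")]
SERVICE_ACCOUNTS = {"svc_deploy"}   # accounts expected to install with admin rights

LINE_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> InstallEvent:
    """Parse one key=value line; quoted values may contain spaces."""
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in LINE_RE.finditer(line)}
    return InstallEvent(
        host=fields["host"], user=fields["user"],
        is_admin=fields["admin"].lower() == "true",
        product=fields["product"], publisher=fields["publisher"], path=fields["path"],
    )


def evaluate(ev: InstallEvent) -> tuple[str, str]:
    """Allow-list decision for one install: returns (verdict, reason)."""
    if any(p.search(ev.product) for p in DENIED_PRODUCT_PATTERNS):
        return "deny", "matches explicit peer-to-peer deny rule"
    if ev.publisher in ALLOWED_PUBLISHERS:
        return "allow", "signed by allowed publisher"
    if ev.path.startswith(ALLOWED_PATH_PREFIXES):
        # A path rule trusts the OS to keep Program Files writable only by
        # administrators; it is only as strong as the admin boundary itself.
        return "allow", "installed under a trusted path"
    return "deny", "unknown publisher outside trusted paths"


def alerts_for(ev: InstallEvent) -> list[str]:
    """Alerts an operator should see for this event (possibly none)."""
    verdict, reason = evaluate(ev)
    out = []
    if verdict == "deny":
        out.append(f"ROGUE SOFTWARE: {ev.user} installed '{ev.product}' ({reason})")
    if ev.is_admin and ev.user not in SERVICE_ACCOUNTS:
        out.append(f"PRIVILEGED INSTALL: interactive user {ev.user} holds admin rights")
    return out


def audit(log: str) -> dict[str, list[str]]:
    """Run every event through the policy; returns {host: [alerts]} for hosts with findings."""
    findings = {}
    for line in log.strip().splitlines():
        ev = parse_event(line)
        for alert in alerts_for(ev):
            findings.setdefault(ev.host, []).append(alert)
    return findings


# Constructed sample events (not real log data; hosts and users are invented).
SAMPLE_LOG = r"""
host=HOUSE-PC-17 user=jstaffer admin=false product="Microsoft Office 2007" publisher="Microsoft Corporation" path="C:\Program Files\Microsoft Office\OFFICE12\WINWORD.EXE"
host=HOUSE-PC-17 user=jstaffer admin=true product="BitTorrent 6.4" publisher="BitTorrent Inc." path="C:\Users\jstaffer\AppData\Roaming\BitTorrent\bittorrent.exe"
host=HOUSE-PC-22 user=svc_deploy admin=true product="Symantec Endpoint Protection" publisher="Symantec Corporation" path="C:\Program Files\Symantec\Smc.exe"
host=HOUSE-PC-09 user=rroe admin=false product="Free Screensaver Pack" publisher="" path="C:\Users\rroe\Downloads\screensavers.exe"
host=HOUSE-PC-09 user=rroe admin=true product="PDF Tool 3.1" publisher="Acme Software" path="C:\Program Files\PDF Tool\pdftool.exe"
"""

if __name__ == "__main__":
    for host, alerts in audit(SAMPLE_LOG).items():
        for a in alerts:
            print(host, a)
```

The last sample event is the one worth studying: the unknown “PDF Tool” is allowed purely because it landed under Program Files, and it could only land there because the user had administrator rights. That is the connection between the two halves of the advice above: an application whitelist built on path rules is hollow unless ordinary users are denied administrator privileges, so the privileged-install alert is not a nicety but the control that keeps the whitelist honest.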

3. Data leakage. The junior staffer may have wanted to work at home, so she innocently saved a confidential file on a portable storage device and then copied it onto an insecure system.

Possible solution. Port controls, restricted use of portable media (i.e., authorized encrypted devices only), DLP/eRM software, user training.

I have no idea whether the junior staffer in question had an FDCC-approved PC configuration, but in this case it doesn’t matter. The leak was a combination of poor PC administration, a lack of specific data security controls, and either non-existent or incomplete user training.

This is a great example of the old saying that security is a process and not a product. The FDCC is a great start but it needs to be surrounded by a culture of secure IT administration and regular user training. Without these other changes, we should not be surprised with the continuous epidemic of data breaches.

© 2010 Enterprise Strategy Group, Milford, MA 01757