Ensuring the Security of Stored Data

By Jodi Mardesich

A good security strategy not only protects against attacks, but also safeguards corporate data residing behind firewalls -- on network servers, desktops, even laptops. While CIOs put stringent strategies in place to patch operating systems and secure the perimeters of the network, many often unknowingly leave the data inside vulnerable.

Recent high-profile embarrassments underscore the high stakes of securing corporate data. ChoicePoint, a data vendor, admitted that personal information for about 145,000 people may have been stolen by scam artists posing as customers with legitimate access to their own data. The incident could spur legislation to regulate companies that collect and sell sensitive data.

This sort of threat to data doesn't have to come from hackers. During a routine physical transfer of tapes to a data backup center, Bank of America lost backup tapes containing the private information -- including Social Security and credit card numbers -- of hundreds of thousands of customers. It is not known whether the data on the lost tapes was encrypted. The effects of this data loss are far reaching. Not only does it harm individual customers by compromising their data; it compromises the reputation of the company. The potential harm to the companies involved, in terms of negative press and financial losses, can be staggering.

CIOs must ensure their companies use security best practices to prevent theft of sensitive corporate assets. A comprehensive storage security strategy involves creating policies to safeguard data, auditing network security, and using technological measures, especially encryption, to protect those assets.

Putting a strategy in place

To safeguard corporate data, CIOs must be extremely vigilant about how data can be accessed. CIOs can help prevent unauthorized access to company data by implementing physical access controls, data network transport protection, host defenses, and system and applications authorization, according to Rich Mogull, director of research for the Gartner Group.
 
Protection strategies should also extend to secondary storage such as tape media. CIOs need to ensure that only authorized users access tape media that is rotated, remotely stored, transported, or handled by third parties, Mogull says.

Perform an audit

In addition, CIOs should perform regular audits of their security practices. Such audits may include determining the sensitivity of the data and the level of security necessary to protect it. Passwords should be safeguarded and changed regularly, or whenever new technology is introduced. CIOs should also establish a specific policy for data management, backup, and audit frequency.

It is also important to consider internal access to corporate data. Gartner estimates that 70 percent of security incidents that cause loss involve insiders. If an insider has trusted access to corporate systems, that means he or she is inside the firewall -- where perimeter-based defenses won't detect the attack.

Determine how the data should be safeguarded
 
Extremely sensitive data -- such as confidential customer information and credit card numbers -- should be encrypted before being designated for storage. Not all data must be encrypted, however, according to Mogull.

"Use encryption to protect only data that moves, physically or electronically, or to enforce segregation of duties for administrators, for example, encrypting credit card numbers in a database to prevent database administrators from seeing them," he says.

According to Mogull, encryption should be used as a primary security technology on laptops or portable storage devices containing sensitive data, on backup tapes containing sensitive data, and for credit card numbers in databases.

Dealing with compliance

Companies in certain industries, such as healthcare, must ensure that their data backup, storage, and recovery policies comply with government regulations. The Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act (HIPAA) require more stringent corporate governance and controls. The Sarbanes-Oxley Act requires corporations to be financially accountable; it doesn't specify how long specific data should be stored, or how, but because it does require integrity of data, it is motivating CIOs to determine their own policies and to be more vigilant about backing up and storing corporate information. High-profile incidents, such as ChoicePoint's recent data compromise, could spur lawmakers to act. Gartner says that regulation is an effective way to deal with these kinds of data thefts, because consumers themselves have no power to drive changes.

Technology-centered data protection

As the Yankee Group has observed, storage networks have become more complex and have matured to the point that they require additional perimeter, as well as internal, security services to ensure data integrity. More than 70 percent of Global 2000 companies have deployed storage area networks, or SANs, according to the researcher. Different technology products can help safeguard corporate data. These include access controls, content monitoring and filtering software, and encryption:

  • Access controls: Corporations must institute security policies regarding who can access databases, and there must be monitoring software to discover and record who has accessed data.

  • Content monitoring and filtering software: Tools from various vendors watch the way content is accessed -- via email, instant message, and file transfer protocol (FTP), for example -- and inspect the content for policy violations. Some tools block or quarantine violations, while others offer the ability to block outbound email.

  • Encryption: The process of encrypting information is an added line of defense. If a database is accessed, or if intruders obtain access to a storage device, encryption renders the data unreadable to anyone who does not have the proper key.
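The two encryption points above -- Mogull's advice to encrypt credit card numbers in a database so that administrators cannot see them, and the observation that encrypted data is unreadable to anyone without the proper key -- are easiest to understand with a concrete model. The following Go program is an added illustration written for this page; it is not code from the article, from Gartner, or from any vendor mentioned. It assumes a hypothetical application that seals each card number with AES-256-GCM before the row is written, using a key the application tier (not the database host) holds. The in-memory `CardStore` stands in for the database table, and the card number is a constructed, well-known test value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// CardRecord is the row shape the application writes to the database.
// Only the sealed card number is stored, so an administrator with full
// read access to the table sees ciphertext, never the card number.
type CardRecord struct {
	CustomerID string
	CardSealed string // base64(nonce || AES-256-GCM ciphertext and tag)
}

// CardStore is a constructed in-memory stand-in for the database table.
type CardStore map[string]CardRecord

// NewDataKey generates a fresh 256-bit AES key. In a real deployment the
// key is held by the application tier or a key manager owned by a team
// separate from the database administrators.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newAEAD builds the AES-GCM primitive for a given key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals plaintext under key. The associated data (aad) is
// authenticated but not encrypted; binding it to the customer id means a
// ciphertext copied into another customer's row fails to decrypt.
func EncryptField(key []byte, plaintext, aad string) (string, error) {
	gcm, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nil, nonce, []byte(plaintext), []byte(aad))
	return base64.StdEncoding.EncodeToString(append(nonce, sealed...)), nil
}

// DecryptField reverses EncryptField. Tampering with the ciphertext, the
// nonce, or the associated data is rejected by the GCM tag check.
func DecryptField(key []byte, encoded, aad string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	gcm, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, []byte(aad))
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// StoreCard encrypts in the application before the row is written; the
// database only ever receives CardSealed.
func (s CardStore) StoreCard(key []byte, customerID, cardNumber string) error {
	sealed, err := EncryptField(key, cardNumber, customerID)
	if err != nil {
		return err
	}
	s[customerID] = CardRecord{CustomerID: customerID, CardSealed: sealed}
	return nil
}

// LoadCard is the application read path: only a holder of the key recovers
// the card number.
func (s CardStore) LoadCard(key []byte, customerID string) (string, error) {
	rec, ok := s[customerID]
	if !ok {
		return "", errors.New("no such customer")
	}
	return DecryptField(key, rec.CardSealed, customerID)
}

// AdminSees models what a DBA querying the table directly gets back: the
// stored columns as they are, with no key involved.
func (s CardStore) AdminSees() []string {
	var rows []string
	for _, r := range s {
		rows = append(rows, r.CustomerID+" | "+r.CardSealed)
	}
	return rows
}

func main() {
	key, _ := NewDataKey()
	store := CardStore{}
	// Constructed sample value: a standard test card number, not a real card.
	_ = store.StoreCard(key, "cust-1001", "4111111111111111")
	fmt.Println("DBA view:        ", store.AdminSees())
	pan, err := store.LoadCard(key, "cust-1001")
	fmt.Println("application view:", pan, err)
}
```

The same seal/open pair applies unchanged to the other cases Mogull lists: a backup tape or laptop disk encrypted this way is just a larger field, and whoever finds the lost tape is in the same position as the administrator here. The design choice worth noting is the associated data: tying each ciphertext to its row key means that a copied or swapped ciphertext is detected rather than silently decrypted, which is the segregation-of-duties property the article is after.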

Putting a storage security plan into place and adhering to security policies can help CIOs guard against threats, and keep companies compliant with ever-growing regulatory requirements.

Jodi Mardesich writes about business and is a former staff writer for Fortune.

CIO Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.
