By Ivan Milman
Data Security: Maximizing the business value of data means securing it comprehensively
As organizations strive to get the highest possible value from IT assets, it’s natural for them to focus on the most valuable asset of all: data. That’s why data security has never been a hotter topic than it is today.
Consider the following trends:
- There’s more data, in more repositories, than ever before.
- Yesterday’s hackers, motivated by curiosity or mischief, have increasingly been replaced by criminal enterprises motivated by profit.
- Because data is leveraged inside organizations in more ways, for more services, than before, it’s harder to track that use — and prevent abuse by privileged insiders.
- Government regulations specify how sensitive data should be monitored and managed; more emerge every year.
Viewed from these perspectives, one can see that data is, in a sense, a two-sided coin: it creates business value, but it also represents a significant potential liability. Minimizing that liability in a cost-effective way is what data security is all about.
Best practices for developing a first-class strategy
What’s the best way for organizations to get their arms around such a complex and multifaceted challenge? IBM has a number of recommendations.
First, understand where data, especially sensitive data, exists — and that’s a job that’s rapidly getting more complex as data flows unpredictably through virtualized infrastructures or even outside company walls completely, to a public cloud.
Second, safeguard sensitive data, both structured and unstructured. By structured, we mean data in databases; unstructured data is everything else. Policy-based solutions that apply access rights based on job roles/groups or specific identities are essential to this task.
Third, don’t forget that sensitive data may exist outside the production environment. Any complete data security strategy will need to handle that data, too (and many don’t).
Fourth, make sure that as circumstances change — data becomes more sensitive, new attack vectors emerge, employees enter and leave the organization, etc. — your security strategy can change in parallel.
Fifth, it’s important to not just achieve compliance with all the relevant government regulations, but also be able to demonstrate that — quickly and completely — in the event of an audit.
A few recommendations for real-world data security
Moving from abstract best practices like that to an up-and-running implementation will, of course, require thinking through a number of specific issues.
For instance, consider the question of data discovery. Organizations can’t comprehensively protect data (both structured and unstructured) unless they’re fully aware of it, everywhere it occurs in the infrastructure. Ferreting it out, however, is no simple task. And the more manual a task it is, the higher the odds that some data will be overlooked — ultimately meaning it will be unprotected. Best-in-class data security solutions, for this reason, should be able to help you pursue this job in a smart and automated fashion that not only finds data, but also establishes the relationships between different kinds of data — all in a fast, cost-efficient and complete way.
Protecting up-and-running databases is similarly critical. You should think of the potential for abuse not just in terms of hackers or criminal organizations, but also in terms of your own database administrators — who’s watching the watchmen? You’ll need to find a way to monitor all database activity, of all users, ensuring that only the right people get access to data, and then with the right access privileges. But it’s also important that this monitoring take the smallest possible toll on system performance and business productivity.
Data redaction — the partial filtering of data to suit different contexts — is another excellent way to improve data security. If you’ve ever seen a spy movie in which classified documents had certain text blacked out, you’re familiar with this idea, which applies very naturally to the business world. Not everyone in a call center, for example, needs complete access to customer social security numbers; perhaps only the last four digits are needed to verify someone’s identity. Through data redaction, that job is easily and automatically handled.
You should also take into account the security complexities of situations in which data moves from point A to point B in the organization and takes on a new context as a result. For instance, many organizations that develop their own software want to test that software using data that closely reflects production data — so they go to the production environment to get it. In such cases, data should be modified en route, so that it will still support testing goals, yet isn’t the actual production data at all — nor can it be used to recreate the original test data.
IBM InfoSphere Guardium: A best-in-class data security appliance
If you’re looking for capabilities along these lines, you’ll definitely want to check out IBM InfoSphere Guardium: a structured data security appliance designed for straightforward deployment and minimal subsequent management. Despite its outstanding ease of use, though, this solution offers a complete feature set, including data discovery and classification, policy-driven security and comprehensive reporting — all implemented in an elegant, operationally transparent way that won’t require you to make changes to either your applications or your systems.