Creating an Information Security Infrastructure

High-profile Internet security violations are on the evening news every week. Although the publicized computer break-ins seem to command the most attention, a wide range of other Internet violations and computer crimes now populate the IT landscape. An array of stakeholders - ranging from those in the executive suite to customers to regulators - are increasingly coming to view data as one of the most critical assets of the enterprise and the pressure is growing to treat it as such.

Drivers in Data Protection

Several factors are driving an increase in vigilance over the protection of corporate data. They include:

    * Explosive growth in data volumes
    * Increased use of data
    * Need to share data in new ways
    * Requirement to store data for longer periods of time
    * New laws and regulations
    * Continual presence of external and internal threats

Perhaps the most overwhelming factor driving data security is the explosive growth in data itself. More data about the enterprise is being collected in more different ways and from more different sources. In fact, Ray Roccaforte, a senior executive at Oracle, has suggested that data volumes are growing faster than Moore’s Law, which holds that computer processing speeds double every 18 months. By his estimate, data may be growing a whopping 120 percent a year.

Data is being generated in every corner of every organization. In addition to a skyrocketing amount of transactional data usually captured and stored in a relational database management system, companies are generating huge amounts of semi-structured and unstructured data as well, including email, text documents, images, video and audio files. Adding to this data onslaught is the increased use of sensors such as RFID to track goods and other processes as they move along a specific path.

Value Proposition of Data

As companies collect more data, they want to be able to extract more value from that data and use it in a more timely fashion. Data warehouses and sophisticated business intelligence applications, once affordable only by the largest companies, are becoming increasingly commonplace among a broader range of organizations. And cutting-edge companies do not only want to use their data warehouses for historical analysis. In fact, operational business intelligence promises to allow companies to apply analytics to their data in order to control ongoing business processes.

To fulfill the potential of business intelligence and to improve operational efficiency, data can no longer be captured in data silos associated with the specific applications and business processes that generated it. It must be shared across the enterprise to develop 360-degree views of customers and other key aspects of business activity, as well as to facilitate automated straight-through processing where applicable. People and applications need access to data from more different sources than ever before.

The drive to enable the sharing and integration of data by many parts of an organization is being accelerated by the emergence of service-oriented architectures. Creating a nimble information infrastructure based on loosely coupled, reusable services requires the availability of data from many different sources. In fact, the notion of a data layer as part of the IT stack, that is a distinct layer independent of the operating system, the application layer and the interface layer, is receiving widespread attention. Since data is being used in ongoing and often unanticipated ways, it must be stored for longer periods of time. Many groups within an organization may eventually use data initially generated for a single purpose. For example, data associated with a shipping invoice created by a supply chain application may eventually be used by the credit department, accounts receivable, business analysts, senior corporate management, as well as an inventory program at both the company and the customer.

External Factors including Regulation

But the growing need to use and reuse data internally is only one set of factors that has brought the need to protect data into sharper focus. Over the past 10 years, hundreds of state, national and international mandates have been passed regulating the access, security and safeguarding of data. These regulations cover almost every industry and have established a diverse set of requirements ranging from data privacy, to data change management, to the segregation of duties within IT organizations, to how long data must be retained and accessible.

Rules from regulatory agencies have also upped the stakes for data and security managers. Data breaches are no longer private affairs. California legislation, for example, requires that consumers be notified if their private information has been inadvertently accessed, turning breaches into public events. The violations of some regulations have criminal penalties and severe fines associated with them. Data security lapses have been shown to have a detrimental effect on a company’s image and lasting negative impact on its business.

Complying with regulations is tough enough. But companies must also find ways to allow access by external users to their data. Groups such as customers, suppliers and resellers are frequent users of a company’s data and demand access, while, at the same time, the company owning that data is fending off criminals, both outsiders who attempt to hack into a system to steal its data and trusted insiders who violate the trust placed in them. Despite all the regulations to the contrary, theft of corporate data remains one of the most serious problems faced by industry today.

Security Infrastructure

Safeguarding data, a company’s most important asset, requires a multi-layered security infrastructure that some observers have labeled defense in depth. Its layers include:

    * Perimeter defense
    * Protecting access to the database
    * Protecting data at rest
    * Identity management and access control
    * Protecting data in motion
    * Encryption

The first layer is perimeter defense, which consists of firewalls and intrusion detection systems to keep unauthorized users out and to identify them should they break through.

But perimeter defense is just a start. The data itself must be protected as well, both when it is stored in the database, which is known as “data at rest,” and when it travels along a network, when it is called “data in motion.” Protecting data at rest has several components. The first step is appropriate identity management and access control. Companies must be able to identify and control who has rights to what data and then be able to safeguard who has access to that data and what actions they are allowed to perform on the database.

This task has become more challenging as data infrastructures have become more complex. New stakeholders, including external users accessing data via the Internet, often need to be allowed to use an appropriate slice of corporate data. Identity management and access control can’t be implemented with a one-size-fits-all approach; they must be very granular and specific to the individual.

The last line of defense is encryption, which can be used to protect data at rest, as well as data in motion. Encryption of data at rest, that is data stored in the database, presents several significant challenges. If companies encrypt an entire database or an entire table, it can seriously slow performance, since data has to be continually unencrypted to be used. A better alternative is to encrypt selected columns or rows, or even selected records or fields.

The encryption of data at rest also requires what is known as key management. Keys are the passwords needed to decrypt the encrypted data, and if they are not managed correctly, data can be lost or compromised. And the destruction or loss of a key is equivalent to the destruction or loss of the data itself. Effective key management requires that keys are suitably safeguarded, and are generally kept away from users who can otherwise access the data. If staff members who routinely access data also routinely have access to encryption keys, it is like giving keys to your house to potential burglars. Unfortunately, there is no universal key management solution that can be used to manage keys across solutions from many different vendors.
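
Field-level encryption with the key held apart from the data, as the two paragraphs above describe, shown in Go as an added example that is not part of the original article. `KeyHolder`, the `customers.card_number` column and the sample row are hypothetical, AES-256-GCM is a cipher chosen here rather than one the article names, and binding each ciphertext to its row and column goes a step beyond the text.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyHolder is a hypothetical stand-in for a key service kept apart from the database.
type KeyHolder struct{ aead cipher.AEAD }

func NewKeyHolder(key []byte) (*KeyHolder, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &KeyHolder{aead}, err
}

// Seal encrypts one field value. ctx (e.g. "table.column:rowid") is authenticated
// but not stored, so a ciphertext moved to another row or column fails to open.
func (k *KeyHolder) Seal(ctx, value string) ([]byte, error) {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return k.aead.Seal(nonce, nonce, []byte(value), []byte(ctx)), nil
}

// Open reverses Seal; it fails on tampering, a wrong key or a wrong ctx.
func (k *KeyHolder) Open(ctx string, stored []byte) (string, error) {
	n := k.aead.NonceSize()
	if len(stored) < n {
		return "", errors.New("ciphertext too short")
	}
	pt, err := k.aead.Open(nil, stored[:n], stored[n:], []byte(ctx))
	return string(pt), err
}

func main() {
	key := make([]byte, 32) // constructed demo key; real keys stay in the key service
	rand.Read(key)
	kh, _ := NewKeyHolder(key)
	card, _ := kh.Seal("customers.card_number:42", "4111111111111111") // constructed row
	fmt.Printf("row 42: name=Alice card_number=%x\n", card)
}
```

Only the sensitive column is sealed, so the rest of the row stays usable without decryption, and anyone with database access but no access to the key holder sees only ciphertext.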

Encryption can also be used to protect data in motion, that is, data that is moving over the network. The same sorts of issues - performance and key management - that present challenges for encryption for data at rest also present challenges for data in motion.

In short, security infrastructure technology has at least four layers. The outer layer is perimeter and network security. The second layer controls access to the database. Finally, the data itself should be protected both when it is at rest and when it is in motion.

Challenges in Security Management

Though companies are now well aware that they must make the most vigorous efforts to protect their data, developing a comprehensive security infrastructure is very complex. Many organizations still have a collection of point solutions to address individual security concerns - the entire security strategy is rarely viewed holistically. Different administrators are responsible for securing different parts of the information infrastructure and they may not communicate with each other as frequently or as comprehensively as might be desired.

Complicating matters, in the 1980s and 1990s, security was often not a top priority for many application developers. Consequently, applications have different vulnerabilities that are often hard to identify. Frequently, those built-in or hidden vulnerabilities are not reviewed or assessed by the IT personnel responsible for their ongoing operation.

Moreover, IT infrastructures are dynamic, complex systems. As companies merge and acquire new companies, the infrastructure changes. Those changes have an impact on the security set-up. The use of newer blade servers and the adoption of virtualization technology for servers and storage have an effect on security. The emergence of service-oriented architecture (SOA) and the concept of data as a service has also had a profound impact on data security. These changes are often so complex and time-consuming that the impact they have on security is overlooked.

The last challenge is regulation. The regulatory environment is constantly changing. Data administrators can face contradictory regulations passed by different governing agencies, who may all be aggressively enforcing them. IT security personnel must work closely with those in the organization charged with monitoring regulations to better understand the impact of new regulations on security policy and practices.

Building a Security Infrastructure

A solid security infrastructure has three components - technology, processes, and people. While technology alone cannot create a security infrastructure, the right technology is a necessary foundation. Companies must be prepared to invest in every level of a multi-layered security strategy.


Selecting and implementing the best security technology is not an easy task. Commonly, security set-ups are implemented through a grab-bag of point solutions that may or may not be integrated into a coherent overall structure. Not infrequently, these point solutions are managed by separate groups within an IT organization, making it more difficult to achieve a coordinated layer of security protection.

Moreover, the way security technology is implemented can have a significant impact on the overall application performance, user satisfaction and the ability to meet service-level agreements. Apple Computer drove this point home with a withering series of television commercials launched after the release of the Microsoft Vista operating system. It mocked the operating system for requiring users to proactively approve virtually every step in a particular operation. Apple’s point was that Vista was now too rigid to be easily used. Indeed, making applications and systems easy to use often runs counter to making them highly secure.


The second element in building a secure infrastructure is processes. Indeed, many of the most relevant regulatory requirements relate to the processes companies must implement to protect their data. Who has access to data? Who can change data? Who reviews or monitors changes to applications and hardware systems? How are systems audited? Processes to address those questions have to be developed, implemented, documented and periodically reviewed.

Once again, a balance has to be struck between making systems secure and letting IT professionals do their work. If a process is too restrictive, work can grind to a snail’s pace. If a process is too permissive, much can slip past security measures.


The final element is people. As with the other components of security, several different aspects must be evaluated when considering people. People must be trained to operate in appropriate ways. No matter how secure a system may be in theory, if people allow unauthorized personnel to use their accounts, if their passwords are easily compromised, if they do not log off or log onto systems correctly, or if they do not take the proper steps to safeguard systems, no technology will provide the right level of security.

A second factor when dealing with people is trust. On the one hand, employees like to feel their employers have confidence in them. On the other hand, an eye-popping number of data security breaches come at the hands of so-called trusted insiders. The activities of users, both inside the organization and those accessing data from the outside, must be monitored carefully based on current experience. But the monitoring strategy must be implemented in a way that does not impede employees from completing their tasks efficiently.

Companies should develop a security checklist with these three elements in mind: technology, processes and people. In developing such a list, first identify the internal and external risks to the data. Next, assess where systems are vulnerable. Are there gaps in the technology either in the hardware or the software that could be exploited by persons inside or outside the organization? Are the correct security processes in place? Have the right communities been properly trained? Is the administrative support for security in place to keep it on track?

Finally, organizations need to consistently audit their security infrastructure, checking for opportunities for new threats to occur. Organizations are by nature continually changing and their IT systems have to be dynamic to keep up with shifting demands. Every organizational change and the technological changes it spawns can potentially open up new vulnerabilities. The task of creating a secure environment is never finished. It is an ongoing process and those involved must remain continually alert to any new change that might open up a chink in the armor of security procedures.


The stakes involved with data security have never been higher. Corporate data has come to be seen as an organization’s most valuable asset. With nearly all IT systems connected to each other via the Internet, computer-based data files are more vulnerable than ever before. Threats come from both outsiders who work to break network perimeter defenses and from employees inside the security perimeter. As defenses have become more sophisticated, so have the methods of the attackers.

Security must be viewed from a holistic perspective and security technology must be implemented in several layers. Unfortunately, to date, most companies still rely on scattered point solutions rather than highly integrated and coordinated security defenses.

Most importantly, security concerns must always be a top priority of not only IT but all of top management. The security implication for every project and each change must be assessed and action taken if needed. And even if internal systems remain relatively stable, security must be subjected to regular audits to seek out weaknesses. With the current regulatory environment, breaches can lead to anything from bad publicity to fines and jail terms. In short, even companies with elaborate security arrangements in place are only one change - a change as small as a revision to the invoice numbers or the addition of a new employee on the loading dock - away from being vulnerable. Monitoring and assessing these changes, both before they occur and while they are occurring, is part of the continual battle to maintain a secure environment that protects data and applications from threats from a variety of directions.