The complexities of today’s IT environments make protecting data an ongoing challenge. Effectively securing data necessitates knowing where that data resides at any given point in time. However, as companies outsource tasks such as order processing, customer service, and fulfillment, this information becomes increasingly difficult to ascertain. Many of the external systems that house such data are not visible and are often not understood by those responsible for certifying compliance with regulations such as the Payment Card Industry Data Security Standard (PCI DSS).
Protecting Data Inside and Out
Enacting access controls and securing passwords for databases is an important first step for security, but that doesn’t mean the data is protected while it is in transit or when it is shared outside company walls. Companies subject to regulatory mandates such as the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley (SOX) are responsible for safeguarding data, regardless of where that information resides. This means if the data is shared with a business partner or external service provider and a breach occurs, the originating company is still held liable. Thus, it’s critical to secure every layer of the infrastructure that interacts with sensitive information.
Understanding Data Flow
IT needs to understand not only the resources within its environment, but also the specific data passing through those systems, in order to model risk accurately and determine appropriate security remedies.
Once there’s an understanding of where data lives at each stage in the process, it’s helpful to go through a “day in the life” exercise in which a specific piece of information, such as a new order or a patient record, is traced to determine every place the data is shared and how it is protected at each stage. This allows the organization to create a data flow diagram identifying how and where information travels, in all its various forms, throughout the information lifecycle. Armed with this knowledge, organizations can quickly identify and combat vulnerabilities.
The next step is to classify essential vs. non-essential data, and decide how tightly to lock each of these systems down. A common misconception is that all data should be secured. However, this would create an unnecessary and burdensome cost. Easing security on less important information improves productivity and eliminates unnecessary investments in security systems, while freeing up resources to protect the most sensitive data.
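The “day in the life” trace and the essential/non-essential classification above can be automated once the data flow diagram exists. The following is an added example, not code from the article: it models a constructed order flow (hypothetical systems `web_shop`, `fulfillment`, `payments`) and reports every node and hop where classified-sensitive fields are unprotected or handed to an external provider.

```python
from dataclasses import dataclass

# Constructed sample model; system names and fields are hypothetical.
@dataclass
class Node:
    name: str
    external: bool            # hosted by a partner or service provider
    encrypted_at_rest: bool
    fields_held: set          # which fields of the record this node stores

@dataclass
class Hop:
    src: str
    dst: str
    encrypted_in_transit: bool

# Classification step: only these fields are "essential" and need strong controls;
# everything else (order ids, ship dates) is non-essential and may be protected less.
SENSITIVE = {"card_number", "patient_diagnosis"}

NODES = {
    "web_shop":    Node("web_shop", False, True,  {"order_id", "card_number"}),
    "fulfillment": Node("fulfillment", True, False, {"order_id", "ship_date"}),
    "payments":    Node("payments", True, False, {"order_id", "card_number"}),
}
HOPS = [Hop("web_shop", "fulfillment", True), Hop("web_shop", "payments", False)]

def trace(nodes, hops):
    """Walk every place the record lands or travels; report unprotected sensitive data."""
    findings = []
    for n in nodes.values():
        held = n.fields_held & SENSITIVE
        if held and not n.encrypted_at_rest:
            findings.append(f"{n.name}: sensitive fields {sorted(held)} stored unencrypted")
        if held and n.external:
            findings.append(f"{n.name}: external provider holds {sorted(held)}; contract/SLA required")
    for h in hops:
        # A hop only carries the fields both ends actually hold.
        shared = nodes[h.src].fields_held & nodes[h.dst].fields_held & SENSITIVE
        if shared and not h.encrypted_in_transit:
            findings.append(f"{h.src}->{h.dst}: {sorted(shared)} sent unencrypted")
    return findings

if __name__ == "__main__":
    for finding in trace(NODES, HOPS):
        print(finding)
```

The fulfillment provider never receives a sensitive field, so it produces no finding; the payments provider and the unencrypted hop to it do.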
Safeguard Against the Enemy Within
Common security weaknesses include default configurations that are left unchanged, default passwords that are left unchanged, unnecessary services that are enabled, and failure to install the latest security patches. According to forecasts by the IT industry analyst group Gartner, 90 percent of all security breaches in the near future will originate inside companies. Organizations need a way to shield their “super user” passwords from unauthorized personnel, and to be able to track the activities of these users in the event of a security violation. At this point, it’s important to reconcile which users have access to which databases, file systems, and applications, and how they use them. This level of understanding is critical for forensic investigation, which identifies who was on a specific system at a specified time and what activities were performed.
Prompt termination of access rights for departing employees and contractors is equally important. Employees with improper access to systems, files, and data, as well as former employees and subcontractors whose access rights haven’t been terminated, are commonly exploited weaknesses in any business. Employing automated processes to test, validate, and report on these IT controls provides the necessary visibility into these activities, both for proactive security protection and for preparation for regulatory audits.
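One automated control test of the kind described above is an access reconciliation: every account on every system is matched against the HR roster, and accounts belonging to departed staff, expired contractors, or nobody at all are reported, with super-user accounts singled out for activity tracking. This is an added example with a constructed roster and account lists (hypothetical people and systems), not the article’s own code.

```python
from datetime import date

# Constructed HR roster and per-system account lists; all names are hypothetical.
ROSTER = {
    "alice": {"status": "active",     "end_date": None},
    "bob":   {"status": "terminated", "end_date": date(2024, 3, 31)},
    "carol": {"status": "contractor", "end_date": date(2024, 6, 30)},
}
ACCOUNTS = {                        # system -> {account name: privilege level}
    "orders_db":  {"alice": "read", "bob": "dba", "svc_etl": "read"},
    "file_share": {"alice": "rw", "carol": "rw", "dave": "rw"},
    "crm_app":    {"alice": "user", "sa": "admin"},
}
KNOWN_SERVICE_ACCOUNTS = {"svc_etl"}   # approved non-human accounts
SUPER_USER_LEVELS = {"dba", "admin"}   # "super user" access that must be tracked

def reconcile(roster, accounts, as_of):
    """Return (system, account, reason) tuples for every control failure found."""
    findings = []
    for system, accts in accounts.items():
        for user, level in accts.items():
            if user in KNOWN_SERVICE_ACCOUNTS:
                continue
            person = roster.get(user)
            if person is None:
                findings.append((system, user, "no matching person or approved service account"))
            elif person["status"] == "terminated":
                findings.append((system, user, "departed employee still has access"))
            elif person["end_date"] and person["end_date"] < as_of:
                findings.append((system, user, "contract ended; access not removed"))
            # Super-user accounts are reported regardless, so their use can be tracked.
            if level in SUPER_USER_LEVELS:
                findings.append((system, user, f"super-user level '{level}'; activity must be logged"))
    return findings

if __name__ == "__main__":
    for system, user, reason in reconcile(ROSTER, ACCOUNTS, date(2024, 9, 1)):
        print(f"{system:<11} {user:<8} {reason}")
```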
Looking Beyond Perimeter Controls
Despite investments in perimeter protection such as firewalls, intrusion detection systems, vulnerability scanning, and penetration testing, systems continue to be compromised. Management of operating system and application configuration is often overlooked, yet there are hundreds of operating system or primary application configuration settings that have security implications. Alleviating this threat requires an inside-out look at network services, interfaces, software feature sets and revisions, patches, and hot-fixes. Gaining a comprehensive view of configuration data and its associated parameters is an aid to IT assessment and control.
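The inside-out configuration review described above is usually done by comparing a host’s observed settings, running services, and installed patches against an agreed baseline. The following is an added example, not from the article: the baseline, the snapshot, the setting names, and the patch identifiers (`KB-0001`, `KB-0002`) are all constructed placeholders for a hypothetical host.

```python
# Constructed baseline for a hypothetical host; keys and patch ids are placeholders.
BASELINE = {
    "settings": {                       # setting -> expected hardened value
        "ssh.PermitRootLogin": "no",
        "ssh.PasswordAuthentication": "no",
        "db.listen_address": "127.0.0.1",
    },
    # Vendor defaults, so the report can say when a setting was simply never changed.
    "vendor_defaults": {"ssh.PermitRootLogin": "yes", "db.listen_address": "0.0.0.0"},
    "allowed_services": {"sshd", "postgresql"},
    "required_patches": {"KB-0001", "KB-0002"},
}

# Constructed snapshot as collected from the host being assessed.
SNAPSHOT = {
    "settings": {
        "ssh.PermitRootLogin": "yes",
        "ssh.PasswordAuthentication": "no",
        "db.listen_address": "127.0.0.1",
    },
    "services": {"sshd", "postgresql", "telnetd"},
    "patches": {"KB-0001"},
}

def check_drift(baseline, snapshot):
    """Report settings off baseline, unnecessary services, and missing patches."""
    findings = []
    for key, expected in baseline["settings"].items():
        actual = snapshot["settings"].get(key)
        if actual != expected:
            at_default = actual == baseline["vendor_defaults"].get(key)
            note = " (still at vendor default)" if at_default else ""
            findings.append(f"setting {key}={actual!r}, expected {expected!r}{note}")
    for svc in sorted(snapshot["services"] - baseline["allowed_services"]):
        findings.append(f"unnecessary service running: {svc}")
    for patch in sorted(baseline["required_patches"] - snapshot["patches"]):
        findings.append(f"missing patch: {patch}")
    return findings

if __name__ == "__main__":
    for finding in check_drift(BASELINE, SNAPSHOT):
        print(finding)
```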
Codifying Expectations with Business Partners and Suppliers
Businesses also need assurances that their partners and vendors are employing prudent measures to protect their sensitive information. If, for example, a healthcare facility employs a transcription service for patient records, the facility should include SLAs in its contract with that transcription service dictating specific security measures. It is important to outline these rules in a contractual fashion so that external providers handling confidential information are under the same obligations as the organization itself. Moreover, providers should be expected to share details of their security policies, and specifically explain how they prevent intermingling of data from different companies.
Many organizations take this a step further and perform their own closed-loop risk management audits ahead of any regulatory oversight agency. This involves a review process for potential new policies and controls, a policy review with enterprise-wide accountability for software and hardware, generation of an audit report, and evaluation and implementation of audit processes. As IT infrastructures change, it’s difficult to predict what vulnerabilities may appear. Performing cyclical audits as routinely as regular maintenance lets organizations make consistent progress in enterprise-wide security.
Safeguarding data in today’s IT environment requires a different mindset - looking beyond perimeter security. The proliferation of security breaches has taught us a great deal about the common gaps being exploited. Instead of wholesale protection of all data, organizations are better served by classifying information and employing top-notch resources to protect the most sensitive data - regardless of whether it’s in transit or at rest, within their four walls or with an external service provider or partner. By taking this broader view of data protection, businesses gain a more effective means of understanding and protecting information throughout its lifecycle.