Security experts pitch 'culture of data'

A holistic approach to security starting with a full review of data architecture does the best job of balancing protection with users' access needs

The companies that are having the most success in advancing their data security efforts today are those that are finding a way to protect sensitive information without getting in the way of business users, industry experts maintain.

In crafting their data-handling policies and selecting from the multitude of security technologies at their fingertips, the businesses that can foster both ready access to information and strong defenses for end-users and IT systems are making progress the fastest, claim leading vendors and service providers.

After years of "throwing technologies" at the data security problem while juggling complex business demands along with external threats and regulatory compliance audits, some businesses are finally discovering that they can simplify the entire process by taking a more comprehensive approach to tailoring their programs to the manner in which their users access, handle, and share information.

Even within IT giants like IBM, the struggle to balance security issues with emerging business demands to work with information in new ways hasn't always been approached in this manner, said Julie Donahue, vice president of the security and privacy service in the company's Global Technology Services group.

Only through experience and ongoing efforts to constantly rationalize security policies with business demands has the massive firm been able to get a grip on its own data-handling needs, she said.

"Customers need to step back and see what their own culture wants. If we locked down everything within IBM, it would be so difficult to manage that we would have a serious management problem, so you have to ask questions around culture before you begin thinking of enforcement," said Donahue.

"You have to assess the risk environment and think of this as a holistic problem in terms of how you place bets and need to manage pools of risk, even though for most CIOs it often feels like you have to spend your time going day-to-day dealing with the crisis of the moment," she said. "You really need to look at where to make the right investments, where to do enforcement, and where to monitor to have a truly strategic view."

Donahue said that when IBM was building its security practice roughly 16 months ago, it found that customers were spending as much as 10 percent of their IT budgets dealing with the maintenance and complexity of their data security systems.

The only way to reduce the data security management headache is to design an internal framework for managing infrastructure to ensure that investments are being made wisely, she said.

In many cases, those companies that are succeeding in that regard are treating their data assets just as they would treat cold, hard cash, the expert maintains.

"Companies need to protect their vast ecosystem of data like it is a monetary system; they really have to think about it that way," said Donahue. "It can't be the data center's problem or the network administrator's responsibility alone to protect its security; it has to be everyone's responsibility throughout the entire company."

IBM learns about security leaks the hard way
As evidence of the types of things that can happen to undermine even a comprehensive security game plan, Donahue pointed to IBM's loss of two backup tapes that contained sensitive information about former employees earlier this year.

While the incident was actually related to IBM's provider of backup storage services, the company was forced to pay out remediation costs related to informing those people who had been affected and providing credit monitoring services and the like for those individuals, she said.

In that sense, companies must also require the highest security standards from their business partners, said the expert. IBM has since written stronger backup-tape handling policies into its contract with its partner as a result of the incident, and Donahue encouraged others to do the same.

Phillip Dunkelberger, chief executive at encryption software specialists PGP, said that companies are spending too much time trying to react to data incidents and the individual mandates of compliance regulations while overlooking opportunities to improve data security through smarter process control.

Many companies are still too concerned with protecting various endpoint devices and network assets when a more data-driven approach would save them both time and money, he said.

"It has to be about the data. Data is very much the currency that people are transacting with, and employees need to be able to get their jobs done, even if that means taking information outside the network," said Dunkelberger.

"As complexity grows, things happen -- executives buy iPhones that are essentially 60GB storage devices that run on Open BSD and allow third-party applications," he said. "Defending the device is going to be a losing war, and even if you try to do that, people will inevitably add to the device or change its configuration."

While it is unsurprising that Dunkelberger advocates encryption as an intelligent way to cope with the complexity that changing IT infrastructure and business demands bring to defending data, he said that problems are most often related to faulty policies, not to the types of technologies used for information protection.

The heightened information security atmosphere of today isn't as much a result of the rapid growth of mobile computing or shared infrastructure between companies, but rather an issue of poor data architecture from the top down, he said.

"Unless we start having a comprehensive discussion about the defense of data, the problem will only continue to persist, and not just in relation to hackers or compliance," Dunkelberger said.

"Everyone has policies, but it is interesting how much intellectual property is being targeted and stolen despite that; more of these attacks are coming, and that will only increase costs and complexity if handled improperly because these are the crown jewels of the organizations that are being targeted," he said.