Peter Galvin, VP of strategy, Thales e-Security, offers a step-by-step guide on how security teams can ensure their data is protected against new threats
Only a few years ago, most organisations were focused on building a bigger fence or a taller wall to protect their organisations from malicious threats.
But just like the Little Dutch Boy, organisations are still constantly plugging holes in the perimeter, regardless of how fortified it’s been. As a result, forward-looking organisations are focusing on pervasive data security, instead of just on perimeter security.
However, encryption strategies that protect data in one place but leave it exposed in multiple other locations provide a false sense of security – locking the door and hiding the key but leaving the window next to the door wide open.
The great security shift
We are currently experiencing a shift from perimeter security to data security. This is the result of the proliferation of connected devices in organisations today: smartphones, tablets and IoT devices. Just a few years ago the network perimeter was much more static and limited, but today the perimeter is everywhere, and constantly moving.
The distributed nature of people and devices, and the distribution of data, has changed the focus to protecting the data and not just the perimeter. Perimeter security is no longer sufficient for protecting sensitive or confidential data – especially in light of hackers’ demonstrated ability to breach network security.
Security in layers
Organisations are now focused on creating a solid data protection strategy. This involves looking at not just financial data or payment information but also personally identifiable information (PII) that has become so valuable to criminals. This data demands the utmost protection, because whilst someone stealing your credit card is a problem, you can always cancel your card – you can’t cancel your identity, or change your date of birth.
A primary component of data protection has become encryption. Every organisation needs an encryption strategy, starting with the protection of an organisation’s most confidential or sensitive information. When encrypting this data, key management must be simple and consistent, because encrypted data is only as well protected as the keys that unlock it. That way the data stays encrypted, and its keys stay under control, no matter where the data is located.
Knowing where your sensitive data resides is another crucial piece of the puzzle. Worryingly, though, our 2016 Global Encryption Trends study found that over half of businesses (57 percent) do not know where their sensitive data resides. Many organisations fall into the trap of protecting data only when it exists in a particular area, but that same set of data exists in potentially many other places. If it’s not protected everywhere, it is vulnerable. Organisations need to discover and know where all their sensitive data is located and ensure the data is encrypted at rest, in use and in transit.
Only a few years ago, the attitude towards data protection in some organisations was largely, “Oh yes, I’ve checked the box for security.” But in light of the most recent hacks on high-profile organisations, data protection is now a boardroom discussion and we’ve seen what happens to senior executives who haven’t properly protected their sensitive data. In addition, customers are becoming more concerned about the safety of their data.
However, what holds organisations back is the fact that encryption can get challenging – but it doesn’t have to be. So here are my five top pervasive encryption techniques to help maximise data protection:
1. Encrypt everything, all the time: Encrypt everything, or at least encrypt everything that would be considered sensitive. And ensure you’re encrypting it in all phases of its life cycle – at rest, in use and in transit.
2. Create and execute a strategy: Make sure you have a comprehensive encryption strategy that allows you to understand what data you are encrypting, how you are managing your keys and the underlying policy controls for user access.
3. Leverage a hardware security module: If data is sensitive, the highest level of assurance is through a hardware security module that keeps your most important keys inside a secure hardware boundary.
4. Separate the duties: Implement policy controls that enforce separation of duties between network personnel and security professionals. Separating the security components from the network management and application user components is critical to ensuring that only the people who need to access each system are able to access it – in particular, the people who administer the systems holding encrypted data should not be the people who control the keys.
5. Monitor and evolve your strategy: Continually monitor your people, processes and security posture to protect yourself as vulnerabilities evolve. Review your people and processes as well as your technology, make sure there are checks and balances in the strategy, and keep evolving it as new vulnerabilities emerge.
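The key management model behind points 2, 3 and 4 can be made concrete with envelope encryption. The following Go program is an added example written for this article, not code from Thales or any product it describes. A KeyService type (a hypothetical name) stands in for an HSM or key manager: it holds the key-encryption key (KEK) and never returns it, and application code only ever handles per-record data-encryption keys (DEKs) that are wrapped through that service. The example also shows two consequences of that separation that the list above does not spell out: the KEK can be rotated by re-wrapping DEKs without re-encrypting any stored data, and each record’s key ID is bound into the encryption as associated data, so a wrapped key cannot be swapped onto a different record.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyService stands in for an HSM or key manager (hypothetical name for this
// example). The KEK is private to this type and is never returned to callers;
// application code can only ask it to wrap, unwrap or rewrap data keys.
type KeyService struct {
	kek []byte
}

// NewKeyService creates a service holding a fresh random 256-bit KEK.
func NewKeyService() (*KeyService, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyService{kek: kek}, nil
}

// gcm builds an AES-GCM AEAD for a 128-, 192- or 256-bit key.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce and returns
// nonce || ciphertext || tag. aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal and fails on any change to nonce, ciphertext or aad.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// WrapDEK encrypts a data key under the KEK; keyID is bound as AAD so the
// wrapped key cannot be reused for a record with a different ID.
func (ks *KeyService) WrapDEK(dek []byte, keyID string) ([]byte, error) {
	return seal(ks.kek, dek, []byte(keyID))
}

// UnwrapDEK recovers a data key wrapped by WrapDEK with the same key ID.
func (ks *KeyService) UnwrapDEK(wrapped []byte, keyID string) ([]byte, error) {
	return unseal(ks.kek, wrapped, []byte(keyID))
}

// Rewrap moves a wrapped DEK from this KEK to next's KEK without the DEK
// ever being returned to the application: KEK rotation without re-encrypting
// every record.
func (ks *KeyService) Rewrap(wrapped []byte, keyID string, next *KeyService) ([]byte, error) {
	dek, err := ks.UnwrapDEK(wrapped, keyID)
	if err != nil {
		return nil, err
	}
	return next.WrapDEK(dek, keyID)
}

// Envelope is what the application stores: the ciphertext and its wrapped DEK.
type Envelope struct {
	KeyID      string
	WrappedDEK []byte
	Ciphertext []byte
}

// Encrypt generates a per-record DEK, seals the record with it, wraps the DEK
// through the key service and discards the plaintext DEK.
func Encrypt(ks *KeyService, keyID string, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, []byte(keyID))
	if err != nil {
		return nil, err
	}
	wrapped, err := ks.WrapDEK(dek, keyID)
	if err != nil {
		return nil, err
	}
	return &Envelope{KeyID: keyID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK through the key service and opens the record.
func Decrypt(ks *KeyService, env *Envelope) ([]byte, error) {
	dek, err := ks.UnwrapDEK(env.WrappedDEK, env.KeyID)
	if err != nil {
		return nil, err
	}
	return unseal(dek, env.Ciphertext, []byte(env.KeyID))
}

func main() {
	ks, _ := NewKeyService()
	// Constructed sample record; not real data.
	env, _ := Encrypt(ks, "customer-pii", []byte("dob=1970-01-01"))
	pt, err := Decrypt(ks, env)
	fmt.Printf("%q %v\n", pt, err)
}
```

In a real deployment the Wrap, Unwrap and Rewrap calls would cross a process or network boundary to an HSM (for example over PKCS#11) or a cloud key manager, and the operators of that service would be a different team from the database and application administrators, which is the separation of duties point 4 asks for.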