A smart CSO knows that building a perimeter tough enough to keep attackers out is impossible, so a good defence is built around knowing where the organization’s sensitive data is.
That’s not always easy, as lines of business have ways of squirreling things away. On Thursday California-based Informatica Inc. will release a new solution it believes will help organizations find and categorize the risk of structured data to help make better security plans.
Called Secure@Source, the company says the software is better than traditional data discovery tools which index one database at a time. Secure@Source can scan an entire infrastructure, then populate a dashboard to give CISOs, CEOs, privacy managers and lines of business a score of what is and isn’t protected. With that they can decide what security weapons — cyber insurance, data masking, staff education etc. — to deploy against which asset.
“It gives the ability to gain sensitive data intelligence so you can add data protection and take all the controls you use and assess if they are deployed appropriately,” Robert Shields, Informatica’s head of product marketing for data security solutions, said in an interview.
The software can index sensitive data by geography, business unit, movement within the enterprise as well as by category (for example, credit card, personal information, health), all of which can be displayed on a dashboard. Across the top of the dashboard graphics can show the organization’s overall risk score, the percent of unprotected sensitive data and the amount of restricted data. A map can show the general location of sensitive data by geography. Also displayed could be top company or department databases by risk score. Each of these can be drilled down by users.
The suite also includes policy-based alerting. Informatica says policies are easily defined and implemented to identify high-risk conditions, which can trigger alerts for actions such as when sensitive data leaves a country, when sensitive data is found in unauthorized locations, when regulatory data is not sufficiently protected, and when risk levels reach critical thresholds.
For now Secure@Source runs only on Red Hat Linux and needs a customer-supplied database (it supports Microsoft’s SQL Server) as a repository. Shields said a “moderately-powered server will suffice for most organizations.” Pricing is based on the number of structured databases scanned and/or the number of mainframe connections. It isn’t inexpensive: Shields estimated that a base package would cost a “couple hundred thousand” dollars.
It could take some time to scan an entire large enterprise’s databases, but most of the discovery is automated. Gary Patterson, an Informatica product manager, said a scan of one beta customer’s large SAP installation, which included 90,000 tables, took only “several hours.” However, he also acknowledged that customers with Informatica’s PowerCenter data integration platform will see faster results than others.
There are some ways to shorten scanning time. An administrator can configure the setup to scan for a specific type of data (credit card, for example). Shields said Informatica recommends customers start by scanning priority databases. Secure@Source can also be configured to scan a statistically representative sample of an entire database to calculate results.