(This blog is by Sangam Manikkayam Iyer, principal security specialist, Symantec Canada)
Companies of the past, present and future would all agree: data is critical for business, and its integrity and confidentiality must be maintained. As the April 24th IT World Canada #EncryptITWC Twitter chat I participated in via @SymantecCanada confirmed, the discussion on how best to protect that data is evolving.
Data that is critical for business operations may have the potential to be breached or compromised, which in turn might impact the business; putting it at risk. Implementing the right amount of security safeguards is of prime importance for all chief information security officers (CISOs), right from the strategizing phase to implementation and maintenance. There are many tools in the security toolkit, but CISOs should not stop at encryption for data protection.
Encryption alone is not sufficient to protect critical business data; it should be deployed in combination with other tools like data loss prevention, mobile application management and access management to give significant enough protection for critical data. In this post, we’ll explore implications for each.
Let’s look first at encryption.
There are various kinds of encryption tools which could be used for data in file shares, emails, or other endpoints (such as mobile devices or laptops.) Some organizations follow a practice of encrypting the whole-disk of all their mobile devices, whereas some others follow a practice of encrypting all their emails.
Are there any limits to encryption? No, but there are implications. It would be ideal for businesses to encrypt data until the chances of integrity/confidentiality tampering is minimized. However, this may affect the performance of the target systems slightly, – in some cases, slowing them down. However, business benefits and data security often outweigh those drawbacks.
Security and performance are two sides of a balance. Organizations may have to weigh which aspect is most important for their business and choose accordingly. CISOs must choose which data to encrypt judiciously, favouring critical data such as personally identifiable information, business policies, financial, and credit card information.
Maintaining an encryption process requires periodic review. Many organizations have encryption solutions but may have some broken policies/processes. Doing an audit to find out about the encryption policies will uncover some of the misconfigurations which could lead to a broken encryption process. An example of an incident that can affect that process is when an employee changes their role within the organization and the encryption policies don’t change accordingly. A closed-loop automation is ideal to link the roles within the organization and access rights within the encryption solutions.
One of the common complaints about any encryption solutions comes from end users. End user education is really important in the success and acceptability of any encryption solution. Employees should be educated about encryption policies and standards, as well acceptable usage policies. They should also be made aware of the new solution deployment and what to expect in terms of the solution behavior, enhanced security measures and possible delays due to the change.
Data loss prevention is the next security step to consider.
Data, once decrypted, could be knowingly/unknowingly moved out of the organization’s environment through various means. Data loss prevention helps keep this confidential information and intellectual property safe within the environment. It is ideal to look at data loss prevention as well as a complementing solution to encryption. Savvy organizations look at all aspects of data loss prevention, be it data-at-rest, data-at-endpoint or data-in-motion. It is a multi-layered strategy to make sure that whatever the channel may be, confidential data never leaves the organization unauthorized.
Mobile security is the last layer of protection we’ll discuss.
Organizations are looking at enhancing mobile user productivity without compromising on the security aspects of data protection. A mobile security approach should shift from being device-centric to app-centric, where instead of controlling the personal device, companies control app-related data only. This shifts control from the whole device to the specific applications that access, store and transmit company data. This would be an ideal approach for enterprise IT to ensure data security, regardless of the device, its ownership, and the apps that are being used to access the corporate data. The ideal state of any BYOD strategy should be a consumer-like user experience for corporate information on both managed and unmanaged devices, without compromising information security.