05/11/2014

By Informatica


Cyber-warfare is a grim reality increasing in its frequency and sophistication. Government and local agencies in particular are constantly targeted by cyberattacks that often result in significant data breaches. But they do not need to be left vulnerable. Several proven data protection technologies are available and of particular relevance to government organisations aiming to secure their systems against data breaches and cyber-attacks.

Industry concerns

Every CIO knows that if they don’t get security right, customers, employees and the institutions they work with can all suffer directly, and their role can be perceived as ineffective.

With more sensitive data being collected and stored for longer periods of time, there is more risk associated with breaches resulting in the unauthorised and illegal exposure of personal, credit and health information.

According to research conducted by The Office of Cyber Security and Information Assurance, the cost to the economy - estimated at £27bn - is significant and likely to be growing. It suggests that the two main areas of data theft come from cyber-espionage and IP theft.

Companies and government organisations need to ensure the privacy of enterprise data. Data privacy is critical for application development, quality assurance and implementation testing, as well as for outsourcing, training and off-shoring. In addition, increasing scrutiny from regulators simply does not give businesses much leeway in storing and providing data in a secure way.

Data masking as a security enabler

Modern data security strategies therefore need to consider two layers: the layer where data is being stored and organised, and the layer where data is being retrieved. Data masking has emerged as a versatile technology for data storage. It is a method of camouflaging data in order to maintain its confidentiality. The technique is used when the format or type of data needs to remain intact, but the actual data values must be hidden from a user or process.

For example, an organisation that has developed an application to report on its customer data may wish to send the application to a third-party consultant for testing. Wanting to test the application against the actual data set, but not wanting to reveal its customers’ names or addresses, the organisation first masks the data, and then sends the application and the masked data to the tester. This way, the sensitive information remains entirely within the organisation.
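The scenario above can be sketched in a few lines of Python. This is an added example, not code from the article or from any masking product: it uses keyed HMAC-SHA256 substitution as one possible masking method, and the field names, sample rows and key are constructed for the demonstration. Each letter and digit is replaced while length, case and separators are kept, and the same input always yields the same masked value, so rows in different tables still match up for the tester.

```python
import hashlib
import hmac
import string

# Constructed demo key; a real key never leaves the organisation that owns the data.
MASKING_KEY = b"constructed-demo-key"

def _keystream(key, field, value):
    """Endless byte stream from HMAC-SHA256 over (field, value, counter)."""
    counter = 0
    while True:
        msg = f"{field}\x00{value}\x00{counter}".encode("utf-8")
        yield from hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1

def mask_value(key, field, value):
    """Replace every letter and digit but keep length, case, spacing and punctuation."""
    stream = _keystream(key, field, value)
    out = []
    for ch in value:
        if ch.isdigit():
            out.append(string.digits[next(stream) % 10])
        elif ch.isupper():
            out.append(string.ascii_uppercase[next(stream) % 26])
        elif ch.isalpha():
            out.append(string.ascii_lowercase[next(stream) % 26])
        else:
            out.append(ch)  # separators carry the format, not the secret
    return "".join(out)

def mask_record(key, record, sensitive_fields):
    """Mask only the named fields; everything else passes through for testing."""
    return {k: mask_value(key, k, v) if k in sensitive_fields else v
            for k, v in record.items()}

def shape(value):
    """Character-class pattern, used to check that the format survived masking."""
    return "".join("9" if c.isdigit() else "A" if c.isupper()
                   else "a" if c.isalpha() else c for c in value)

# Constructed sample rows standing in for the customer data set.
CUSTOMERS = [{"id": "1001", "name": "Alice Example", "postcode": "SW1A 1AA"}]
ORDERS = [{"order": "A-77", "name": "Alice Example", "total": "19.99"}]
SENSITIVE = {"name", "postcode"}

if __name__ == "__main__":
    for row in CUSTOMERS + ORDERS:
        print(mask_record(MASKING_KEY, row, SENSITIVE))
```

Only the masked rows go to the tester; the key stays with the data owner, since anyone holding it could test guessed names against the masked values.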

Data masking may be offered as an option with database products, or third-party data-masking products can be purchased separately from vendors. Data masking may also be included as part of a data management service on a software-as-a-service (SaaS) platform.

In spite of the growing threat from targeted attacks and the general best practices, data masking deployment remains sporadic and even non-existent in otherwise highly secure organisations. Why? In the past, data masking techniques like encryption required a lot of processing power, limiting their usage. Additionally, many organisations found data masking tools too expensive for broad application. However, these long-held beliefs are no longer accurate, as faster and cheaper tools have emerged in recent years, making data masking an option for organisations of all sizes.

Why mobile security is so important

More and more data is being retrieved on mobile devices, and at the same time these devices are the top item left behind in taxis. International travel can also broaden the scope of mobile security threats and presents a further breadth of opportunities for cybersecurity.

Mobile devices replace the laptop in many cases, and they are being used as transaction processing devices, for example at the point of sale. For all of these reasons, having a strategy for protecting mobile devices or the applications that run on those devices and related sensitive information is critical in minimising the impact of a potential wider breach.

Here, two predominant areas have advanced over the last ten years. First, ‘Mobile Device Management’ solutions provide the ability to delete content on a mobile device based on certain events, such as a lost or stolen device or a device being tracked into a location where certain information is not allowed. An example of this is a retailer that gives its employees iPads to process transactions. If the iPad is taken from the store’s premises, the device, including all its data, is automatically wiped, making it useless.

Another market that has expanded is data encryption and tokenisation. If certain data fields, such as credit card information, are stored from a mobile device, that data can be encrypted or tokenised on the device to minimise the scope of a PCI audit as well as to prevent a breach. Also, Virtual Private Network technologies that apply secure tunnel connections behind corporate firewalls have now been adapted to mobile devices. Thanks to the increased computing capability of these devices, performance is not impacted too much. Plus, apps run reasonably well when using a VPN connection due to the high network bandwidth now available via cellular technology.

Threats on the horizon

Today, the biggest hazard an organisation faces is the lack of knowledgeable skillsets in mobile security and potential threats. Data security expertise has been one of those skillsets considered in serious shortage for some time now. Given the rapid change of the mobile device landscape, as soon as you invest in training your team on the latest threats, new technologies emerge that require more catch-up training. Also, given that consumers and the next generation of the entitled workforce expect to be able to conduct business from their mobile devices, the pace of application development and rollout will accelerate faster than the security team can keep up with.

So it is high time for all businesses to implement an adequate and efficient data security strategy. For this, the starting point should always be: what data do I store, where do I store that data and who has access to that data? Once a clear picture emerges of what happens to data, where, when and by whom, its storage and retrieval can be made more secure. Data is increasingly perceived as a currency, and it should therefore be treated as such: by putting it in a safe place and making sure any exchange is authorised.