This is the second in a three-part series on IT security from Forsythe Technology. This post looks at data protection and identity and access management. Other posts covered core infrastructure and threat and vulnerability management, and governance and application security.
Your Data Has Left the Building: Are You Protecting It?
In the previous post, I talked about the current role of perimeter and core infrastructure security, and the importance of keeping up your organization’s first line of defense. Now, I’ll focus on protecting “the crown jewels” inside the perimeter using data protection and identity and access management. As we all know, valuable information increasingly resides outside of the data center, and beyond IT’s control. A lot of it exists on the “edge” of the network, where data is captured and work is conducted on endpoints like laptops, smartphones, and tablets. Not only do we have to find a way to protect it, we want our employees to be able to retrieve it on the go in order to boost productivity, and we also need to produce it for compliance reasons.
Meeting all of these needs can be hard, but doing so delivers value to your business and is critical to protecting your data, your intellectual property and your brand.
The first step to securing data—no matter where it is—is knowing what you need to protect. As RSA president Amit Yoran said during his keynote address at this year’s conference, "You must understand what matters to your business, and what is mission critical. You have to . . . defend what's important, and defend it with everything you have."
Companies that don’t have an effective data classification and/or prioritization program in place struggle with data protection because they don’t know where to aim.
You Can’t Protect What You Don’t Know
It is critical to separate valuable information that may be targeted from less valuable information by tracking data usage cycles, and implementing appropriate controls. Take into account:
- Where this information is stored. Make sure you include mobile devices, backup systems, and cloud services.
- Who has access to it. Understand which employee roles and individuals need access, as well as those who may have unwarranted access.
- What your organization’s process is for provisioning and deprovisioning access.
- Your partners’ valuable information and what your process is for evaluating their security.
Unless you have a tremendous amount of staff and operational support, you probably can’t do it alone. Professional assessments can help you identify and classify sensitive data and figure out who has access to it, and give you the baseline insight you need to update security policies and processes.
From a technology perspective, solutions like DLP, encryption, advanced endpoint protection, database activity monitoring, and enterprise mobility management tools help to guard against threats no matter where data is stored, used or transmitted. And if encryption is well-implemented, it can make data useless to attackers in the event of a breach.
Identity and access management tools (federated identity/SSO, privileged access management and identity governance solutions) and strong authentication also help by controlling access to services, and managing the identities and privileges of expanding groups of users—including employees, partners, and customers—that are logging into systems both inside and outside the enterprise.
By using data protection and identity and access management tools together, you can help your organization protect data throughout its lifecycle, and secure each door into the fragmented IT environment.