
    How to Keep Corporate Secrets a Secret

    By
    eweekdev
    -
    July 28, 2008

      There is nothing like a data breach to bring a CIO unwanted publicity. We read all the time about these costly spills of precious corporate data, from the British government exposing the records of 25 million citizens, to the TJX Companies’ loss of 45.6 million credit card and debit card records. The Privacy Rights Clearinghouse (PRC) has documented that roughly 234 million data records have been involved in security breaches since 2005.

      The cases range from the University of Iowa putting a few hundred students’ data on the Internet to the supermarket chain Hannaford Bros.’ breach, in which 4.2 million credit card numbers were compromised and more than 1,800 cases of identity theft resulted. Tapes lost, laptops stolen, Wi-Fi and network snooping, malware and virus intrusions, and plain old theft are just a few of the threats that keep CIOs up at night.

      The problem of data leaks goes far beyond the breaches that make the news. Potentially more catastrophic than the exposure of personal data is the risk to corporations when trade secrets, customer lists, pricing data and other critical assets leak out the door. Keeping corporate secrets a secret requires careful thought, effective processes and sophisticated technology.

      Most of the efforts at data leak prevention focus on making systems and networks secure. These steps are essential. However, as the volume of digital data grows, protecting systems may not be enough. Intelligence services have always known to protect the message, not just the medium. A courier can be kidnapped even if he is surrounded by spear carriers, but his message will be safe if the enemy can’t read it.

      Firewalls, anti-virus software and password-controlled access are all forms of “perimeter protection.” With so many places for data to be stored and so many ways for it to move off the premises (for example, laptops with 200GB disk drives, iPods and cell phones capable of carrying tens of gigabytes of data, not to mention the Internet), perimeter protection may not suffice to meet every threat.

      Companies maintain rigorous perimeter protection in a number of ways: by disabling USB ports to prevent the use of memory sticks, by blocking access to Web-based e-mail, and even by monitoring data flows. But, no matter how diligently applied, these approaches leave the data itself unprotected. Once secret data slips out the door, all the firewalls in the world can’t get it back. Protecting the data is key.

      A complete solution combines process and people with advanced technologies. Here are five steps to consider:

      Step No. 1: Identify the data that needs protecting.

      If you try to protect everything, life will be too difficult. Users will be annoyed and they will undermine the process. Be reasonable and employees will participate. The classification process needs to be thorough, comprehensive and participatory. Segregating valuable data is an important first step and there are tools that can help.

      Step No. 2: Secure the message as well as the medium.

      Even with SSL (Secure Sockets Layer) and VPN, strong passwords, firewalls and a flood of security patches, the medium (the network and the attached servers) should be considered inherently insecure. The greatest security comes from protecting the data itself. Even a gargantuan data breach will be of no real consequence if the data is undecipherable.

      Sensitive data should be encrypted, and a business process surrounding key management should be in place to restrict access in a manner consistent with corporate data access policies.

      Encryption has been around ever since Julius Caesar coded his messages by shifting the alphabet. Data encryption tools are now integrated well with standard office software. Yet, many organizations don’t bother with even the most basic data protection practices, such as applying passwords to Word and Excel files, or using the native Windows hard disk encryption capabilities for laptops that leave the office.

      The widespread use of encryption and digital rights management has greatly complicated corporate key management practices. If you are not familiar with the Enterprise Key Management Infrastructure initiative, now would be a good time to check it out at www.oasis-open.org/committees/tc_home.php?wg_abbrev=ekmi.

      Step No. 3: Address issues for all three data states, and implement processes and technologies for each: data at rest, data in motion and data in use.

      It’s easy to focus too much attention in one or two areas. For example, to manage data at rest, find all the critical data sources, identify how they are stored and protected and consider encrypted databases and files. To manage data in motion, use signed and encrypted e-mail, SSL connections, VPN and other forms of network protection. Remember, the bulk of data breaches are unintentional. They have become more common because increasing numbers of workers carry more and more data with them.

      Step No. 4: Consider signing documents and files.

      Digital signatures not only make it possible to protect data through strong encryption, but they also provide a means to validate the source, and ensure that nothing has been changed. Like key management, digital signatures require that certificates be issued and identities verified. Microsoft Outlook, for example, supports signing and encrypting with digital certificates. It even provides links to certificate authorities (the folks who issue digital certificates) that will sell you personal and corporate certificates.

      Step No. 5: Investigate the latest generation of data leak prevention (DLP) tools.

      There are many companies that provide DLP tools to discover, classify and protect your data. Among them are companies such as Iron Mountain, Websense, Reconnex, RSA Security, Trend Micro and Essential Security Software.
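
      The discover-and-classify pass that Steps 1 and 5 describe, reduced to one core case as an added example (not code from the article or from any vendor it names): find candidate card numbers, keep only those that pass the Luhn checksum, and label each document. The three labels, the keyword list and the sample documents are assumptions made for illustration.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")
# Keywords are assumptions drawn from the asset types the article names.
SECRET_RE = re.compile(r"trade secret|customer list|pricing", re.I)

def luhn_ok(digits):
    """Luhn checksum: filters out most random digit runs (order IDs, etc.)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_cards(text):
    """Return Luhn-valid card numbers, masked so the report itself leaks nothing."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append("*" * (len(digits) - 4) + digits[-4:])
    return hits

def classify(text):
    """Assign a hypothetical three-level label: restricted > internal > public."""
    cards = find_cards(text)
    if cards:
        return "restricted", cards
    if SECRET_RE.search(text):
        return "internal", []
    return "public", []

# Constructed sample documents; 4111... is a standard test number, not a real card.
SAMPLES = {
    "invoice.txt": "Paid with card 4111-1111-1111-1111, ships Friday.",
    "courier.txt": "Tracking 1234 5678 9012 3456; customer list attached.",
    "menu.txt": "Cafeteria lunch menu for the week.",
}

def scan(samples):
    return {name: classify(body) for name, body in samples.items()}

if __name__ == "__main__":
    for name, (label, cards) in scan(SAMPLES).items():
        print(f"{name:12} {label:10} {cards}")
```

      The courier document shows why the checksum matters: its 16-digit tracking number matches the pattern but fails Luhn, so the file is labelled on its keyword alone instead of being flagged as cardholder data.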

      The rate of data breaches is unlikely to slow, and their seriousness will not diminish. This is the case for the simple reason that the data driving modern enterprises is becoming increasingly accessible and transportable. However, the right tools and technologies do exist to help keep corporate secrets secret and CIOs out of the headlines.

      Harry Lewis (on the left) is professor of computer science at Harvard and fellow of the Berkman Center for Internet & Society. He can be reached at lewis@harvard.edu. Ken Ledeen (in the middle) is chairman and CEO of Nevo Technologies. He can be reached at kledeen@nevo.com. Hal Abelson (on the right) is professor of computer science and engineering at MIT. He can be reached at hal@mit.edu.

      Harry Lewis, Ken Ledeen and Hal Abelson are the authors of “Blown to Bits: Your Life, Liberty, and Happiness after the Digital Explosion.”
