Security Shifts to Data

Opinion: In the past year, security's emphasis has moved from protecting devices to protecting data.

RSA Security's annual security conference is being held this week in San Francisco. It's the first conference since the company was acquired by EMC. The company has always maintained an arm's-length relationship with the conference, and I hope that will continue under the new corporate parent. It seems like a good time to step back and see how the technology industry is doing in its security battle with the bad guys of hackerdom.

The big shift I've seen over the past year has been the switch in emphasis from protecting devices to protecting data. This is a welcome move and one the overall vendor and user community need to embrace. Recent data break-ins such as the distressing data breach at TJX Companies (parent company of T.J. Maxx and other retail outlets) provide a grim reminder of how unprotected data can shake the foundations of companies and industries.

There is a logic behind the shift. Protecting devices can be done one device at a time. You can develop a product that will put your servers behind firewalls, deter spam from hitting your mail server and keep intruders out of your wireless network. In many ways, those products are good, classic IT projects: You see a problem, you evaluate products that can fix the problem, and you buy and install the fix. While fixing one leak doesn't make sense when you need a new dam, the one-fix-at-a-time process has been a good-faith effort.

Protecting data requires developing and deploying an overall company process. Before you try to fix data leakage, you have a lot of work to do. You need to figure out where all your data resides and set levels of protection depending on the degree of data importance. If you decide to encrypt data, you need to figure out how to handle encryption and decryption keys. Who should issue the keys, how long they should exist, and where the encryption keys should be stored and maintained are only some of the questions that need to be addressed.

In the current era of compliance and legal discovery processes, the management of encryption needs to be part of any corporate technology planning.

An additional aspect of data protection that often is overlooked is what happens to data after it leaves your company. Companies have invested their technology dollars in trying to measure their reputations and brand strengths in the online world of blogs, wikis and Web sites. Now I am beginning to see startups that are offering a search service to see if an individual's Social Security number and other personal information are being bought and traded in "blackhat" Web trading areas. Soon, companies will need systems that can check outside the corporate Web to see if confidential corporate data is being bought and sold in the Web's black market. For example, IBM recently introduced identity mixer software aimed at thwarting identity theft, and a startup named TrustedID allows individuals to see if their Social Security numbers are available on the Web.

The move to protecting data instead of devices comes at a crucial time for companies. The power of mobile devices is rapidly increasing to the point where your laptop will appear underpowered compared with the handheld combination phone/e-mail/personal data device.

The development of those mobile devices also means that more confidential corporate data will be moving over more networks. Protecting that data will become a top business priority, a top regulatory priority and a top market opportunity for those security vendors wondering where the next big market will develop.

The RSA Conference always provides a good opportunity to take stock of the state of information security. While the security of devices is hardly a completed mission, the importance of securing data will become the new priority and will, I expect, become the major topic of future RSA meetings.

Editorial Director Eric Lundquist can be reached at
