Last week, Vormetric attended the RSA Security Event. As always, the event is informative and useful for security professionals. This year, though, there was a new tone to the rhetoric and it is one that seems almost resigned. In fact, in his keynote kickoff speech, RSA Chief Arthur Coviello said, “ Our networks will be penetrated. We should no longer be surprised by this.” He went on to discuss the increased sophistication and persistence of criminal groups and hacktivists in targeting companies and carrying out compromises of the selected network. He further suggested that companies should assume that their networks have been penetrated and invest in technologies to detect that intrusion.
While these statements may be interpreted to suggest that the information security world has resigned itself to being unable to stop criminals intent on stealing data and wreaking havoc on companies and individuals alike, this is actually a call to action for companies. Instead of conceding the cyberware to the criminals, the event focused more on how companies can be proactive in detecting and preventing data theft. Two themes kept emerging – the growth of “big data” and the increasing difficulty in protecting networks, even as many companies begin shifting “to the cloud.”
The term big data refers to data sets that have grown so large that they become unwieldy to manage. As companies become more and more dependent on information to help them hone their marketing, product development, and strategy, “big data continues to proliferate.” The old adage about not storing data if it’s not needed has become irrelevant, as companies become more and more convinced that every piece of data is needed in order to gain competitive advantage in their respective marketplaces. As computing power and storage capabilities increases, companies depend less on sampling and more on trying to analyze every piece of data for its possible relevance to the companies’ objectives. Witness for example, the Target data analysis program that allows them to predict pregnancy in their shoppers. While big data can offer big advantages, it also poses big risks if not properly managed.
Risk Management was another recurring theme at the event, with concerns being raised around the involvement of the board in the security and privacy policies of their firms. In fact, a survey co-sponsored by RSA revealed that some 70% of Fortune 2000 executives rarely, if ever, review their company’s security and privacy policies. Such lack of involvement seems counter intuitive in such a dynamic and changing threat environment, not to mention a regulatory environment in which lawmakers and federal agencies are taking an active interest in the security and privacy policies of corporations.
These two trends, increasingly large data sets and lack of executive involvement in risk management, are occurring at a time when more and more companies are migrating their processes, and in many cases their data, to the cloud. Cloud computing brings with it many advantages, but as with any technology it must be carefully evaluated against the potential risks. Questions about “security in the cloud” have plagued the platform. Security experts have debated the utility of the cloud in the face of repeated, increasingly sophisticated attacks by data thieves. While proper planning and analysis can help companies successfully secure their cloud environments, it is difficult to do so without a proper risk analysis.
Again, though, the overarching theme was the protection of company assets against the “advanced persistent threat” posed by increasingly sophisticated, targeted, and determined data thieves. Whether those thieves are intent on stealing data or proving an ideological point, the objective of the thieves remains the same – to use the resources (data or network) for the benefit of the criminal and to the detriment of the target company. The goal of criminals is, more often than not, data. While it may be the case that “networks will be penetrated [and] we should no longer be surprised by this,” it does not have to be the case that the data must also be compromised.
Network penetration does not always equate to data compromise, supposing a proper implementation of strong encryption with secure key management and appropriate access controls. For many years, the focus of data security was on “perimeter controls”- firewalls, intrusion detection, and similar measures. The result was often a “hard, crunchy shell with a gooey center.” In other words, there were strong network and perimeter protections, but the data was often left unencrypted. Thieves had only to compromise the network protections in order to get to the data. Now, we have seen that network controls alone do not suffice to protect company assets. To offer the best protection against data thieves, companies must couple those staunch network or perimeter protections with equally, if not more, robust data encryption practices. In essence, companies must provide a hard crunchy shell with an unrewarding center - encrypted data that is inaccessible and unusable to the thieves.