Data has become too distributed to secure, Forrester says

By Robert Westervelt, News Editor
11 Aug 2009 | SearchSecurity.com

Security pros should forget about addressing constant changes in their environment and instead work on ways to embrace cloud-based services, Web-based tools and consumer devices by reducing the risks they pose to the workplace.

That's the central theme of next month's Forrester Security Forum, which will focus on "shifts" rather than changes that have transformed enterprises and are creating uncertainties among many security pros over how to secure the nuggets of data moving beyond company walls. The issue is more complicated than setting the right Web security policy or addressing cloud data security with a service provider.

"We understand that everything has changed -- that's a given," said Rob Whiteley, vice president and research director at Forrester Research Inc. "The point at which the conversation starts is no longer what we're tackling, but what we're doing differently to protect intellectual property and help mitigate risks that are being undertaken."

Whiteley said security professionals can't control the various Web-based technologies being used by employees and instead need to look at the issue through a risk-oriented approach as opposed to a security-oriented approach.

Data has become too distributed to be protected at the same level, Whiteley said. For example, if data residing on employee BlackBerrys and iPhones or with Web-based service providers is not mission critical, then security may be able to relax some of its controls, Whiteley said. Security pros need to figure out what needs to be protected at all costs, and at the very least monitor the flow of data to understand what is moving beyond the company's walls.

"A security person would say we would protect the data at all costs," Whiteley said. "A risk-oriented person would say let's try to quantify the business impact of this data and then protect the data that is absolutely critical to our operations."

Ultimately, what cloud computing does is begin to shift the company data around. IT security professionals have to consider more than just data encryption, Whiteley said. Data retention policies, data retrieval, data classification and traffic monitoring have all been transformed by the use of Web-based services. Data may sit with multiple service providers that have their own security policies. That point is only the back end of the problem, Whiteley said. On the front end, employees are running around with laptops and PDAs and dealing with multiple partners and contractors, all amassing data on their devices as well, he said.

"Before you had a single stack from top to bottom with everything tightly coupled," Whiteley said. "Now in the cloud era, you've decoupled the application from its platform and its underlying infrastructure and you've sourced those all independently."

Times have changed, Whiteley said. In the past security teams had a lot of veto power when it came to allowing the use of consumer devices and social media websites. A younger workforce has translated into a demand for these new technologies that enable employees to become more efficient and productive. Today, security can't get in the way of innovation.

"We see that a lot of these social media and networking tools have a lot of value," Whiteley said. "The technology is evolving so quickly that it doesn't always make sense for companies to have a completely centralized procurement process. There's no way for them to keep up with the pace of innovation in the consumer space."

There are security controls that should be put in place to monitor the flow of data, along with virtualization technologies and email and content security tools to address the use of consumer devices, such as netbooks and iPhones. Companies are investing in these security technologies more aggressively, Whiteley said. But even more importantly, according to Whiteley, companies are starting to completely rework their acceptable use policies. Acceptable use policies were fairly static in the past, but today there has to be much more modernization of those policies and much more awareness and user training.

"Mature organizations, especially in financial services, have been dealing with this forever; they just had very restrictive policies but they get how to go about this process," Whiteley said. "Now we see that all companies, regardless of industry and almost regardless of size, are having to revisit this, but at least we have a lot of best practices out there that companies can lean on."


Forrester is offering SearchSecurity.com readers a $405 discount off the standard conference rate for Forrester's Security Forum 2009. To register, call Forrester Events at 1-888-343-6786 and reference VIP Code SF9SSC.
