RSA attendees see data classification, rights management projects stumble

By Robert Westervelt, News Editor
10 Apr 2008 | SearchSecurity.com

Security Wire Daily News

SAN FRANCISCO -- Companies need to embark on data classification projects to gain more control over the movement of their data and to minimize data leakage, but it's difficult to find a company carrying out such a project successfully. Rena Mears, Deloitte's global and U.S. privacy and data protection leader, believes more companies are beginning to see the value in understanding where their data resides and the importance of eliminating unneeded data. Companies will get on the right track when they begin to treat data as an important asset, Mears said. In this Q&A from the RSA Conference 2008, Mears shares some effective strategies for beginning the discussion and talks about why many projects are ineffective.

Have companies missed the boat so far in terms of data classification? Do most firms know where their data is?

Rena Mears: We did a survey and one of the things we found was that almost every company said they did data classification. When we actually talked to companies we found out that what that almost always means is there is a nice data classification document somewhere with some nice classes defined; somewhere between two and four. And pretty much what happens is the document is sitting on the shelf often with other policies sitting on the shelf. It's not clear who has read it. It's not clear if it's well implemented and more importantly it's fairly clear that the technologies that have been implemented are not well equipped to deal effectively with the data classification.

We see data classification coming more with things like segmenting networks. It's usually done at what I would call the gross level rather than the data level, architecturally segmented in the network. Access, firewall protection or greater perimeter protection around that segment of the network then is effectively meant to handle the fact that that data requires more protection. The question you then have to ask yourself is how really truly segmented and protected that particular part of the network is and often you find that there are holes or ways around and into that segment.


The Payment Card Industry Data Security Standard (PCI DSS) is one area where segmentation comes into play. How is data classification affected in that case?
Mears: PCI and the whole PCI requirements have driven more spend in this space than we've seen in a long time. Companies are taking it seriously. There are a lot of areas in PCI that require strategic decisions on the part of the company … They are developing that segmentation. What I think is still a challenge often is for companies who are trying to meet the framework of PCI really being able to have the time to step back and say, now that network segmentation—is it really complete? Is it really effective at all layers? I do think PCI has been a positive influence on getting data classification operationalized in some aspect, but we're not there yet.

Let's talk about rights management and some of the challenges there. It seems to be a people challenge rather than a technology challenge or is it a mixture of both?

Mears: It's all of the above. In the enterprise risk survey we did, what we found was that out of all the technologies implemented, the one that had been least implemented so far was digital rights management. There's a love-hate relationship with digital rights management in the technology world. Now there's this conversation about whether it should be there at all for certain kinds of products and services or whether it should be complete, and I think there are a lot of challenges. One challenge is people. Walk into the enterprise and everybody has an opinion of what should be done with data, but no one wants to stick up their hand and say "I own the data," because when you tell them that is equal to accountability for what happens to the data, hands quickly drop. The concept of data stewardship and accountability creates issues.

What are your thoughts about the state of the economy and how it could possibly affect IT budgets moving forward?
Mears: For IT spending in particular, I think we've got opposing economic forces going on. Clearly there is a downturn, and any time you have a drop in margin the first strategy that comes to mind is cutting costs. But I also think there are some opposing drivers out there that actually work in favor of technology solutions and of security and privacy issues. We're increasingly global and we're increasingly digital, so I think what we're seeing is a recognition that IT, security, privacy and all the technologies that enable commercial activity are really essential for continuing growth.

In tough economic times it will become even more critical to show the value of a data project. Is it particularly difficult to show ROI with a data classification or a rights management project?

Mears: Only if you don't connect the dots to the fact that data is an asset, and most of us don't at this point. Enterprises deal with data as if it were free, and it is not. When we talk about data classification, data protection and data management, if I look at data as a true asset, then I can say I have a rate of return that I expect, an ROI off the investment in that asset. If that asset is returning nothing or it's negative, if it represents merely litigation risk, breach risk or regulatory risk but it's not giving me revenue or supporting my employees as an indirect revenue driver, then why do I have it? So one of the ways to get and show return on investment in a data project is to be able to show that you have effectively concentrated your efforts on the most-bang-for-the-buck place among your assets, and the first recommendation is often to get rid of a lot of the things you're holding because there is no return.

Who is going to be making the pitch to get a data classification project approved? Is it really IT driven?
Mears: The answer right now is that nobody is making the pitch, or at least hardly anybody. Nobody has gotten together to make a good pitch, if you will, or to explain what the risks are. We've seen a little bit of upward movement through Sarbanes-Oxley, because suddenly the security guy got to talk to the board of directors. In the finance industry, chief risk officers are the people who would bring this message up. Outside the finance industry, we're starting to see other industries pick up the concept of aggregating various risks and bringing all of that enterprise risk to the table at the C-level. All of this stuff requires strategy. The people who are hired to do strategy are in the C-suite, and it needs to be a comprehensive message.
