Limiting security exposure by controlling sensitive data creep

Organizations are struggling to manage the proliferation of sensitive data as they respond to increased regulation and more sophisticated, insidious security threats. Employing advanced tools for the monitoring and discovery of sensitive data may well be the key to locking down data, wherever it resides across the enterprise.

FINDING AND SECURING SENSITIVE DATA

Securing sensitive data has become a daunting exercise. Organizations in virtually every industry are struggling to control more and larger databases residing across a web of virtual and physical networks. It is not unusual for a company to manage a complex combination of vendor and custom-built applications accessed by a highly dispersed workforce, including employees, contractors, and outsourcing partners. Companies continue to move business processes overseas, either through outsourcing or captive overseas operations, to improve efficiencies and cut costs. Increasingly, these activities are high-value processes that are regulated and require rigorous compliance and auditing. Over half of the participants in the Forrester Research/TechTarget November 2008 Global Database Management Online Survey stated that securing private data in databases was challenging.

Good business practices for handling personally identifiable information (PII) and other sensitive data are now highly enforced, and companies must understand and comply with a myriad of regulations, including Sarbanes-Oxley (SOX), Payment Card Industry (PCI), Health Insurance Portability and Accountability Act (HIPAA) European Union (EU) Data Protection Directive (1995) and a number of state laws, including the California Online Privacy Protection Act (2003) and the new Massachusetts Privacy Law. The Massachusetts law could well be the first of many state laws to require compliance not only by companies located in the state, but also by any companies with customers in the state or carrying personal data related to a state resident. It is unclear to what degree the new Fin Reg federal financial regulatory law will affect security requirements, but certainly passage of this legislation contributes to an already highly regulated business environment.

To secure their networks and ensure compliance, companies must be able to identify what subset of their data is sensitive and where it resides, not only in their own production databases but also in development testing and hosted environments. Additionally, they need to know who has the authority to access, who has the ability to access, and who has previously accessed sensitive data. Traditional approaches to data security, such as firewalls and other perimeter security, were developed before compliance was a primary consideration and lack the adaptability to address current regulations. Companies want and need more relevant and comprehensive methods for discovering and protecting their sensitive data and monitoring and auditing their security processes.

SENSITIVE DATA CREEP: A HIDDEN ENEMY THAT CAN COMPRIMISE SECURITY

With so many databases and authorized users, it makes sense that sensitive data is constantly shifting across locations, within or across databases, and throughout the existing data structure. If only occasional "snapshots" of the sensitive data are taken without vigilant and consistent tracking, that sensitive data can quickly migrate unmonitored outside of protected areas. We call this data movement "sensitive data creep": the migration of data across an organization's IT applications and databases without adequate identification, tracking, or protection.

Sensitive data creep is particularly dangerous because undocumented spread of sensitive data can multiply geometrically over time, spinning out of control. Often, sensitive data creep is caused by migration of sensitive data from production to nonproduction environments. In the 2008 Ponemon Institute study, 79% of the organizations studied used production data in application development and testing, and 64% were testing applications on a weekly basis. Close to half of the organizations surveyed in 2009 by the Independent Oracle Users Group employed actual production data within non-production environments. Sensitive data creep can also occur when user security rules inadvertently allow sensitive data to be cut and pasted into additional or even temporary locations. Companies are particularly vulnerable to this type of data creep if they lack processes for inventorying and classifying their database data or if application development is not subject to the same levels of security as other organizational activities.

Unintentional misuse of data occurs well within the security perimeter and behind firewalls but, since it is undocumented and outside the audit trail, it can multiply and migrate to other areas of the network, especially without constant monitoring. Sensitive data creep within software code is virtually invisible and, even if it is detected, it is challenging to uncover the full extent of its propagation. All releases of programs and code such as user screens or reports, whether home grown or from an application vendor, need to be tested for access to objects that may expose sensitive data. The myriad of development tools for applications, whether for internal use or Web access, adds complexity to such testing and compliance.

DATA DISCOVERY: CRUCIAL TO EXPOSING SENSITIVE DATA CREEP

Sensitive data creep is a perpetual problem that calls for vigilant, consistent and proactive approaches. The most effective method of controlling sensitive data across the enterprise is a deliberate blending of data masking, data discovery, and access control. Data masking alone is inadequate, since sensitive data is continually shifting, leaving it at risk in undocumented locations. Comprehensive data discovery can prove to be time consuming and expensive, however, particularly if an organization has a number of large incompatible databases. A manual, piecemeal approach can prove to be inexact, since that methodology may be incapable of examining every table or piece of code in all applications across the network.

Innovative solutions are now available that automate the process for comprehensively determining what data is sensitive, tracking where it is located over time, who has access to it, and how it is being used, all on a unified platform. The best discovery tools enable companies to identify what data is sensitive and trace it throughout their networks, across all applications and databases, including source code. New and existing source code can now be reviewed automatically and evaluated for compliance risk. This automated approach is at the same time more thorough, more economical, and easier to implement than traditional approaches to data discovery and deliver the visibility that organizational stakeholders need to identify and mitigate problems before they lead to a data breach.

LOOK TO VENDORS WITH ADVANCED SECURITY FRAMEWORKS

Companies have many alternatives when they turn to third parties for projects, processes, or products. Given the high cost of compromised security and noncompliance, companies should prioritize security infrastructure as a factor in vendor selection. "In order to keep the competitive edge and maintain the lead in security initiatives, IT-BPO companies in India must now look at automating the security processes and implementing leading edge technology to reduce risks of non-compliance and data leakage," said Sivarama Krishnan of PricewaterhouseCoopers in a 2008 report on the state of information security in India. Vendors with advanced security infrastructure and a proven understanding of the regulatory landscape can add considerable value beyond cost containment and process efficiencies.

This article is an abbreviated version of the 3i Infotech White Paper, "Limiting Security Exposure by Controlling Sensitive Data Creep." To download the complete, complementary White Paper, simply visit: 

http://www.3i-infotech.com/content/showcase/datacreep.aspx