IT: Forget the device, secure the data

Last June, Wisegate, a crowdsourced IT research company, surveyed hundreds of its senior-level IT professional members to assess the current state of security risks and controls in business today. The respondents considered malware and breaches of sensitive data to be the primary security risks/threats, followed by malicious outsider risk.

As shared with CSO's readers in April, BYOD and cloud adoption were the top tech trends driving these concerns. Here, we delve deeper into a new trend: how information security professionals are moving toward practices that secure the data itself rather than securing the device. What are these practices and what are their strengths and pitfalls?

Many factors, from BYOD policies to cloud adoption, have opened small holes in the vaults in which organizations store valuable and sensitive data. With many organizations now lacking physical perimeters to protect sensitive information and knowing less about where data actually resides, IT professionals have turned their efforts to defending the data itself.

Unable to guarantee the integrity of their devices and networks, CISOs are using a new category of security controls known as information protection and control (IPC). Broadly speaking, the protection of data is provided by encryption technologies, while the control is provided by data leak prevention (DLP) technologies.

Data leak prevention

Simply put, DLP can detect when a file with sensitive data is leaving a protected server. Most DLP mechanisms are difficult to configure and generate a lot of noise. As a result, most enterprises choose to run DLP technologies in monitor mode, alerting and reporting on potential threats but not shutting down the system. The problem with monitor-only mode is that by the time the security team has seen the alert and reacted, the hackers have already escaped with the valuable data. Blocking the movement of data interrupts workflow and slows down business processes, but monitor-mode DLP on its own is not an adequate security control. To truly protect data, DLP technology must be used as part of a layered defense that includes defending the data itself.
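The trade-off described above, as an added example that is not part of the original article: a minimal content-inspection rule for outbound files, showing how a checksum cuts the noise of pattern-only matching and how the same detection yields a different outcome in monitor mode and block mode. The function names, file names and sample contents are hypothetical and constructed for illustration; the card numbers are well-known test values.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most arbitrary digit runs (order ids, counters)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_card_numbers(text: str, validate: bool = True) -> list[str]:
    """Return normalized matches; validate=False is the noisy pattern-only rule."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not validate or luhn_ok(digits):
            hits.append(digits)
    return hits

def inspect_transfer(name: str, text: str, mode: str = "monitor", threshold: int = 1) -> dict:
    """DLP decision for one outbound file.
    monitor: an alert is raised but the transfer still proceeds.
    block:   the transfer is stopped once the match threshold is reached."""
    hits = find_card_numbers(text)
    sensitive = len(hits) >= threshold
    return {
        "file": name,
        "matches": len(hits),
        "alert": sensitive,
        "allowed": not (sensitive and mode == "block"),
    }

# Constructed sample files (not real data).
SAMPLES = {
    "orders.csv": "order 1234567890123456 shipped\norder 9876543210987654 pending\n",
    "export.csv": "alice,4111 1111 1111 1111\nbob,5500-0000-0000-0004\n",
}

if __name__ == "__main__":
    for fname, body in SAMPLES.items():
        for mode in ("monitor", "block"):
            print(mode, inspect_transfer(fname, body, mode=mode))
```

In monitor mode `export.csv` raises an alert but still leaves the server; only block mode stops it, while `orders.csv` passes in both modes because its digit runs fail the checksum.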


Encryption

Unlike DLP technology, encryption can be used to secure the data. A strong algorithm with an adequate key length will theoretically protect the data forever, wherever it is and whoever has access to it. Data that has been encrypted is considered regulatory compliant if and when correct key management is used.

Key management is one of the major weaknesses of encryption. Managing all of the decryption keys and making sure that only the right people have keys, as well as renewing keys when they expire, is one of the most challenging aspects of encryption for an organization. Encryption can pose practical problems too. While fixed data can be encrypted and stored, the process is too cumbersome for dynamic application data, making it difficult to perform operations on that data.

Proxy servers and in-house key storage are two additional steps that some organizations have employed to increase the security of the data. Both reduce an attacker's ability to access the data; however, neither approach solves the problem of manipulating encrypted data. Homomorphic encryption has been hailed as the Holy Grail that will remedy our need to use dynamic but encrypted data. However, this solution is still in a testing stage and is not yet a functioning security product.

Just as security mechanisms become more sophisticated, so do the tactics deployed by malicious attackers. Without a robust, multifaceted security system in place, even the most protected data will be vulnerable to the attempts of hackers. These days, the question about data hacks is not how, but when. Implementing strategies that not only allow an organization to prepare, protect and react, but also increase the opportunity cost for would-be hackers, will be integral to data defense.

Elden Nelson is editor in chief at Wisegate, a private crowdsourced IT research service for senior IT professionals, including CSOs and CISOs.
