Securing critical data that may be used in a variety of contexts is a daunting prospect for any enterprise. But the harsh reality of regulations such as Sarbanes-Oxley and the PCI (Payment Card Industry) data security standard are helping set priorities for enterprises that might otherwise remain in denial.
In particular, Sarbanes-Oxley's requirement that companies audit the access of privileged users to sensitive data -- and PCI's requirement to track user identity information whenever credit card data is touched -- are pushing companies to home in on where sensitive data resides and how it is being used, Goldschmitt says.
At CDS, PCI and Sarbanes-Oxley prompted the company to take a close look at all of its processes for handling subscriber data, McCarthy says. In addition to doing its own SAS (Statement on Auditing Standard) 70 audits of internal security controls, CDS is regularly audited by third parties.
Increasingly, audits are forcing enterprises such as CDS to push security measures closer to where data resides, whether on laptops, in databases, or in shared directories, Stamp says. It's a simple prescription but one that's difficult to implement because most companies start out with a hazy understanding of what their sensitive data is, let alone where it resides on their networks.
"Companies wake up and realize, 'We don't know anything!'" Goldschmitt says. "We've had companies come to us and say, 'We have 20,000 data servers and absolutely no idea which of them have sensitive data on them.'"
Zeroing in and locking down
When the panic subsides, the hard work of discovery begins. Fortunately, enterprises have more data security tools at their disposal today than ever before.
Most companies in the DLP space, including Vontu and Tizor, can audit network activity to find sensitive data such as credit card numbers, magnetic-stripe data, or intellectual property on database and file servers, and monitor user access to that data. Firms such as PointSec -- now part of Check Point -- and startup Provilla can perform similar audits at the desktop level, monitoring file copying to portable storage devices, as well as e-mail and Internet-based file transfers.
Once that key data has been identified, DLP firms offer various strategies for securing it -- from tagging key intellectual property with signatures that raise alarms whenever they pass outside of the company's control to blocking USB ports to prevent data transfer to portable devices. None of those approaches is sufficient to protect data without larger organizational changes, experts say.
"There are really cultural changes that need to occur," Guardium's Neray says. "You've got to focus on insiders and trust -- trust and verify."
Companies need to define security policies that cover critical data and educate employees about acceptable behavior. "If you've got an SAP application, your company might access the database 22,000 times a day as part of your normal business processes. But if someone's using Microsoft Excel and bogus credentials to access SAP, that's a violation of policy," Neray says, adding that traditional perimeter defenses and identity- and access-management products also play a vital role in data security.
In particular, companies should use their identity-management platforms and strict policies to link specific IP addresses to specific users, rather than allowing shared credentials to muddy the waters should a forensic examination need to take place. "The problem is you've got applications like SAP and Oracle eBusiness Suite, which have privileged credentials to access the database, and those are widely available in the IT environment. Developers are using them, [database administrators], and the help desk," he says.
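The policy Neray describes, as an added example (not code from the article or from any vendor it names): run over constructed database audit records, it flags a shared application account connecting from anything other than its application servers or its expected client program, and flags a named account connecting from a workstation assigned to someone else. The log format, account names, IPs and program names are all assumptions.

```python
"""Flag misuse of shared application credentials in database audit logs.

Assumed (hypothetical) audit record layout, one session per line:
    timestamp,db_account,client_ip,client_program,statement
"""
from dataclasses import dataclass

# Constructed policy: hosts and programs allowed to use each shared account.
SHARED_ACCOUNTS = {
    "sap_app": {"hosts": {"10.0.1.10", "10.0.1.11"}, "programs": {"sapdbsvc"}},
}
# Constructed identity mapping: workstation IP -> the one user assigned to it.
IP_OWNER = {"10.0.5.42": "jdoe", "10.0.5.43": "asmith"}

# Constructed sample log: lines 3, 4 and 5 should each produce a finding.
SAMPLE_LOG = [
    "2007-03-01T09:00:01,sap_app,10.0.1.10,sapdbsvc,SELECT * FROM customers",
    "2007-03-01T09:02:14,jdoe,10.0.5.42,sqlplus,SELECT count(*) FROM orders",
    "2007-03-01T09:05:33,sap_app,10.0.5.43,EXCEL.EXE,SELECT card_number FROM payments",
    "2007-03-01T09:07:02,asmith,10.0.5.42,sqlplus,SELECT * FROM payroll",
    "2007-03-01T09:09:45,sap_app,10.0.1.11,python,SELECT * FROM customers",
]


@dataclass
class Finding:
    timestamp: str
    account: str
    client_ip: str
    reason: str


def audit(lines):
    """Return one Finding per audit record that violates the policy above."""
    findings = []
    for line in lines:
        ts, account, ip, program, _stmt = line.split(",", 4)
        if account in SHARED_ACCOUNTS:
            rule = SHARED_ACCOUNTS[account]
            if ip not in rule["hosts"]:
                reason = f"shared account used from non-application host by {program}"
                findings.append(Finding(ts, account, ip, reason))
            elif program not in rule["programs"]:
                findings.append(Finding(ts, account, ip, f"unexpected program {program}"))
        elif ip in IP_OWNER and IP_OWNER[ip] != account:
            reason = f"account differs from user assigned to {ip} ({IP_OWNER[ip]})"
            findings.append(Finding(ts, account, ip, reason))
        elif ip not in IP_OWNER:
            findings.append(Finding(ts, account, ip, "named account from unregistered IP"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.timestamp} {f.account}@{f.client_ip}: {f.reason}")
```

The same records with a real audit trail would come from the database's own session log; the point is that every connection is attributable to one host and one person, so a forensic review has something to work with.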
Enterprises also need to build practical, bottom-up policies that actually get enforced, rather than imposing unrealistic, top-down security policies that just get ignored, Stamp says. "Once you have a handle [on] where your data is and where it's going, you can start shoring up your infrastructure from the ground up."