As all who work in a professional setting know, data security and integrity are important obligations. In order to protect corporate data, we must secure devices and documents with passwords and store data in approved locations. While following corporate security guidelines is often an inconvenience, the necessity is clear. Much of the data we create and store on corporate networks contains trade secrets, personally identifiable information, or potentially privileged communications and we have an obligation to protect that data on behalf of corporate interests. We also want to avoid any potential bad press as a result of a security breach. Stories of corporate security lapses lead to breaches in trust with our customers, which no corporation wants to face. For these reasons and more, it is clear that corporate security is of critical concern.
Security has traditionally been about defining and securing a perimeter. Whether homesteaders circling their wagons to protect against outside threats or records managers putting corporate documents in a warehouse behind a lock and key, we have always needed to understand what is on the “inside” and where the “outside” begins. From a security perspective, the inside and the outside should never intermingle. In corporate computing security, the concept of defining the perimeter has been relatively straightforward. Computers inside the office and behind the corporate firewall need to be secure, and anything outside of the corporate firewall is considered unsecured. There has traditionally been a clear concept of what is on the inside and what is on the outside. In an Internet-based world, however, identifying the perimeter is becoming a more difficult, if not Sisyphean, task.
In our “always on” society, we now have innumerable ways to connect into the corporate data environment. Whether through smartphones, laptops, bring-your-own-device (BYOD) initiatives or working from home, defining the corporate security perimeter is no longer a simple concept. The definitions of “inside” and “outside” are no longer so clear. This change in data access has flipped the corporate security model on its head and has forced us to create new paradigms in fulfilling our security obligations. What follows are four broad considerations in modern data security and what you can do to make necessary changes.
Securing the data center
Data center security is a necessary foundation in today’s computing environment. Wherever we have data at rest, we need rock solid security and physical access controls. For most corporate environments, this is the easiest element in the data security process, since it is most akin to the traditional perimeter-based security models. Many corporate data centers already adhere to SAS 70 Type II or SSAE 16 security standards, which provide good platforms upon which to build the rest of our security initiatives. It is more difficult to define what constitutes our data centers. For example, our corporate servers may live in a secure building with all essential security precautions taken, but what if our colleagues use data storage services such as Dropbox or Sharefile? It is necessary to identify all data centers — those officially authorized and also those not formally condoned — and ensure best practices are being followed.
In the past, it was assumed that all corporate data would be accessed over secure channels of communication, such as an Ethernet cable which connected an office wall outlet to a data center on an adjacent floor. In today’s world, however, we must assume that all data transfers are being made over unsecured channels, such as a home network, coffee shop Wi-Fi or through shared cellular connections. As such, all data that is transmitted from our data centers must be encrypted with no less than 128-bit encryption using PKI (public-key infrastructure) cryptography, such as SSL (secure sockets layer) or TLS (transportation layer security). This encryption will allow us to know that data sent from our data centers to our data endpoints (smartphones, laptops, etc.) will be protected from anyone “snooping on the line.”
Endpoint protection – encryption
Our always-on world and need for responsiveness requires that we use any and all means to access corporate data. As long as we are properly securing our data centers and data transportation, we next need to make sure that our data endpoints are also secure. Endpoints such as iPads, Android phones and laptops are difficult to secure, especially if an organization is deploying a BYOD initiative, in which employees are able to use their personal mobile devices to connect to corporate data. Device encryption and enhanced user identification/authentication are two steps which will immensely help improve endpoint security.
Many modern mobile devices provide the ability to encrypt device contents. Even if the device is lost or forgotten, if the device’s contents are encrypted, it will be impossible for third parties to read the encrypted data. Using common techniques, such device encryption, can be enforced even on BYOD devices.
Endpoint protection – user identification and authentication
It is also important to abide by enhanced user identification and authentication strategies. User identification refers to knowing each person who is accessing corporate data and have the ability to remove access based on identity. This is easier said than done, as corporate networks are often rife with individuals who have access to the system even though they are no longer affiliated with the organization.
Multifactor authentication is also highly recommended for all data access. Multifactor authentication requires the use of some proof of identify beyond passwords. You may be familiar with numeric key fobs which change numbers every minute in a unique way per user account. By typing in the unique number along with your password, the authentication process is orders of magnitude more robust and secure.
In today’s Internet-based world, securing corporate data is increasingly complicated. Since security perimeters have been pushed to the very edge of the Internet, traditional security techniques no longer apply. We can make significant steps toward proper corporate security by securing our data centers in accordance with modern standards, encrypting data which leaves our data centers, securing data endpoints such as smartphones and laptops, and verifying every user who connects to our corporate systems. By enforcing these four broad areas of corporate security, we can continue to leverage the benefits of our Internet-based world while living up to our obligations to corporate interests.