Industry View
It's the Information, Stupid
Security pros won't succeed unless they broaden their focus from the infrastructure that houses information to the security of the information itself. BT Senior Security Consultant Jason Stradley explains how to get there.
By Jason Stradley, BT Senior Security Consultant
Technology controls to protect information
While the organizational and people oriented elements just described are critical to the success of any program to protect data and information from abuse and improper disclosure, those elements alone are not sufficient to provide the fullest possible level of protection.
To this point we have discussed the need for a data classification policy in an organization and the need to have the proper structure, incentives and capabilities around user awareness, training and incident response to educate the community with regard to that policy on an ongoing basis.
To properly monitor and enforce those policies, there needs to be a sound implementation of appropriate technology solutions to provide the "teeth" for the policies and processes established around the protection of data and information in the enterprise.
There are several technical elements that make a good information and data protection framework. These elements include:
- Mature Identity Infrastructure
- Digital or Enterprise Rights Management
- Data Leakage Prevention
- Encryption
Identity infrastructure is the base on which the majority of the other tools and solution types are dependent to properly operate. Without proper identity there can be no consistent assignment of rights and privileges to information resources across the enterprise. Most organizations have many moving parts in their identity infrastructures. Invariably some parts are either missing or not working up to their full potential. Without a viable identity infrastructure, many of the tools specifically designed for monitoring and protecting information and data will have only limited success at best; at worst they could possibly be seen as a failure. Once there is a solid identity infrastructure in place with a granular set of user attributes, additional solutions can be deployed for the protection of data and information.
The DRM/DLP Conundrum
Digital Rights Management (DRM) solutions encrypt content at a document level making use of access and authorization criteria from identity infrastructure to prevent the misuse, modification, loss or theft of intellectual property and sensitive information.
In contrast Data Leakage Prevention (DLP) solutions monitor for content on networks and endpoints based on defined criteria such as tags in documents, key word searches and so forth. As content is scanned and the criteria of the search parameters are met, rules are triggered. In less sophisticated solutions, these triggered rules result in some type of alert, typically an email to an administrator who makes decisions and inquiries based on established response procedures. In more sophisticated solutions, content can actually be interdicted or quarantined by the solution based on a rule set.
information security
Security Directions: A Virtual Conference
Available On Demand Sept. 30 - Dec. 30
Join us for a virtual event with candid, expert information on top security challenges and issues - all from the comfort of your desktop.
Protecting PII: How to Work with IT to Manage Risk
Understand the critical nature of the test data privacy problem and get tips on how to work with IT to implement a test data privacy program.
Get instant notifications when whitepapers, webcasts and case studies are added
to our library. Sign up for a Resource Alert now!
CSO Corporate Partners
CSO Perspectives
-
April 5-7, 2010Hyatt Regency Santa ClaraClick here for more information!
Santa Clara, California
(ISC)2 members can earn up to 24 CPE Credits!
