The risk of data theft -- here, there and everywhere


Protecting data in the past was comparatively easy. The key data that needed protection resided on large databases in a data center. Most of the mechanisms used to protect it took the form of perimeter security devices, such as firewalls and intrusion protection systems.

For a number of years, I was responsible for such a monolithic database, filled with millions of records of key consumer data. It all resided on disk arrays in two data centers. I made the data very difficult to reach from the outside world. While plenty of issues kept me up at night, losing data was not at the top of the list.

Today, the challenge of protecting sensitive data has increased exponentially. This has happened, to a large extent, because this data has been leaking out of the monolithic data center, and into the cloud, individual PCs and mobile devices. We can no longer protect it with a secure perimeter, because the perimeter for all intents and purposes no longer exists.

I would venture to guess that most companies simply don't know for certain where all of their data is.

Particularly troubling is the migration of sensitive data to mobile devices. Because of dramatic increases in storage densities and mobile computing power, it is now easy for sensitive data to reside on such devices. Even if a company policy exists prohibiting the storage of such data on mobile devices (and surprisingly few companies have such policies), well-intentioned employees will put it there anyway, often in an effort to be more efficient at doing their jobs. These intentions, while admirable, are dangerous.

There is evidence that most organizations do not understand the extent of the problems they face with data migration to mobile devices. The most recent "Cost of a Data Breach" report produced by IBM and the Ponemon Institute found that the average cost of a data loss has risen by 7 percent. At the same time, the adoption of endpoint security measures has dropped 6 percent since 2010.

The risks posed by the movement of data to the cloud are equally troubling. While cloud environments can usually be secured at least as easily as the data center, most companies don’t really understand the difference between the data center and the cloud, or appreciate what they must do differently. In his article "6 hidden challenges of using the cloud for big data and how to overcome them," Prat Moghe sums up the problem well: “Like men and women, cloud services and on-premises data centers are vastly different worlds -- a fact often underestimated by enterprises.”

Cloud-based data usually resides in a commercial data center, on networks shared with other customers. The data may live on multiple disk devices in the data center, and potentially multiple data centers for the purpose of redundancy. Protecting data in the cloud requires thoughtful planning and architecture, and strong ongoing discipline.

While protection of data across the storage spectrum is very, very difficult, it is not impossible, particularly with new technologies being introduced to help. Here are some suggestions:

Don’t move it out of the data center without a compelling business reason

It will usually be easier to protect data that is within your data centers. The cost of protecting distributed data is very high, and the risk is greatly increased. As such, make sure the value of the business reason for moving the data exceeds the increased cost of protecting it.

Track and inventory your data

It is crucial that the location of sensitive data be tracked and inventoried. Put simply, you can't protect what you don't know about. Every company will, at one time or another, deal with the theft of a mobile device. If this happens to you, can you easily determine what data was on the device that is now at risk? If not, you have a big problem. A good, well-maintained data inventory will help.

Encrypt sensitive data
The concept of data encryption is almost ubiquitous in our society. Despite this, it is not used as often as one might think, and is implemented poorly in many cases. Encryption is a relatively easy approach to the protection of data that is outside of your direct control.

Manage mobile devices

Theft and loss of mobile devices is very common. In the early days of smartphones, theft was common because of their high value and novelty. Now that seemingly everyone has a smartphone, thieves are more interested in any data of value on these devices. It is important to have some means of protecting such data, and wiping it after the report of a theft. Many products, such as VMware's AirWatch, can help to keep mobile data under control.

Penetration test your cloud installations

While many organizations conduct regular penetration testing on their core networks, the security of cloud networks is often overlooked. After all, they are often run by large corporations that do know a thing or two about security. Don’t be deceived by this, because the introduction of a vulnerability is all too easy. Conduct regular penetration tests on each of your cloud networks. Good vendors will support and encourage your testing. If your provider does not, it is time to shop for a new one.

Bottom line -- the Pandora's box of data migration outside of the perimeter is now open, and we cannot close it again. Instead, we must adapt our methods and approaches to protect our data, wherever it resides.

Copyright © 2016 IDG Communications, Inc.
