
Does Your Encryption Based Data Security Solution Protect You From Insider Threats?

In a May 2012 report just released by the Ponemon Institute, 69 percent of organizations find it difficult to restrict user access to sensitive information in IT and business environments. On top of that, 66% say their organizations find it difficult to comply with privacy and data protection regulations. So organizations are finding it hard to keep up with new regulations at the same time as they are unable to secure data from internal users. It’s no wonder that in this same report 50% say that data has been compromised or stolen by malicious insiders such as privileged users.

What are companies doing about it?

Many have deployed encryption solutions. In the May 2012 report by Ponemon, 67% say they are very familiar or familiar with the use of encryption to protect sensitive data at the record level. Encryption solutions also rely on role-based access to enforce data privacy at the application tier, where personal information could otherwise be exposed. The challenge with encryption is that it often requires source code changes, meaning (1) potential performance overhead and (2) additional code and maintenance for applications that continue to change. For organizations with homegrown applications or packaged applications like PeopleSoft, Siebel, SAP or Oracle, encryption requires additional code changes their organizations may not want to support. Additionally, because developers would be required to implement the code changes, enforcing segregation of duties becomes more difficult. An ideal solution would allow data to be protected with minimal (or no) performance or application code impact.

In addition, encryption does not prevent access by standard IT users or when authenticated applications and tools access the databases. In these cases all values are returned “in the clear.” An ideal solution would ensure that access is restricted for DBAs, system administrators, and other privileged users.

So what are organizations missing? Is there a way to augment encryption so that you can:

  • Restrict data access for DBAs, system administrators and other users who see data unencrypted, or in the clear?
  • Protect data of variable length or in unstructured or semi-structured format?
  • Dynamically mask data without impact to the database or application?
  • Protect data as the test, QA or training environment is created?

Hear Larry Ponemon discuss the survey results in more detail during a CSOonline.com/Computerworld webinar, Data Privacy Challenges and Solutions: Research Findings with Ponemon Institute, on Wednesday, June 13.

This entry was posted in Application ILM, Data masking, Data Privacy.

2 Responses to Does Your Encryption Based Data Security Solution Protect You From Insider Threats?

  1. Anand says:

    We have been trying to address the same challenge w.r.t. Highly Restricted Data, but the major challenge is this:
    this type of a “security wrapper” around the “data at rest and in motion” needs buy-in from both the Infrastructure Team (Server, OS, Database, Network, Storage) as well as the Application owner team,
    which is a challenge. And there would not be a silver bullet solution to this since there are various exposure points in the data lifecycle from inception to disposition.
    So the approach would be a mix of:
    Encryption (at rest and in motion)
    Masking and tokenization (static and dynamic)
    Database firewalls to augment in-place encryption of data
    IAM and RBAC
    Still something is open... guess what... social engineering :) ... there is always a Kevin Mitnick out there.

    • Karen says:

      Yes, data masking augments and integrates with encryption solutions. Many companies have deployed Informatica Dynamic Data Masking because it anonymizes data for all users, including DBAs, sys admins, and other privileged users, based on role, location, and privacy rules. It can support sophisticated masking rules and decide dynamically which queries to mask based on other logic. For example: mask bank number only if user has invoked a specific application role. In addition to masking application screens for Oracle, SAP, PeopleSoft, and homegrown, Informatica masks all types of data. For more information see http://www.informatica.com/us/products/data-masking/dynamic-data-masking/
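As an added illustration of the role-based dynamic masking the post's question list asks for (restrict what DBAs and sysadmins see, handle variable-length values, leave the database and application untouched) and of the rule Karen gives above (show the bank number only to a caller holding a specific application role), the following Python is example code written for this page; it is not Informatica's product, nor code from the original post or comments. It assumes an in-memory SQLite table with constructed sample rows, a hypothetical COLUMN_POLICY mapping, and two hypothetical application roles, hr_app and payments_app; every other role (dba, sysadmin, an ad hoc query tool) receives masked values. The SQL and the schema are passed through unchanged; only the result set the caller sees is rewritten, which is the point that distinguishes masking in the access path from encryption in the application code.

```python
import sqlite3

# Constructed sample data for this example; not from the original post.
SAMPLE_ROWS = [
    ("Alice Adams", "123-45-6789", "DE89370400440532013000"),
    ("Bob Brown", "987-65-4321", "4111"),            # short value: masked entirely
    ("Carol Clark", None, "GB29NWBK60161331926819"),  # NULL passes through
]

# Hypothetical masking policy: column name -> roles allowed to see the clear value.
# Any role not listed (dba, sysadmin, reporting tools) gets the masked form.
COLUMN_POLICY = {
    "ssn": {"hr_app"},
    "bank_account": {"payments_app"},
}


def mask_tail(value, keep=4, fill="*"):
    """Mask all but the last `keep` characters of a variable-length value.

    NULL stays NULL so application code that checks for missing data still
    behaves; values no longer than `keep` are masked completely so that a
    short account number does not leak in full.
    """
    if value is None:
        return None
    text = str(value)
    if len(text) <= keep:
        return fill * len(text)
    return fill * (len(text) - keep) + text[-keep:]


def build_demo_db():
    """Create the in-memory table the example queries against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, ssn TEXT, bank_account TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def run_query(conn, sql, role, params=()):
    """Execute `sql` unchanged, then apply COLUMN_POLICY to each row for `role`.

    This stands in for a masking proxy sitting between clients and the
    database: the query, the schema and the application are untouched, and
    the decision is made per column from the caller's role.
    """
    cur = conn.execute(sql, params)
    columns = [d[0] for d in cur.description]
    masked_rows = []
    for row in cur.fetchall():
        masked = []
        for col, val in zip(columns, row):
            allowed_roles = COLUMN_POLICY.get(col)
            if allowed_roles is None or role in allowed_roles:
                masked.append(val)          # unregulated column or entitled role
            else:
                masked.append(mask_tail(val))
        masked_rows.append(tuple(masked))
    return masked_rows


if __name__ == "__main__":
    conn = build_demo_db()
    query = "SELECT name, ssn, bank_account FROM customers ORDER BY name"
    for role in ("dba", "hr_app", "payments_app"):
        print(role)
        for row in run_query(conn, query, role):
            print("   ", row)
```

Two caveats a practitioner would raise against this toy. First, it keys the policy on the result column name, so `SELECT ssn AS s` would slip past it; a production proxy has to parse the statement and resolve aliases, expressions and joins back to the underlying columns before deciding what to mask. Second, masking in the access path only governs queries that pass through it: someone who can read the data files or backups directly sees whatever is stored, which is where encryption at rest still matters and why the layered mix Anand describes, rather than masking alone, is the realistic answer.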
