Tag Archives: data security

Data Is Precious: Secure it Accordingly


Security professionals are in dire need of a solution that provides visibility into where sensitive and confidential data resides, as well as visibility into the data’s risk. [1] This knowledge would allow those responsible to take an effective, proactive approach to combating cybercrime. By focusing on the data, Informatica and our customers, partners and market ecosystem are collaborating to make data-centric security with Data Security Intelligence the next line of defense.

Security technologies that focus on securing the network and perimeter require additional safeguards when sensitive and confidential data traverse beyond these protective controls. Data proliferates to cloud-based applications and mobile devices. Application security and identity access management tools may lack visibility and granular control when data is replicated to Big Data and advanced analytics platforms.

Informatica is filling this need with its data-centric security portfolio, which now includes Secure@Source.  Informatica Secure@Source is the industry’s first data security intelligence solution that delivers insight into where sensitive and confidential data reside, as well as the data’s risk profile.

To hear more from Informatica and an esteemed panel of security experts about where the future of security is going and why Informatica Secure@Source is an ideal solution for the data challenges around security, please register here. Panelists include:

The opportunity for Data Security Intelligence is extensive. In a recently published report, Neuralytix defined Data-Centric Security as “an approach to security that focuses on the data itself; to cover the gaps of traditional network, host and application security solutions.” A critical element for successful data security is collecting intelligence required to prioritize where to focus security controls and efforts that mitigate risk. This is precisely what Informatica Secure@Source was designed to achieve.

Having emerged from a predominantly manual practice, the data security intelligence software market is expected to reach $800M by 2018 with a CAGR of 27.8%. We are excited about this opportunity! As a leader in data management software, we are uniquely qualified to take an active role in shaping this emerging market category.

Informatica Secure@Source addresses the need to get smarter about where our sensitive and private data reside and who is accessing it, to prioritize which controls to implement, and to work harmoniously with existing security architectures, policies and procedures. Our customers are asking us for data security intelligence, and the industry deserves it. With more than 60% of security professionals stating their biggest challenge is not knowing where their sensitive and confidential data reside, the need for Data Security Intelligence has never been greater.

Neuralytix says “data security is about protecting individual data objects that traverse across networks, in and out of a public or private cloud, from source applications to targets such as partner systems, to back office SaaS applications to data warehouses and analytics platforms”. We couldn’t agree more. We believe that the best way to incorporate a data-centric security approach is to begin with data security intelligence.

[1] “The State of Data Centric Security,” Ponemon Institute, sponsored by Informatica, June 2014


Best Kept Secrets for Successful Data Governance


If you’ve spent some time studying and practicing data governance, you would agree that data governance is a challenging yet rewarding endeavor. Across industries, a growing number of organizations have put data governance programs in place so they can more effectively manage their data to drive business value. But the reality is, data governance is a complex process, and most companies practicing data governance today are still at the early phase of this very long journey. In fact, according to the results of over 240 completed data governance assessments on http://governyourdata.com/, a community website dedicated to everything data governance, the average score for data governance maturity is only 1.6 out of 5.

It’s no surprise that data governance was a hot topic at last week’s Informatica World 2015. Over a dozen presentations and panel discussions on data governance were delivered; practitioners across various industries shared their real-world stories on topics ranging from how to kick-start a data governance program and how to build business cases for data governance, to frameworks and stewardship management, to the choice of technologies. For me, the key takeaways are:

  1. Old but still true – To do data governance the right way, you must start small and focus on achieving tangible results. Leverage the small victories to advance to the next phase.
  1. Be prepared to fail more than once while building a data governance program. But don’t quit, because your data will not.
  1. One size doesn’t fit all when it comes to building a data governance framework, which is a challenge for organizations, as there is no magic formula that companies can immediately adopt. Should you build a centralized or federated data governance operation? Well, that really depends on what works within your existing environment.
    In fact, when asked “what’s the most challenging area for your data governance effort” in our recent survey conducted at Informatica World 2015, “Identify roles and responsibilities” got the most mentions. Basic principle? – Choose a framework that blends well with your company’s culture.
  1. Let’s face it, data governance is not an IT project, nor is it about fixing data problems. It is a business function that calls for people, process and technology working together to obtain the most value from your data. Our seasoned practitioners recommend a systematic approach: Your first priority should be people gathering – identifying the right people with the right skills and, most importantly, those who have a passion for data. Next is figuring out the process. Things to consider include: What’s the requirement for data quality? What metrics and measurements should be used for examining the data? How to handle exceptions and remediate data issues? How to quickly identify and apply security measures to the various data sets? The third priority is selecting the right technologies to implement and facilitate those processes to transform the data so it can be used to help meet business goals.
  1. “Engage your business early on” is another important tip from our customers who have achieved early success with their data governance program. A data governance program will not be sustainable without participation from the business. The reason is simple – the business owns the data, they are the consumers of the data and have specific requirements for the data they want to use. IT needs to work collaboratively with business to meet those requirements so the data is fit for use, and provides good value for the business.
  1. Scalability, flexibility and interoperability should be the key considerations when it comes to selecting data governance technologies. Your technology platform should be able to easily adapt to the new requirements arising from the changes in your data environment.  A Big Data project, for example, introduces new data types, increased data speed and volume. Your data management solution should be agile enough to address those new challenges with minimum disruption to your workflow.

Data governance is HOT! The well-attended sessions at Informatica World, as well as some of our previously hosted webinars, are testimony to the enthusiasm among our customers, partners, and our own employees on this topic. It’s an exciting time for us at Informatica because we are in a great position to help companies build an effective data governance program. In fact, many of our customers have been relying on our industry-leading data management tools to support their data governance program, and have achieved results in many business areas such as meeting compliance requirements, improving customer centricity and enabling advanced analytics projects. To continue the dialogue and facilitate further learning, I’d like to invite you to an upcoming webinar on May 28, to hear some insightful, pragmatic tips and tricks for building a holistic data governance program from industry expert David Loshin, Principal at Knowledge Integrity, Inc., and Informatica’s own data governance guru Rob Karel.


“Better data is everyone’s job” –  well said by Terri Mikol, director of Data Governance at University of Pittsburgh Medical Center.  For companies striving to leverage data to deliver business value, everyone within the company should treat data as a strategic asset and take on responsibilities for delivering clean, connected and safe data. Only then can your organization be considered truly “Data Ready”.


SailPoint Partners with Informatica Secure@Source


As part of the Informatica Secure@Source launch, Data Security Group Director of Business Development, Christophe Hassaine, interviewed our partner SailPoint’s Vice President of Product Management, Paul Trulove. They discuss the importance of data security intelligence to ensure effective identity and access management.

Christophe: Tell us a little more about what SailPoint does?

Paul: SailPoint is a leader in Identity and Access Management. Our products, IdentityIQ and IdentityNow, help customers get the right access to the right users at the right time. This helps keep users productive while at the same time minimizing the risk of inappropriate access or non-compliant access to sensitive resources or data for the customer.

Christophe: What are the challenges you are seeing in the market?

Paul: One of the most significant challenges we’re seeing in the market today is around the amount of data being generated and stored in the enterprise. This is creating issues for IT security teams to restrict access to only those users with a valid business reason.

Christophe: Specifically what gaps do you see in customers’ data security posture?

Paul: There are two important gaps that we see in the approaches being used today: one is a general lack of visibility to where sensitive data is within the enterprise; the second is how access to it is managed, as customers generally think about managing access from a higher level than data. These issues are compounded by the fact that in most organizations the data management teams and technology don’t link tightly with the IAM teams and systems. This can create blind spots and slow reaction time when a security event is detected.

Christophe: Why is Data Security Intelligence important to your customers?

Paul: Data security intelligence is important because you can’t manage everything. You have to prioritize security controls based on risk or you don’t have a chance.

Christophe: What are your integration plans with Informatica Secure@Source?

Paul: We are working on several innovative integration options with Secure@Source. One of the main focus areas is around providing identity context for data events. Since SailPoint knows who has access to what across every system in the enterprise, we can tell Secure@Source who it should be looking at when a security event is detected.

We are also automating risk responses with Informatica. For example, when Secure@Source identifies and locates sensitive and confidential data, SailPoint IdentityIQ ensures only authorized users have appropriate levels of access, no matter where the data proliferates – on-premises or in the cloud.

Christophe: How will the joint offering benefit your customers?

Paul: By combining our industry-leading approach to identity and access management with Informatica’s innovative Data Security Intelligence, our joint customers can proactively gain control of risk and improve their security posture by managing and securing all end users and tying them to the data they create.


For more information, check out our product website at https://www.informatica.com/products/data-security/secure-at-source.html


Vormetric Partners with Informatica Secure@Source


Informatica recently launched the industry’s first data security intelligence offering, Secure@Source. Informatica’s Data Security Group Director of Business Development, Christophe Hassaine, interviewed our partner Vormetric’s Vice President of Product Management, Derek Tumulak, to get his take on how our complementary solutions address the need for more data-centric security.

Christophe: Derek, tell us a little more about how Vormetric customers benefit from your offerings.

Derek: Vormetric provides data security solutions. We help organizations protect sensitive information assets and we enable them to achieve regulatory compliance and security requirements. We also help them protect against data breaches. Our solution benefits customers by protecting information in database and file servers, big data, and cloud environments.

Christophe: What shifts do you see in the industry, and what new challenges do they create?

Derek: The challenges we see in the market today are data breaches that are occurring more frequently. The largest gaps are in the fact that historically organizations have focused on anti-virus and anti-malware solutions. Even today many organizations continue to focus on network/perimeter and host-based solutions when they need to be more focused on data-centric security solutions that bring the controls closer to the data itself. Organizations need to be implementing encryption, tokenization, access control and comprehensive auditing solutions in order to better protect their sensitive data in any environment.

Christophe: Why is data security intelligence so important to your customers?

Derek: Data security intelligence is important for our customers since they not only need to understand and classify the data they have but also need to understand potentially anomalous/suspicious access patterns and even failed attempts to access sensitive information by various users and applications. Based on this type of threat intelligence and analytics, organizations can be proactive about adapting their access policies, particularly in situations where an organization may be under attack.

Christophe: How will the integration between Vormetric and Secure@Source benefit your customers?

Derek: We are integrating with Informatica Secure@Source in two distinct areas. The first allows customers to implement encryption, tokenization, and sophisticated access controls in environments that Informatica identifies as having sensitive information and potentially inadequate data security controls. The second integration is around providing rich data access audit information to Secure@Source for increased threat intelligence and analytics. This benefits our common customers by giving them an end-to-end solution and a comprehensive view around the data security lifecycle. Customers can discover, protect, and continuously monitor sensitive data.


For more information, check out our product website at https://www.informatica.com/products/data-security/secure-at-source.html


Big Data Crashes Twitter Earnings


The unintended consequences of big data, real-time data and loose data security all showed up in the Twitter Q1 earnings release this week, showing how not having good control of data can cause some bad things to happen.

What happens when information is released because it is accidentally made public? In this case the damage might seem small, only 18% shaved off the share price of Twitter, but this amounts to about a $5 billion drop in valuation and millions changing hands for some investors. Given that earnings were a miss, maybe the drop in stock value would have happened anyway, but the surprise element may have increased the impact of the news.

This is a great example to anyone wondering about data security and what it means to properly manage public or private data. This episode will pass but it will leave a blemish on Twitter’s reputation and should lead them to take a closer look at how they are managing data that is accessible publicly or meant to be secured.

In this case the data leak occurred when Selerity, a company that provides real-time content analytics specializing in financial market data and sentiment, used one of its web crawlers to pick up the Twitter earnings release in a PDF posted on Twitter’s public investor relations website, about an hour before Twitter pushed out the earnings release. Selerity simply reported information that sat at a hidden URL but was public, since it was not secured. (A great lesson for many non-technical marketing and PR people.)

My favorite quote from Selerity comes from The Verge. “Any time a company’s earnings are due for release, we check the website periodically to see if the earnings are available. In this instance, I am assuming that Twitter mistakenly posted the earnings to the website early. But they did make the earnings available on the website.”

Earnings have been accidentally released many times before and this will not be the last. The good news is there are any number of simple ways to stop or control data so it is not accidentally or purposely made publicly accessible, using both data publishing best practices and data management and security products. This is a good reminder to companies to review their data publishing, management and security practices and policies. Do nothing and your company could be the next one being talked about.


Informatica World 2015 – Are you Ready for the Data Security and Privacy Track?


For the first time ever Informatica will have a Data Security and Privacy track at our annual Informatica World event. This highlights the fact that Informatica is investing in a new and exciting area called Data Centric Security. Data Centric Security is comprised of two inter-related components: Data Security Intelligence (understanding where sensitive data resides and analyzing your risk) and Data Security Controls (traditional methods of protecting sensitive data through masking, archiving and retention/disposal).

The Data Security and Privacy (DS&P) track is packed with informative sessions to help you engage with Informatica colleagues, customers and partners around your topics of interest. A session guide for all of DS&P track sessions is published below as a ‘cheat sheet’ to help you quickly find the sessions of interest.

Here are some quick highlights of the Data Security and Privacy track:

  • Over 20 content filled breakout sessions
  • Hear from industry experts – IAPP, Neuralytix and Securosis
  • Customer Stories – JP Morgan Chase, Cisco, Agrium and Comcast share their successes
  • Latest roadmap and vision for Data Archive, Test Data Management (TDM) and Data Masking
  • Get a first look at the award winning Secure@Source application (Data Security Intelligence)
  • Hands-on Lab Sessions – Sign up for live demos of Secure@Source, Data Masking, TDM and Data Archive
  • Meet the Experts sessions where you can talk one-on-one with Informatica experts to get their guidance
  • Pavilion – Walk-up sessions where you can meet with Data Archive, Data Masking and Data Security experts

I hope you take advantage of these great resources and have a great Informatica World 2015.

Download the ‘Data Security and Privacy Session’ guide here, or go through the sessions listed below:

Breakout Sessions, Tuesday, May 12th

| Session | Time | Location |
| --- | --- | --- |
| The New Security Perimeter: Data (DS&P Track Keynote, Amit Walia, SVP and GM Data Security) | 10:45am – 11:15am | Gracia 5 |
| Data Centric Security for a Data Centric World (Jeff Northrop, IAPP, Robert Shields, Informatica) | 11:30am – 12:15pm | Gracia 5 |
| First Look at Secure@Source V1: The CISO Perspective (Bill Burns, CISO, Informatica, Gary Patterson, Informatica) | 1:30pm – 2:30pm | Gracia 5 |
| Informatica Big Data Ready Summit: Keynote Address (Anil Chakravarthy, EVP and Chief Product Officer) | 1:40 – 2:25 | Castellana 1 |
| Big Data Keynote: Tom Davenport, Distinguished Professor in Management and Information Technology, Babson College | 2:30 – 3:15 | Castellana 1 |
| Governing Data While Minimizing Risk with Data Security Intelligence (Deloitte) | 2:40 – 3:25 | Gracia 5 |
| Shore Up your Most Vulnerable Environments – Data Security & Privacy in Test Environments (Tom Petrocelli, Neuralytix, Research and Panel Discussion) | 3:35pm – 4:20pm | Gracia 5 |
| The Big Data Journey: Traditional BI to Next Gen Analytics (Johnson & Johnson, Transamerica, Devon Energy, KPN) | 4:15 – 4:30 | Castellana 1 |
| Data Security Vision and What’s New in Informatica Data Archive (Claudia Chandra, VP, Data Security Group, Informatica) | 4:30pm – 5:30pm | Gracia 5 |
| Accelerate Big Data Projects with Informatica (Jeff Rydz, Informatica) | 4:35 – 5:20 | Castellana 1 |
| Big Data Topic, Michael J. Franklin, Professor of Computer Science, UC Berkeley | 5:20 – 5:30 | Castellana 1 |
  • Informatica World Pavilion 5:45 PM – 8:00 PM

Breakout Sessions, Wednesday, May 13th

| Session | Time | Location |
| --- | --- | --- |
| How JP Morgan Chase Created Testing Efficiencies and Secured Test Environments (JPMC) | 10:45am – 11:45pm | Gracia 5 |
| Risky Business: How Data Archiving Can Save the [Compliance] Day (Brenda Kononen, Agrium) | 2:00pm – 2:45pm | Gracia 5 |
| Securing Private Data: Test Data Management and Data Masking Developer Tricks (Informatica) | 2:55pm – 3:55pm | Gracia 5 |
| Application Consolidation & Migration Best Practices: Customer Panel (Discount Tire, Cisco, Verizon) | 2:55pm – 3:55pm | Gracia 2 |
| Key Considerations for Next Generation Test Data Management Solutions (TCS & Comcast) | 4:05pm – 4:50pm | Gracia 5 |
| Data Masking on Premise and in the Cloud: What’s New and What’s Next (Informatica) | 5:00pm – 5:45pm | Gracia 5 |

 Meet the Experts Sessions, Wednesday, May 13th

| Session | Time | Location |
| --- | --- | --- |
| Data Security – Data Security and Privacy for Sensitive Data (Robert Shields, Gary Patterson) | 12:00pm – 12:50pm, 1:00pm – 1:50pm and 2:55pm – 3:55pm | Castellana 2 |

  • Informatica World Pavilion 11:45 PM – 2:00 PM

 Breakout Sessions, Thursday, May 14th

| Session | Time | Location |
| --- | --- | --- |
| Security Controls: Mind the Gaps! (Adrian Lane, Securosis) | 9:00am – 10:00am | Gracia 5 |
| Optimally Provision, Protect, Augment, and Maintain Test Data Sets with the Informatica Secure Testing Suite (Informatica) | 10:10am – 11:10am | Gracia 5 |
| Retire Legacy Applications – Improve your Bottom-line while Managing Compliance (Cisco) | 11:20am – 12:20pm | Gracia 4 |
| Data Security & Privacy: Meet the Experts in Data Security (Informatica) | 2:30pm – 3:30pm | Gracia 5 |

  • Informatica World Pavilion 12:30 PM – 2:30 PM

Hands-On Labs

Data Security & Privacy

| Session | Time | Location |
| --- | --- | --- |
| Data Archive (Global Customer Support) | Mon: 1:00, 3:00; Tue: 7:30, 11:45, 2:40, 4:25; Wed: 10:45, 12:45, 2:55, 5:00, 7:00; Thu: 9:00, 11:20, 1:15; Fri: 7:30, 9:20, 11:15 | Table 06a |
| Test Data Management (Global Customer Support) | Mon: 2:00, 4:00; Tue: 10:45, 1:45, 3:35; Wed: 7:30, 11:45, 2:00, 4:05, 6:00; Thu: 7:30, 10:10, 12:15, 2:15; Fri: 8:25, 10:15 | Table 06b |
| Retire Legacy Applications and Optimize Application Performance with Informatica Data Archive | Mon: 1:00, 2:00, 3:00, 4:00; Tue: 7:30, 10:45, 11:45, 1:45, 2:40, 3:35, 4:25; Wed: 7:30, 10:45, 11:45, 12:45, 2:00, 2:55, 4:05, 5:00, 6:00, 7:00; Thu: 7:30, 9:00, 10:10, 11:20, 12:15, 1:15, 2:15; Fri: 7:30, 8:25, 9:20, 10:15, 11:15 | Table 23 |
| Protect Salesforce Sandboxes with Cloud Data Masking | Mon: 1:00, 3:00; Tue: 7:30, 11:45, 2:40, 4:25; Wed: 10:45, 12:45; Thu: 1:15; Fri: 7:30, 11:15 | Table 24a |
| Optimally Provision Test Data Sets with Test Data Management | Mon: 2:00, 4:00; Tue: 10:45, 1:45, 3:35; Wed: 7:30, 11:45, 2:00, 2:55, 4:05, 5:00, 6:00, 7:00; Thu: 7:30, 9:00, 10:10, 11:20, 12:15, 2:15; Fri: 8:25, 9:20, 10:15 | Table 24b |
| Data Security Intelligence with Secure@Source | Mon: 1:00, 2:00, 3:00; Tue: 10:45, 11:45, 2:40, 3:35; Wed: 10:45, 11:45, 2:00, 5:00, 6:00, 7:00; Thu: 7:30, 9:00, 10:10, 12:15, 1:15; Fri: 7:30, 8:25, 10:15, 11:15 | Table 36a |
| Data Centric Security with Data Masking | Mon: 4:00; Tue: 7:30, 1:45, 4:25; Wed: 7:30, 12:45, 2:55, 4:05; Thu: 11:20, 2:15; Fri: 9:20 | Table 36b |

The Cost versus Risk of a Security Breach Conversation

The Chief Information Security Officer (CISO) and the Chief Risk Officer (CRO) generally speak in different languages. One speaks about how to secure an organization and its assets. The other speaks about the potential of losing something of value. One area where they find common ground is in the shared conversation of the Cost versus Risk of a data breach.

A data breach costs an organization in the US on average $201 per stolen record.[1] The risk of a data breach is a number between 1 and 10 that indicates how at risk your organization is.[2] The cost of implementing security measures and controls ranges based on the acceptable levels of risk an organization is willing to take.

This is the conversation that needs to be mastered in order to communicate the need for more resources to Chief Financial Officers and the rest of the C-Suite.

As organizations conduct vulnerability assessments of their IT landscape, they get a sense for how at risk their environments and systems are of being breached. Yet, in many cases, these vulnerability tools have significant blind spots when users replicate data to applications and systems that are not within reach of their assessment tools. This requires the addition of a data-centric approach to classifying, categorizing and measuring the value of data and its potential risk.

In the Informatica Secure@Source launch event, Larry Ponemon of the Ponemon Institute describes during a panel session how great it would be if there were a tool that could tell you ‘here is the risk of the data’ and ‘here is the cost of that risk to the organization’. That is exactly what Secure@Source was designed to accomplish.


Not surprisingly, security teams are consistently under-resourced. Teams are constantly responding to alerts and intelligence feeds, which prompts calls for more resources. Yet if these teams had a view into where the data was most at risk, and could focus their energy on prioritized assets that, if secured at the source, would eliminate downstream risk, they might find their world less overwhelming.

[1] http://www.ponemon.org

[2] http://breachlevelindex.com


Build Security-Mindedness in Your Organization

Throughout the RSA conference this week, there was a steady drumbeat calling out the need for building a security mindset in an organization. Many breaches are caused by people making mistakes in our work places. How can you stop breaches caused by the human factor? It is all about increasing awareness and actively making an effort to build security mindedness into everything we do.

During one RSA breakout session entitled, How One Smart Phone Picture Can Take Down Your Company, Dr. Larry Ponemon, Founder of the Ponemon Institute, describes how a hacker really only needs one piece of valuable information to unlock a large-scale data breach, which can be achieved by taking a snapshot of log-in credentials on a screen and other low-tech means.  In his research report, Visual Hacking Experimental Study, he cites how ‘certain situations are more risky. Documents on vacant desks and data visible on computer screens are most likely to be hacked.’ This research report was sponsored by 3M – which makes sense since they sell privacy screens for computers, iPads and iPhones.

What is really needed is to make teams aware of the risk and vulnerabilities through education and training, through policy definitions and enforcement, and through constant reminders from leadership.

One startup company, Apozy, took a novel approach using gamification to incentivize employees to incorporate best practices in their day to day routines. Informatica’s own CISO, Bill Burns, is using an internal competition between departments to motivate management to incorporate best practices.

While we continue to invest in technology to automate the implementation and enforcement of policies through controls, we also need to look at who we are hiring and incorporate the security conversation into the on-boarding process.

When recruiting, look to colleges and universities that offer courses and degrees in cybersecurity. (Check out the Ponemon Institute 2014 Best Schools for Cybersecurity.) Arnold Federbaum, Adjunct Professor of Cyber Security at NYU School of Engineering, discusses Data Security Culture and Higher Education in a panel video recorded during the Informatica Secure@Source product launch.


Even the IRS has great training videos and podcasts to build awareness on potential risks of identity theft.

As we continue to see more data breach related news, it will be important to emphasize security mindedness in an organization’s culture, build policies that make sense and that have the appropriate level of enforcement, and, if it is critical to your business, prioritize hiring those with a formal education and background in cybersecurity.


Retailers: Who’s Checking Out Your Data?


Secure Your Data, Before It Becomes Front Page News

In 2014 we saw many retailers suffer at the hands of hacker’s intent on stealing customer credit card details and personal information. With Target, Michaels, Neiman Marcus, Albertsons & SuperValu, all getting plenty of coverage in the press, resulting in significant financial loss and impacting consumer confidence. Retailers, including JC Penney and Wal-Mart, now list data security as a new risk factor in their annual filings.

Insiders, particularly current or former employees, are cited as a source of security incidents by most Retail & Consumer respondents. PWC

 Despite the headlines and damage to reputation retailers still struggle to understand how their data is collected, stored, and used. While a lot of time and money is invested protecting the perimeter on the assumption that higher walls and wider moats will keep intruders out. But what if the intruder is already on the inside?

Last week AT&T paid a $25 million civil penalty assessed by the FFC – for call center employees in Mexico, Colombia and the Philippines accessing personally identifiable information from some 280,000 customer accounts without authorization.

A recent Ponemon study showed that 57 percent of IT practitioners do not know where all the sensitive or confidential data exists within their organizations

As retailers increasingly modernize legacy applications, consolidate systems, digitize the business and outsource IT projects to serve customer s more efficiently and create a great customer experience they are exposed to the ever increasing threat of data breaches. Increased threats and complex IT environments make it difficult for retailers to protect sensitive data especially from the inside, from those authorized to view confidential data.

“Not knowing the location of sensitive or confidential data keeps most respondents up at night and represents a significant security risk.”

As you look across the IT landscape, where are the potential areas of exposure from the inside?

  • Test/Reporting Copies: Many copies of production (often full copies) are used for test, training, and analytical purposes.
  • Development and Support: DBAs and IT staff have unlimited access to sensitive data. Many use SQR reporting, Toad or SQL*Plus to bypass existing security.
  • Outsourcing: Outsourcers have access to sensitive data in non-production and production systems. Do your contracts stipulate that sensitive data is not allowed offshore?
  • Authorized Users: Store associates and contact center employees are required to view account details in order to answer customer queries or resolve questions and disputes. Commercial off-the-shelf applications are not designed to deploy restrictions by data element.

There are many facets to a successful risk mitigation strategy. One way is to discover and permanently mask confidential and sensitive data in non-production environments, such as test and development environments. Another is to dynamically mask data stored in production systems to provide more tightly controlled access, and to give control of this function to the business users who understand the nature and context of the data.
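The two approaches above, sketched as an added example (not code from the original post or from any Informatica product): discovery of card numbers in record fields, permanent masking for a test copy, and role-based dynamic masking at read time. The sample record, the demo key and the role names are constructed assumptions.

```python
import hashlib
import hmac
import re

PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators

def digits_of(s: str) -> str:
    return re.sub(r"[ -]", "", s)

def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list[str]:
    """Discovery: card-length digit runs that also pass the Luhn check."""
    return [m.group() for m in PAN_RE.finditer(text) if luhn_ok(digits_of(m.group()))]

def mask_static(pan: str, key: bytes) -> str:
    """Persistent masking: keyed one-way substitute, same length, still Luhn-valid."""
    n = len(digits_of(pan))
    mac = hmac.new(key, digits_of(pan).encode(), hashlib.sha256).hexdigest()
    body = str(int(mac, 16) % 10 ** (n - 1)).zfill(n - 1)
    return body + next(c for c in "0123456789" if luhn_ok(body + c))

def mask_row_for_test(row: dict, key: bytes) -> dict:
    """Build the non-production copy of one record: every discovered PAN is replaced."""
    out = {}
    for col, val in row.items():
        for pan in find_pans(val):
            val = val.replace(pan, mask_static(pan, key))
        out[col] = val
    return out

def mask_dynamic(pan: str, role: str) -> str:
    """Dynamic masking: production data is unchanged, the view depends on the reader."""
    d = digits_of(pan)
    return d if role == "fraud_analyst" else "*" * (len(d) - 4) + d[-4:]

# Constructed sample record; 4111 1111 1111 1111 is a widely published test number.
ROW = {"name": "A. Shopper", "card": "4111 1111 1111 1111",
       "note": "refund to 4111111111111111, order 1234567890123"}
DEMO_KEY = b"constructed-demo-key"  # assumption: real keys stay out of test environments

if __name__ == "__main__":
    print(mask_row_for_test(ROW, DEMO_KEY))
    print(mask_dynamic(ROW["card"], "store_associate"))
```

Because the substitute is derived deterministically from the card number, the same card masks to the same value in every column and table, so joins in the test copy still work; the free-text `note` field shows why discovery has to look beyond columns named "card".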

Why not stop by our Booth #S2626 at RSA Conference 2015? We will showcase Secure@Source, the industry’s first Data Security Intelligence software, which discovers, analyzes and visualizes data relationships, proliferation and sensitivity. Secure@Source monitors data risks and vulnerabilities to protect organizations from external breaches and insider abuse. If you cannot attend, you can learn more about Informatica’s Data Security and Privacy solutions here.

For anything on Retail Security, here is the key @INFARetail


Data Privacy Needs Data Security Intelligence and Controls


RSA Conference, San Francisco

In an RSA Conference session entitled IAPP: Engineering Privacy: Why Security Isn’t Enough, Sagi Leizerov, E&Y’s Privacy Practice leader, began with a plea:

“We need effective ways to bring together privacy and security controls in an automated way”

Privacy professionals, according to Sagi, essentially need help in determining the use of information, which is a foundational definition of data privacy. Security tools and controls can provide the information necessary to perform the type of investigation conducted by privacy officers. Yet as data proliferates, are the existing security tools truly up to the task?

In other sessions, such as A Privacy Primer for Security Officers, many speakers are claiming that Data Security projects get prioritized as a result of a need to comply with Data Privacy policies and legislation.

We are in an age where data proliferation is one of the major sources of pain for both Chief Information Security Officers and Chief Privacy and Risk Officers (CPO/CRO). Business systems that were designed to automate key business processes store sensitive and private information and are primary sources of data for business analytics. As more business users want access to data to understand the state of their businesses, data naturally proliferates. Data proliferates to spreadsheets and presentations, is emailed in and out of a corporate network, and is potentially stored in a public cloud storage offering.

Even though the original intention for using this information was likely all above board, one security violation could potentially open up a can of worms, letting nefarious characters take advantage of this data with malicious intent. Jeff Northrop, the CTO of the International Association of Privacy Professionals (IAPP), suggests we need to close the gap between security and privacy in a panel discussion with Larry Ponemon, founder of the Ponemon Institute.

Sagi concluded his session by stating ‘Be a voice of change in your organization. Pilot products, be courageous, give new ideas a chance.’ In the recent launch of Informatica Secure@Source, we discuss the need for more alignment between security and privacy teams, and the industry seems to agree. Congratulations to the Informatica Secure@Source development team for their recent announcement of winning the Gold Medal in the New Product and Service Category at the Info Security Products Guide 2015 Global Excellence Awards!

For more on the importance of Data Security Intelligence in Privacy, watch Larry Ponemon, Founder of the Ponemon Institute and Jeff Northrop, CTO IAPP discuss this topic with Arnold Federbaum, former CISO and Adjunct Professor, NYU, and Linda Hewlett, Sr Enterprise Security Architect, Santander Holdings USA.
