Lock the Door and Make Sure Your Data is Protected
by Calum Macleod - Cyber-Ark - Monday, 23 July 2007.
For example, the Payment Card Industry (PCI) standard requires the protection of stored cardholder data and restricts access to cardholder data to those with a business need-to-know. SOX mandates that corporate management take responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting. In other words, if your staff are able to gain unauthorized access to sensitive data once they hold a privileged password, then you are only addressing half the problem.

That two major companies have made headlines is more an indication of the overall state of data security within organizations. No one would deny that both organizations have the means to deploy the best technology; the problem, I would suggest, is that they both appear to have placed too much trust in the integrity of staff, and were overly dependent on staff carrying out their responsibilities effectively. Despite the fact that the buck stops at the top, the first people who should come under serious scrutiny are the senior security staff whose job it is to ensure that these incidents do not happen.

Passwords – Protecting the Key

Passwords remain the primary key used to unlock access to business-technology systems. Passwords need to have a limited use-life. System-level passwords, such as those used to gain access to networking equipment and server/application administration, need to be changed regularly, and in some cases should be “one-time-only”. All privileged or “super” user passwords should be centrally maintained and managed. Basic employee passwords used to access business applications, computers, e-mail accounts, etc. should be similarly recycled regularly. Despite widespread knowledge of sound password policy, many organizations still fail to create, manage, and retire their usernames and passwords effectively.
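The policy just described (a maximum use-life for every password, a shorter one for privileged accounts, and “one-time-only” handling for the most sensitive system credentials) is easy to state and easy to let slip. The following is an added example, not code from the article or from Cyber-Ark; it checks a small inventory of credentials against such a policy and produces a replacement password from a cryptographically secure source. The account names, dates, and the 30-day and 90-day limits are constructed assumptions for illustration.

```python
import secrets
import string
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Credential:
    """One managed credential as it would appear in a central password store."""
    account: str
    privileged: bool          # system-level / "super" user credential
    one_time: bool            # must be replaced after every use
    last_rotated: date
    last_used: Optional[date] = None


# Assumed policy limits (illustrative, not taken from the article).
MAX_AGE_PRIVILEGED = timedelta(days=30)
MAX_AGE_STANDARD = timedelta(days=90)


def needs_rotation(cred: Credential, today: date) -> bool:
    """A credential is due if it was used since its last rotation (one-time)
    or if it has exceeded the maximum age for its class."""
    if cred.one_time and cred.last_used is not None and cred.last_used >= cred.last_rotated:
        return True
    max_age = MAX_AGE_PRIVILEGED if cred.privileged else MAX_AGE_STANDARD
    return today - cred.last_rotated > max_age


def overdue(inventory: List[Credential], today: date) -> List[str]:
    """Return the account names that violate the rotation policy on `today`."""
    return [c.account for c in inventory if needs_rotation(c, today)]


def generate_password(length: int = 24) -> str:
    """Draw a replacement password from the OS CSPRNG, requiring every
    character class so the result also satisfies typical complexity rules."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


# Constructed sample inventory; none of these accounts or dates are real.
TODAY = date(2007, 7, 23)
SAMPLE_INVENTORY = [
    Credential("root@db01", True, False, date(2007, 6, 1)),                       # 52 days old
    Credential("admin@core-switch", True, True, date(2007, 7, 20), date(2007, 7, 22)),  # used after rotation
    Credential("jsmith", False, False, date(2007, 6, 1)),                         # 52 days, within 90
    Credential("svc-backup", True, False, date(2007, 7, 10)),                     # 13 days, within 30
]

if __name__ == "__main__":
    for account in overdue(SAMPLE_INVENTORY, TODAY):
        print(f"{account}: rotation required, proposed replacement {generate_password()}")
```

Run as a script, the check reports the stale privileged password and the one-time credential that has already been used, and leaves the two compliant accounts alone. In a real deployment the inventory would come from the central store rather than a literal list, and the proposed replacement would be pushed to the target system and recorded there, never printed.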

Securing Data – Hiding the Family Jewels

Given the continuous news of lost backup tapes and unauthorized access to corporate databases, more attention needs to be given to the effective encryption of “data-at-rest”. Encrypting stored data can be one of the most critical facets of an organization’s defense-in-depth strategy.

Securing data while it travels between applications, business partners, suppliers, customers, and other members of an extended enterprise is crucial. As enterprise networks become increasingly accessible, with more and more organizations adopting an “Internet Centric” model, the risk that information will be intercepted or altered in transmission grows and becomes harder to manage.
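Of the two risks named above, alteration in transit is the one that a receiving party can detect directly, provided the sender attaches an integrity tag under a key the interceptor does not hold. The following is an added example, not code from the article or from Cyber-Ark, showing a keyed HMAC-SHA256 tag over a record exchanged with a partner and the receiver's constant-time check of it. The shared key, the record contents, and the envelope layout are constructed assumptions; the example only covers integrity, so confidentiality of the payload would still need encryption on top.

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed demo key; a real deployment provisions a random key per partner.
SHARED_KEY = b"constructed-demo-key-do-not-reuse-0001"


def seal(key: bytes, payload: dict) -> dict:
    """Serialise `payload` canonically and attach an HMAC-SHA256 tag.
    Canonical JSON (sorted keys, no whitespace) means both sides hash
    exactly the same bytes."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


def open_sealed(key: bytes, envelope: dict) -> Optional[dict]:
    """Recompute the tag over the received body and compare in constant time.
    Returns the parsed record on success, None if the body or tag was altered."""
    body = envelope["body"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        return None
    return json.loads(body)


def demo() -> Tuple[Optional[dict], Optional[dict], Optional[dict]]:
    """Exercise the happy path, a modified body, and a wrong key."""
    # Constructed sample record; the sequence number lets the receiver
    # reject replays of an older, correctly tagged message.
    record = {"seq": 1, "account": "ACME-0042", "amount": "1200.00"}
    envelope = seal(SHARED_KEY, record)

    tampered = dict(envelope)
    tampered["body"] = envelope["body"].replace("1200.00", "9200.00")

    return (
        open_sealed(SHARED_KEY, envelope),   # genuine: record comes back
        open_sealed(SHARED_KEY, tampered),   # altered in transit: None
        open_sealed(b"some-other-key", envelope),  # tag under wrong key: None
    )


if __name__ == "__main__":
    genuine, altered, wrong_key = demo()
    print("genuine:", genuine)
    print("altered:", altered)
    print("wrong key:", wrong_key)
```

`hmac.compare_digest` is used rather than `==` so that the comparison time does not leak how many leading characters of a forged tag were correct. Tracking the `seq` field on the receiving side (rejecting anything not greater than the last accepted value) closes the remaining gap of an interceptor replaying an old but validly tagged message.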

This is the very essence of Vaulting Technology. Vaulting Technology makes certain that an inevitable slip in an organization's security posture won't result in stolen intellectual property, or in having to inform customers that they're at risk of identity theft because their personally. Today many companies are still exchanging highly sensitive data by courier because the infrastructures they have in place do not address the protection of highly sensitive data. It's a bit like having email but still relying on the Pony Express for the really critical stuff! Certain traditions are not worth keeping!

There was a day when everything was committed to paper and locked in a secure vault or safe in the office. Nowadays everything is digital, but it still needs to be locked away in a digital vault. After all, somebody is bound to forget to lock the door sooner or later.

