We have seen a concerning pattern in the recent data breaches, including the breach at the Internal Revenue Services (IRS) and other US government agencies in that the primary target was Social Security Numbers (SSN) and other Personal Identifying Information (PII). Criminals typically started by stealing data from smaller, less protected organizations and then used that data to attack larger but better protected organizations.
Organizations handling SSN and other PII should secure all sensitive data across all data silos, but medium-sized enterprises in particular face the following challenges:
- In-house resources with limited budget for IT security
- Traditional IT security mindset and skills
- Less flexibility to customize security and IT solutions
- Fewer compliance audits driving security posture improvements
- Extensive use of cloud services
- Holding data attractive to attackers targeting partners elsewhere in the data flo.
Businesses in this position should adopt modern data protection technologies to thwart attackers targeting less protected enterprises as the first step.
Risk and breaches
Many big name big data breaches have hit headlines over the last two years but little attention has been paid to the ‘main street’ breaches that account for 62 percent of the 34,529 known computer security incidents every day in the U.S., according to Travelers.
Breaches of small and medium-sized businesses without the technological advantages that larger enterprises have often do not even realize they have been attacked until the breach is identified by a third-party. “These things are stressful—they’re a wild pain in the butt… it’s a small and medium-sized company killer,” according to Travelers’ Timothy Francis, Enterprise Lead for Cyber Insurance. “In proportion to the size of the companies, the expenses can be pretty big.”
Lack of resources
There is much evidence that while most organizations are aware of the technology solutions that help improve performance and outcomes, many do not have the resources necessary to address their security and compliance concerns. According to TeamLogic IT’s President Stewart Paul, of the 86 percent of medium-sized companies that have internal IT staff, these teams tend to consist of generalists with neither the expertise nor ongoing training and certification in newer technologies and security areas or industry compliance requirements.
Solutions for the extended enterprise
To secure against breaches medium-sized enterprises need to look for data security that can secure payment card information (PCI), healthcare and privacy data, including SSN, names, addresses, etc. and select solutions that provide multiple protection options such as coarse and fine grained encryption, vaultless tokenization, masking, and monitoring.
Tokenization is a reversible security method that replaces sensitive data with fake data that looks and feels just like the real thing while making it worthless to potential thieves. Tokenization can provide equal or better security than encryption, while retaining the vital usability of data for analytics and other business processes.
Flexible, format-preserving token types, including numeric, alphanumeric, date, time, address, and other structured tokens can be created with “bleed through” with parts of the original data exposed for business purposes, preserving privacy when applications require only part of the sensitive data for processing.
Next generation tokenization eliminates all of the challenges associated with standard “vault-based” tokenization – no stored sensitive data, no performance drains and no scalability limits – and offer high performance and unlimited scalability with the fast creation of new data tokens and quick recovery of the original data when needed.
Medium-sized enterprises that require solutions to scale linearly and increase throughput as their business requirements demand should look for flexible deployment in a distributed environment, including on each node in an MPP system, or in a central topology to allow optimized performance and security for each unique use case.
As part of a comprehensive solution, platform-agnostic tokenization capabilities can be leveraged throughout a heterogeneous enterprise and solutions should support cloud environments, a wide range of operating systems and databases, and in some cases EDWs, Mainframe and Big Data platforms.
A diverse set of functions is needed to protect sensitive data across heterogeneous environments throughout the enterprise.
Solutions that provide central security policy management integrated with distributed protection points and enterprise key management for encryption offer easier, cost-effective, controlled data protection across different platforms.
Security Officers can take a ‘separation of duties’ approach to apply automated protection attributes that define the proper data protection method to make data unreadable and to control what type of access to the sensitive data is given to the various groups of users. For example, database administrators will not be able to view encrypted sensitive data in the clear but will be able to continue to perform their responsibilities in administering and optimizing the database.
Use of Cloud Services
Cloud services often offer dramatically reduced overheads and increased flexibility over traditional solutions for stretched medium-sized enterprises. However, corporate risk management policies, privacy standards and compliance concerns create numerous data security challenges for businesses that are increasingly relying on cloud services that are holding more of their sensitive data.
Cloud data protection gateways easily leverage tokenization and encryption to transparently isolate and protect sensitive data before it gets to the cloud and offer activity monitoring, including cloud-based big data, databases, or applications giving businesses the freedom to use any type of private or public cloud service without the risk of exposure.
Tokenization can enable responsible data management, analytics and monetization of PII to medium-sized enterprises while keeping the data secure. Medium-size enterprises should look for solutions that provide a comprehensive path beyond the duties of due care required by industry regulations to keep customer and employee data and their brand reputations secure.
As Gartner put it in their report covering enterprise and cloud data protection and data access governance solutions, “Organizations that have not developed data-centric security policies to coordinate management processes and security controls across data silos need to act.”