www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
02 March 2009  

Vendor Accent

Enterprise Data Security System

Amuleek Bijral talks about how an Enterprise Data Security System is a good investment for financial institutions

These days, every organization is under the microscope when it comes to protecting sensitive information. Few industries, however, are subject to as much worldwide regulatory scrutiny as financial services. Some examples include the Basel II provisions; the Markets in Financial Instruments Directive (MiFID), which is applicable across the 30 member states of the European Economic Area; and Anti-Money Laundering/Know Your Customer (AML/KYC), which requires that financial organizations gather and vet customer information.

For these firms, sensitive information encompasses a wide range of data, from personal and financial information relating to customers and employees, to strategic plans and intellectual property. A data breach, therefore, can not only lead to fines and other penalties imposed by regulators, it can also lead to lost business due to customer defection, diminished reputation, and the need to transfer resources from marketing and sales to damage control.

The flip side of this is that effective data security, aside from being an essential business process, can also be a valuable business enabler, preserving and promoting growth. It is also extremely challenging to do, the primary reason being that sensitive data exists in various forms throughout the organization: in applications and databases, on servers and storage tapes, and on desktops and other network endpoints, where employees, customers, partners, and third-party service providers can transform and transmit it. Financial institutions also tend to have complex, siloed IT infrastructures that support multiple lines of business but with little visibility from one to the next, making it difficult to locate sensitive data and control user access to it.

Time for an enterprise approach

So what is the solution? We believe the time has come for an enterprise approach to protecting sensitive information via a seamlessly integrated data security system—one that is part and parcel of a financial organization’s infrastructure, able to cover its data center, desktop and server endpoints, and transmission across enterprise networks. This data security system must tightly combine both policy and technology; to that end, organizations must first decide what constitutes sensitive data (according to relevant regulations and internal business considerations), how it should be handled, and by whom. Only with a data protection policy that is both strategic and comprehensive can a technology solution provide reliable and consistent security.

The technological component that is tightly coupled with policy to form the data security system must perform three processes: discovery, enforcement, and reporting.

Discovery—First, using policy-based rules, it has to be able to discover in real time and throughout the entire enterprise where sensitive information exists – whether at rest, in motion, or in use – and who is trying to access, download, or transmit it. This requires the ability for agents to detect sensitive data on banking portals and trade execution systems; in e-mail, Internet, intranet, and instant messaging applications; and in file shares, eRoom and SharePoint sites, databases, and SAN/NAS systems. Data loss prevention (DLP) solutions play a key role in the discovery of sensitive content throughout the enterprise.

Enforcement—Once that is accomplished, the system must enforce controls to ensure that the right people can access the right data at the right time, while also keeping data safe from unauthorized use. There are various ways this can be accomplished. Particularly sensitive information may require an additional credential such as a one-time password or knowledge-based authentication to be used before access is granted. Files that unauthorized users are trying to view or send may be quarantined or encrypted, or a notification may be sent to the user prompting him or her to confirm whether the action is intentional (i.e., malicious) or an accidental breach of policy.

Reporting—Finally, the system must provide auditing and reporting capabilities via a Security Event and Information Management (SIEM) platform to enable organizations to ensure compliance with internal policies and external regulations. This valuable information also makes it easy to assess the effectiveness and reliability of the system, and to perform forensic analysis in the event of a breach.

To secure the data itself, encryption has emerged as the most robust and reliable way to make sensitive data unusable even if intercepted. The primary advantage of encryption is that it lives and moves with the data, enabling it to protect the data when it is at rest, in use, or in motion. Unlike a perimeter defense that may keep outsiders away but leaves personal and financial data vulnerable to insider attacks, encryption serves as a close-at-hand bodyguard for data that only permits access to users with appropriate keys. An important component of an enterprise data security system, therefore, is an enterprise encryption solution with centralized key management to ensure that keys are generated, renewed, expired, and destroyed quickly and efficiently as needed.

A holistic solution

As you can see, the capabilities for a comprehensive data security system are varied, which means that it must integrate different technologies and incorporate a range of services to facilitate policy creation, system integration and deployment, and user training and change management activities. While the whole will be greater than the sum of its parts, each individual component must be scalable, accurate, reliable, and cost-efficient to own and operate. Typically, a lead vendor will assemble and manage the partner relationships on the customer’s behalf, but like the technologies themselves, it is important that the lead vendor and the other companies involved are trusted and experienced organizations.

Taken as a whole, the vision for an enterprise data security system should:

  • Represent an integrated, holistic solution
  • Involve a tightly managed partner ecosystem leveraging relationships with key partners
  • Be built on a best practice framework
  • Be driven by centralized, policy-based management
  • Include a suite of services that extends from strategy development to implementation

For too long, vendors have been providing, and financial services organizations have been deploying, point solutions that are limited in scope and strategy. They may deliver a measure of security for files but they do not provide protection for the business as a whole. Ultimately, securing data effectively is not about firewalls or passwords. Rather, it is an information management process that takes a comprehensive, strategic view of your most important asset–your data–and helps you exploit its value more efficiently while ensuring it remains a competitive advantage rather than a potential liability.

The author is Country Manager, India & SAARC, RSA, The Security Division of EMC

 


© Copyright 2001: The Indian Express Limited. All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of The Indian Express Limited. Site managed by BPD.