The Art of Data Protection
Tsion Gonen, April 16, 2015, 09:00 am EDT
It’s fitting that the theme for this year’s RSA Conference is “Change: Challenge Today’s Security Thinking,” because change is exactly what many corporate security programs need to do if they’re going to effectively safeguard their valuable data assets.
As the description of the conference theme points out, “the rules of information security are constantly changing with the age of the Internet and threats becoming more and more sophisticated.”
Security executives and programs should never be just about maintaining the status quo, turning to the same tried and true methods and technologies that have been around for years and in some cases decades. There’s no reason that information security can’t be innovative and that security executives shouldn’t be constantly on the lookout for better ways to do things or more effective technologies to explore.
Along those lines, it’s clearly time for organizations to stop focusing only on perimeter defenses and start emphasizing what’s really urgent: protecting the data itself. We call this shift in thinking “Secure the Breach,” which is about transforming the security mindset from one of breach prevention to securing the very assets the attackers are going after.
Companies have been using breach prevention tactics as the foundation of their security strategies for some time. But it’s clear that this approach has failed to stop the data breach epidemic. Consider all the high-profile—and many lesser known—attacks that have occurred recently.
According to the Gemalto 2014 Breach Level Index Report, data breaches totaled 1,574 in 2014, up 49% from the 1,056 in 2013. Even more dramatic was the increase in data records involved in the breaches. That jumped 78%, from about 575 million in 2013 to more than one billion in 2014.
Despite the frequent failure of the guard-the-perimeter strategy, organizations continue to invest a huge share of their security budgets in this area. To some degree they’re stuck in a bygone era when sensitive data was kept in a centralized data center, and the “edge” of the enterprise was typically a desktop PC in a known location.
In those days, network firewalls and other perimeter “breach-prevention” tools were effective enough in keeping hackers away from corporate information. But those days are over. Data is now distributed well beyond the walls of the enterprise, on numerous mobile devices and often in multiple cloud services. Put simply, the perimeter is dead – and so is data breach prevention for that matter.
Hackers and other attackers constantly threaten to compromise these widely dispersed information resources, and organizations clearly need to change their thinking when it comes to information security planning and execution.
Secure the Breach challenges the prevalent security thinking by focusing on the protection of data, through the strong use of technologies such as authentication, encryption and key management.
To be sure, there’s nothing wrong with companies deploying network perimeter security tools, because they provide a layer of protection and can be a key component of a security-in-depth strategy. But many organizations have come to rely on these technologies as the foundation of their security strategy. That’s a recipe for trouble, as we’ve seen.
A global study just released by Gemalto shows that there’s clearly a need for securing data more effectively than just guarding the perimeter. The report, Data Security Confidence Index, shows that while 87% of 900 IT decision-makers surveyed worldwide consider perimeter security effective at keeping out security threats, 34% are not confident that their organization’s data would be protected should a data breach occur. In addition, 30% admitted that their organization had suffered a data breach in the past 12 months – another proof point that breach prevention cannot stop cybercriminals.
Despite this reality, 64% of the respondents said their organization plans to increase their investments in perimeter security. And yet three out of every five (62%) said they are no more confident than they were this time last year in the security industry’s ability to defend against emerging security threats.
That last finding sums up the problem succinctly: many executives don’t feel confident that perimeter security can stop the rising tide of data breaches, yet they continue to use it as the foundation of their organization’s information security posture. That sounds like the definition of insanity, and it certainly sounds like it’s time for a change in the way companies think about security. It’s good that this year’s RSA Conference has a theme with real relevance to an issue that needs serious debate.
Andrew Gertz, April 15, 2015, 03:27 am EDT
For the new Data Security Confidence Index (DSCI), Gemalto surveyed 900 IT decision makers to assess how confident they are in their companies’ abilities to prepare for and respond to a data breach and to protect customers’ sensitive data. In short, are they prepared to secure data from the edge to the core? In anticipation of the fast-approaching RSA Conference 2015, Gemalto announced the DSCI results today. Here are some highlights:
Take a look at some of the data breach stats from 2014:
- 1,514 data breaches
- 1,023,108,267 data records stolen
- 55% of the breaches originated from malicious outsiders
In the infosec world, we’ve seen an increase in large-scale breaches that have turned household-name brands entrusted with customers’ sensitive data into victims. Despite this, we’ve yet to see many companies dramatically change their infosec tactics.
They continue to try to build walls around data with perimeter security rather than relying more heavily on data security to prepare for what happens when a cybercriminal scales those walls. The 2015 DSCI shows the pattern of infosec insanity – doing the same thing over and over again and expecting data to remain safe – hasn’t changed.
Over the past five years, 90% of respondents’ organizations have increased their perimeter security investment. Over the next twelve months, around two thirds (64%) of respondents’ organizations plan to increase investment in current or planned perimeter security systems.
While 87% of respondents feel that their organizations’ perimeter security systems are effective at keeping out unauthorized users, 34% are not confident that data would be secure if unauthorized users penetrated their network perimeter.
They’re right not to be confident. There has been an increase in breaches over the last 12 months, with 30% of respondents’ organizations reporting that they have been breached in that timeframe. Three quarters of perimeter security breaches experienced by respondents’ organizations were from external sources (malicious outsider, hacktivist, and state sponsored).
Perhaps most eye-opening of all, nine in ten (90%) of respondents’ organizations whose perimeter security systems experienced a breach suffered negative commercial consequences from it. Some of those consequences include:
- Delay in product development (31%)
- Decreased employee productivity (30%)
- Decreased customer confidence (28%)
- Negative press (24%)
- Delayed getting products to market (23%)
Customer Data Protection
In respondents’ organizations, more budget (75%), resources (55%), and time (61%) are spent on protecting customer data than on protecting the organization’s IP. Organizations are putting their customers’ data security first.
Unfortunately, 24% of respondents admit that they do not feel their organization has the security capabilities necessary to keep up with emerging threats and technologies, and 15% of IT decision makers surveyed would not trust their own organization to manage and store their personal data.
While that’s an improvement in confidence in organizations’ security capabilities over the 2014 DSCI results, it shows organizations still need to make widespread improvements in their security systems.
Finally, high-profile data breaches have driven 71% of respondents’ organizations to adjust their security strategy. As discussed above, however, the adjustment seems to be coming in the form of investing more in perimeter security – in building a bigger, stronger wall.
While breach prevention tools can still provide some value, it’s time to change the status quo and put more emphasis on protecting what cybercriminals are really after – the data.
I’m excited that this year’s RSA Conference theme is “Change: Challenge today’s security thinking,” as it shows that many infosec professionals are of a similar mindset. If you’ll be attending RSA, stop by the SafeNet booth, #3329, to discuss the Data Security Confidence Index as well as our three-step approach to breach preparation.
Andrew Gertz, April 13, 2015, 02:00 pm EDT
If you’ve checked out SafeNet’s Cipher Technology Partner program recently, you know we team with numerous partners to create one-of-a-kind solutions that address organizations’ unique data security needs. If you’ll be attending RSA Conference 2015, not only do you have the chance to hear from some of our authentication, encryption, and crypto management experts, but we’re also proud to host many representatives from our partners.
Here’s a handy partner presentation checklist, so you know when to make your way to the SafeNet/Gemalto booth (3329):
Tuesday, April 21
Partner: Blue Coat
Time: 11:30 a.m. & 3:30 p.m.
Topic: Learn how Gemalto’s SafeNet Luna SP HSM and Blue Coat’s ProxySG and SSL Visibility Appliance integrate to ensure that essential encryption keys never leave the enterprise, and consequently, that network traffic is always secure.
Time: 5:30 p.m.
Topic: Don’t let remote access jeopardize your data security. SafeNet Authentication and IBM Security Access Manager (ISAM) provide strong authentication for eSSO users on both web and mobile workstations.
Wednesday, April 22
Time: 11:30 a.m.
Topic: A leading provider of cloud data protection solutions, Perspecsys leverages Gemalto’s SafeNet KeySecure to store and manage encryption keys, giving CIOs and CISOs more peace of mind that their private data in the cloud will stay private.
The SafeNet/Gemalto booth will also be featuring representatives from Dell, F5, and NetApp during the conference. Look for an update to this post as their presentation details become available.
Don’t miss the chance to hear directly from all of these SafeNet Cipher Technology Partners’ experts and learn how you can fully leverage our joint data protection solutions to enhance your security practices. See you at booth 3329.
Tsion Gonen, April 10, 2015, 10:00 am EDT
The high-profile data breaches of the past year have apparently had an impact on organizations’ willingness to invest in stronger security measures. A new study by consulting and professional services firm BDO USA, which included a survey of 100 CFOs at U.S.-based technology companies, shows that 67% of the finance executives queried have increased their spending on cyber security measures during the past year. Of those CFOs who have taken steps to boost security, a huge majority (90%) have deployed new software security tools, says the eighth annual 2015 BDO Technology Outlook Survey. BDO commissioned research consulting firm Market Measurement Inc. to conduct a national phone survey of the CFOs from December 2014 to January 2015.
The survey did not ask CFOs what kinds of security tools they plan to invest in this year. It did find that nearly three quarters of the organizations surveyed (72%) created a formal response plan for security breaches, about half (48%) retained an external security consultant and 30% hired a chief security officer. One of the focal points of new security efforts is protecting intellectual property (IP), with nearly half of the CFOs surveyed saying foreign IP infringements have had the greatest impact on their IP security, followed by changes in patent law and patent trolls.
The executives are also concerned about online security threats that might emerge from geopolitical issues as countries prioritize cyber security efforts to guard against possible domestic and foreign hack attacks.
“The threat assessments of likely cyber threats from unknown entities is causing the tech industry to be on high alert,” said Aftab Jamil, partner and leader of the Technology and Life Sciences practice at BDO USA. “In addition to navigating everyday business challenges—both domestically and internationally—managing operations and maintaining compliance with regulatory requirements, U.S. companies will also need to implement or enhance their data privacy initiatives to mitigate any risks or vulnerabilities to their IT infrastructures, particularly with cyber capabilities evolving at rapid speed.”
The BDO USA report is by no means the only one forecasting increased spending on information security. CSO, in its annual State of the CSO report, which surveyed 366 security professionals online in 2014, reported that more than half of the executives surveyed (52%) said their organization’s overall security budget would increase over the coming 12 months compared with the previous 12 months. Only 5% of the organizations surveyed by CSO expected to see a decrease in spending. In financial services, 67% of the respondents expected an increase.
And in a survey released earlier this year, investment bank and asset management firm Piper Jaffray said three quarters of 112 CIOs in eight industries, primarily in North America, were expecting to increase spending on security in 2015. That’s up from 59% in 2014. “CIOs clearly have heightened concerns from the many security breaches that occurred in 2014, resulting in an inflection in overall security spending,” the report stated. The firm’s fourth annual Piper Jaffray CIO survey showed that security was the top spending priority for organizations across a number of technology categories, which also included mobile devices, off-premise enterprise software, storage and servers.
With so many reports saying security budgets and spending are up, you would think there is an opportunity to finally make some real progress in fighting the data breach epidemic in which we saw more than 1,500 data breaches and one billion data records stolen last year. This might not be the case, just yet.
While security professionals now have the budgets they want, it looks like they plan to just spend more money on the same perimeter security technologies. For example, according to a recent study by 451 Research, firewall management claims the number one spot when it comes to top information security-related projects planned over the next 12 months. In an age where the perimeter has been declared dead, firewall management shows no signs of going into retirement.
The problem we face is that many of the breach prevention technologies in use today continue to be the foundation of security strategies that have not been able to stop the data breach epidemic. This is not to say that these technologies are flawed; it’s the overreliance on them that is the problem.
Let’s look at some numbers. Below is a table from 451 Research of network security technologies and their use within enterprises today.
Contrast that with another chart from 451 Research that looks at top information security projects planned over the next 12 months, and you see how much breach prevention, monitoring and perimeter security continue to dominate the mindset of today’s security professionals.
Here is the issue in a nutshell. Over the past five years, the security industry has grown every year in revenue, in the number of vendors and in the services available to businesses and other organizations to protect their data and information. But just as the industry has grown, so too have data breaches, year after year. During this time, the dominant approach to data security has been breach prevention. The problem is that this approach hasn’t been preventing much. Maybe it’s time for a new approach that shifts the focus away from the perimeter to the data itself.
If you’ll be at the 2015 RSA Conference, stop by the SafeNet booth, 3329, and let us know what you think about the spending trends. And stay tuned for my blog next week, in which I’ll address the issue further and discuss other infosec trends as we prepare for RSA 2015.
In the last few years, encryption has become one of the shields used to protect the sensitive data organizations produce and are entrusted with by their customers. In 2013, in response to revelations about government surveillance and censorship concerns, companies like Google, Facebook, and Yahoo made public efforts to strengthen their encryption. Google Inc. Chairman Eric Schmidt went as far as to say the “solution to government surveillance is to encrypt everything.”
In 2014, well over a billion data records were lost or stolen as a result of 1,541 breaches, including the Home Depot and Sony Pictures Entertainment hacks, which made headlines and had long-term business consequences. Despite the new emphasis on enterprise encryption, more than 95% of the 2014 breaches involved data that was not encrypted, giving the perpetrators direct access to the stolen information.
Companies are playing the encryption games — whether they know it or not. Winning begins with fundamentally changing the security paradigm. IT decision makers need to shift focus from breach prevention to breach acceptance. Accept that a breach will likely occur at some point in some way and prepare for it. Encryption for data at rest and in motion is a cornerstone to that approach.
And as more data is produced, shared, and distributed in more locations outside of organizations’ control, stronger encryption will continue to be adopted more broadly throughout the enterprise. That rise in encryption then leads to a rise in the number of encryption keys generated that must be safely stored and managed, and at that point you’re playing the encryption games at a higher level.
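The breach-acceptance model described above, as an added example that is not Gemalto or SafeNet code: each record is encrypted under its own data-encryption key (DEK), the DEK is wrapped by a key-encryption key (KEK) that never leaves a key-management layer (the `KeyManager` class stands in for an HSM or key-management service), and a dump of the stored table reveals no plaintext. It also shows the "higher level" of the game the post mentions: rotating the KEK by re-wrapping DEKs without re-encrypting the data. The authenticated cipher is an HMAC-SHA256 stream cipher with encrypt-then-MAC so the example runs on the standard library alone; a production deployment would use AES-GCM from a vetted library. The customer records are constructed sample data.

```python
"""Envelope encryption for data at rest with a separate key-management layer.

Added illustration, not Gemalto/SafeNet code. The cipher is an HMAC-SHA256
keystream with encrypt-then-MAC so this runs on the standard library; use
AES-GCM from a vetted library in production and keep KEKs in an HSM or KMS.
"""
import base64
import hashlib
import hmac
import json
import os

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    # Separate encryption and MAC keys so the two HMAC uses never share inputs.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """nonce || ciphertext || tag; aad is authenticated but not encrypted."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + len(aad).to_bytes(4, "big") + aad + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + len(aad).to_bytes(4, "big") + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # verify before decrypting
        raise ValueError("ciphertext, key id or key does not match")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyManager:
    """Stand-in for an HSM / key-management service: KEK bytes never leave it."""

    def __init__(self) -> None:
        self._keks: dict[str, bytes] = {}
        self.current_id = ""
        self.rotate()

    def rotate(self) -> str:
        kid = f"kek-{len(self._keks) + 1}"
        self._keks[kid] = os.urandom(32)
        self.current_id = kid
        return kid

    def wrap(self, dek: bytes) -> tuple[str, bytes]:
        kid = self.current_id  # the key id is bound into the MAC as AAD
        return kid, encrypt(self._keks[kid], dek, aad=kid.encode())

    def unwrap(self, kid: str, wrapped: bytes) -> bytes:
        return decrypt(self._keks[kid], wrapped, aad=kid.encode())


def protect_record(km: KeyManager, record: dict) -> dict:
    """Encrypt one record under a fresh DEK; store only the wrapped DEK beside it."""
    dek = os.urandom(32)
    kid, wrapped = km.wrap(dek)
    ct = encrypt(dek, json.dumps(record, sort_keys=True).encode())
    return {"kek_id": kid,
            "wrapped_dek": base64.b64encode(wrapped).decode(),
            "ciphertext": base64.b64encode(ct).decode()}


def reveal_record(km: KeyManager, row: dict) -> dict:
    dek = km.unwrap(row["kek_id"], base64.b64decode(row["wrapped_dek"]))
    return json.loads(decrypt(dek, base64.b64decode(row["ciphertext"])))


def rewrap_all(km: KeyManager, rows: list[dict]) -> list[dict]:
    """KEK rotation: re-wrap every DEK under a new KEK; data ciphertext is untouched."""
    km.rotate()
    out = []
    for row in rows:
        dek = km.unwrap(row["kek_id"], base64.b64decode(row["wrapped_dek"]))
        kid, wrapped = km.wrap(dek)
        out.append({**row, "kek_id": kid, "wrapped_dek": base64.b64encode(wrapped).decode()})
    return out


def leaks_plaintext(rows: list[dict], secrets: list[str]) -> bool:
    """What an attacker holding only a dump of the table can read: should be nothing."""
    dump = json.dumps(rows)
    return any(s in dump for s in secrets)


def reveal_fails(km: KeyManager, row: dict) -> bool:
    try:
        reveal_record(km, row)
        return False
    except ValueError:
        return True


CUSTOMERS = [  # constructed sample records, not real data
    {"name": "Alice Example", "email": "alice@example.com", "card": "4111 1111 1111 1111"},
    {"name": "Bob Example", "email": "bob@example.com", "card": "5500 0000 0000 0004"},
]
SECRETS = [c["email"] for c in CUSTOMERS] + [c["card"] for c in CUSTOMERS]

if __name__ == "__main__":
    km = KeyManager()
    rows = [protect_record(km, c) for c in CUSTOMERS]
    print("dump leaks plaintext:", leaks_plaintext(rows, SECRETS))
    rows = rewrap_all(km, rows)
    print("after rotation:", [reveal_record(km, r) for r in rows])
```

The point of the split is operational: the database can be dumped wholesale and still expose nothing, the KEK is the only secret that must be guarded and it lives in one place, and rotating it touches a few bytes per row rather than every ciphertext.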
If you’ll be attending RSA Conference 2015, I hope you’ll attend my session, BC-W5N, to hear more on the topic. Join me on April 22nd at 1:30 p.m. in the Expo Briefing Center for The Encryption Games: Going from Encryption to Crypto Management.
Doron Cohen March 13, 2013, 08:15 am UTC
Paul Ardoin February 19, 2015, 02:15 pm UTC
Holiday Hacking Season: For Retailers, It’s the Most Wonderful Time of the Year…to Encrypt Your Data
Jennifer Hindle December 15, 2014, 04:10 pm UTC
Stephen Helm June 3, 2014, 10:30 am UTC
Cheryl Barto Shoults December 11, 2014, 10:00 am UTC