Data security is top of mind for everyone these days, from business leaders responsible for ensuring their corporations manage the data they are responsible for effectively and keep it away from unauthorised users, down to consumers looking to keep the secrets on their mobile devices safe. To touch on a few of the salient points in data security today, Hi-Tech Security Solutions hosted a round-table with a number of guests from different areas of the business world.
Our goal was to find out what the main points businesses are facing today are, and what they could do to resolve them. Of course, taking on such a broad field in one round-table is impossible. In this report we have highlighted only a few of the points the attendees raised. The reality is, data security is a core competency of any company, whether they know it or not.
Our round-table comprised the following people:
Kendal Watt, solutions specialist at Mimecast, was there to represent data security from a messaging and e-mail perspective. Mimecast focuses on areas such as content and reputation analysis, as well as security from an outbound perspective. Watt says a large focus is on data loss prevention (DLP), corporate governance and certain legislative compliance requirements for business in South Africa.
Microsoft’s chief security advisor, Dr Khomotso Kganyago deals with security from a broad range of perspectives, from e-mail to the cloud, dealing with issues such as encryption, data movement, data classification and more.
Infoprotect’s Hans van Vreden is more operationally inclined. He says IT security has an impact on the whole company, and Infoprotect devises security strategies by including other, traditionally non-IT departments when developing policies. The biggest issue in many companies, he says, is helping them understand where to begin.
CA Southern Africa’s Ugendrin Gounden’s focus is on identity and access management as well as the increasingly important field of DLP.
Andrew Potgieter, sales manager at Westcon Security, a security distributor, works with a variety of vendors helping customers to gain a 360-degree view across their entire security platform.
Data security trends
To start with, we asked our guests to take a generic look at data security. What are the biggest issues business is facing today when it comes to securing data?
Kganyago says one of the biggest issues in business today is the problem of insiders selling information to competitors or crime syndicates to the detriment of the organisation. The information in demand ranges from competitive information to data concerning legal disputes, or even that dealing with transformation matters within an organisation. This problem cuts across the government and corporate worlds.
Gounden agrees, noting that companies are more aware of data security issues today and many are holding awareness campaigns to educate staff on the appropriate way in which to deal with sensitive data. This education comprises issues such as how to hold and store it, not to pass it on to others and not to abuse it, etc.
Watt adds that awareness is a serious problem that more organisations are aware of, probably because of the loose boundaries in terms of time and location for what is described as work today.
“People are not necessarily going to work from 8am until 5pm and then turn off their machines until the next day. Mobile devices have extended the boundaries as well as working times for many employees,” he notes. “This brings up the question of security. How are companies securing the user’s device and by default, their sensitive data?”
While most people see data security in terms of IT, firewalls and evil hackers, it also includes a physical security aspect. What happens if a smartphone or a laptop is stolen or lost? Can you be sure that the data is safe or automatically deleted? Are you encrypting the data on the machine or do your users avoid it because it is an extra step or yet another password they have to remember?
Watt adds that cloud computing is also adding a new dimension to security today. The business needs to be sure not only that its own data security measures are effective, but also that the systems of its cloud service provider are. And what about the information when it is in transit?
Potgieter agrees that the boundaries of old are gone. “With mobility and cloud computing in place, we now also have bring your own device (BYOD) becoming increasingly popular and this is an absolute terror to organisations because the data no longer sits within those locked confined doors of the building.”
Things like the laptops provided by the organisation can still be managed and controlled to a certain level, driven by policies and implementations within the organisation. But with BYOD, organisations are in a bind. They need to learn to control the flow of data, whether it is actually physically on the device or whether it is just a portal view from that device. One of the most serious problems in data security is the uncontrolled replication of data, such as an entire Exchange directory onto a personal device that is not secured.
Awareness beyond the office
Van Vreden adds that awareness within the business is one thing, but even senior executives lose the plot when they take their ties off. He relates a story of sitting in a local coffee franchise that offers free WiFi, a good spot for people on the road, or on holiday to catch up on e-mail and handle a few personal affairs. While in the coffee shop, a businessperson wanted to connect to the free WiFi, but could not get it to work. The coffee shop manager came over and helped him disable his firewall so that he could connect – without any protest from the user.
Once connected, he logged into his bank account, downloaded e-mail and so forth, all without any protection and while on an open (read: insecure) network. There are free tools anyone can download that will allow someone sitting near this person to easily get onto his machine and capture passwords or whatever the criminal wants.
Potgieter also reports on a recent CEO conference where his team set up a false free WiFi hotspot using the name of the hotel where the conference was held. He says 60% of the CEOs in the building connected through the hotspot. The person controlling it was a certified hacker (meaning he was a good guy), and he could have accessed all the information, including bank logons, during those sessions.
“It all comes down to education,” he states.
This is where the IT department needs to play a role in preventing stupid mistakes as above. Issues such as the compulsory encryption of data or even entire laptops, as well as preventing mobile devices from downloading sensitive information – allow the user to see the information but not to actually download it – need to be addressed and enforced.
Kganyago says memory sticks are another bugbear. Not only do many companies allow any employees to use these USB sticks to copy any information from their office computers or servers, they do not even insist on encrypted USBs for vital information. Moreover, people are quick to simply insert a USB stick in their computers with no thought as to what it may or may not do. These devices are easy ways to spread malware that gives criminals a way into the company. Again, it is a question of awareness.
The technology is there to keep devices safe, whether within the office or out on the road, says Potgieter. The question is whether IT has taken the time to explain what these systems are and why they are necessary. And once again, it is about awareness, all mobile users need to be aware of the vulnerable situations they put themselves in and how to operate securely. A little informed common sense goes a long way.
Watt adds that this is a job for HR and IT. Businesses have to deal with people using any devices to access business servers, but they need to do it securely. In other words, the business needs to offer access, but ensure it is with an encrypted connection, for example. Moreover, it needs to be made as simple as possible to ensure users actually follow the rules.
He says it is important to make sure the user understands why these measures are necessary and to make the security process as seamless and simple as possible.
Dealing with threats
It is easy enough to talk about what the threats out there are, but what does a company do when it wants to protect itself?
Van Vreden says an important starting point is to understand what needs to be done by asking a few simple questions such as ‘What needs to be secured?’
“You can put up all the security measures in the world, but if you are protecting your Exchange server and e-mail is not a core value of your organisation while everything that is sitting on your file server is, which you are not protecting, you are missing the point completely.
“So you start by identifying what needs to be secured. From there you decide who needs access to what data. The next step is crucial, accurately documenting everything in your security policy and then educating the users.”
While South Africans are all specialists in physical security (we have burglar bars, alarm systems, CCTV, access control and the like), we do not think of security in the same way when we look at our data, says Potgieter.
Naturally the concept of access is linked to the discussion on data security. One of the basic protection mechanisms all companies use to some degree is limiting people’s access to data and applications according to who they are and what they do. Gounden brings in the idea of identity management and access, noting that tying a person’s job role to his/her access to data is a good start that many companies already implement.
In this scenario, the danger is allowing permissions to run out of control and you end up with a PA with access to the accounting system because his boss asked for temporary permission at some stage for a very good reason, but nobody bothered to revoke it. The old problem of having functional access for people who have left the company is also pertinent here.
Role-based control has come into play in most corporations today. What this means is each person gains easy access to what they need but no more. “Take a teller at a bank, for example. He would need access to system one, two and three, but the customer consultant does not need access to all these systems, she just needs one and two. Role-based access control takes care of that in terms of using your identity to authorise or deny access.
“And when automated and integrated to the company’s business applications, temporary permissions can be granted, but are automatically removed after a specified period. Similarly, when people leave the company their access is automatically terminated.”
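The role-based model Gounden describes (a role decides what a person may reach, temporary grants lapse on their own, and leavers lose everything at once) is small enough to write down. The following is an added illustration, not code from CA Southern Africa or any other participant; the roles, systems and people in it are constructed, and the bank roles mirror the teller and customer consultant example above. It also includes a stale-grant audit, the check that would have caught the PA who still had accounting access long after the temporary reason had passed.

```python
"""Role-based access control with expiring temporary grants and offboarding.

Added illustration only; all roles, systems and names are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Role -> systems that role may use (constructed, following the bank example).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "teller": {"system1", "system2", "system3"},
    "customer_consultant": {"system1", "system2"},
    "personal_assistant": {"email", "calendar"},
    "accountant": {"accounting"},
}


@dataclass
class TemporaryGrant:
    system: str
    expires_at: datetime
    reason: str          # recorded so an auditor can see why it was granted


@dataclass
class User:
    name: str
    role: Optional[str]  # None once the person has left the company
    grants: List[TemporaryGrant] = field(default_factory=list)


class AccessControl:
    def __init__(self, users: List[User]) -> None:
        self.users = {u.name: u for u in users}

    def grant_temporary(self, name: str, system: str, days: int,
                        reason: str, now: datetime) -> None:
        """Grant access outside the role, but only until a fixed expiry."""
        self.users[name].grants.append(
            TemporaryGrant(system, now + timedelta(days=days), reason))

    def offboard(self, name: str) -> None:
        """Leaver: drop the role and every grant in one step."""
        user = self.users[name]
        user.role = None
        user.grants.clear()

    def effective_permissions(self, name: str, now: datetime) -> Set[str]:
        user = self.users[name]
        if user.role is None:
            return set()
        perms = set(ROLE_PERMISSIONS.get(user.role, set()))
        # Expired grants simply stop counting; nobody has to remember to revoke them.
        perms |= {g.system for g in user.grants if g.expires_at > now}
        return perms

    def can_access(self, name: str, system: str, now: datetime) -> bool:
        return system in self.effective_permissions(name, now)

    def stale_grants(self, now: datetime) -> List[Tuple[str, str]]:
        """Audit helper: expired grants still on record, for clean-up."""
        return [(u.name, g.system)
                for u in self.users.values()
                for g in u.grants if g.expires_at <= now]


def demo() -> Dict[str, object]:
    """Walk through the scenarios in the text and return the outcomes."""
    now = datetime(2024, 1, 1)
    ac = AccessControl([
        User("thabo", "teller"),
        User("lerato", "customer_consultant"),
        User("sipho", "personal_assistant"),
    ])
    results: Dict[str, object] = {}
    results["teller_system3"] = ac.can_access("thabo", "system3", now)
    results["consultant_system3"] = ac.can_access("lerato", "system3", now)
    results["pa_before_grant"] = ac.can_access("sipho", "accounting", now)
    ac.grant_temporary("sipho", "accounting", 7, "month-end close for boss", now)
    results["pa_during_grant"] = ac.can_access("sipho", "accounting", now + timedelta(days=3))
    results["pa_after_grant"] = ac.can_access("sipho", "accounting", now + timedelta(days=30))
    results["stale"] = ac.stale_grants(now + timedelta(days=30))
    ac.offboard("thabo")
    results["teller_after_leaving"] = ac.can_access("thabo", "system1", now)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of checking `expires_at` at decision time rather than scheduling a revocation job is that access cannot outlive its reason even if the clean-up process fails; the `stale_grants` report then exists only for tidiness and audit, not for enforcement.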
Today, more companies are looking beyond passwords to control access, since passwords are easily abused. Whether the answer is biometrics or some other form of identification, sensitive information is being better protected than ever. However, we still have regular security breaches, which means the process is not being handled as it should.
Gounden says we are also seeing multiple authentication methods in many cases where the user has something, such as a card or tag; knows something, such as a password; or presents a biometric to ensure they are who they claim to be. Of course, this type of security is usually reserved for special access for specific people to specific information. Access for those in lower pay grades is normally still the default password, making it easier for the criminals to get their foot in the door.
Kganyago adds a note of caution here, saying we need a balance between security and privacy. While South Africans have no problem having their fingerprints scanned, in Europe people would be less willing, seeing it as an invasion of privacy. A balance is crucial if users are to comply with all their employer’s security processes.
He is looking forward to the day when your identity travels with you. For example, the CCTV cameras will identify you as you drive into the office complex, open the door as you walk in and open the doors you are authorised to walk through as you go about your business. Even your workstation will log you on as you sit down because it recognises you. Such seamless identity and access is still a way off, but we can dream.
Start at the beginning
So what does one do when you need to secure your data, but you do not simply want to go out and buy a product and install it for the sake of having it? Additionally, you want to do it without frustrating your employees’ attempts to do their jobs.
Watt says he believes in the policy: “Just enough security, just enough infrastructure, just enough technology”.
Van Vreden says it is important to help your customer to understand the risks they face. Most companies will not complain too loudly about buying antivirus and firewall solutions, but may start questioning the need for encryption. They need to understand the risks to their data if a laptop is stolen or your smartphone is left lying on a counter, for example.
Potgieter adds that the biggest failure of the industry is still selling security as a catalogue sale instead of a consultative sale. “Salespeople look at a potential client’s infrastructure and tick off the products they have and try to add in whatever they do not. It should be a consultative process that solves a problem.”
Taking a different approach, Kganyago believes it is a matter of compliance to industry standards. He says there is no need to build a security policy from scratch, there are existing best practices and standards to adopt and build on.
There also needs to be a change in the mindset of the high-ranking managers, adds Gounden. The ‘it will not happen to me’ mindset needs to be abolished in favour of a more practical approach to security based on a realistic assessment of your vulnerabilities and what a breach could cost.
IP dangerous
While on the subject of data security, Hi-Tech Security Solutions would be remiss not to ask about the security of data transmitted over IP networks, such as video surveillance. Are these data streams also at risk? The simple answer is yes.
Kganyago says people are hacking into boardrooms via CCTV cameras to spy on competitors after security systems are integrated into the IP networks, for example. In very secure locations, you will find there are still two separate networks, one for data and one for security, and there is a good reason for this. Integration may mean simpler management, but it increases the risk. Whoever thought you need to worry about more than image quality when it came to surveillance footage?
Data security is a problem that will not go away. As information increases in value, it is reasonable to expect criminal elements to increase their efforts to get hold of any information they can make money from. And with so many weak links to exploit, they are having a great time. In this article we have only scratched the surface of an industry that is on a steep growth path. Needless to say, data security is everyone’s responsibility, whether you are in HR, IT, managing access control or even installing CCTV cameras.
© Technews Publishing (Pty) Ltd. | All Rights Reserved.