Having a “data-centric” policy may sound like a sensible option, but according to one chief security officer most businesses have no clue.
Speaking to IT Security Guru, Sol Cates, CSO at Vormetric, said that while the concept of encryption and encrypting data is great, all it does is stop the person running an infrastructure from seeing the information. “Our research found that 73 per cent of respondents said that they had no way of protecting sensitive data; the driver has got to be proactive,” he said.
“There is no proactive control to prevent data loss from happening; nothing can make data protect itself, but you can protect environments. Yet 53 per cent of spend is going on network perimeter defence, as people don’t know any better and it has always been an access control problem, but this doesn’t get rid of the risk to data.
“Attacks are still the same, the operating system still tells you what to do and it is the system administrator with physical access to do this. After the details about Prism were revealed this summer, the NSA cut their number of systems administrators by 90 per cent. Yet if your systems administrator is blind to the data, it will constantly improve your risk experience as they will be able to manage data but not see it.”
Cates said that with a data-centric policy, a company can own the data while having centralised management of it.
He said: “We have never got rid of the inherent problem: you should be able to do systems management without risk and exposure to data. Our argument is that only privileged users should be able to see the information and by putting in better controls, you consolidate it and end up hiding silos within the data centre.”
Cates said that a data-centric policy will also help with restructuring Big Data, as at the moment the problem is that there is too much unstructured data to make a decision and do decent analytics.
He concluded by saying that efficient privileged user management, combined with the company knowing what is important to it, will allow for better security. “Definition, discovery and defence: what is core to the business and what do you share.”
IT Security Guru’s Dan Raywood talks to Sol Cates on this subject in our video.