Cyber security woes continue to burden the minds of organisations of all sizes.
This has been further exemplified by C5 Capital's announcement that it will launch the first cyber security-focused venture capital fund in Europe, as concerns about leaks and the security of digital technology grow. The London-based firm is looking to raise $125 million to invest in security and data companies in Europe, and highlights that the cyber security threat has certainly become a boardroom issue.
Even previously well protected and “secure” industries such as the public sector have realised that they must take extra steps in order to secure their data.
Industry concerns
Every CIO knows that if they don’t get security right, customers, employees and the institutions they work with alike can suffer directly, and their role can be perceived as ineffective. Data is powering the transformation of businesses today. Data is powering a new wave of businesses.
The broad adoption of cloud and mobile computing, global and outsourced workforces, and the advent of Big Data are challenging Chief Information Security and Risk Officers to locate, track and protect sensitive and company-confidential data while ensuring compliance with data residency and privacy regulations. The common question asked by CEOs and Boards of Directors, ‘How Secure Is Our Data?’, is often difficult, if not impossible, to answer.
Therefore, a new data-centric security paradigm is required so that security teams can define data classification and use policies, including at the data’s source. These policies need to follow the data – independent of how it gets proliferated, who requests access, or where it persists, including in the cloud.
A further concern is knowledge in this sector, given the lack of cybersecurity professionals. The demand for trained cybersecurity professionals who work to protect organisations from cybercrime is high in many regions, but the shortage can particularly be seen in government, which does not offer salaries as high as the private sector.
Data masking as a security enabler
Modern data security strategies therefore need to consider two layers: the layer where data is being stored and organised, and the layer where data is being retrieved. Data masking has emerged as a versatile technology for data storage. It is a method of camouflaging data in order to maintain confidentiality of data. The technique is used when the format or type of data needs to remain intact, but the actual data values must be hidden from a user or process.
For example, an organisation that has developed an application to report on its customer data may wish to send the application to a third-party consultant for testing. Wanting to test the application against the actual data set, but not wanting to reveal its customers’ names or addresses, the organisation first masks the data, and then sends the application and the masked data to the tester. With this, sensitive information remains fully within the organisation.
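The masking step described above, as an added example (not code from the article or from any masking product): a keyed, deterministic substitution that hides names and addresses while keeping each value's length, letter case, digits and punctuation. The key, field names and customer rows are constructed for illustration, and the substitution is a simple HMAC-based scheme rather than a standardised format-preserving encryption mode.

```python
import hashlib
import hmac
import string

# Constructed key for the example; in practice it stays inside the organisation.
MASKING_KEY = b"example-masking-key-not-for-production"


def mask_value(value: str, field: str, key: bytes = MASKING_KEY) -> str:
    """Replace ASCII letters and digits; keep length, case and punctuation."""
    # Keyed digest of (field, value): the same input always yields the same
    # mask, so joins across masked tables still line up.
    seed = hmac.new(key, f"{field}\x00{value}".encode(), hashlib.sha256).digest()
    stream = hashlib.shake_256(seed).digest(len(value))
    out = []
    for ch, b in zip(value, stream):
        if ch in string.ascii_uppercase:
            out.append(string.ascii_uppercase[b % 26])
        elif ch in string.ascii_lowercase:
            out.append(string.ascii_lowercase[b % 26])
        elif ch in string.digits:
            out.append(string.digits[b % 10])
        else:
            out.append(ch)  # separators are kept so the format stays valid
    return "".join(out)


def mask_record(record: dict, sensitive: set) -> dict:
    """Mask only the sensitive fields; leave the rest usable for testing."""
    return {k: mask_value(v, k) if k in sensitive else v
            for k, v in record.items()}


# Constructed sample rows, not real customer data.
CUSTOMERS = [
    {"id": "1001", "name": "Alice Moreau",
     "address": "12 Harbour Rd, Leeds LS1 4AB", "plan": "gold"},
    {"id": "1002", "name": "Bob O'Neil",
     "address": "7 Mill Lane, York YO1 9TT", "plan": "basic"},
]

if __name__ == "__main__":
    for row in CUSTOMERS:
        print(mask_record(row, {"name", "address"}))
```

Because the output keeps length and layout, it still reveals the shape of each value, and the masking key must not travel with the masked data set.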
Data masking may be offered as an option with database products, or third-party data-masking products can be purchased separately from vendors. Data masking may also be included as part of a data management service on a software-as-a-service (SaaS) platform.
In spite of the growing threat from targeted attacks and the general best practices, data masking deployment remains sporadic and even non-existent in otherwise highly secure organisations. Why? In the past, data masking techniques like encryption required a lot of processing power, limiting their usage. Additionally, many organisations found data masking tools too expensive for broad application. However, these long-held beliefs are no longer accurate, as faster and cheaper tools have emerged in recent years, making data masking an option for organisations of all sizes.
Threats on the horizon
Today, the biggest hazard an organisation faces is the lack of knowledgeable skill sets in mobile security and potential threats. Data security expertise has been one of those skill sets considered in serious shortage for some time now. Given the rapid change of the mobile device landscape, as soon as you invest in training your team on the latest threats, new technologies emerge that require more catch-up training.
Also, given that consumers and the next generation of the entitled workforce expect to be able to conduct business from their mobile devices, the pace of application development and rollout will accelerate faster than the security team can keep up.
It is imperative for vendors to work together to jointly create an optimum process to combat cybersecurity threats. Data integration products do not make security products redundant, but they can make them more effective by pointing them at the highest-risk data that needs to be protected. Data integration complements rather than competes with security technologies, and it is designed to help organisations narrow down where sensitive data resides, physically and logically. Only then can they prioritise which stores need to be better secured, with which types of security technologies.
So it is high time for all businesses to implement an adequate and efficient data security strategy. For this, the starting point should always be: what data do I store, where do I store that data and who has access to it? Once a clear picture emerges of what happens to data, where, when and by whom, its storage and retrieval can be made more secure.
Data is increasingly perceived as a currency, and it should therefore be treated as such: by putting it in a safe place and making sure any exchange is authorised.
Julie Lockner is vice president of ILM product marketing at Informatica