Don’t just secure the network – secure the breach: three simple steps
By Kirk Spring
As we’ve seen from recently reported hacks of healthcare networks, security breaches are becoming commonplace. Attacks on secure networks can come from internal or external sources. “Breach prevention” is no longer a workable strategy.
Instead, organizations must understand and accept that breaches will happen. Rather than making your top priority securing the perimeter, put the emphasis where it should have been all along – securing the data. In short, don’t just secure the network. Make it your real strategy to “secure the breach.”
There are three steps any agency must take to secure the breach and protect critical data:
- Know where your data resides
- Know how your data is stored and managed, and
- Know who has access to your data.
Know where your data resides
You can’t protect data by securing the perimeter; you have to encrypt the data assets themselves. That way, you know that even if your network is breached, your data stays safe.
A solid encryption strategy means fully understanding where your agency’s sensitive data resides. Data encryption can cover structured and unstructured data across multiple locations. Where is your data stored -- in databases, file servers, endpoints or storage networks? Is it kept on premises, virtually or in the cloud?
Remember that over time the value of your data changes. Some archived data may no longer be a security risk. On the other hand, new data usually demands an immediate security strategy.
Know how your data is stored and managed
Real security depends on the secret cryptographic keys used to encrypt and decrypt sensitive data. When those keys are lost or stolen, your whole data and security infrastructure is at risk.
Unfortunately, because of the volume and variety of encrypted data, we’re talking about millions of possible encryption keys. And keys are often stored in a variety of places (sometimes on the very systems that contain the sensitive data). That leaves them exposed to being stolen or misused. And if the keys aren’t secured in transit, the security risk is even higher.
Good key management is essential; it’s almost impossible to protect keys if they’re isolated and disconnected. You need to adopt a crypto management platform across your extended organization to centralize management of the entire key lifecycle.
Security surrounding the key storage container is also critical. Without it, your encryption keys can be stolen, copied, and misused. Software key wrappers don’t protect encryption keys as well as hardware-based options. For better protection, consider vaulting keys in a hardware security module.
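The separation described above can be illustrated with envelope encryption: each record is encrypted under its own data key, and only that data key wrapped under a key-encryption key is stored beside the ciphertext, so the key-encryption key can live in an HSM or central key manager rather than on the data system. The sketch below is an added example, not code from this article or from SafeNet; its names, its use of AES-256-GCM for both layers, the 32-byte key sizes and the KEK identifier are assumptions of the example.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// Envelope is what is stored beside the data: the ciphertext plus the data key (DEK) wrapped
// under a key-encryption key (KEK). The KEK itself never lives here; it stays in an HSM or key manager.
type Envelope struct {
	KEKID      string // bound in as AAD so a blob cannot be re-labelled to another KEK
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, data)
}
// must panics on error: keys here are fixed-size and a failed RNG is fatal anyway.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// gcm returns AES-256-GCM for a 32-byte key.
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }
// seal encrypts under key with a fresh 96-bit random nonce prepended to the output.
func seal(key, plaintext, aad []byte) []byte {
	nonce := make([]byte, 12)
	must(rand.Read(nonce))
	return gcm(key).Seal(nonce, nonce, plaintext, aad)
}
// open reverses seal; a wrong key, wrong KEK ID or tampered blob fails to authenticate.
func open(key, blob, aad []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, errors.New("sealed blob too short")
	}
	return gcm(key).Open(nil, blob[:12], blob[12:], aad)
}
// Encrypt draws a one-off DEK per record and stores only its KEK-wrapped form.
func Encrypt(kekID string, kek, data []byte) Envelope {
	dek := make([]byte, 32)
	must(rand.Read(dek))
	return Envelope{KEKID: kekID, WrappedDEK: seal(kek, dek, []byte(kekID)), Ciphertext: seal(dek, data, nil)}
}
// Decrypt must unwrap the DEK with the KEK first: a copied blob is useless without it.
func Decrypt(kek []byte, e Envelope) ([]byte, error) {
	dek, err := open(kek, e.WrappedDEK, []byte(e.KEKID))
	if err != nil {
		return nil, err
	}
	return open(dek, e.Ciphertext, nil)
}
```

Rotating the KEK is then an open of WrappedDEK under the old KEK followed by a seal under the new one; the bulk ciphertext never has to be touched.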
Know who has access to your data
While good crypto management will protect sensitive data, that data is only as secure as the people authorized to access it.
User identities must be both protected and authorized. With a strong authentication protocol, you can block unauthorized access and ensure accountability for the people authorized to use data. And by having different user groups use different authentication methods, you can further prevent misuse of data and systems internally.
It’s clear that data breaches are becoming more widespread. Even as agencies continue to invest in outmoded breach prevention strategies, new ways to breach the network are being developed. That is complicated further still as networks and data extend into the cloud and onto mobile devices.
Clearly, security needs to be attached to data. That’s the only way to maintain control of sensitive information on any device or platform, even when it falls into the wrong hands.
Encrypt all sensitive data at rest and in motion. Securely manage and store all of your keys. Control user access and authentication. With those three simple steps, you can be sure your data is protected, and you can be better prepared in the event of a security breach.
Kirk Spring is President of SafeNet Assured Technologies. He can be contacted at [email protected]