Taking a ‘data-centric’ approach to protecting what matters
A new European Union regulation that requires mandatory data breach disclosures by telecoms operators and Internet service providers (ISPs) has recently become official.
It requires all EU telcos and ISPs to notify national authorities within 24 hours of detection of any incident that involves the theft, loss or unauthorized access to personal customer data (e.g., emails, calling data and IP addresses). This new regulation also requires EU telcos and ISPs to disclose -- within three days of reporting any breach -- the specific measures they have taken to address the data breach.
And that's just the start of it. There is a much broader Draft Data Protection Regulation in the works that requires a similar response from every EU business that handles personal data. Moreover, there are numerous efforts afoot involving new data breach notification requirements in both Asia and the U.S.
For multinational companies, the bar is set even higher, because they will have to ensure they can meet the specific data security requirements set forth in every member state in which they operate. It's a daunting task, to say the least. And, like Sarbanes-Oxley accounting requirements in the U.S. for publicly held companies, compliance is mandatory, not optional.
Given these new data breach regulations and the rising tide of both advanced persistent threats (APTs) and privileged user threats, the vast majority of companies will have to re-visit -- and quite likely re-think -- their data security strategy.
According to experts in the field, perimeter security is failing and it is no longer a matter of if a data breach will occur, but rather when it will occur, and how well (and quickly) you will be able to respond. Consequently, it is time to move past the network itself and take a "data-centric" approach to protecting valuable data, such as customer information or IP.
It's also important to think about both process and technology. To stop an APT or insider threat in its tracks, enterprises must combine best practices (around data access, for example) with strong technology solutions architected to ensure that their valuable data remains sufficiently protected. The best way to do this is with a "defense-in-depth" strategy that includes application-transparent encryption, strong privileged user controls, automation tools and the ability to gather and analyze security intelligence information. Moreover, having the ability to "watch the watcher" is of paramount importance because it lets organizations detect attacks against the data, the data security infrastructure and their privileged user accounts.
Identifying unusual and anomalous access patterns by security administrators is a good way to uncover either a malicious insider within the security organization or an administrative account that has been compromised. Businesses would be well advised to review their current data security approach and put in place a scalable data-centric solution that can protect any file, any database and any application, regardless of whether it resides in a physical, virtual or cloud environment.
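To make the "watch the watcher" idea concrete, here is an added example (not code from the article or from Vormetric) of how a security-intelligence component can baseline each administrator's normal behaviour and flag departures from it. The audit log format, the account names, the resource names and the one-export-per-hour threshold are all constructed for this illustration; a real data-security platform would emit its own audit records.

```python
"""Added example: flag anomalous privileged-user access in an audit log.

Illustrative code written for this article, not a product feature. The log
format, field names, accounts, resources and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log: timestamp, admin account, resource, action.
# The first block is the historical window used to learn "normal"; the second
# is new activity to be checked against it.
BASELINE_LOG = """\
2017-03-01T09:12:04 alice key-vault/prod-db list
2017-03-01T10:40:11 alice key-vault/prod-db read
2017-03-02T09:05:30 alice key-vault/prod-db list
2017-03-02T14:22:18 alice policy/fileserver update
2017-03-01T08:50:00 bob policy/fileserver update
2017-03-02T09:15:45 bob policy/fileserver read
2017-03-03T11:02:09 bob key-vault/hr-share list
"""

NEW_LOG = """\
2017-03-04T10:01:00 alice key-vault/prod-db read
2017-03-04T02:13:37 alice key-vault/hr-share export
2017-03-04T02:14:02 alice key-vault/prod-db export
2017-03-04T09:30:00 bob policy/fileserver read
"""


def parse(log):
    """Turn the constructed line format into (timestamp, user, resource, action)."""
    events = []
    for line in log.splitlines():
        ts, user, resource, action = line.split()
        events.append((datetime.fromisoformat(ts), user, resource, action))
    return events


def build_baseline(events):
    """Per administrator: the (resource, action) pairs seen and the hours active."""
    baseline = defaultdict(lambda: {"pairs": set(), "hours": set()})
    for ts, user, resource, action in events:
        baseline[user]["pairs"].add((resource, action))
        baseline[user]["hours"].add(ts.hour)
    return baseline


def detect_anomalies(baseline, events, max_exports_per_hour=1):
    """Return (timestamp, user, reason) findings for activity outside the baseline.

    Three signals are checked: an account with no history at all, activity at an
    hour the account has never been active, an action on a resource the account
    has never performed, and a burst of exports above the hourly threshold.
    """
    findings = []
    export_counts = defaultdict(int)
    for ts, user, resource, action in events:
        profile = baseline.get(user)
        if profile is None:
            findings.append((ts, user, "unknown administrator account"))
            continue
        if ts.hour not in profile["hours"]:
            findings.append((ts, user, f"activity at unusual hour {ts.hour:02d}"))
        if (resource, action) not in profile["pairs"]:
            findings.append((ts, user, f"first-seen action {action} on {resource}"))
        if action == "export":
            key = (user, ts.date(), ts.hour)
            export_counts[key] += 1
            if export_counts[key] > max_exports_per_hour:
                findings.append((ts, user, "export volume above threshold"))
    return findings


if __name__ == "__main__":
    profile = build_baseline(parse(BASELINE_LOG))
    for ts, user, reason in detect_anomalies(profile, parse(NEW_LOG)):
        print(f"{ts.isoformat()} {user}: {reason}")
```

Run against the constructed data, the routine is silent for bob's routine daytime policy read but raises five findings for alice: two 02:00 logins outside her usual hours, two export actions she has never performed on those key stores, and a second export within the same hour. Each finding is a reason string rather than a verdict, which is the point of the "watch the watcher" design: the security team reviews the administrator's activity, and the administrator cannot suppress the record because the audit trail is produced by the data-security layer rather than by the account being watched.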
These new regulations, such as the one that recently went into effect in the EU, send a clear mandate to companies: aggressively protect personal customer data or risk significant financial and brand reputation consequences. The good news is that there are ways for enterprises to protect themselves from both financial penalties and brand reputation issues, as more and more of these regulations come into force.
Paul Ayers is vice president for EMEA at Vormetric. He can be reached at: