(T) Information security professionals need constantly to ask themselves what are the requirements to secure the digital assets that they are in charge.
Today again in the headlines a new story about the loss of some valuable data. This time, it is in the UK and affects some personal information from 25 million people!
Information Security Challenges
Security threats are constantly changing and establishing on-going new security requirements. Security must be simple and global. Complex security is difficult to operate. Fragmented security is difficult to manage (such as is the case with wireless LANs security).
Internal and external business communications have different security requirements and different level of risks between business units, partners and customers. Every business communication needs an appropriate security design and acceptable risk level for all parties involved and regularly reviewed over its life cycle.
External business communications open the enterprise network to its business partners and customers vulnerabilities. And, perimeter security is inefficient to secure internal business communications.
Network Security Simplified!
Simplified, network security is about securing the I.T. infrastructure, securing the data and last but not least controlling the users accessing the I.T. assets and infrastructure.
Internal security solutions must protect data and control user access. Internal threats exist from users, processes, and applications. Perimeter security is inefficient for internal business communications.
Securing external business communication now requires:
–data encryption to enable communication over untrusted networks;
–and, customer or partner access control to limit network access to internal corporate applications and data.
Investing in Data Encryption and Access Control
Securing the infrastructure includes a large number of well-known and well-deployed technologies in particular: firewalls, IDS/IDP, Anti-X (anti-malware, anti-phishing…) and content filtering.
Enterprises have significantly invested since 2002 in network security equipment: firewalls, IDS/IDP, application-layer security (content, anti-X…). So moving forward, enterprises have to fulfill urgently their needs for tools securing their data and, policing and monitoring their users accessing those data.
Securing the data requires encrypted the data both at “rest” and in “motion” or in other terms data that resides on a computer and moving over the network.
User access control can now be provided from legacy authentication, authorization and accounting (AAA) technologies to federated identity and integrated network access control (NAC).
Balancing Data Encryption and Access Control
The trend is definitely to deploy more data protection and access control solutions. But this is not without problems.
Success lies in balancing data protection and access control as illustrated in the picture below.
Data availability is required for business productivity. Data protection mitigates information risks.
Data that can be accessed by users but is not protected can be at risk. But data that is protected but not available to the users is worthless.
Note: More on Today Story About The Loss of Personal Information of 25 Million People in the UK
The personal information from those 25 million people was stored on two computer disks. They contained information on families that receive government financial benefits for children and were sent out from a British government tax agency, via a private parcel delivery service, to Britain national audit office which monitors government spending.
The two disks never arrived at their destinations. They contained detailed personal information on 40 percent of the population: in addition to the bank account numbers, there were names, addresses and national insurance numbers (the British equivalent of the US social security numbers). They also held data on almost every child under 16. Data on the two disks were protected by a password but not encrypted.
Copyright © 2005-2007 by Serge-Paul Carrasco. All rights reserved.
Contact Us: asvinsider at gmail dot com.