How secure is your data?
Monday, 29 June 2009 00:00

Luther Martin, chief security architect at Voltage Security, asks: is there a better way to secure your data?

Are businesses keeping their data secure? The answer to this question depends on exactly what type of data you mean. You can divide all business data into two general categories: internal data and customer data. The high-profile data breaches that you hear about in the news these days typically expose sensitive customer data. That may be just because many data security and privacy laws require businesses to disclose data breaches that expose customer data. There may be just as many incidents that disclose internal data that we never hear about, but there’s no way to be sure. It’s probably the case that internal data isn’t compromised as often as customer data is, but that may soon change.

Cyber-crime is big business these days. There’s now a multi-million dollar underground economy in the theft and resale of sensitive data like credit card numbers, bank account numbers and ATM PINs. Cyber-criminals steal this type of information in bulk and resell it to other cyber-criminals who then use the data for a wide range of fraudulent purposes. Today’s cyber-criminals are skilled, determined and well equipped. They’ll take advantage of any security weakness that they can find, and there are lots of them.

The 2008 edition of CompTIA’s Trends in Information Security report estimated that 30 percent of serious data breaches are caused by human errors, another 30 percent are caused by a hacker taking advantage of a human error, and only 40 percent are caused by a hacker actively overcoming flaws in technology. These numbers are quite a bit different than they were five years ago. The 2003 edition of the same report estimated that only 8 percent of serious data breaches didn’t involve some sort of human error. People are getting better at protecting sensitive data, but they’re still not very good at it. It’s still the case that most serious data breaches are caused by a failure of people instead of a failure of technology.

Human error can never be eliminated, so we need to find a different approach to security that will still protect data in the face of unavoidable mistakes.

Is There a Better Way?
Current information security architectures focus on keeping hackers away from sensitive data by keeping them out of the network that stores the sensitive data. Firewalls, proxy servers, and related technologies try to do this. Because it may not be feasible for people to configure and operate such architectures securely enough to keep hackers out, another approach may be needed. Instead of protecting the network, why not try protecting the data itself?

In such data-centric security architectures, you encrypt all sensitive data and only give authorized applications the ability to decrypt it. Then, if cyber-criminals manage to penetrate the network, they won’t get anything that they can resell at a profit. Take away their profit and they’ll find something else to do.

Today’s cyber-criminals have been so successful that they may soon run out of sensitive customer information to steal. The Privacy Rights Clearinghouse estimates that over 252 million data records of U.S. residents have been exposed by security breaches since January 2005. Since the population of the U.S. is only 303 million, there is probably already significant overlap between the data that’s been exposed in different breaches.

As the number of overlaps in the data exposed by breaches increases, the value of the data to cyber-criminals will inevitably decrease, and they will look for new sources of revenue. When this happens, sensitive internal data will probably be their next target. The same types of human errors that make it hard to protect sensitive customer data also make it hard to protect internal data, so we shouldn’t be surprised if cyber-criminals are just as effective at stealing internal data as they have been at stealing customer data.

On the other hand, data-centric security will protect internal data as well as it protects customer data. It’s a method for protecting all sensitive data in a way that’s much less sensitive to the types of mistakes that make network-centric security so hard to implement successfully. Network-centric security has proven to be too hard to do well. Data-centric security may be a better alternative.