Former Member

Layering Security for Effective Data Protection

In an age where digitizing information is the norm, organizations large and small rely on a myriad of applications, systems, and tools to create, collaborate on, calculate, and report large volumes of data pertaining to the success of their business. Examples of such data are financials, PII, bills of materials, trade data, customer data, engineering drawings, sales forecasts, and more, all of which reside within your SAP system. Alongside efficient data handling, effective data governance is a key concern, as security pitfalls can lead to damaging consequences for a business, both monetary and reputational.

As part of an effective data governance plan, it is key to secure a company’s valuable information by deploying reliable security solutions both inside and outside the IT perimeter in which the data resides and travels. Current security solutions can be categorized by what they protect, and we can visualize this simply by looking at your IT security ecosystem as a layered model within which the different solutions can be deployed.


Let’s start with the outermost layer, the Network, which is the medium by which your information travels. Protecting this layer is paramount to keep out malicious attacks and to prevent unsecured access to your information. Inside your organization, this means setting up a secure intranet with proper router and switch security and timely management of user and application access. For protection beyond your internal perimeter, one of the most common and widely deployed technologies is the firewall, which protects the integrity of your private corporate intranet by keeping out unauthorized access. For authorized users outside your network, such as a remote worker or third-party collaborator, you can use a Virtual Private Network (VPN) to grant access. This is done via a virtual point-to-point connection that can be set up either by direct connections or by virtual tunneling protocols. A more advanced network security solution is Data Loss Prevention (DLP), which can be deployed on the network or at an endpoint in your IT landscape. When configured effectively, a DLP solution can monitor user activity, restrict confidentially tagged information from being emailed or copied, scan storage media for sensitive information, and monitor endpoint activity.
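The kind of content rule a DLP product applies to outbound email can be sketched as follows. This is an added example, not code from any DLP vendor: the patterns, the `example.com` internal domain, and the sample message are all constructed for illustration.

```python
import re

# Detectors in the spirit of a DLP content rule set (illustrative, not exhaustive).
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")       # US SSN layout
TAG_RE = re.compile(r"\b(?:CONFIDENTIAL|INTERNAL ONLY)\b", re.IGNORECASE)

def luhn_ok(digits):
    """Luhn checksum: filters out order numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan(text):
    """Return (kind, masked_value) findings; raw values are never returned."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(("payment_card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", "***-**-" + m.group()[-4:]))
    for m in TAG_RE.finditer(text):
        findings.append(("classification_tag", m.group().upper()))
    return findings

def email_verdict(body, recipients, internal_domain="example.com"):
    """Block when sensitive content would leave the (assumed) internal domain."""
    external = [r for r in recipients
                if not r.lower().endswith("@" + internal_domain)]
    findings = scan(body)
    action = "block" if findings and external else "allow"
    return action, findings, external

# Constructed sample message; the card number is a well-known test value.
SAMPLE = (
    "CONFIDENTIAL - Q3 forecast attached.\n"
    "Customer card 4111 1111 1111 1111, SSN 078-05-1120.\n"
    "Order reference 1234 5678 9012 3456 shipped.\n"
)

if __name__ == "__main__":
    print(email_verdict(SAMPLE, ["partner@vendor.test"]))
    print(email_verdict(SAMPLE, ["cfo@example.com"]))
```

The order reference has the shape of a card number but fails the Luhn check, so it produces no finding; findings carry masked values so the DLP log does not itself become a store of sensitive data.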

Now that your information highways are secure enough for data to travel, let’s turn our attention to where your data rests once it has travelled. The medium on which your information lives is the storage layer: the servers on which your ERP, CRM, or PLM systems reside, the hard drives in the front-end computers or workstations used by employees, the personal mobile devices allowed to access company information per your BYOD policy, and so on. Protecting this layer also deters malicious access to your data via a compromised storage medium and protects against accidental destruction, modification, or infection of this information. Installing virus and malware protection on the device is a common mitigation technology. Another set of technology solutions that work in tandem is encryption and authentication. In Full Disk Encryption, all the data on your hard drive is scrambled when the machine is turned off and is decryptable when the machine is running, making it impossible for the data to be accessed in the event a storage medium is lost or stolen. Trusted Platform Module (TPM) is an encryption method that uses an embedded crypto processor attached to the device motherboard to verify that the hard disk drive is tied to a specific device. This is useful in the event the hard drive is stolen and placed in another device: the information is rendered useless, as the TPM prevents decryption of the data. Authentication, on the other hand, is a broad-based method of gaining access to a storage medium involving passwords, PINs, biometrics, smart cards, or key fobs. A common example is a 4-digit PIN entry prompt to access your cell phone.

You are now close to an effective data protection ecosystem. You have protected your data at rest by implementing storage security measures and in motion by securing the paths on which this data travels. However, protection based on the information itself is an incredibly effective way of securing your data in case the other methods are compromised. The best file-based protection methods are ones that encrypt a file and place policy-based access limitations on it, allowing only permitted users to perform specific operations such as view, edit, copy, or print on that information. One of the best solutions in this space is Microsoft’s Active Directory Rights Management Services (AD RMS), which by definition is a form of selective functionality denial that limits the actions a user can perform on a file. This technology has evolved to account for the leaps in current business IT infrastructure such as BYOD, applications that consume file types other than native Office documents, cloud environments, ease of federating trust relationships with third-party collaborators, and so on. Once enabled and properly utilized, your information has persistent protection regardless of whether it is in motion, at rest, or in use. Below are some of the data protection areas in which a good Information Rights Management (IRM) solution such as Microsoft’s AD RMS can be utilized, as stated in official Microsoft documentation:

  • Persistent usage policies, which remain with the information, no matter where it is moved, sent or forwarded. 

  • An additional layer of privacy to protect sensitive information—such as financial reports, product specifications, customer data, and confidential e-mail messages—from intentionally or accidentally getting into the wrong hands.

  • Prevent an authorized recipient of restricted content from forwarding, copying, modifying, printing, faxing, or pasting the content for unauthorized use

  • Prevent restricted content from being copied by using the Print Screen feature in Microsoft Windows

  • Support file expiration so that content in documents can no longer be viewed after a specified period of time

  • Enforce corporate policies that govern the use and dissemination of content within the company
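A simplified model of a persistent usage policy shows how the rights and expiration described above are checked at time of use. This is an added example, not AD RMS code or its API: the service key, envelope layout, users, and policy are constructed, and a real IRM product also encrypts the content and issues use licenses from a server.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Hypothetical key held only by the rights-management service, never by recipients.
SERVICE_KEY = b"constructed-demo-key"

def _mac(content, policy):
    """MAC over policy and content so neither can be swapped independently."""
    blob = json.dumps(policy, sort_keys=True).encode() + b"\x00" + content
    return hmac.new(SERVICE_KEY, blob, hashlib.sha256).hexdigest()

def protect(content, policy):
    """Bind the usage policy to the content so it travels with the file."""
    return {"content": content, "policy": policy, "mac": _mac(content, policy)}

def authorize(envelope, user, operation, now):
    """Service-side decision: policy intact, not expired, right granted."""
    policy = envelope["policy"]
    if not hmac.compare_digest(envelope["mac"], _mac(envelope["content"], policy)):
        return "deny: policy or content modified"
    if now >= datetime.fromisoformat(policy["expires"]):
        return "deny: content expired"
    if operation not in policy["rights"].get(user, []):
        return "deny: right not granted"
    return "allow"

# Constructed sample: an internal author and an external reviewer with view-only access.
POLICY = {
    "expires": "2030-01-01T00:00:00+00:00",
    "rights": {
        "alice@example.com": ["view", "edit", "print"],
        "bob@partner.test": ["view"],
    },
}
DOC = protect(b"Q3 sales forecast", POLICY)
BEFORE_EXPIRY = datetime(2025, 1, 1, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2031, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(authorize(DOC, "bob@partner.test", "view", BEFORE_EXPIRY))
    print(authorize(DOC, "bob@partner.test", "print", BEFORE_EXPIRY))
    print(authorize(DOC, "alice@example.com", "view", AFTER_EXPIRY))
```

Because the check runs on every operation rather than once at delivery, forwarding the file does not widen access: the policy and its integrity tag move with the content.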

A good way to get started is to assess your current security gaps and create a risk mitigation plan that includes evaluating the different security technologies within each of the above-mentioned layers against your objectives, implementation timeline, resources, and budget. A successful IT security policy is a key requirement in today’s age of digitized big data, and your ecosystem should include threat mitigation solutions in each of the three main layers of digital security to give your organization its best chance of protecting its confidential information.
