Enterprise security, which primarily comprises data protection and privacy, continues to be an area of focus for enterprises, be it on the production or the non-production side of the entity. Little wonder that enterprise security spending remained surprisingly resistant to enterprise budget pressures even during the recent economic mayhem.
Whether we like it or not, enterprises today are witness to four major evolutions that make enterprise security mission-critical: social media is here to stay, and security teams must continue to balance real business needs with the risks and threats; mobile devices are becoming more common, more important and more complex; the human factor continues to be the biggest lacuna in all security programs; and, last but not least, the domain name system (DNS), which provides one of the most critical functions on the Internet, also has inherent structural risks.
Some of the security risks that enterprises face can be averted, or at least minimized, by investing intelligently in firewalls, audit trails, encryption algorithms, etc. As a matter of fact, many organizations are aggressively doing this as well. Having said that, in the case of enterprise security it is sad but true that most of the time the enemy is within. For example, in July 2009, former US Department of State employee William Celey pleaded guilty to inappropriately accessing passport files belonging to 75 celebrities, and in Japan, a middle manager at Mitsubishi UFJ Securities copied the entire contents of the firm’s customer database (1.4 million records) to removable media. Account details included names, addresses, and annual incomes. A simple intrusion tool set up on the internal network can reveal a lot of sensitive customer information, and enterprises have not yet recognized this as a threat. Test data is copied from production most of the time, and there is limited investment in removing sensitive data. As of now, organizations ‘trust’ their employees and don’t consider this a risk, but when this data is exposed or misused, the impact can be highly negative.
Today most enterprises are aggressively investing in data leak prevention (DLP) and enterprise rights management (ERM) software to combat the enemy within. But the truth is that DLP and ERM today are largely limited to pilot projects, chiefly because their high price tags make it hard for enterprises to fully justify the spend. Going forward, this is bound to change as more and more CIOs and CFOs understand that it is better to be safe than sorry as far as enterprise security is concerned. Also, all of the top-tier security companies have DLP products in their portfolios; moreover, many ‘lite’ and ‘express’ versions of DLP are being launched. As a result of these activities, the DLP market will enter the commoditized realm, with better prices as the inevitable result.
Enterprises are also considering full disk encryption deployment. Full disk encryption (FDE) protects against an important scenario: theft or loss of a laptop, disk or data. New regulations like the American Recovery and Reinvestment Act’s healthcare provisions (also known as HITECH) create incentives to encrypt healthcare information on mobile devices. Breach-disclosure laws such as California’s Senate Bill 1386, Massachusetts’ MA 201, and Nevada’s NRS 603A all state that encrypted data is exempt from disclosure obligations. These safe harbor clauses mean that it is often easier for IT organizations to buy and install FDE than to worry about notification processes or negative press exposure. Expectations of data-breach legislation in the European Union should create additional incentives for organizations to embark on FDE.
No conversation about enterprise security is complete without discussing one of the most important facets that is infiltrating enterprises big and small: cloud-based service offerings. While more and more enterprises around the world value the utility that cloud computing brings, they fear the security issues that may accompany it. The fear is only natural, with one or another form of private, public or hybrid cloud offering being used by most enterprises around the world. This could range from web-based interactive applications, applications offered in the cloud, application components available on cloud and multiple software platform components to virtual infrastructure and physical infrastructure; the more gateways that are available, the greater the chances of security breaches. According to Forrester, approximately 70% of enterprises on both continents (North America and Europe) say they are “concerned” or “extremely concerned” about how to protect data stored. Concerns about cloud services are security, privacy and compliance, including legal implications of intellectual property (IP) of the data on the cloud.
Though with at least a grain of skepticism, organizations around the world are considering cloud-based offerings, essentially because they make much economic sense. In other words, cloud offerings help change computing economics by facilitating shared, multitenant use of computing resources, optimize expense and capital outlays for computing power by allowing enterprises to pay only for what they use, and create business flexibility by allowing rapid provisioning and deprovisioning of computing resources.
The responsibility of pragmatically addressing the range of security concerns of an enterprise rests with both the service provider and the enterprise, but more so with the service provider, because the enterprise expects the service provider to give a solution that not only solves the problem at hand but is also secure in every sense of the word. It is the responsibility of the service provider, along with an expert testing vendor, to identify loopholes, if any, and have them fixed before the solution is cut into production for its customer. Today most enterprises also work directly with testing specialists to ensure the products supplied by their service providers make the security cut, be it for web-based interactive applications; applications offered in the cloud; application components available on cloud; multiple software platform components; or virtual and physical infrastructure.