Keeping Your Company Out of the News
Protecting organizations from data leaks can guard reputations
If ever there was a time when data security and privacy were issues for experts to address in a back room, that time has come and gone. Data security and privacy have moved from the back room to the boardroom to the newsroom and to the front page of newspapers around the world.
When governments or businesses are threatened by high-profile security breaches, what can be done to protect them against increasingly complex and sophisticated attacks? How can these entities guard against leaks by employees or contractors? Consider the following two data points:
- Asked about IT risks posing the greatest threats to corporate reputation in the 2012 IBM Global Reputational Risk and IT study, 61 percent of respondents rated data breaches, data crimes, and cybercrime collectively as the top concern.1
- Asked about the greatest risk to sensitive data in an IBM-sponsored study by the Ponemon Institute, 43 percent of responding senior executives named negligent insiders as their top concern, followed by lost or stolen devices and insecure third parties.2
While security in general is a multiheaded beast that requires a holistic approach, specific data protection issues can be addressed with focused solutions that offer concrete benefits in the near term. The protection of sensitive information from eyes that do not need to see it—whether the eyes reside within the organization, a contractor, or other trusted partner—is a reasonable and achievable objective.
The implementation of data protection is reasonable for obvious reasons. It is achievable because the technology is readily available and because the investment can be easily justified. Two primary factors that can justify a data protection spend are the reduced costs of data breaches and legal defense.3
Ensuring data remains private without impacting applications
Data masking is one focused data protection solution that is readily available today, and it helps keep sensitive data private without reducing performance or otherwise impacting business applications. For example, a health benefits organization in the United States was having trouble keeping up with rapid growth within its heavily regulated industry. The combination of myriad regulations, numerous applications to test, and many very rapid application updates motivated the organization to focus on test data and privacy. Rather than tackle every data security risk at once, the organization looked for a way to keep up with the demand for new applications and application updates while increasing its protection of sensitive data.
Its goal was achievable because current technology makes it possible to mask sensitive data and to use rightsized subsets of data for testing purposes. Masking data is also preferable to using full copies of the production database, which can expose production data to technical staff members who have no need for access to the sensitive information.
Data masking on demand is one of the emerging technologies designed to keep up with the complex threat landscape. Today, data can be masked across platforms and across data sources by using a standard and repeatable process to help ensure data privacy without impacting the stability of applications or performance. An optimal data masking solution includes the following key capabilities:
- Application-aware capabilities help ensure masked data—such as names and street addresses—has the look and feel of the original information.
- Context-aware, prepackaged data masking routines make de-identifying elements such as payment card numbers, social security numbers, and email addresses easy.
- Persistent capabilities can propagate masked replacement values consistently across applications, databases, operating systems, and hardware platforms—including big data environments.
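The three capabilities above can be seen together in a small sketch. This is an added example, not code from the article or from any IBM product: it masks deterministically with a keyed HMAC so the same source value gets the same replacement wherever it appears, keeps separators and Luhn validity for card numbers, and keeps names and email addresses looking realistic. The key, name list, function names, and sample record are constructed assumptions.

```python
import hashlib
import hmac

# Assumption: the masking key is held outside the test environment (constructed value).
MASK_KEY = b"constructed-demo-key"
FIRST_NAMES = ["Alex", "Jordan", "Morgan", "Riley", "Casey", "Taylor", "Quinn", "Avery"]
# Constructed sample record; none of these values belong to a real person.
SAMPLE = {"name": "Jane", "email": "Jane.Doe@corp.example",
          "ssn": "123-45-6789", "card": "4111 1111 1111 1111"}

def _mac(field: str, value: str) -> int:
    """Keyed, deterministic number for (field, value): same input, same mask everywhere."""
    return int(hmac.new(MASK_KEY, f"{field}:{value}".encode(), hashlib.sha256).hexdigest(), 16)

def luhn_check_digit(body: str) -> str:
    """Digit that makes body + digit pass the Luhn test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # positions that are doubled once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str(-total % 10)

def luhn_valid(number: str) -> bool:
    digits = "".join(c for c in number if c.isdigit())
    return luhn_check_digit(digits[:-1]) == digits[-1]

def mask_digits(value: str, field: str, luhn: bool = False) -> str:
    """Replace every digit, keep separators and length; optionally stay Luhn-valid."""
    src = "".join(c for c in value if c.isdigit())  # formatting does not affect the mask
    n = len(src) - 1 if luhn else len(src)
    if n < 1:
        raise ValueError("not enough digits to mask")  # fail closed, never pass data through
    body = str(_mac(field, src)).zfill(n)[-n:]
    new = iter(body + luhn_check_digit(body) if luhn else body)
    return "".join(next(new) if c.isdigit() else c for c in value)

def mask_email(email: str) -> str:
    # example.com is a reserved domain, so masked addresses can never reach a real mailbox.
    return f"user{_mac('email', email.strip().lower()) % 10**8:08d}@example.com"

def mask_name(name: str) -> str:
    return FIRST_NAMES[_mac("name", name.strip().lower()) % len(FIRST_NAMES)]

def mask_record(rec: dict) -> dict:
    return {"name": mask_name(rec["name"]), "email": mask_email(rec["email"]),
            "ssn": mask_digits(rec["ssn"], "ssn"),
            "card": mask_digits(rec["card"], "card", luhn=True)}
```

Because the replacement depends only on the key and the normalized source value, two systems that store the same card number with different separators still end up with matching masked values.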
Paying attention to patterns
Recognizing a change in data access patterns that could signal a breach is another aspect of data protection that is achievable with today’s technology. For example, consider a major global banking institution that needs to secure enterprise data and preserve data integrity across multiple business units including its retail, corporate, investment, and mortgage divisions. The organization needs to pass audits for multiple regulations including the Payment Card Industry Data Security Standard (PCI DSS) and the Sarbanes-Oxley Act.
The bank decided to focus on monitoring activity to protect against both internal and external threats and avoid front-page news about its data leaks. What began as a single project quickly evolved to become part of the standard bank infrastructure for data protection. And something else important happened: awareness of the importance of data security increased—changing the culture within the organization—with potential long-term benefits.
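A minimal sketch of what recognizing a change in data access patterns can mean in practice, as an added example that is not from the article and not the logic of any particular monitoring product. It learns per-user, per-table daily row volumes from a window of audit records and flags unknown users, tables a user has never touched, and volume spikes. The record layout, account names, table names, and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit records: (day, db_user, table, rows_returned)
BASELINE = [
    (1, "app_billing", "invoices", 120), (1, "app_billing", "customers", 80),
    (2, "app_billing", "invoices", 135), (2, "app_billing", "customers", 90),
    (3, "app_billing", "invoices", 110), (3, "app_billing", "customers", 85),
    (1, "dba_ops", "audit_log", 40), (2, "dba_ops", "audit_log", 55),
    (3, "dba_ops", "audit_log", 45),
]
TODAY = [
    (4, "app_billing", "invoices", 128),      # within the normal range
    (4, "app_billing", "customers", 48000),   # volume spike
    (4, "dba_ops", "card_numbers", 10),       # table this user never touched before
    (4, "svc_new", "invoices", 5),            # user with no history at all
]


def build_baseline(records):
    """Per (user, table): daily row totals observed during the learning window."""
    daily = defaultdict(lambda: defaultdict(int))
    for day, user, table, rows in records:
        daily[(user, table)][day] += rows
    return {key: list(days.values()) for key, days in daily.items()}


def find_deviations(baseline, records, sigmas=3.0, min_ratio=2.0):
    """Compare one day of activity with the baseline and return (user, table, reason)."""
    known_users = {user for user, _ in baseline}
    totals = defaultdict(int)
    for _, user, table, rows in records:
        totals[(user, table)] += rows
    alerts = []
    for (user, table), rows in sorted(totals.items()):
        history = baseline.get((user, table))
        if user not in known_users:
            alerts.append((user, table, "unknown_user"))
        elif history is None:
            alerts.append((user, table, "new_object"))
        else:
            mu, sd = mean(history), pstdev(history)
            # Require a statistical and a relative jump, so a flat history
            # does not alert on a handful of extra rows.
            if rows > mu + sigmas * sd and rows > min_ratio * mu:
                alerts.append((user, table, "volume_spike"))
    return alerts
```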
Masking data to minimize security risks
The IBM® InfoSphere® portfolio of security and privacy offerings helps protect sensitive data, reduce the risk of data breaches, and deliver other important benefits. For example, the health benefits company challenged by growth in a heavily regulated industry deployed IBM InfoSphere Optim® software and achieved compliance in its test environments by using data masking. It was also able to help significantly reduce the time to develop a new application.
The bank that wanted to monitor data activity and receive alerts when data access patterns deviated from baseline activity deployed IBM InfoSphere Guardium® Data Activity Monitor software, helping reduce both security and storage costs while protecting data from internal and external threats. The bank reduced security costs by US$20 million and also saved US$1.5 million per year in storage costs. The banking institution was able to achieve these cost benefits because it no longer needed to rely on native audit trails for monitoring data-related activity.
Linking security to the data
Once sensitive data has been exposed, there is no turning back. Tying security to the data itself can be an optimal way to identify potential problems before they occur and help ensure adequate protection consistently over time.
What keeps you up at night when it comes to protecting sensitive data? How do you handle the stress of audits? What regulations give you the biggest headaches?
Let us hear from you so we can explore ways to turn anxiety into a solution that offers a competitive advantage. Share your thoughts in the comments.
Kimberly Madia assisted with the development of this column.
1 “Reputational Risk and IT,” IBM Global Technology Services research report, September 2012.
2,3 “The Business Case for Data Protection: What Senior Executives Think About Data Protection,” Ponemon Institute, February 2012.