Taking Defense Down to the Data

Computerworld - As an organization that is mandated by law to comply with data privacy and security regulations, The Henssler Financial Group has implemented all of the usual technologies, such as firewalls and intrusion-detection systems, to protect its perimeters and networks.

About two years ago, the Marietta, Ga.-based company decided to augment its security measures by deploying a data-auditing tool from Acton, Mass.-based Lumigent Technologies Inc. behind its firewalls.

Lumigent's Entegra product allows Henssler to monitor data access, changes and views, and modifications to its SQL Server database structure.

The tool is crucial to ensuring the integrity of the company's stored content, says Chief Technology Officer Tim O'Pry.

"As a financial services company, if someone does something they are not supposed to, we need to know that," O'Pry says. An auditing tool such as Entegra allows Henssler to detect all database-related activity "regardless of what someone might do" to conceal that, he says.

Increasing concerns over data loss and compromise are pushing companies such as Henssler to consider measures for securing hitherto unprotected data lying in storage networks and databases. The trend marks a shift from the traditional approach of deploying purely network- and perimeter-oriented defenses.

Driving the trend are privacy regulations that require companies to demonstrate due diligence when it comes to protecting data, such as the Health Insurance Portability and Accountability Act (HIPAA) and California's SB 1386 database-breach notification law.

A less-stated yet equally important reason for the increased focus on data protection is that traditional network perimeters have begun to fade away. As companies use the Internet to link up with partners, suppliers and customers, the notion of a clearly definable network edge has fallen by the wayside. The trend is prompting greater scrutiny of technologies for protecting stored data.

Image Credit: Gina Triplett

"There are massive piles of sensitive data in storage networks and databases that have gone largely unprotected," says Richard Moulds, a director at nCipher Corp., a vendor of encryption products in Cambridge, England.

Companies have myriad ways to try to protect such data, including measures for access control, activity monitoring and auditing, as well as encryption of sensitive information, says Richard Mogull, an analyst at Stamford, Conn.-based Gartner Inc.

Prat Moghe, president of Tizor Systems Inc., agrees. "In terms of security technologies, there are many different approaches to this problem," says Moghe, whose Maynard, Mass.-based start-up offers a data-access auditing tool similar to Lumigent's.