RSA: Companies pushed to bolster internal security efforts

Computerworld - SAN JOSE -- After spending years implementing controls to protect their network perimeters from external threats, companies are under growing pressure to do the same thing to guard against internal ones as well, security professionals at last week's RSA conference here said.
Driving the trend are concerns about accidental data leaks and theft resulting from internal lapses at a time when companies are increasingly opening their networks and data to business partners, suppliers and customers. Also playing a role are regulations that require companies to exercise greater control over the data they handle.

"Even up to last year, there was a huge focus on strengthening the perimeter to make sure the hacker from outside didn't get in," said Stuart McIrvine, director of corporate security strategy at IBM. "Everyone was concerned about malware penetrating the perimeter."
More recently, though, "there's been a big shift in focus to what's going on inside the enterprise," he said.

Increasingly, companies need to look at their internal processes and data flows to see what controls should be put in place to ensure good information security, said Gene Fredriksen, chief information security officer at Raymond James Financial Inc., a St. Petersburg, Fla.-based financial services company that manages close to $28 billion in assets.

"Traditional information security has been very good at protecting structured data," he said. But now there's a whole other class of unstructured data in spreadsheets, Web forms and other formats that are just as critical to business operations but have little of the formal rules that protected structured data, he said.

As a result, "a lot of the compensating and reactive controls that I used to have are no longer effective," Fredriksen said.

As part of its efforts to bolster internal controls, Raymond James is considering a product from San Francisco-based Vontu Inc. to monitor and prevent confidential data from leaving its networks, according to Fredriksen.

The need for better internal security is pushing companies to look for new tools to help them monitor network traffic, databases and applications in real time, said Murray Mazer, vice president of corporate development at Lumigent Technologies Inc., a vendor of database monitoring products in Acton, Mass. Lumigent has seen a growing demand for its products from corporations that want to use it to detect and prevent database tampering, Mazer said.

So far, the company has sold its products, which can cost "up to the high six figures," to more than 400 companies, many of them large ones, Mazer said.

There's also growing interest in better authentication and access management products, content filtering, document management and digital rights managements tools, according to security professionals at the conference.

For its part, IBM has been focusing on delivering products that allow companies to better control what employees "can and cannot do in an enterprise," McIrvine said. One example: The company has been refining the role-based access management capabilities of its Tivoli suite of identity management products. IBM also recently developed a product that works with Tivoli to help companies spot, audit and report unusual user behavior within an enterprise network, McIrvine said.

"Governance and disclosure requirements are forcing companies to think differently about their responsibility for data," Mazer said. In the past, companies could quietly fix a breach and not disclose it to anyone, he said. "But that is simply not acceptable anymore. People are being held more accountable for the data" they handle, Mazer said.