Defending the data will be a focus for 2007
Regulations, data breaches heighten need for data-level controls, IT managers say
Computerworld - ORLANDO -- Regulatory requirements and increasing consumer concerns about information security breaches are making data-level security controls a top priority for 2007, according to IT managers at the Computer Security Institute trade show held here this week.
After years of implementing technologies such as firewalls and intrusion-detection systems to keep network perimeters safe, companies now must move similar controls down to the data level, they said.
"The data now matters above everything else," said John Ceraolo, director of information security at JM Family Enterprises Inc., a $9.4 billion auto distribution and financing company based in Deerfield Beach, Fla.
Nonpublic information of all sorts needs to be protected, whether it is at rest or in transit, he said. And that requires an increasing focus on measures such as data classification and encryption, stronger user access and authentication and usage monitoring and auditing, Ceraolo said.
Most of the "blocking and tackling" that was needed to handle network threats has, to a large extent, already been accomplished via technologies such as firewalls and intrusion-detection and -prevention systems, said Mark Burnett, director of IT security and compliance at Gaylord Entertainment Co. in Nashville.
The goal now is to put multilayered defenses around the data as well, he said. "We are layering technology controls to make sure we can identify where the information is passing across our network" and protect it.
"The overall driving force behind our [security] program is reputation management. We have worked hard to build the Gaylord brand," he said. "Any one incident could ruin all that work."
Also driving the focus are regulations that Gaylord is required to comply with, such as the Sarbanes-Oxley Act and the Payment Card Industry (PCI) data security standard, which is mandated by the major credit card companies, he said. "We absolutely recognize the need to protect sensitive information and are working hard to fulfill that obligation," he said.
Ann Garrett, the chief information security officer at the North Carolina state office of information technology in Raleigh, said that a new state law governing the use of personally identifiable information has elevated the need for security controls at the data level. The law went into effect for private industry on Oct. 1 and will apply to state agencies on Oct. 1, 2007.
"We have a strong network firewall, intrusion-detection system and intrusion-prevention system," Garrett said. What's lacking are controls for mitigating user errors at the end point, she said. As a result, there's an increased focus on data encryption -- and on ways to log and audit user transactions. "We have to add accountability and auditability" at the end point, she said.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts