Breaches Push Companies to Improve Internal Safeguards

Security managers shifting their focus to preventing accidental data leaks

SAN JOSE -- After spending years implementing controls designed to protect their network perimeters from external threats, companies are under growing pressure to do the same thing to guard against internal data lapses, according to attendees at RSA Conference 2006 here this month.

Driving the trend are concerns about accidental data leaks or thefts resulting from internal miscues at a time when companies are increasingly opening up their networks to business partners, suppliers and customers -- and when a rash of recent data breaches caused by the mishandling of information has put several businesses in an unwanted spotlight.

Also playing a role are regulations that require companies to exercise greater control over the data they handle, conference attendees said.

"Even up to last year, there was a huge focus on strengthening the perimeter to make sure the hacker from outside didn't get in," said Stuart McIrvine, director of corporate security strategy at IBM. "Everyone was concerned about malware penetrating the perimeter."

More recently, though, "there's been a big shift in focus to what's going on inside the enterprise," McIrvine said.

More Data to Protect

Companies need to look at their internal processes and data flows to see what controls should be put in place to ensure that information is secure, said Gene Fredriksen, chief information security officer at Raymond James Financial Inc., a financial services firm in St. Petersburg, Fla., that manages almost $28 billion in assets.

"Traditional information security has been very good at protecting structured data," Fredriksen said. But now, he added, there's a whole class of unstructured data in spreadsheets, Web forms and other formats that is just as critical to business operations but has few of the formal rules that protect structured data.

As a result, "a lot of the compensating and reactive controls that I used to have are no longer effective," Fredriksen said. As part of its efforts to bolster internal controls, Raymond James is now considering a product from San Francisco-based Vontu Inc. that's designed to monitor confidential data and prevent it from leaving a network.

A New Way of Thinking

The need for better internal security is pushing many companies to look for new tools to help them monitor network traffic, databases and applications in real time, said Murray Mazer, vice president of corporate development at Lumigent Technologies Inc., a vendor of database monitoring products in Acton, Mass.

"Governance and disclosure requirements are forcing companies to think differently about their responsibility for data," Mazer said.

In the past, businesses could quietly fix a breach and not disclose it to anyone, he noted. "But that is simply not acceptable anymore," Mazer said. "People are being held more accountable for the data [they collect]."

There's also growing interest among IT and security managers in stronger tools for authentication and access management, content filtering, document management and digital rights management, according to security professionals at the conference.

IBM has been focusing on delivering products that allow companies to better control what employees "can and cannot do in an enterprise," McIrvine said. One example: The vendor has refined the role-based access management capabilities of the identity management products in its Tivoli software suite.

In addition, IBM recently developed software that works with the Tivoli tools to help companies spot, audit and report unusual behavior within an enterprise network, McIrvine said.

Copyright © 2006 IDG Communications, Inc.
