Information Governance and Data Security
Analyst Coverage: Fran Howarth
Information is the lifeblood of any organisation, whether that be sensitive intellectual property and trade secrets, financial records, or information related to those involved in the business, from employees, to customers and business partners. That information can have enormous value—both to the organisation and to those looking to gain commercial or financial advantage by stealing it, for their own purposes.
It is essential that adequate and appropriate security controls are applied to all information and data at all times so that that information is properly governed, including when they are being used, transmitted over networks or at rest in storage. Those controls should tie all actions taken regarding data usage to the identity of the user, as well as other contextual information such as the location from which they are accessed, the device used and the time of day.
Appropriate information governance and data security controls will help to shield an organisation from data loss or corruption that could harm the business, from causing financial loss to reputational damage that can harm the organisation’s competitiveness. Such controls will also provide secured audit trails that will help organisations to achieve their internal corporate governance goals, as well as aiding in compliance with regulations and industry standards, which demands that sensitive data is adequately protected to ensure its integrity and confidentiality.
There are many technologies that can be used to improve data security, including:
- Malware controls: where once a reactive stance to protecting data against viruses and other malware was acceptable, today’s sophisticated and targeted attacks require that a more proactive stance be taken. Among the useful recent technology developments are those of application and configuration control and whitelisting; see here and here.
- Messaging and web security: as the perimeters of organisations are being eroded, real-time communication and collaboration with colleagues, customers and business partners is the order of the day. Yes, that interactivity often involves a great deal of sensitive information being shared, much of it through cloud and web-based applications; see cloud-based security, unifying electronic communications for advanced security and essential email security.
- Endpoint protection: the number of endpoints is proliferating rapidly as mobile devices, in particular, come into ever more widespread use for business. This is being exacerbated by growing demands by users to bring their own devices (BYOD), which means that organisations need to cater to an ever wider range and number of devices, many of which are not under their direct control. Because of this, there is a growing need to invest in technologies for enhancing the security of endpoints and the data that they contain: cloud-delivered endpoint security.
- File-based controls: documents are routinely used to transmit information and to collaborate in an organisation, both with internal and external constituents. They are a favoured threat vector for attackers looking to introduce malware in order to gain a foothold into the organisation since the underlying structure of most of the commonly used formats make it relatively easy to embed exploits into documents and files. Therefore, controls are needed that can inspect the contents and structure of all files and documents to ensure that exploits are sanitised before the document is sent on to the intended recipient.
- Data leakage prevention: DLP controls are essential for ensuring that sensitive or confidential information does not leak out of the organisation, or is not accessed inappropriately as documents are transmitted around the organisation. Such controls should be able to identify information deemed to be sensitive and to redact it so that it cannot be spread.
- Encryption, access controls and authentication, and data protection and privacy controls: all these controls are essential for ensuring that information can only be accessed by those with the appropriate authorisation in order to ensure that data is adequately protected and that privacy is maintained for all individuals. The technology should take into account all mandates in government regulations and industry standards related to this area.
- Data archiving: organisations are facing growing requirements to archive data in a secure, tamperproof manner. Those requirements include the need for users to quickly be able to retrieve information for productivity purposes, as well as data archiving for internal governance purposes, and for meeting regulatory compliance needs, the demands of industry standards and for addressing legal challenges. It is possible to move email archives offsite to the cloud.
- Other useful controls include security analytics (sometimes known as security information and event management or SIEM) tools, log management controls, application security, network security tools, and disaster recovery and business continuity.
Although many information governance and data security tools are purchased by the IT department, such security matters should have executive sponsorship and should be considered in the light of the overall risk management needs of an organisation. Such controls should also be considered to be part and parcel of every user’s interaction with network resources, requiring that users are adequately educated about the risks of data security and what the organisation requires of them for ensuring data security, privacy and confidentiality so that effective information governance and accountability can be achieved.
One the one hand, there has been consolidation in this sector of the security market as larger vendors have acquired specialists to build out their portfolios, including such behemoths as IBM, Cisco and Microsoft. On the other hand, many specialists are seeing success in specific areas, presenting them with many opportunities. As with the larger players, more specialist vendors are broadening out their portfolios and services, such as setting up specialised security labs to research the latest threats seen to data security.
Corporate perimeters continue to be eroded through factors such as increased take-up of mobile technologies and cloud computing, which is leading to changes in the way that data security is delivered and information governance should be handled. More and more vendors are looking to expand their portfolios to cater to these needs, leading to further opportunities for combining cloud and on-premise protection to form a hybrid offering.
The growth in the use of mobile devices, the expansion of cloud and web-based services, and the growing devices such as industrial sensors and smart meters that are being connected to networks is leading to one further trend in technology—that of big data. Harnessing ever-expanding sources of data provides organisations with many advantages, such as the ability to improve operational performance. However, big data also provides many opportunities for improving IT security, such as the ability to mine massive amounts of data to reveal trends and exploits that negatively impact data security. This is a fast growing trend that is quickly gaining momentum.
One particular trend being seen is that increased attention is being paid to document content security, using file-based security controls and endpoint and messaging security mechanisms combined owing to the importance of documents and files for collaboration and information sharing, as well as being a threat vector increasingly favoured by attackers.
The vendor landscape for data security is a mix of large IT and security vendors and smaller specialists. Vendors in this market segment have shown strong levels of innovation recently, with most reporting strong growth and many winning awards. There have been a number of changes in this space recently. A number of vendors, including CloudPassage, LogRhythm and Symplified, have seen recently funding injections. Two vendors—McAfee by Intel and Sensage by KEYW—have been acquired by larger players. Qualys became a public company in 2012. App River expanded into Europe in 2012. Veracode acquired Marvin Mobile Security in 2012.
In terms of information governance, the market is a mix of larger players, including technology behemoths and security specialists, and of startup operations. More players are moving into this space and consolidation is likely.
- GRC realities - what are organisations really doing?
- Driving into the future with connected cars - PKI technology helps assuage the security concerns of increased connectivity
- The Chief Data Officer: getting the basics right
- The importance of a data protection platform for GDPR compliance - unified data protection controls will smooth the path to compliance
- How to raise your organisation’s security maturity level - the need for Security Intelligence and why it should be a board-level concern