Information AND network protection: Finding the right mix

How to secure critical and regulated data when network defenses aren't enough
By Deb Radcliff, Network World, 10/09/2008

For years, with organizations increasingly opening their networks and data centers to external business partners and mobile employees, experts have been claiming that the perimeter is dead. At the very least, perimeters are riddled with enough holes that restricted data from the creamy center is leaking from endpoints and pouring out of databases and file-shares.


This story is part of a special Security Trend Watch issue, in PDF format.


The industry, of course, is still stinging from the most notorious example of this - the TJX Companies case. An ongoing Secret Service investigation resulted in last August's indictments of a ring of 11 attackers that also had been in the transaction-processing systems of six other brand-name retailers - some of them hidden since 2004. As a result, the criminals compromised nearly 45 million credit and debit accounts.

The porous perimeter needs protection from more than the bad guys attempting to make a buck off stolen credit card numbers: It needs protection from the gung-ho employee who, while trying to get some extra work done at home, inadvertently sends restricted material across the Web.

"A typical organization has lots of connections through its firewall - customers, Web services, suppliers, outsourcers," says Steven Bellovin, professor of computer science at Columbia University and co-creator of the Usenet online discussion system. "We haven't been protecting this data effectively enough. And I'm asking the community, 'What should we do differently?'"

Bellovin raises the notion of security at the center to protect against attacks getting to critical data in databases and file-shares. This idea is similar in many ways to The Open Group's Jericho Forum, which advocates assigning priorities to data, focusing on the most critical areas, and applying secure communications and encryption around these classified resources.

Neither Bellovin nor the Jericho Forum is suggesting organizations do away with their edge security. The perimeter, which serves an invaluable role in filtering the "noise" of network-based attacks, can be tuned to serve more data-centric functions. Nor are they claiming to simplify the processes of information protection. If anything, their approaches mean creating more layers, complexities and choices to be made around best-of-breed and point-product integrations.

"The problem is we don't look at data holistically. Consequently, data breaches are all over the news," says Jeff Boles, director of validation services at server and storage consultancy Taneja Group. "The way to get there is to look at a resource being accessed in context of the relationship between who the user is, what the user normally does, and the nature of the data." 

A holistic approach to critical data protection would suggest integrated options for IT pros trying to cross the chasms between data that is structured and unstructured, at rest, in use, and in motion. Unfortunately, the jobs of prioritizing, encrypting, monitoring and controlling the access to and use of sensitive data are anything but integrated. As a result, organizations are taking a variety of approaches to protect their data from flowing out of their organizations, including data loss prevention (DLP), access controls and encryption.


Comments (1)

Cyberoam - UTM Firewall
By Anonymous on October 10, 2008, 6:12 am
If you have a small company and need an all in one solution that I would look at something like unified threat management also known as a UTM. Cyberoam firewall is...
