
Information AND network protection: Finding the right mix

How to secure critical and regulated data when network defenses aren't enough

By Deb Radcliff, Network World
October 09, 2008 12:00 AM ET

Page 2 of 4

Gooey center

To get started, organizations need to know which data needs protection, and how to locate it - the cornerstone of the Bellovin and Jericho models.

Too many organizations, however, don't know what and where that data is, says Derek Brink, vice president and research fellow at Aberdeen Group. In an Aberdeen survey of 120 IT security professionals released in May, 50% of the best-in-class respondents had discovered and classified their critical information.

"You don't want to spend the same money protecting e-mail to the family about Sunday's barbecue as you do [protecting] your financial data," Brink says. "You only want to protect the resources that matter. But classifying those resources is the real challenge."

San Diego's Sharp HealthCare, with 16,000 employees at seven hospitals and two medical groups, is one enterprise well on the way. It uses a variety of manual and automated processes to understand and manage its critical data, says Starla Rivers, technical security architect.

Sharp uses Symantec's Vontu Data Loss Prevention product suite to discover critical unstructured data, such as health identification-card and Social Security numbers. Vontu does this by fingerprinting that data in a few key databases in which Health Insurance Portability and Accountability Act-specified, financial and other regulated data is processed. Then it looks for instances of that data outside the database on file shares and endpoints.

In keeping with the Bellovin and Jericho theories, DLP tools are best used when they monitor for the least number of data types necessary, say DLP vendors. So, Vontu doesn't need to tag every type of data in a critical database for its initial scan. People generally tag the top five or six data types requiring protection. Like Sharp, most organizations start by classifying and protecting their regulated customer and reputational data, according to Aberdeen survey findings.
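The fingerprint-then-scan workflow described above, as an added example that is not Symantec/Vontu code and makes no claim about that product's internals: exact values for a handful of regulated fields are taken from a small authoritative record set, reduced to keyed hashes, and then candidate tokens found in unstructured text are hashed the same way and looked up. The records, the file-share contents and the key are constructed sample data; the field names and patterns are assumptions for illustration. Note how the barbecue file, which contains a token shaped like an SSN, produces no hit, because only values that exist in the database of record are fingerprinted.

```python
"""Fingerprint-based sensitive-data discovery (added example, not vendor code).

Only the few regulated data types worth protecting are fingerprinted, as the
article recommends; everything else on the share is ignored.
"""
import hashlib
import hmac
import re
from typing import Dict, List, Tuple

# Constructed "database of record" holding the two fields we care about.
RECORDS = [
    {"ssn": "123-45-6789", "member_id": "HIC-0001-AB"},
    {"ssn": "987-65-4321", "member_id": "HIC-0002-CD"},
]

# Candidate extraction: tokens shaped like the fingerprinted fields (assumed formats).
CANDIDATE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}[\s-]?\d{2}[\s-]?\d{4}\b"),
    "member_id": re.compile(r"\bHIC[\s-]?\d{4}[\s-]?[A-Z]{2}\b", re.IGNORECASE),
}

# Constructed stand-in for a network file share: path -> file contents.
SAMPLE_SHARE = {
    "//fs01/hr/onboarding.txt": "New hire SSN 123 45 6789, badge issued.",
    "//fs01/claims/batch.csv": "hic-0002-cd,2008-10-01,approved",
    "//fs01/public/barbecue.txt": "Sunday BBQ at noon. Call 555-12-3456 for directions.",
}


def normalize(value: str) -> str:
    """Collapse formatting so '123-45-6789', '123456789' and '123 45 6789' agree."""
    return re.sub(r"[\s\-]", "", value).upper()


def fingerprint(value: str, key: bytes) -> str:
    """Keyed hash: the fingerprint index can be shipped to scanners without
    exposing the underlying values."""
    return hmac.new(key, normalize(value).encode(), hashlib.sha256).hexdigest()


def build_index(records: List[Dict[str, str]], fields: List[str], key: bytes) -> Dict[str, Tuple[str, int]]:
    """Map fingerprint -> (field name, record position) for reporting."""
    index: Dict[str, Tuple[str, int]] = {}
    for pos, rec in enumerate(records):
        for field in fields:
            index[fingerprint(rec[field], key)] = (field, pos)
    return index


def scan_text(text: str, index: Dict[str, Tuple[str, int]], key: bytes) -> List[Tuple[str, str]]:
    """Return (field, matched_text) for every token whose fingerprint is indexed.
    Tokens that merely look like an SSN but are not in the record set are dropped."""
    hits: List[Tuple[str, str]] = []
    for field, pattern in CANDIDATE_PATTERNS.items():
        for m in pattern.finditer(text):
            info = index.get(fingerprint(m.group(0), key))
            if info is not None and info[0] == field:
                hits.append((field, m.group(0)))
    return hits


def scan_share(files: Dict[str, str], index: Dict[str, Tuple[str, int]], key: bytes) -> Dict[str, List[Tuple[str, str]]]:
    """Scan each file on the share; report only files that contain indexed data."""
    report: Dict[str, List[Tuple[str, str]]] = {}
    for path, text in files.items():
        hits = scan_text(text, index, key)
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # constructed; a real deployment manages this secret
    idx = build_index(RECORDS, ["ssn", "member_id"], demo_key)
    for path, found in scan_share(SAMPLE_SHARE, idx, demo_key).items():
        print(path, found)
```

The list a scanner like this produces is exactly what the article's later step needs: a per-folder inventory of which regulated values were found where, which the data owner can then review.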

Vontu discovers sensitive data on network file shares, tracks data movement at the endpoints and enforces group policy around that data. Sharp needed a second product, however: Varonis Systems' Varonis DatAdvantage, for governance and auditing.

"Group A may have 120 people, and I want to assist the department's data owner in determining the appropriateness of the individual, not just the group, with access to the folders containing sensitive data. That means determining who is accessing the folder, how often, and whether or not he should have those privileges," Rivers notes. "Our challenge now is tightening these permissions. Right now we're using Varonis to assist us in that."

Once the Vontu agent determines that a folder contains sensitive data, Rivers provides the file list to the managers accountable for that data. In turn, these managers are responsible for determining whether the folders and the files contain the minimal amount of information necessary to conduct the business function. They are expected to think in terms of records, fields, people and time, she says.
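The access-review questions Rivers raises (who is accessing a sensitive folder, how often, and whether each individual rather than the group should hold the privilege) can be answered from three inputs: the folders a DLP scan flagged, the share ACLs with their group memberships, and a file-access audit log. The following is an added example, not Varonis DatAdvantage code and not a description of Sharp's configuration; the groups, ACLs, audit events and review window are constructed sample data. For each sensitive folder it lists the entitled users, their access counts inside the review window, entitled users who never used the access (candidates the data owner may revoke), and any user who accessed the folder without appearing in the group-based entitlement (a permission outside the model that needs explaining).

```python
"""Folder access review for DLP-flagged folders (added example, not vendor code)."""
from collections import Counter
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Folders the DLP discovery step reported as holding regulated data (constructed).
SENSITIVE_FOLDERS = {"//fs01/hr/payroll", "//fs01/claims/2008"}

# Constructed group membership, standing in for a directory service.
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "GroupA": {"alice", "bob", "carol", "dave"},
    "Claims": {"erin", "frank"},
}

# Constructed share ACLs: folder -> groups granted access.
FOLDER_ACL: Dict[str, Set[str]] = {
    "//fs01/hr/payroll": {"GroupA"},
    "//fs01/claims/2008": {"GroupA", "Claims"},
    "//fs01/public": {"GroupA", "Claims"},
}

# Constructed file-access audit events: (ISO timestamp, user, folder).
AUDIT_LOG: List[Tuple[str, str, str]] = [
    ("2008-09-02T09:14:00", "alice", "//fs01/hr/payroll"),
    ("2008-09-03T09:20:00", "alice", "//fs01/hr/payroll"),
    ("2008-09-15T11:02:00", "bob", "//fs01/hr/payroll"),
    ("2008-09-15T11:05:00", "bob", "//fs01/public"),
    ("2008-06-01T08:00:00", "carol", "//fs01/hr/payroll"),   # before the review window
    ("2008-09-20T16:40:00", "erin", "//fs01/claims/2008"),
    ("2008-09-21T10:00:00", "mallory", "//fs01/claims/2008"),  # not in any entitled group
]

REVIEW_START = "2008-09-01T00:00:00"
REVIEW_END = "2008-09-30T23:59:59"


def entitled_users(folder: str) -> Set[str]:
    """Expand the folder's group grants into the set of individual users."""
    users: Set[str] = set()
    for group in FOLDER_ACL.get(folder, set()):
        users |= GROUP_MEMBERS.get(group, set())
    return users


def review_folder(folder: str, log: List[Tuple[str, str, str]],
                  window_start: str, window_end: str) -> Dict[str, object]:
    """Compare entitlement with observed use for one folder inside the window."""
    start = datetime.fromisoformat(window_start)
    end = datetime.fromisoformat(window_end)
    entitled = entitled_users(folder)
    counts: Counter = Counter()
    for ts, user, f in log:
        if f == folder and start <= datetime.fromisoformat(ts) <= end:
            counts[user] += 1
    active = set(counts)
    return {
        "entitled": sorted(entitled),
        "access_counts": dict(counts),
        # Entitled but idle: the data owner decides whether to keep the grant.
        "unused_entitlements": sorted(entitled - active),
        # Accessed without a group grant: a permission outside the model.
        "unentitled_access": sorted(active - entitled),
    }


def run_review(log: List[Tuple[str, str, str]] = AUDIT_LOG,
               window_start: str = REVIEW_START,
               window_end: str = REVIEW_END) -> Dict[str, Dict[str, object]]:
    """Produce the per-folder report a data owner would receive."""
    return {f: review_folder(f, log, window_start, window_end)
            for f in sorted(SENSITIVE_FOLDERS)}


if __name__ == "__main__":
    for folder, findings in run_review().items():
        print(folder)
        for k, v in findings.items():
            print(f"  {k}: {v}")
```

Carol's access in June falls outside the window and so counts as unused, which is the intended behaviour: the review asks whether the privilege is still needed now, which is why Rivers frames the question in terms of people and time.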
