Data Centric Security

Analytics Brief: 5 Key Steps To Cybersecurity

Technologies like DLP, crypto, and strong access controls help lock down data.
By Richard Dreger
InformationWeek
December 5, 2009 12:00 AM (From the December 7, 2009 issue)

In our recent InformationWeek Analytics Government IT Priorities survey of federal technology decision makers, cybersecurity was the No. 1 IT initiative within respondents' organizations in terms of importance and leadership focus. For most, cybersecurity means dealing with the Federal Information Security Management Act and its 17 control areas.
The upside to FISMA is that agencies have a consistent and broadly applicable standard for how information security should be applied. The downside is that the true goal of securing sensitive information and preserving core mission processing sometimes gets lost in a maze of requirements. /p>

Here's a summary of our five-step, data-centric plan to ensure you don't lose sight of your end goal. Download the full report free for a limited time.

1. Master controls are out--think data-centric instead
A defense-in-depth architecture relies on a series of integrated, overlapping controls that work together seamlessly to form a strong, homogeneous whole. This approach moves away from using a single master control or appliance that can "do everything" and promotes a distributed and tailored security posture.

2. Embrace data encryption
Whenever sensitive file stores can be copied, the protections afforded by strong physical controls are muted. But if a laptop is secured using an approved whole-disk encryption system, or even if the data resides in separate encrypted "canisters" on the drive, additional authentication credentials are required before accessing the data.

3. Implement strong authentication controls
Authentication involves that most subjective of concepts: attempting to prove that you are indeed who you're asserting yourself to be. Once users have established their identities, role-based access controls can then be applied to limit their actions to only those authorized for a given job.

4. Use data loss prevention to "watch the watchers"
At a gut level, think of data loss prevention technology as an information-vetting system that reviews data content with an eye toward possible threats or policy violations. If a potential problem is found, appropriate actions can be taken to stop the data flow before it leaves the trusted perimeter.

5. Layer on data integrity controls
When systems and applications start breaking or acting in unusual ways, right away we ask, "What changed?" A seemingly simple question, but one that can be very difficult to answer conclusively. Think of data integrity controls as helping to ensure that information, system settings, and file configurations are as you expect them to be--that is, highly secure.


Richard Dreger is president of WaveGard, a vendor-neutral consultancy.