Information Breach: The Threat Is Internal

Author: Rajesh Parthasarathy
Founder, MENTIS Software
Many define sensitive information as personal or corporate data like social security numbers or credit card numbers or sales figures. But sensitive information is any data asset that you have a fiduciary responsibility to protect, and there is a gamut of them - from personal information, corporate information, customer and vendor information, to intellectual property. All of this is stored in enterprise-wide relational databases and applications.

Applications and databases were architected in a more carefree, less security-conscious era. They simply aren't built to protect data. In fact, they are built to make access to data easier. But the real issue is that it’s extremely difficult to know where all of the sensitive information actually is located within those databases and applications.

When these databases and applications were designed, organizations wanted to share information, both internally and externally. This resulted in deployment of enterprise-wide relational databases with complex data models and architectures. The vendors don’t document the locations of sensitive information – primarily because they don’t know what data is sensitive for a given organization.

Since you cannot secure data if you don’t know where it is, you have to locate all of the places that the database or application has designated for storage and map them to your application security and other access controls. But this process has an Achilles’ heel, and it is where the risk of data exposure becomes acute: the undocumented locations of sensitive information, which no designated-storage map will ever cover.

For a very long time, information was put into databases and applications without worrying about exposure. For example, at one of our client sites, we found all the employees’ social security numbers in a table where the payroll clerk had copied them in order to simplify the check writing process. This was not just a few numbers; it was thousands of them in an undocumented, unknown, and totally unexpected location. Another example is a developer who created a payables report that included vendor tax codes and addresses - a breach of several privacy acts.

Most of us do not even realize that we have a problem or do not understand the magnitude of it. One of our customers was expecting to find social security numbers in 17 places – but ran our discovery process and found upwards of 100 locations. What surprised them was not just the number of locations but how much of it was systemic – based on how their application and database logic was written.

So ‘discovery’ is important not only for finding locations, but for understanding how and why the data gets propagated. One has to know one’s risks. There are many reasons why information gets exposed, and discovering all sensitive information locations is extremely critical. Confirming and documenting all locations helps organizations understand what they need to do to fully protect their data. In fact, we felt this discovery to be so critical that we built it into MENTIS Framework, the engine that runs our solutions and the foundation for our platform suite. It is important to regularly discover sensitive information as your applications and databases change, to maintain full awareness of where your information is going and why. Only then can you fully protect it.
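The discovery step described above can be illustrated with a small scanner. The following is an added example, not MENTIS code and not the process the author describes: it walks every column of every table in a database, pattern-matches cell values for social security numbers and payment card numbers (with a Luhn check to cut false positives), and then compares what it found against the organization’s documented inventory, so that copies like the payroll clerk’s table surface as undocumented locations. The schema, rows and the `DOCUMENTED` inventory are all constructed sample data; SQLite is used only so the example runs offline, and against a production RDBMS you would walk its catalog views instead.

```python
import re
import sqlite3

# Constructed sample database: every table, row and value below is made up
# for this example. payroll_copy.note models an undocumented copy of SSNs.
SAMPLE_SQL = """
CREATE TABLE employees (id INTEGER, name TEXT, ssn TEXT);
CREATE TABLE payroll_copy (emp_name TEXT, note TEXT);
CREATE TABLE vendors (id INTEGER, company TEXT, card_on_file TEXT);
CREATE TABLE tickets (id INTEGER, summary TEXT);
INSERT INTO employees VALUES (1, 'Ann', '123-45-6789');
INSERT INTO employees VALUES (2, 'Bob', '987-65-4321');
INSERT INTO payroll_copy VALUES ('Ann', 'tax id 123-45-6789');
INSERT INTO payroll_copy VALUES ('Bob', 'tax id 987-65-4321');
INSERT INTO vendors VALUES (10, 'Acme', '4111111111111111');
INSERT INTO tickets VALUES (1, 'printer broken');
"""

# Hypothetical inventory: the (table, column) pairs the organization
# believes hold SSNs. Anything the scan finds outside this set is undocumented.
DOCUMENTED = {("employees", "ssn")}

PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),   # US SSN, dashed form
    "pan": re.compile(r"\b\d{13,19}\b"),           # candidate card number
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters random digit runs out of the card-number matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(value) -> set:
    """Return the set of sensitive-data classes present in one cell value."""
    found = set()
    if value is None:
        return found
    text = str(value)
    if PATTERNS["ssn"].search(text):
        found.add("ssn")
    for m in PATTERNS["pan"].finditer(text):
        if luhn_ok(m.group()):
            found.add("pan")
    return found


def discover(conn: sqlite3.Connection, sample_rows: int = 1000) -> dict:
    """Scan every column of every user table; map (table, column) -> classes found.

    Column names are not trusted as a signal: a column called 'note' can hold
    SSNs just as easily as one called 'ssn', which is the whole point of discovery.
    """
    hits = {}
    cur = conn.cursor()
    tables = [r[0] for r in cur.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cols = [r[1] for r in cur.execute(f'PRAGMA table_info("{table}")')]
        for col in cols:
            classes = set()
            for (val,) in cur.execute(
                    f'SELECT "{col}" FROM "{table}" LIMIT ?', (sample_rows,)):
                classes |= classify(val)
            if classes:
                hits[(table, col)] = classes
    return hits


def undocumented(hits: dict, documented: set, data_class: str) -> list:
    """Locations holding data_class that the inventory does not know about."""
    return sorted(loc for loc, cls in hits.items()
                  if data_class in cls and loc not in documented)


def build_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SQL)
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    found = discover(db)
    for loc, cls in sorted(found.items()):
        print(f"{loc[0]}.{loc[1]}: {', '.join(sorted(cls))}")
    print("undocumented SSN locations:", undocumented(found, DOCUMENTED, "ssn"))
```

Run against the sample data, the scan reports `employees.ssn` and `payroll_copy.note` as SSN locations and `vendors.card_on_file` as a card-number location, and flags `payroll_copy.note` as the one undocumented SSN location. Re-running the same scan after each schema or application change is what keeps the inventory honest.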

A common perception is that external attacks are the biggest threat; but according to the FBI security survey, more than 70 percent of breaches are internal.

One needs to understand what a breach is. It can be as benign as a developer unknowingly extracting confidential information while creating a new report. Regardless of intent, that developer has already breached a number of laws.

Data breaches are a constant occurrence. In fact, since 1 January this year, over 100 breaches have been made public in the United States alone. These breaches range from those affecting a few records to the exposure of over 3 million records.

For a company, the cost of these breaches could be astronomical. Penalties by state governments are increasing, but the costs of credit monitoring services and lawsuits are extremely high. A breach can cost anywhere from $45 to $300 per record. The average cost of a breach in the US is $6.75 million. And that doesn’t even include the intangible costs — lost business, cancelled contracts, and so on. More than one company has actually had to fold due to this. In fact, the average customer attrition due to these reasons is 32 percent. Stockholder value is hit accordingly.

Our sensitive information management platform provides a comprehensive suite of tools to identify, protect, and manage sensitive information in production and non-production databases and applications. We automate the discovery process for specific applications and databases and have pre-built controls for auditing, masking, monitoring, and reporting for rapid deployment in multiple environments. It’s our approach – we have a comprehensive platform for sensitive information management. We don’t provide just a piece of the puzzle. The MENTIS solution is an integrated suite that includes discovery, masking, monitoring, and intrusion prevention – all the products to help customers protect their information throughout its life in their organizations. We designed them to be modular and scalable. Companies can start out with one or two products and can add products to protect more databases and applications as their needs change, as legislation changes, and as their company grows.