Information-Centric Approach to Security

Date: Wednesday, August 17, 2011

Most of us who watch action movies where a skilled hacker holds an organization or even a country to ransom will dismiss it as fiction. However, the case of Stuxnet, the first computer worm to affect real-world infrastructure, easily reads like the latest blockbuster. This is the first publicly widespread threat that has shown a possibility of gaining control of industrial systems used in critical infrastructure and placing them in the wrong hands.

Stuxnet confirms that cybercriminals are targeting four key areas of weakness that put enterprise environments at risk: poorly enforced IT policies, poorly protected information, poorly managed systems and poorly protected infrastructure. It also signals a shift in the cyber security landscape – attackers who were earlier motivated by fame or financial gain are today aiming to sabotage real-world systems.

At the same time, Indian enterprises also need to secure themselves against the growing insider threat to data. While malicious insider data breaches by disgruntled employees are increasing, the well-meaning insider threat to data has also grown. Symantec’s State of Enterprise Security Survey 2010 revealed that 54 percent of Indian enterprises feel external attacks are growing, 42 percent feel internal malicious attacks are growing and 52 percent feel internal unintentional instances of data loss are rising. The survey also revealed that 23 percent of Indian enterprises experienced data breaches due to malicious insiders and 31 percent experienced data breaches due to insider negligence. Data loss by well-meaning insiders occurs due to employees accidentally disclosing confidential data, causing internal data spills, trying to undermine security, falling victim to social engineering tactics, or bypassing key company processes.

All these security risks are aggravated by the explosion of mobile devices in the enterprise. According to industry reports, over 80 percent of Fortune 100 companies are using or testing a tablet, an increase from 65 percent three months ago. Symantec’s Enterprise Security Survey 2010 also revealed that 73 percent of Indian enterprises are witnessing a growth in smartphones connecting to the network.

The increasing mobility of the workforce and the resulting heterogeneity of enterprise environments mean information today is more dispersed, and much more difficult to manage and secure. This is aggravated by the fact that the volume of digital information that is being generated is also exploding. Information explosion in enterprises today is particularly in the form of unstructured data – for example, spreadsheets, documents and emails – that does not reside in traditional databases. IDC predicts the growth of unstructured data to continue at over 60 percent per year, and in many organizations it accounts for more than 80 percent of all data. This deluge of unstructured data is much more difficult to manage and secure. An organization’s most valuable information – its intellectual property – is often buried within a growing volume of unstructured documents, many of which are not sensitive. Unstructured data stores are also typically less secure than other data repositories, making them more vulnerable to data loss from both internal and external threats.

Compounded by trends such as cloud computing and virtualization, enterprises today are struggling to manage the mounting volumes of information stored and accessed across multiple devices and locations and facing attack from outside and within.

In fact, today the infrastructure is becoming almost irrelevant – it is people and information that are driving technology. From intellectual property to customer records, data has become critical to the bottom-line. Additionally, as users access confidential data stored on the cloud through a variety of devices, it is becoming more important for enterprises to trust that the applications, users and devices connecting to the network are authentic. Organizations are struggling with multiple point solutions to manage and secure their data and need technology to work together to solve problems.

Apart from the pressing need to secure information, enterprises are also facing regulatory pressures. While compliance, certification and adherence to laws, standards and business practices were earlier a requirement only for a few Indian enterprises that had global operations, the scenario is changing. Security and compliance are starting to be seen as a business investment as regulations are being proposed for Indian enterprises across various sectors. From new regulations by the RBI governing the way technology is used in the financial sector, to directives for telcos from the Intelligence Bureau, global Indian enterprises today need to comply with a mix of local and international regulations. A recent Symantec survey found that Indian enterprises are, on average, exploring 19 standards and frameworks, eight of which they currently comply with.

In such a scenario, businesses need to manage risk proactively, protecting not just the infrastructure that data resides in, but also the information itself. The dynamic nature of threats from a multitude of sources now means organizations have to effectively reduce risk and ensure data is protected at all times, no matter where it is used or stored. Moving forward, enterprises require a security strategy that is risk-based and policy-driven, information-centric and operationalized across a well-managed infrastructure.

This means that enterprises need to:
* Develop and enforce IT policies and automate compliance processes.
* Protect information proactively by taking an information-centric approach. Taking a content-aware approach to protecting information is key in knowing who owns the information, where sensitive information resides, who has access, and how to protect it as it is coming in or leaving your organization. Utilize encryption to secure sensitive information and prohibit access by unauthorized individuals.
* Authenticate identities by leveraging solutions that allow businesses to ensure only authorized personnel have access to systems. Authentication also enables organizations to protect public facing assets by ensuring the true identity of a device, system, or application is authentic. This prevents individuals from accidentally disclosing credentials to an attack site and from attaching unauthorized devices to the infrastructure.
* Manage systems by implementing secure operating environments, distributing and enforcing patch levels, automating processes to streamline efficiency, and monitoring and reporting on system status.
* Protect the infrastructure by securing endpoints, messaging and Web environments. Organizations also need the visibility and security intelligence to respond to threats rapidly.
* Ensure 24x7 availability. Organizations should implement non-disruptive testing methods and can reduce complexity by automating failover.
* Develop an information management strategy that includes an information retention plan and policies. Organizations need to stop using backup for archiving and legal holds, implement deduplication everywhere to free resources, use a full-featured archive system and deploy data loss prevention technologies.

The author is Vice President, India Product Operations, Symantec