Information Breach: the Threat is Internal
Date: Tuesday, June 01, 2010
Many define sensitive information as personal or corporate data like social security numbers or credit card numbers or sales figures. But sensitive information is any data asset that you have a fiduciary responsibility to protect, and there is a gamut of them - from personal information, corporate information, customer and vendor information, to intellectual property. All of this is stored in enterprise-wide relational databases and applications.
Applications and databases were architected in a more carefree, less security-conscious era. They simply aren't built to protect data. In fact, they are built to make access to data easier. But the real issue is that it’s extremely difficult to know where all of the sensitive information actually is located within those databases and applications.
When these databases and applications were designed, organizations wanted to share information, both internally and externally. This resulted in deployment of enterprise-wide relational databases with complex data models and architectures. The vendors don’t document the locations of sensitive information – primarily because they don’t know what data is sensitive for a given organization.
Since you cannot secure data if you don’t know where it is, you have to locate all of the places that the database or application has designated for storage and map them to your application security and other access controls. But this process has an Achilles’ heel, and it is where the risk of data exposure becomes acute: undocumented locations of sensitive information.
For a very long time, information was put into databases and applications without worrying about exposure. For example, at one of our client sites, we found all the employees’ social security numbers in a table where the payroll clerk had copied them in order to simplify the check writing process. This was not just a few numbers; it was thousands of them in an undocumented, unknown, and totally unexpected location. Another example is a developer who created a payables report that included vendor tax codes and addresses - a breach of several privacy acts.
Most of us do not even realize that we have a problem or do not understand the magnitude of it. One of our customers was expecting to find social security numbers in 17 places – but ran our discovery process and found upwards of 100 locations. What surprised them was not just the number of locations but how much of it was systemic – based on how their application and database logic was written.
So ‘discovery’ is important not only for locations, but to understand how and why the data gets propagated. One has to know one’s risks. There are many reasons why information gets exposed, and discovering all sensitive information locations is extremely critical. Confirming and documenting all locations helps organizations understand what they need to fully protect their data. In fact, we felt this discovery to be so critical that we built it into MENTIS Framework, the engine that runs our solutions and the foundation for our platform suite. It is important to regularly discover sensitive information as your applications and databases change, to maintain full awareness of where your information is going and why. Only then can you fully protect it.
A common perception is that external attacks are the biggest threat; but according to the FBI security survey, more than 70 percent of breaches are internal.
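One way to carry out such a discovery scan, as an added example that is not MENTIS's own code: it builds a constructed SQLite database with a documented employee table, a clerk's undocumented copy of the numbers, and a developer's vendor report, then scans every column's values for SSN-shaped data (a heuristic regex on format, since SSNs carry no checksum) so that tables whose names say nothing about SSNs are still found. The table names, column names and values are all constructed for illustration.

```python
import re
import sqlite3

# Heuristic SSN shape: AAA-GG-SSSS with optional hyphens; area 000, 666 and
# 900-999 and group 00 / serial 0000 are never issued, so they are excluded.
SSN_RE = re.compile(r"^(?!000|666|9\d\d)\d{3}-?(?!00)\d{2}-?(?!0000)\d{4}$")


def build_sample_db():
    """Constructed sample: one documented SSN column plus an undocumented copy."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE employee (id INTEGER, name TEXT, ssn TEXT);
        CREATE TABLE check_run_tmp (emp_name TEXT, note TEXT);  -- clerk's copy
        CREATE TABLE vendor_report (vendor TEXT, tax_code TEXT, addr TEXT);
        INSERT INTO employee VALUES (1, 'A. Smith', '123-45-6789'),
                                    (2, 'B. Jones', '321-54-9876');
        INSERT INTO check_run_tmp VALUES ('A. Smith', '123456789'),
                                         ('B. Jones', '321549876');
        INSERT INTO vendor_report VALUES ('Acme', '12-3456789', '1 Main St');
    """)
    return con


def looks_like_ssn(value):
    return isinstance(value, str) and SSN_RE.match(value.strip()) is not None


def discover_ssn_locations(con, sample_rows=1000, min_hit_ratio=0.5):
    """Scan every column of every table by content, not by column name.
    Returns (table, column, hits, rows_sampled) for columns that are
    mostly SSN-shaped, so undocumented copies are caught too."""
    cur = con.cursor()
    tables = [r[0] for r in cur.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    findings = []
    for table in tables:
        cols = [r[1] for r in cur.execute(f'PRAGMA table_info("{table}")')]
        for col in cols:
            rows = cur.execute(
                f'SELECT "{col}" FROM "{table}" WHERE "{col}" IS NOT NULL LIMIT ?',
                (sample_rows,)).fetchall()
            if not rows:
                continue
            hits = sum(looks_like_ssn(r[0]) for r in rows)
            if hits / len(rows) >= min_hit_ratio:
                findings.append((table, col, hits, len(rows)))
    return findings


if __name__ == "__main__":
    for table, col, hits, n in discover_ssn_locations(build_sample_db()):
        print(f"{table}.{col}: {hits}/{n} sampled values look like SSNs")
```

Against a real database the same loop runs over the catalog views of that engine; the hit ratio and sample size keep a column with one stray match from drowning the report.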
One needs to understand what a breach is. It can be as benign as a developer unknowingly extracting confidential information while creating a new report. Regardless of intent, one has already breached a number of laws.
Data breaches are a constant occurrence. In fact, since January 1 of this year, over 100 breaches have been made public in the United States alone. These breaches range from those affecting a few records to the exposure of over 3 million records.
For a company, the cost of these breaches could be astronomical. Penalties by state governments are increasing, but the costs of credit monitoring services and lawsuits are extremely high. A breach can cost anywhere from $45 to $300 per record. The average cost of a breach in the US is $6.75 million. And that doesn’t even include the intangible costs — lost business, cancelled contracts, and so on. More than one company has actually had to fold due to this. In fact, the average customer attrition due to these reasons is 32 percent. Stockholder value is hit accordingly.
Our sensitive information management platform provides a comprehensive suite of tools to identify, protect, and manage sensitive information in production and non-production databases and applications. We automate the discovery process for specific applications and databases and have pre-built controls for auditing, masking, monitoring, and reporting for rapid deployment in multiple environments. That is our approach: a comprehensive platform for sensitive information management rather than just a piece of the puzzle. The MENTIS solution is an integrated suite that includes discovery, masking, monitoring, and intrusion prevention – all the products to help customers protect their information throughout its life in their organizations. We designed them to be modular and scalable. Companies can start out with one or two products and add products to protect more databases and applications as their needs change, as legislation changes, and as their company grows.
The author is Founder, MENTIS Software