IT security professionals are engaged in a game of cat and mouse with hackers. As fast as they deploy security countermeasures, these rogue elements discover loopholes or entirely new avenues of attack.
Traditional security methods have relied upon closely guarding the perimeter of a company's network. The continuously escalating and mutating threat environment has led many firms to layer security countermeasures one upon another: starting with firewalls, companies have added intrusion detection and prevention systems, malware filters, client-side firewalls, and encrypted network tunnels. A networked business can create a virtual fortress around its infrastructure, but it still must share information with mobile employees, external business partners, and remote customers. This fortress does not provide the business with an adequate level of security, and it does not stop hackers preying on sensitive data.
In most organizations, 70-90% of business data is in an unstructured or semi-structured state, and recent research indicates that only 23% of organizations feel this data is properly protected. Unstructured data includes files of any kind, such as office documents, images and videos, not to mention the billions of emails and instant messages generated every day. Much of this is sensitive data, such as personally identifiable information (PII) and intellectual property (IP), that must be protected with appropriate measures.
Another challenge of unstructured data is that it must support multiple distribution needs: from enterprise servers to laptops to USB drives, through email, or on cloud storage.
Many businesses now realize that rather than continuing to add layers of infrastructure security, it’s more effective to protect critical data throughout its life cycle, regardless of where it resides or moves. This concept of protecting data rather than devices is known as data-centric security.
Data-centric security must protect data both at rest (in storage) and in transit. Unstructured data that requires protection is encrypted before it is transferred or stored.
Paul Stamp from Forrester Research said: "In an evolving, more complex business and IT environment, organizations need to work toward a more data-centric approach to protecting the most sensitive information. Sensitive data needs to be encrypted as close to its point of creation as possible, and decrypted as close to its point of use as possible."
In practical applications the point of creation is one user's PC, and the point of use is the same user's PC or other users' PCs. Data is created and used only in decrypted form, by software residing on users' PCs. Therefore, for security reasons, the decrypted copy must be manually destroyed after creation and/or use.
Any data-centric technology must include data rights management, real-time strong authentication, and encryption.
Not everyone is a technology guru. Most users concentrate on getting their work done, not on the underlying technology powering that work. And when security solutions are deemed too difficult to use, many users will circumvent the solution, and with it the security. Data rights management and strong authentication require user intervention and therefore cannot be transparent. The issue is how easy these steps are for users. Reviewing the example below:
http://www.sentry-
we see that creating an encrypted file includes the steps of:
1. choosing the file for encryption,
2. defining the rights management rule,
3. defining the file sensitivity (medium or high),
and takes ~15 sec of the user's time.
Deleting the decrypted file after encryption takes another ~5 sec of the user's time.
To prepare the encrypted file for use and decrypt it, we take the steps of:
1. choosing the file for decryption,
2. the user's strong authentication,
which takes ~10 sec of the user's time.
Deleting the decrypted file after viewing takes another ~5 sec of the user's time.
So the encrypt/decrypt routine for medium- to high-sensitivity files takes ~20-25 sec.
Overall, this scheme is applicable across the board, independent of enterprise infrastructure and for any type of unstructured data.
What is missing from this discussion: transaction-
Last year there were more online bank robberies than actual on-site bank robberies. Many consumers suffered ID theft and decided to abandon online banking altogether.
Gartner analysts published in December 2009 that all existing means of strong authentication are inadequate to protect transaction integrity, for the simple reason that Trojan horse malware resident on infected PCs circumvents them. Nearly 50% of PCs worldwide are infected with some sort of malware.
Therefore US regulators and the FBI recommend that all financial activities be performed only from dedicated computers. Obviously this is a short-term solution. The need exists for a long-term, malware-resilient solution to the problem.
Our solution is based upon Software-as-
Our solution is generic and applicable to banking transfers, e-commerce purchases, insurance claims, healthcare prescriptions, and e-government voting.
This solution has two parts: the user signing the transaction, as shown below:
http://www.sentry-
and the service provider (bank, e-commerce site, etc.) authorising the transaction, as shown below:
http://www.sentry-
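As an added illustration of this two-part scheme (example code written for this page, not the vendor's implementation shown on the pages linked above), the Go program below has the user sign the transaction fields with an Ed25519 key and the service provider rebuild those same fields from what it received and verify the signature before authorising. The field names, the JSON canonical form and the nonce-based replay check are assumptions of this example, as is the premise that the user's private key and the reviewed transaction are kept out of reach of the PC-resident malware the text describes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Transaction holds the fields the user reviews and commits to; the fixed
// struct field order gives both sides identical canonical JSON bytes (assumed layout).
type Transaction struct {
	Account   string `json:"account"`
	Recipient string `json:"recipient"`
	Amount    int64  `json:"amount_cents"`
	Nonce     string `json:"nonce"` // one-time value, blocks replay of a captured signature
}

// newUserKeys is enrolment: the user keeps priv, the provider stores pub.
func newUserKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// signTransaction is the user's side: sign the canonical bytes of the
// transaction exactly as the user reviewed it.
func signTransaction(priv ed25519.PrivateKey, tx Transaction) ([]byte, error) {
	msg, err := json.Marshal(tx)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, msg), nil
}

// authorizeTransaction is the provider's side: rebuild the canonical bytes from
// the transaction actually received and verify them against the enrolled key.
// Fields altered after signing (e.g. a swapped recipient) break the signature;
// a repeated nonce is rejected as a replay.
func authorizeTransaction(pub ed25519.PublicKey, rx Transaction, sig []byte, seen map[string]bool) (bool, error) {
	if seen[rx.Nonce] {
		return false, fmt.Errorf("replayed nonce %q", rx.Nonce)
	}
	msg, err := json.Marshal(rx)
	if err != nil {
		return false, err
	}
	if !ed25519.Verify(pub, msg, sig) {
		return false, nil
	}
	seen[rx.Nonce] = true
	return true, nil
}
```

The authorising side never trusts the session that delivered the transaction; it trusts only that the bytes it reconstructs match what the enrolled key signed.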
For a presentation summarising data privacy trends and the data-centric solution, see:
http://www.youtube.com/