Focus integrated data security strategy on insiders

Defending against data breaches requires an integrated data security strategy that is consistently maintained to address modern-day realities. Compliance alone is no longer the "gold standard," according to research just released by Vormetric.

The "2015 Vormetric Insider Threat Report – Trends and Future Directions in Data Security, Retail Edition" claims that part of that strategy must be focused on trusted insiders, called "privileged users." These include administrators with responsibilities for systems, networks, storage, virtualization/cloud, domains and databases, Sol Cates, Vormetric's CSO, told FierceRetailIT.

"It used to be that systems administrators and business users had privileged access to the most sensitive corporate data, with few access controls," Cates said. "The difference between now and then? Organizations now need to prevent the risks that can occur with this kind of access–both from admins that 'go rogue' and from the compromise of their credentials by hackers. Organizations that don't properly control privileged user or system administrator access are setting themselves up for infiltration by malicious insiders or crafty outsiders looking to take advantage of the wealth of data at their disposal."

The study showed a dramatic increase in concern about data security. For example:

  • 93 percent of U.S. retail respondents reported they were "somewhat" or "more" vulnerable to insider threats, with 51 percent saying they feel "very" or "extremely" vulnerable to insider threats—more than twice that of respondents in other countries (24 percent).
  • 48 percent of U.S. retail respondents have experienced a data breach or failed a compliance audit in the last 12 months.
  • When asked to name the top three IT security spending priorities, 63 percent of U.S. retail respondents cited preventing a data breach incident, 37 percent said protection of critical IP (Internet protocol), and 35 percent cited protection of finances and other assets.

Although respondents said meeting compliance standards was not a top spending priority, 77 percent of retailers said they were "very" or "extremely" effective at offsetting insider threats.

The study revealed where organizations plan to increase spending, Cates said, with the following results:

  • Analysis and correlation tools: 56 percent
  • Data-at-rest defenses: 56 percent
  • Data-in-motion defenses: 56 percent
  • End-point and mobile device defenses: 55 percent
  • Network defenses: 54 percent

"Organizations appear to not understand what security controls will help them most to offset threats," Cates said. "Retail plans to invest in end-point and network defenses that are consistently penetrated in insider attacks. Instead, organizations need to take a data first approach. By realizing data is the target, not the network, you can have your cake—sufficient use of privileged accounts—and eat it too—simultaneous protection of the data."

According to the study, retailers need to make a priority of developing a focused IT security strategy that includes:

  • Deploying a layered defense that combines traditional IT security solutions with advanced data protection techniques.
  • Prioritizing the protection of data at the source. For most organizations, this involves protecting a mix of on premise databases and servers, newer big data implementations and remote cloud resources.
  • Leveraging a range of data-centric security techniques that protect where the data is stored, and that can move with the data. Use data encryption, tokenization, data masking and other techniques that can de-identify data, control data access, thus increasing data access visibility.
  • Implementing integrated data monitoring and technologies such as security information and event management (SIEM) systems to identify data usage and unusual and malicious access patterns.

To achieve this, some of the tools involved will be OS/file system level encryption plus access controls, application level encryption, application level access control, tokenization and data masking, and SIEM along with other analytic tools, Cates told FierceRetailIT.

"The industry as a whole needs to take a good hard look at how they acquire, retain, use and protect data. Compliance requirements need to be seen as a good 'baseline' for data protection, rather than the 'gold standard' as they were in the past. Strong policies about when to collect data, how long to retain it and what data may be used for can cut down on the proliferation of sites housing sensitive data, and the amount of data that is at risk," he said.

The results also highlight that retailers should shift their mix of investments to protect data. Network and end point defenses are important, but higher investments in these areas have diminishing returns because of the nature of insider attacks and the compromise of insider credentials by attackers. Taking into account that your network is "porous" means that organizations need to shift IT security investments in favor of tools that help create the "vault" inside of the "castle," Cates said.

The study was conducted online in the United States by Harris Poll on behalf of Vormetric from Sept. 22 to Oct. 16, 2014, with respondents including 102 full-time IT professionals from retail industries.

For more:
- See this web page for the study, an infographic and the press release

Related stories:
Target found negligent in data breach
Add another to the list: Staples investigating data breach
Supervalu becomes latest data breach victim
Home Depot breach affects 56M debit, credit cards
Home Depot and Target hacks the work of different groups