
Making Sure Data Storage Helps Meet Security Requirements

Forty-five states now have security breach notification laws. Numerous federal laws and regulations require breach notifications, and some, such as HIPAA and Gramm-Leach-Bliley, require the use of encryption technology to protect confidential information. Failing to comply with these mandates can result in anything from a serious financial setback to business failure. For example, businesses with customers or clients in Florida are subject to the Florida security breach notification laws, which impose fines of up to $500,000 for failure to properly report breaches of customer or client confidential information. On top of this, add the adverse effects of having business plans and trade secrets compromised.

Step 1 – Figuring Out Where All Your Confidential Information Resides
In days gone by, we tried to protect data by forcing people to store documents on secure network servers housed within our own brick-and-mortar walls. Things have changed. Laptops, cell phones, PDAs, flash drives, and dozens of other devices are now common repositories. Even on-premise servers are generally reachable through VPNs (Virtual Private Networks) and other remote access technologies. According to IDC analyst Cynthia Doyle, perhaps 60 percent of corporate data resides unprotected on PC desktops and laptops.

Technologies such as Colligo Contributor Client replicate documents locally, synchronizing content to a local encrypted data store and leaving copies of documents scattered across numerous computers that are not under the LAN's security umbrella.

The first task is to find out where confidential data resides. This process will likely produce some surprises, and unless there are already policies and procedures governing where and how sensitive data is stored, they must be established.

A good source of guidance on such policies and procedures is the SANS Institute (http://www.sans.org/security-resources/policies/). For example, the sample Information Sensitivity Policy defines requirements for classifying and securing an organization's information in a manner appropriate to its sensitivity level. Defining what information is confidential and ascertaining its physical location is a necessary first step toward a comprehensive approach to securing confidential documents.
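Finding out where confidential data resides is usually done with a discovery scan: walk the file shares and endpoints you can reach and flag documents that contain patterns of regulated data. The script below is an added example, not from the original article or from SANS; it searches a directory tree for two common classes of confidential data (US Social Security numbers and payment card numbers, the latter filtered with the standard Luhn checksum so that random digit runs such as part numbers are not reported) and returns a per-file tally. The sample documents it creates in a temporary directory are constructed for the demonstration; the 4111 1111 1111 1111 number is the well-known Visa test number, not a real card.

```python
"""Locate files that contain confidential data patterns (added example).

The SSN and card-number patterns and the Luhn check are standard techniques;
the directory of sample documents built by build_sample_tree() is constructed
here purely for demonstration.
"""
import os
import re
import tempfile
from collections import Counter

PATTERNS = {
    # US Social Security number in the form 123-45-6789, excluding the
    # area/group/serial values the SSA never issues (000, 666, 9xx, 00, 0000).
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # 13 to 19 digits, optionally separated by single spaces or dashes.
    "card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}


def luhn_ok(number: str) -> bool:
    """Return True if the digits in `number` pass the Luhn checksum."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> Counter:
    """Count confidential-data hits per category in one document's text."""
    hits = Counter()
    hits["ssn"] += len(PATTERNS["ssn"].findall(text))
    for m in PATTERNS["card"].finditer(text):
        if luhn_ok(m.group(0)):  # drop digit runs that are not valid card numbers
            hits["card"] += 1
    # Counter keeps zero entries; strip them so an empty Counter means "clean".
    return Counter({k: v for k, v in hits.items() if v})


def scan_tree(root: str, extensions=(".txt", ".csv", ".log")) -> dict:
    """Walk `root` and return {relative_path: Counter} for files with hits."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue            # unreadable file: skip, keep scanning
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def build_sample_tree() -> str:
    """Create a constructed directory of documents for the demonstration."""
    root = tempfile.mkdtemp(prefix="datascan_")
    os.makedirs(os.path.join(root, "hr"))
    os.makedirs(os.path.join(root, "marketing"))
    with open(os.path.join(root, "hr", "payroll.csv"), "w") as fh:
        fh.write("name,ssn\nJane Doe,123-45-6789\nJohn Roe,234-56-7890\n")
    with open(os.path.join(root, "marketing", "orders.txt"), "w") as fh:
        # Visa test number: passes Luhn, so it is reported.
        fh.write("order 1 paid with 4111 1111 1111 1111\n")
        # Looks like a card number but fails Luhn, so it is not reported.
        fh.write("part 1234 5678 9012 3456 shipped\n")
    with open(os.path.join(root, "marketing", "brochure.txt"), "w") as fh:
        fh.write("Call us today for a free quote!\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel_path, counts in sorted(scan_tree(sample_root).items()):
        print(rel_path, dict(counts))
```

Run as-is it reports the payroll file with two SSNs and the orders file with one card number, and stays silent on the brochure. In practice you would point `scan_tree` at mounted file shares and user profile directories, extend `extensions` to the document formats your organization uses (after converting them to text), and feed the findings into the classification policy described above.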


Solutions for Documents Stored On Servers
Protecting documents stored on servers is fairly straightforward. These servers should always be behind "professionally managed" firewalls. This professional management could come from internal IT staff (if there is one) or a third-party consultant. Simply installing a hardware firewall and assuming it is running correctly isn't the same as having a professionally managed firewall. Organizations like SecureWorks, Paladion and VeriSign provide professional firewall management with 24x7x365 monitoring.

Next, encrypt data on servers. Both Microsoft Windows Server 2003 SP1 and Microsoft Windows Server 2008 R2 can provide full-drive encryption, yet almost nobody is using this protection. If someone steals a small business server from an office, having whole-drive encryption enabled could save the company from going out of business and turn the event into just a bad day at the office.


Solutions for Documents Stored On Endpoint Devices
(Desktops, laptops, phones, PDAs, flash drives)  

In 2006, reported laptop thefts increased by a whopping 81 percent. This was when thieves discovered that the information on stolen laptops is far more valuable for ID theft than the laptop itself. One in ten laptops will be stolen in its lifetime, less than 4 percent of these laptops are recovered, and most of these business laptops contain confidential data. More than half of laptops are stolen from offices, and according to the Microsoft Security Intelligence Report Volume 6, the largest cause of security breaches is lost or stolen equipment.


Encryption is once again the answer for securely storing data on desktops, laptops and other portable devices. Products like TrueCrypt, PGP Desktop, BitLocker from Microsoft, Beachhead Solutions, and McAfee Endpoint can secure not only documents and data on local hard drives but can also encrypt email and data on flash drives and other external hard drives. The best of these solutions also provide centralized management. PGP Desktop and Beachhead Solutions, for example, provide Lost Data Destruction (LDD) capabilities, which allow the user to remotely destroy data on lost or stolen computers as well as monitor their location.

For handheld devices like iPhones, Blackberrys, Palms and Windows CE devices, inexpensive software solutions provide both secure login and LDD. The iPhone can require users to log in before accessing data like contact information, although I have yet to see anyone (other than members of the K2 team) use this feature. Inexpensive products like MobileMe can locate a lost iPhone and/or remotely destroy all data on the device. Other devices like the Blackberry, Palm devices and Windows CE devices have similar software available. In many cases, these devices (e.g. the Blackberry) come with very good encryption built in, but very few people use it.

Conclusion

Failing to secure confidential customer, client, and internal business information can have disastrous results. The solutions are equally clear: well-established and easy to implement, and almost always built on encryption technology, which is plentiful and inexpensive. Many people who fail to properly manage these risks will luck out and get by without incident. Some will not fare so well and will suffer substantial financial losses and even business failure. With clearly defined, relatively easy to implement, cost-effective solutions available to mitigate these risks, what will you choose?
