
What’s the risk?

Data is king. We enter, collect, scan, process, analyze, store, print and transmit data all day, every day. It is the heart and soul of most organizations, which rely on it to achieve their goals and accomplish their missions. But how safe is this most precious asset of the business? How is it being protected? Is enough being done to safeguard it? What else can be done?

At a time of increased attacks on IT networks, the king's men are in overdrive trying to stay ahead of threats aimed at stealing our information. CIOs and CISOs are in a constant state of evaluating, implementing and re-evaluating the processes and solutions that secure the perimeter and safeguard the networks and devices within the organization.

Chief privacy officers (CPOs) and privacy administrators work closely with CIOs and CISOs. They are the watchdogs of the data who understand the personally identifiable information (PII), nonpublic information (NPI) and sensitive corporate information collected and housed within the organization. Privacy administrators educate stakeholders to recognize sensitive data, define the procedures for protecting it and define the process to be followed when a breach occurs. They also take part, if only passively, in understanding and evaluating the applications that use and manipulate sensitive data.

Isn’t What’s Being Done Enough?

Recently, at a cybersecurity summit sponsored by The Washington Post, Craig Mundie, senior advisor to Microsoft, said, “People need to understand, in the last 12 months there’s been a qualitative change where the attacks are moving to destructive types of attacks.” 

Gen. Michael Hayden, former director of the Central Intelligence Agency and National Security Agency, said at the summit, “The problem is getting worse. There are other actors out there now who are coming to your networks, not just to steal your stuff or maybe not even to steal your stuff. They want to hurt your network.”

Gone are the days when the organization's endpoints were confined to desktops and laptops connected to the LAN, which were comparatively easy for central IT administrators to secure and manage. Endpoints now include virtual users, smartphones, tablets, external consultants and even partner organizations that need to exchange information. These additional complexities require information to be pushed to and pulled from devices inside and outside the network, which increases the exposure and the likelihood of data theft.

A recent survey conducted by the Norse Corporation and published by the Ponemon Institute reported that 60 percent of respondents had been unable to stop a security exploit because the threat intelligence available to them was outdated. Only 10 percent said they would know with certainty whether such an incident had occurred.

Beyond Network Security, What Else Is Being Done To Protect Data?

One solution organizations have migrated toward to address the risk of data theft is data-at-rest (DaR) encryption for endpoint devices. A DaR solution encrypts everything stored on the hard drives of laptops, desktops and even servers. DaR encryption, however, is a device-protection measure: it protects the data on the drive in the event the device, such as a laptop, is lost or stolen. It does very little, if anything, to prevent data theft during a network intrusion. Once the device is booted and the user is logged in, the encryption layer decrypts transparently, so all of the data is live and readable by anything running in that session, an intruder's malware included. And once the data leaves the drive, inside or outside the network, DaR encryption no longer applies at all; unless the channel itself is protected (for example by TLS), the data travels "in the clear" and is exposed to interception or a man-in-the-middle attack. Device protection with a DaR solution is a good start to data protection, but it should not be the only safeguard adopted.

In a recent Global Information Security Study conducted by Frost and Sullivan, 62 percent of CISOs ranked data theft as a top-five concern, followed by hackers at 50 percent; mobile devices scored the second highest at 70 percent. All of these concerns come back to protecting the organization's data at rest and in flight. Whether it is employee theft, a man-in-the-middle attack, hackers breaking into a network to steal data, or sensitive data pushed to a tablet or smartphone that is then lost or stolen, every top concern in this study is about the organization's data being stolen.

What is Data-Centric Security and How Can it Protect Data?

To address this risk, a data-centric security solution that protects the data itself, rather than the devices at the endpoints of the organization, adds a further layer to the security measures already in place. Such a solution should protect the data, files, documents and folders stored and used by the user community throughout their lifecycle, and it should keep protecting the data while it is in motion and distributed to employees internally, externally and to partner organizations.

The solution should also be minimally disruptive to end users' workflow, and it should let IT, security or privacy administrators access protected data when needed for auditing or for investigating employee misconduct.

Data-centric security is the only way to ensure the most important asset of the business—the data—is protected.

Not all data-centric security truly minimizes risk, however. Some organizations have chosen to invest in privacy training for their employees along with a few manually intensive tools to be used when they believe data should be protected. They then trust that the good habits and sensible decisions of the users will protect the organization's most critical data as they store and move it internally or externally. Unfortunately, this still leaves data open to access during a network intrusion, and it increases the risk of data theft and exposure of data in flight whenever employees forget to protect the data manually or do not realize that the data they are handling is sensitive. It may be a cost-effective solution, but it leaves uncertainty and doubt. In this scenario, risk has not been fully minimized, and if a data breach occurs the cost to the organization can well exceed the cost of an automated data-centric security solution. The damage to the organization's reputation may never be repaired.

What Is the Best Approach To Implementing Data-Centric Security?

Best practices that fully minimize risk should revolve around an automated data-centric security solution that features strong encryption and administrative controls through policy management. Policy management is an important ingredient that enables the organization to enforce standards and protection on data stored on the devices at the endpoints of the organization. Equally important is a contingency key that gives security administrators access to encrypted data for auditing purposes or when an employee leaves the organization. Because that key can open everything, it needs stronger protection than any user key: keep it in a hardware security module or under split control, and log and review every use of it.

In the federal government environment, the Federal Information Security Management Act (FISMA) and the Federal Information Processing Standards (FIPS) provide the framework, guidance and requirements for securing sensitive data. FIPS 140-2 sets the security requirements for cryptographic modules and is the validation that a product's encryption is expected to carry; the approved algorithms it points to include AES (specified in FIPS 197, with 128-, 192- or 256-bit keys) and the digital signature algorithms of FIPS 186. A FIPS 140-2 validated module, AES-256, digital certificates and digital signing are therefore the expected building blocks for securing sensitive data. Most, if not all, federal employees are issued a digital certificate stored on their PIV or CAC card, which makes deploying a data-centric security solution that supports digital certificates a fairly easy and quick process.

A checklist of features and functions for a robust data-centric security solution includes:

  • Protect enterprise data by securing files, file names, e-mail messages and attachments, regardless of format or computing platform, using strong encryption. For federal agencies, the solution should meet FIPS 197 and FIPS 140-2 requirements.
  • Reduce complexity with a seamless user workflow and integration into desktop and office applications such as Word, Excel and Outlook.
  • Reduce sensitive data exposure by securing files with PKI encryption (digital certificates) and/or strong passwords. Password protection is only as strong as the password and the key-derivation function behind it, so certificates should be the default wherever they exist.
  • Shred sensitive temporary files when they are deleted so that they cannot be recovered. Overwriting is reliable on magnetic disks; on SSDs, wear-leveling can leave copies behind, so shredding should be paired with full-disk encryption.
  • Enforce the use of data protection through a centrally managed security policy across the enterprise.
  • Provide contingency key support so that IT security can access every encrypted file in an emergency, for protection against malicious employee behavior and for audit purposes.
  • Allow easy adoption in in-stream applications and batch job streams via a command line interface or API.
  • Ensure access to encrypted data on mobile devices.
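The checklist above, together with the contingency key in the best-practices paragraph and the earlier point that DaR encryption stops at the drive, describes envelope encryption with an escrowed recipient: each file gets its own AES-256 key, and that key is wrapped to every authorized certificate plus the contingency key, so the file stays ciphertext on disk, in e-mail and on the wire. The following is an added illustration in Go using only the standard library; it is not code from the article or from any product. The KeyID labels are hypothetical, the generated RSA keys stand in for certificates on a PIV/CAC card and for an escrowed contingency key, and the sample record is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// WrappedKey is one recipient's copy of the file's data key, wrapped with RSA-OAEP to the
// public key in that recipient's certificate; the contingency (escrow) key is one more entry.
type WrappedKey struct {
	KeyID   string // hypothetical label, e.g. "user:jdoe"
	Wrapped []byte
}

// Envelope is the protected file as stored and sent: unreadable without a recipient private key.
type Envelope struct {
	Recipients []WrappedKey
	Nonce      []byte
	Ciphertext []byte
}

// aad binds the recipient list to the ciphertext as GCM additional data; stripping or swapping an entry fails the tag.
func (e *Envelope) aad() []byte {
	s := ""
	for _, r := range e.Recipients {
		s += fmt.Sprintf("%d:%s:%x;", len(r.KeyID), r.KeyID, r.Wrapped)
	}
	return []byte(s)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under a fresh AES-256 data key and wraps that key to every recipient (map key =
// certificate label, also used as the OAEP label so an entry cannot be re-labelled). Policy: no recipients, no file.
func Seal(plaintext []byte, recipients map[string]*rsa.PublicKey) (*Envelope, error) {
	if len(recipients) == 0 {
		return nil, fmt.Errorf("policy: at least one recipient (normally the contingency key) is required")
	}
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	env := &Envelope{}
	for id, pub := range recipients {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, []byte(id))
		if err != nil {
			return nil, err
		}
		env.Recipients = append(env.Recipients, WrappedKey{KeyID: id, Wrapped: w})
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	env.Nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(env.Nonce); err != nil {
		return nil, err
	}
	env.Ciphertext = gcm.Seal(nil, env.Nonce, plaintext, env.aad())
	return env, nil
}

// Open unwraps the data key with the private key matching keyID and decrypts; the contingency-key holder uses the same call.
func Open(env *Envelope, keyID string, priv *rsa.PrivateKey) ([]byte, error) {
	for _, r := range env.Recipients {
		if r.KeyID != keyID {
			continue
		}
		dataKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, r.Wrapped, []byte(keyID))
		if err != nil {
			return nil, fmt.Errorf("unwrap failed for %q: %w", keyID, err)
		}
		gcm, err := newGCM(dataKey)
		if err != nil {
			return nil, err
		}
		return gcm.Open(nil, env.Nonce, env.Ciphertext, env.aad())
	}
	return nil, fmt.Errorf("no wrapped key for %q", keyID)
}

func main() { // constructed keys stand in for a user's PIV/CAC key and the escrowed contingency key
	user, _ := rsa.GenerateKey(rand.Reader, 2048)
	escrow, _ := rsa.GenerateKey(rand.Reader, 2048)
	env, _ := Seal([]byte("constructed sample: SSN 000-00-0000"), map[string]*rsa.PublicKey{"user:jdoe": &user.PublicKey, "contingency:security-office": &escrow.PublicKey})
	pt, err := Open(env, "contingency:security-office", escrow)
	fmt.Println(string(pt), err)
}
```

Seal once with the user's certificate and the contingency certificate, and either private key opens the file; anyone who copies the envelope off the disk or off the wire holds only ciphertext. Because the wrapped-key list is authenticated as additional data, an insider who strips the contingency entry to escape audit breaks the file for everyone, which is the detectable outcome you want. In a real deployment the user's private key never leaves the card and the contingency private key belongs in an HSM under split control with every use logged; this example keeps all keys in memory for clarity.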


Written By

James Wyne, CIPP/US
