Three essential pillars of transparent data security

Data security practices that disrupt workflow place an undue burden on users and administrators.  The best data security tools work in the background – transparently – and provide automated, non-disruptive protection of assets and seamless authentication of network users.  Similarly, administrative tools should provide consistent support for corporate data security policies and minimise the need for manual oversight or time-consuming, hands-on procedures.

Implementing data security solutions that are universally applied across the organisation is also important for regulatory compliance.  This aspect of transparency focuses on eliminating device and platform differences as obstacles to deploying universal security protection.  Through this model, the widest possible range of devices, hardware platforms, and operating systems operate within the security umbrella, under a single point of control.  In other words, device characteristics and hardware platforms become transparent – manageable within the overall framework.

Pillar #1: Support transparency on multiple levels

The individual characteristics of computing devices, hardware platforms, and operating systems should all be as transparent as possible within the data security framework.

To this end, an effective data-security solution should:

  • Include all commonly used hardware platforms under one administrative framework
  • Accommodate the typical computing devices in use by staff members, including those used for mobile working
  • Make encryption part of routine security policy throughout the organisation, for all forms of communication and data storage

Continuous security coverage

Using multiple security solutions to accommodate different devices and operating systems in use within an organisation is inefficient and prone to error.  Without a means to oversee the “big picture,” gaps and vulnerabilities in security can arise.  The way to avoid gaps in the visibility of security coverage is to place the full range of organisational assets – desktop machines, laptops, tablets, portable storage devices, USB flash drives, and individual files and folders – under central console control.  In this way, encryption can be applied and verified from the top level to the lowest level.  Similarly, centralised authentication techniques can monitor and log network accesses, a necessity for meeting regulatory mandates.

Encryption is central to IT security strategies

Encryption deployment is on the rise globally, driven by strategic security issues, compliance requirements, and the reputational impact of data breaches.  Encryption is increasingly viewed as a staple in data security strategies by corporate leadership.    Compliance is a top motivating factor for using encryption.  Making encryption automatic and routine is an important step in ensuring compliance.

Pillar #2: Automate vital security processes

If users can’t disable security protections and key processes are automated — minimising manual intervention — this can reduce compliance risks and lower the total cost of ownership (TCO) of a data security solution.

The basic guidelines are:

  • Automate those operations that are necessary to asset protection so that users (and administrators) don’t need to perform tasks manually
  • Integrate authentication mechanisms deeply into the data security umbrella by tapping into existing systems, such as directory services
  • Integrate hardware options whenever possible, such as Opal-compliant, self-encrypting drives (SEDs), to increase performance and reliability of security processes

Automated protection

Controlling access to sensitive corporate information requires a mix of security tactics: authenticating valid users, enforcing access controls, and managing encryption on end-point devices.  Unsurprisingly, these tasks have become increasingly complex with the introduction of cloud computing.

Manual provisioning and enforcement of these processes represents a substantial workload for IT staff members, particularly if permissions and access rights are being assigned across hundreds or thousands of servers, involving tens of thousands of employees.  If IT cannot attribute the actions of specific users to an individual account (for example, if privileged passwords are shared), it becomes extremely difficult to prove that protections were adequate during a compliance audit.

Data security solutions that are both automated and operable across a heterogeneous computing environment preserve data protections while providing the necessary monitoring to demonstrate regulatory compliance.

Improved authentication mechanisms

Positive authentication is a vital factor in protecting sensitive assets, both in terms of granting access to encryption keys that unlock data and controlling entry to network resources.  Depending on the techniques used to implement authentication, the process – if not effectively automated – can be time-consuming, non-productive, and disruptive to everyday workflow.

Pre-boot authentication solves a key problem.  If the authentication mechanism takes place before the operating system loads, it can be handled in a uniform, consistent manner, regardless of device type or operating system.  Pre-boot network authentication can further harden data security, by detecting authentication mismatches against corporate directory services.
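To make the mismatch detection described above concrete (and the directory-linked validation discussed later under "Controlled user access"), here is an added Python model, not WinMagic's code, contrasting offline pre-boot authentication with network pre-boot authentication. The in-memory directory, the enrolment store and the XOR key wrapping are constructed assumptions for illustration only.

```python
import hashlib
import secrets

# Constructed model: the directory is the authoritative account record; the
# PBA store is what the device caches at enrolment (verifier + wrapped disk key).

def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=32)

def directory_account(password: str) -> dict:
    """Create an enabled directory record with a salted password hash (constructed)."""
    salt = secrets.token_bytes(16)
    return {"enabled": True, "salt": salt, "pw_hash": _derive(password, salt)}

def enrol_device(username: str, password: str, dek: bytes) -> dict:
    """Cache a credential verifier and the disk encryption key wrapped under it."""
    salt = secrets.token_bytes(16)
    kek = _derive(password, salt)
    return {"user": username, "salt": salt,
            "verifier": hashlib.sha256(kek).digest(),
            # XOR wrapping is illustrative only; real PBA uses an authenticated key wrap.
            "wrapped_dek": bytes(a ^ b for a, b in zip(dek, kek))}

def local_preboot_auth(store: dict, username: str, password: str):
    """Offline PBA: trusts only the verifier cached at enrolment; returns the DEK or None."""
    if username != store["user"]:
        return None
    kek = _derive(password, store["salt"])
    if not secrets.compare_digest(hashlib.sha256(kek).digest(), store["verifier"]):
        return None
    return bytes(a ^ b for a, b in zip(store["wrapped_dek"], kek))

def network_preboot_auth(store: dict, directory: dict, username: str, password: str):
    """Network PBA: the cached state must also agree with the directory's current state."""
    record = directory.get(username)
    if record is None or not record["enabled"]:
        return None  # account removed or disabled since enrolment: refuse key release
    if not secrets.compare_digest(_derive(password, record["salt"]), record["pw_hash"]):
        return None  # directory password differs from what was entered: mismatch
    return local_preboot_auth(store, username, password)
```

The model shows the gap the article refers to: once an account is disabled or its password rotated in the directory, offline PBA keeps releasing the key while network PBA refuses until the cached state is re-synchronised.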

Hardware-based encryption

One of the most significant security technology advances in recent years has been the release of SEDs, based on the Opal standard.  The encryption engine embedded in the drive hardware encrypts and decrypts data transparently, outside of the operating system, whenever the drive is operating.  When power is removed, the encrypted data is locked and secured, so drive theft does not result in an increased data breach risk.

Pillar #3: Administer security from a central point

Transparency as it applies to data security administration means that all assets and devices on the network are visible and manageable within a single-console view — no devices escape scrutiny outside of this framework.

The basic tenets of this approach are:

  • Make policies, password requirements, and encryption manageable from a single point of control across the entire IT infrastructure
  • Control user access to resources in a consistent, verifiable way to comply with regulatory mandates
  • Ensure that data and resources accessible by user-owned devices accessing the network (for example VDI instances) are protected by the same security policies that apply throughout the organisation

Centralised data security administration

Modern IT environments include a diverse array of computing devices and operating systems, typically a mix of macOS, Windows, and Linux machines.  The need to accommodate diverse computing devices running on multiple operating systems creates a security challenge that can tax administrator capabilities and, if not handled correctly, can lead to cumbersome, fragmented security fixes.  Piecemeal solutions (with a separate security approach for each platform) are generally inefficient and often fraught with risks because they are so difficult to administer and lack a central vantage point from which to monitor and assess real-time security status.  Fragmented approaches also make it difficult to demonstrate compliance with data privacy regulations or to perform consistent audits.

Controlled user access

One means of simplifying the authentication of users accessing corporate resources in the cloud is to integrate the authentication process into the directory server in use within the corporation.  Linking authentication to directory services lets the real-time validation process be governed by user information stored (and modified) within the directory server listings.

Wide-ranging device support

A data security solution designed to handle a diverse range of device types reduces the complexity of secure device management and encryption.  The type of device then becomes a transparent issue to the administrator because all devices can be effectively managed within the secure network. 

Luke Brown, VP EMEA at WinMagic 