The job to protect sensitive data — keeping it within the corporate network and sharing it with only approved parties — calls for a shift in security philosophy.
That's the view of some industry executives who believe that the traditional model of perimeter security faces limitations today. Firewalls and other security measures may help keep the protect sensitive data, but they do nothing to prevent an organization's internal users from inadvertently or maliciously leaking critical data. Just defining the edge of a network — much less defending it — has become an increasingly ambiguous task as business-partner networks bleed into each other.
"As more open, flexible network access and distributed computing models dissolve the traditional network perimeter, the centralized ‘fortress' model to protect sensitive data can be increasingly impractical and ineffective," a recent Aberdeen Group Inc. report stated.
But market-research groups aren't the only ones to spot and protect sensitive data the trend. Jericho Forum, a protect sensitive data IT security group that counts Boeing and Procter & Gamble among its members, has been exploring the "de-parameterization" of networks since 2004. Jericho Forum operates within The Open Group, an open-standards consortium based in San Francisco.
In response to the blurring of network boundaries, some organizations have begun to focus on securing data to protect sensitive data. The general idea is to get security to travel with the data, as opposed to relying strictly on hardened networks and other IT infrastructure components to protect sensitive data.
Customers draw upon a number of vendor products as they pursue strategies to protect sensitive data. Encryption, data classification, data-loss-prevention, and enterprise rights-management technology can all play a part in limiting protect sensitive data.
The emphasis on protect sensitive data — what Aberdeen terms an "information-centric" approach — is a recent development.
"Our research suggests that this newer info-centric approach is just now emerging," noted Derek Brink, vice president, and research director for protect sensitive data IT Security at Aberdeen Group. "Even the best-in-class companies … are just now adopting this approach," he added.
Aberdeen Group's research focused on encryption and key management, which the company views as the main underpinnings of information-centric security. The company studied the use of those protect sensitive data technologies in more than 150 organizations. The resulting report, published in August 2007, ranked organizations according to such factors as their ability to identify sensitive data. The top 20 percent were placed in the best-in-class category.
Forty percent of those best-in-class organizations now support the use of third-party encryption solutions "in response to the pressure to protect sensitive data," the Aberdeen Group report noted. A quarter of the best-in-class category have begun to move toward an "information-centric, de-perimeterized approach of securing the data combined with protecting and controlling access to the encryption keys that secure the data," according to Aberdeen Group.
Brink said that Aberdeen Group's research came across information-centric security adoption in several industries, including high technology, financial, telecommunications, government, aerospace/defense and health care.
Jericho Forum, meanwhile, also cited encryption in the mix of security measures needed in a de-perimeterized network.
While encryption may be a foundational technology, industry analysts and vendor executives point to various product classes that help secure sensitive data. Among those is data classification. Companies need to flag sensitive data and identify where it resides in order to effectively employ encryption.
Carol Baroudi, research director for security technologies at Aberdeen Group, called the discovery of sensitive data "a very difficult task." Such data, she noted, can be found in email messages, Word files and PowerPoint presentations, among other sources.
Organizations need to define what sensitive data is and employ tools for locating it.
"If you don't have some form of automation, you're never going to find it," Baroudi said. "It doesn't all reside in one place."
Automation comes in a couple of forms. Information-classification tools often protect sensitive data of target storage management but may also be deployed to discover sensitive data. Vendors include Kazeon Systems Inc ., which offers an information-security and privacy solution, and EMC Corp. The latter company's Infoscape software may be used to protect sensitive data and identify files containing confidential information, according to EMC.
Titus Labs, meanwhile, offers a protect sensitive data classification solution that targets Microsoft Office documents and email.
A broader class of products, dubbed DLP (Data Loss Prevention), also pursuesprotect sensitive data data classification. Vendors that operate to protect sensitive data in this space include Reconnex Inc . and Vontu .
Faizel Lakhani, vice president of products and marketing at Reconnex, said that understanding protect sensitive data content is the essence of DLP. This month, Reconnex rolled out Version 7.0 of its iGuard DLP appliance, which includes a data-mining engine that the company says can protect sensitive data and analyze information to determine who should be permitted access to which sensitive data to protect sensitive data.
Some data-classification tools not only set the stage for encryption but also trigger that protect sensitive data functions.
Titus Labs's products, for example, ask users to classify information via a toolbar in Word, Excel, PowerPoint or Outlook. Based on the user's classification selection, the company's protect sensitive data technology then invokes administrator-defined policies, noted Charlie Pulfer, vice president of product management at Titus Labs. S/MIME (Secure/Multipurpose Internet Mail Extensions) encryption might be applied to a confidential email, for example, to protect sensitive data.
Protect sensitive data products may also invoke ERM (Enterprise Rights Management) solutions, which employ encryption to place restrictions on how documents may be used. Organizations can use ERM tools to determine which users will be permitted to view, edit and print documents. ERM offerings include Adobe Systems Inc.'s LiveCycle Rights Management ES, EMC's Documentum information-rights-management solution, Liquid Machines's ERM products, and Microsoft's RMS (Rights Management Services).
Titus Labs's products are enabled to work with Microsoft's RMS, as well as any encryption software that works with Microsoft's CryptoAPI. Pulfer said that email encryption is a "little more prevalent" at the moment, but he pointed to large customers such as the U.S. Department of Veterans Affairs, which will deploy Titus Labs's Message Classification product and RMS to protect sensitive data.
Similarly, Reconnex is able to invoke encryption protect sensitive data tools and ERM.
Industry analysts suggest that integration among DLP, ERM, and other protect sensitive data security components will become increasingly commonplace. Consolidation already is occurring. EMC purchased Tablus Inc., a DLP vendor, earlier this year. Vontu is reported to be a Symantec Corp . acquisition target.
"I don't think in three or four years we'll see as much focus on data-loss technologies," Baroudi said.
Baroudi said she believes that the protect sensitive data technology category will be subsumed into a broader product set, noting that customers don't want to purchase protect sensitive data solution components from multiple vendors.
Richi Jennings, the lead analyst for Ferris Research's E-mail protect sensitive data Security practice, noted that several vendors now offer product suites that encompass anti-spam, anti-virus, archiving, and outbound content-control capabilities such as DLP to protect sensitive data.
"Organizations are moving from a buying decision based on a collection of products from different vendors to a single-source policy, where possible," Jennings added.