Top Five Data Security Trends for 2010

January 9, 2010

Read the original article on Computer Technology Review

 

With 2009 behind us, we look forward to what the next year might bring. The question of what changes might be coming in terms of data security begs answering. The ongoing battle between hackers and the teams defending sensitive information means that the techniques in use by both sides last year will be updated, and the better you are able to predict what the other side may do, the more likely you are to be prepared to defend against it. Here are some of the key concepts we believe are shifting most quickly, and how they might affect your overall database security plan.

 

Hackers are getting better tools
Over the past year, the suite of open source software in use by the black hats of the world has become much more sophisticated, and in 2010 more hackers will begin using these tools. Driven by more widespread use, the tools will get even more powerful, with updated attacks and new functionality, allowing hackers of all skill levels to penetrate databases using sophisticated attacks. The result will be an increase in entirely automated random attacks that no longer target a specific company, but instead look for specific vulnerabilities wherever they may be. Every quarterly Critical Patch Update (CPU) from Oracle, as well as many of Microsoft’s Patch Tuesday releases, announces new vulnerabilities that will be quickly rolled out into these toolkits, enabling immediate attacks that exploit published vulnerabilities.
 
Solutions for security in the cloud
For many organizations, security has been a significant obstacle to moving applications that hold sensitive information to cloud computing. Compliance requirements demand auditable proof that credit card data and other PII is being handled according to policy and regulations, yet that data is now harder to track. How do you protect data when you don’t even know what server it is on? It frequently moves and can be replicated without notification, and the applications that access this data are also highly transient, creating the opportunity for a possible breach. New solutions are becoming available that will solve issues of securing data in the cloud. By attaching data controls to the underlying database, and centrally managing the policies and logging, these methods can secure data even in a highly dynamic environment.
 
Meeting regulatory compliance while minimizing costs
Organizations know they must be compliant with the regulations for their industry, yet the ongoing economic conditions dictate that every cost must be scrutinized. For most, the answer will be to continue to invest in solutions only to the point where they achieve the bare minimum level of compliance. Decisions on which technology to use will focus on those that provide adequate protection at the lowest total cost of ownership. Ease of implementation and time-to-compliance are going to be key factors, as IT resources are also kept to a minimum.
 
Outsiders finding their way into the network
We tend to think of attacks as either coming from outside the network perimeter, or from internal users abusing privileges. However, this line will blur significantly in 2010, as a number of attack vectors gain in popularity:
· Just visiting a website can now result in downloading new types of malware, which then can attack autonomously from within the network, not requiring a breach of perimeter defenses;
· Organized crime targeting specific companies by inserting “sleepers” to infiltrate the organization as employees or contractors, solely for the purpose of gaining access to sensitive data;
· Along similar lines, the use of financial means to leverage insiders to assist outsiders via bribes, or the use of extortion to coerce an insider, will become more common.
Defending against these insiders will require solutions that protect data, regardless of the source of the attack. Therefore, going beyond perimeter defenses or network monitoring should be an important part of every organization’s data security strategy.
 
Less data means less exposure
Just as the wave of email retention policies limited exposure in eDiscovery, companies will begin aggressively removing sensitive data as soon as possible after it is used. Do you really need to keep a student’s tuition payment history, tax returns used for financial aid, and bank account information after they have graduated? Or, once a credit card transaction has passed the dispute window, how long do you still need to store the cardholder data? Every situation is different, and any decision must be supported by a complete review of the underlying business process, but in cases where older sensitive data can simply be deleted, less data remains that must be protected.
 
Slavik Markovich is the chief technology officer at Sentrigo.