SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Don't become Ashley Madison, secure your data
Tue, 29th Sep 2015

Data classification is the first step in securing intellectual property, according to Fortinet, the network security vendor.

Fortinet says every organisation that holds data (otherwise known as every company on the planet) should look very seriously at its data holdings.

The moment that someone's details go into the organisation's database, the company is responsible for ensuring that those details remain private and confidential.

Not only is this a responsible business practice but, in most countries, it is the law, says Fortinet.

“So if you get hacked and your data is compromised, you could be liable for prosecution, not to mention your company's name in the papers for all the wrong reasons,” says Gary Gardiner, Fortinet ANZ director of engineering and services.

“Most tightly-regulated enterprises such as finance, healthcare and central governments have a pretty good handle on the types of data they hold and how sensitive they are, but many other companies don't really have an understanding of what their obligations are to secure their databases.

“For instance, a retail shop might hold personal details from a loyalty programme or a mail order house might have thousands of credit card numbers. These databases have to be secured,” he says.

“And it's not just personal information,” he continues. “Any confidential or proprietary intellectual property, such as proposals, customer relationship management reports, strategic plans and the such, while not necessarily covered by privacy laws, should be kept away from prying eyes.

“And to complicate things, once you start storing data in the cloud or in third-party data centres, you start to lose control of your data stewardship authority. It can be unclear where your responsibilities start and stop.”

Metadata: The unsung hero of responsible data protection

According to Fortinet, one of the most important steps companies can take when securing their databases is to classify them.

Gardiner says, “Not all data carries the same levels of value to your organisation. Some data, such as financial, client and personnel records, needs to be highly-protected. Other files, such as internal communications, marketing materials, etc, aren't nearly as sensitive.

“So there is no sense in treating all of your data the same. This data hierarchy can impact storage as well. Some data needs to be stored for fast access ‘in memory’ while other data can be held in tape archives.”

The key to all of this is metadata, Gardiner explains.

“Metadata is information about information. Well-designed and maintained metadata descriptors can have a huge positive impact on your data security strategy.

“Metadata can contain fields for privacy and sensitivity (ie public, private, classified, highly-sensitive), date of capture, data lineage (ie what processing has been done to the data), levels of access (which company roles can access and/or modify the data) and, importantly, when the data can be safely deleted,” he says.

Match the cost of data security and storage to their value

Data audits are becoming increasingly important as organisations struggle to secure and store order-of-magnitude database growth.

“The advent of business intelligence, data marts and big data means that organisations capture data once and then propagate them throughout the system.

“Storing and securing data is expensive. Best practices suggest matching your security/storage expenditures to the value of the data to your organisation.

“Metadata is an enabler for cost-effective and thorough data audits,” says Gardiner.

While the costs of storing and securing data are decreasing with new technologies, such as deduplication and security-as-a-service, they are still a major outlay, Fortinet says.

“Anything you can do to drive down your data protection overheads while ensuring highly-secure access for authorised staff is a smart move,” concludes Gardiner.

“The tools are out there. It's just a case of knowing what to do and then making it happen. These issues will not go away… indeed they are becoming more critical. So don't become an Ashley Madison. Secure your data to secure your future,” he says.