Protecting Your Data Security and Data Privacy
The first step in protecting your enterprise’s data privacy and security is to identify the types of information you want to protect and where that information is exposed in your organization. Once you have completed your audit – identified your organization’s priority information and determined your level of risk of data loss – the next step is to assess your applications and understand what areas of your application portfolio are leaving you vulnerable to external attacks.
According to a recent Gartner report, the market for content-aware data loss prevention solutions continues to grow at more than 20 percent year over year. Yet the report also notes that many organizations are struggling to establish appropriate data protection policies and procedures for mobile devices as they interact with sensitive corporate data.
The threat model is different for mobile devices. There is much more risk of confidential data being stolen or leaked – this is called mobile data exfiltration. The additional risk is due to the portable nature of the devices, the types of applications and their usage models. Some of the significant differences between mobile devices and traditional computing environments include the following:
- Mobile devices are frequently shared temporarily. Even with PIN-protected devices, users can readily unlock their phones and hand them to other users.
- Mobile applications are highly connected to web services. This broadens the possible vectors for data exfiltration.
- Mobile devices are often consumer-owned devices that can access an organization’s internal network. Indeed, many enterprises are considering Bring Your Own Device (BYOD) programs as a cost-saving measure.
Because of these differences, traditional data protection and data security solutions are not readily applicable to mobile users. For example, the performance hit of an end-point agent on mobile devices would be unacceptable for most users. Similarly, forcing all mobile communications through the enterprise network for traffic analysis is not feasible. Datacenter-based solutions could identify confidential information resident on the device, but could do little to determine whether a personal application poses a genuine data loss threat to that confidential information.
Instead, what is needed is a solution that can scan mobile applications and determine if they represent a data loss risk to the organization. For example, a mobile-based data protection and data security solution should identify applications that enable surreptitious transmission of microphone, GPS or camera data or data exfiltration via sockets, email, HTTP, SMS, DNS, ICMP or IR.
Effectiveness of Traditional Data Security and Data Privacy Products
The effectiveness of data security, data privacy and data protection hinges on:
- Accuracy of data loss prevention content analysis engines. Content analysis methods range from keyword searching and regular-expression matching to document fingerprint matching. As with any other analysis engine, lowering the false-positive and false-negative rates is important to improve the solution’s accuracy.
- Scalability of data security solutions. As network traffic and employee use of multiple types of data grow, established data protection solutions must scale to keep up with organizational usage.
- Sophistication of the data security policy definition and process management capabilities. Organizations typically have multiple policies for different types of data and multiple processes to manage data and respond to data loss related events. The ability to automate policy enforcement in people- and process-centric situations is important.
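The three content analysis methods named above, as an added illustration that is not Veracode's code or any product's engine: a keyword detector, a regular-expression detector for card-like digit runs with a Luhn checksum step that rejects random digit runs (the false-positive problem), and a shingle-based document fingerprint matcher. The protected document, the sample messages and the threshold are all constructed for the example.

```python
import hashlib
import re

# Constructed inputs, not from the page: a protected document and sample messages.
PROTECTED_DOC = ("Q3 revenue forecast: 12.4M, churn target 3%, hiring freeze "
                 "until May. Board review next week.")
SAMPLES = {
    "card": "Please charge my card 4111 1111 1111 1111 for the invoice.",
    "fake_card": "Ticket ref 1234 5678 9012 3456 opened by support.",
    "keyword": "Attaching the Project Falcon CONFIDENTIAL roadmap.",
    "fingerprint": "Q3 revenue forecast: 12.4M, churn target 3%, hiring freeze until May.",
    "clean": "Lunch is at noon, see you in the lobby.",
}
KEYWORDS = ("confidential", "internal only")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")   # card-like digit run, spaces/dashes allowed
SHINGLE = 4        # words per fingerprint shingle
THRESHOLD = 0.5    # fraction of a message's shingles that must appear in the protected doc

def luhn_ok(digits: str) -> bool:
    """Checksum that rejects digit runs which merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def shingles(text: str) -> set[str]:
    """Hashes of overlapping SHINGLE-word windows; order-sensitive, so near-copies still match."""
    words = re.findall(r"\w+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + SHINGLE]).encode()).hexdigest()[:16]
            for i in range(len(words) - SHINGLE + 1)}

PROTECTED_SHINGLES = shingles(PROTECTED_DOC)

def fingerprint_score(text: str) -> float:
    s = shingles(text)
    return len(s & PROTECTED_SHINGLES) / len(s) if s else 0.0

def scan(text: str) -> list[str]:
    """Return the list of detector hits for one message (empty list means allow)."""
    hits = [f"keyword:{kw}" for kw in KEYWORDS if kw in text.lower()]
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):   # regex alone would flag the ticket number too
            hits.append("regex:card")
    if fingerprint_score(text) >= THRESHOLD:
        hits.append("fingerprint:protected-doc")
    return hits

def scan_all(samples: dict = SAMPLES) -> dict:
    return {name: scan(text) for name, text in samples.items()}

if __name__ == "__main__":
    for name, hits in scan_all().items():
        print(f"{name:12} {'BLOCK' if hits else 'allow'} {hits}")
```

The "fake_card" message is matched by the regular expression but dropped by the checksum, which is the kind of validation step that lowers a DLP engine's false-positive rate without loosening the pattern.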
Application Security and Your Data Security Strategy
Use this checklist as a reference tool when making data security buying decisions:
- Develop clear data security strategies with concrete requirements before evaluating products.
- Understand the limitations of traditional data privacy protection and data security. As an example, data loss prevention is a data-centric control and does not have any understanding of SQL.
- Applications protect your data. Test the security quality of your applications. Use application security testing as a way of protecting data.
- Create data protection policies and procedures for mobile devices as they interact with sensitive corporate data.
Veracode Helps Protect Your Data Security
The gateway to your data is through your applications. Attackers know applications are the weak link in today’s computer networks, and they look for vulnerabilities in applications that provide access to sensitive data. Testing applications for data security vulnerabilities reduces the risk of a data breach. Using Veracode as part of your data security strategy allows you to understand the data security quality of your applications and provides a path to improving the overall data security quality of all the applications running on your network and mobile devices.