Continuous Protection of Enterprise Data - A Comprehensive Approach
Ulf T. Mattsson
Protegrity Corp.
Abstract
Many consider the insider threat to represent the greatest vulnerability and
exposure to enterprise resources. Database attacks are on the rise even as the
risks of data breaches are increasing. Several industries must deal with
legislation and regulation on data privacy. This paper will review how to protect
sensitive data wherever the data resides: at the application level; within databases,
files and operating systems; and in storage. We will address the management of
associated encryption keys, access control and reporting -- helping organizations
mitigate risk and reduce costs, while protecting consumer, employee and partner
information. The approach safeguards information by cryptographic protection
from point-of-creation to point-of-deletion, to keep sensitive data locked down
across applications, databases, and files -- including ETL data loading tools, FTP
processes and EDI data transfers. This design principle optimizes placement of
functions for encryption and security enforcement among the modules of a
distributed computer system. The guiding concept, continuous protection of data,
suggests that encryption functions placed at low levels, and typically
implemented with native platform-based toolkits, may be redundant and of little
value when compared with the cost of supporting them at that low level. The
principle suggests that Enterprise levels of Data Protection and Key Management
may be cost effective in many configurations. We also include a set of best
practices that ensure not only a successful PCI audit, but a sustained
improvement in the security and protection of sensitive data, and the limiting of
theft and its costly aftermath. We introduce a system-solution example that
complies with these requirements and provides a cost-effective implementation.
Keywords: Performance, Database Security, Encryption, Privacy, VISA CISP,
GLBA, HIPAA.
1 The business pr