Attacks/Breaches
4/25/2014 07:00 AM
Jeff Rubin
Commentary

Data Security: Think Outside The Box

What the public and private sector can learn from each other's data security priorities is an exercise in nuance that is well worth the effort. Here's why.

The public and private sector approaches to data security are fundamentally different. Politics drive the public sector (it is the government, after all) just as profits steer decision making in the private. These different priorities, understandably, result in different security tactics.

The public sector needs to protect data at all costs, which leads to conservative security policies, while the private sector uses more aggressive policies because its primary aim is to maximize profitability. However, just because the two sectors do security differently doesn't mean they can't learn from each other. Organizations in each sector should be careful not to pigeonhole themselves into one strategy solely based on the guiding philosophies of their larger sectors.

When these motivations are applied in each sector generally to all matters -- not just to data security -- they can quickly become guiding philosophies that structure all decisions, rather than just priorities to keep in mind. Governments try to protect against any negative possibility, and businesses pursue profits at the expense of all else. It can be easy for these leanings to become automatic choices. When that happens, they get applied without nuance or consideration for whether a given policy will (or won't) actually further its own intentions.

What each sector can learn from the other's priorities-turned-philosophical-tenet is an exercise in remembering nuance. Keeping differing priorities in mind forces public and private organizations to jolt themselves out of automated routines. Through this exercise, they may find that other strategies -- strategies that might more closely align with the other sector -- better suit their objectives.

For instance, the public sector can re-imagine some of its policies with business practices in mind, thinking beyond the usual, more conservative strategies it employs. Instead of attempting to appease all constituencies all the time, it should attempt to increase efficiency and reduce waste to maximize value -- and may end up with more resources for more projects in the process. In terms of technology adoption, this shift may come in the form of initiatives similar to the attempts to consolidate government data centers.

Government agencies would be better served by not thinking of businesses solely as profit-driven entities. Businesses are also the masters of cost savings, and those cost-cutting motivations could be applied to any agency. For example, reducing waste and increasing efficiency on the HealthCare.gov website saves money (not to mention minimizes constituent ire) for the Department of Health and Human Services. Such measures not only improve the experience for users, they also save the agency time and money. Fewer resources directed at managing the fallout of a frustrating user experience means those resources can be directed toward other projects, such as data security.

For the private sector, this exercise would task companies with imagining what completely foolproof data security would look like without considering costs. Removing the specter of cost might spur new ideas or strategies. Of course, those ideas may not prove cost-effective once they are evaluated after the fact, but the exercise does not require that every idea be implemented, only that it surface potential ideas that had not been considered previously.

The premium invested in security pales in comparison to the cost of a breach. The Ponemon Institute calculates that the average cost of a US data breach in 2013 was $5.4M. Not every company will suffer a breach, so probabilities and risks must be factored into the equation, but even then, most businesses are suffering losses due to lapses in security. To get a better sense of this scale, imagining perfect security allows a business to tally up all of its losses due to breaches and consider exactly what its security is worth. Alternatively, taking time to research additional security measures and tallying their costs for comparison against those losses may be a valuable perspective-granting exercise.

Finally, just because an organization falls into a particular sector doesn't mean its policies fit best with the policies of that sector. Not all public sector agencies look alike, just as not all private sector entities look alike, and the line between public and private may not be completely clear. Some public agencies don't handle highly sensitive data and could apply security practices that are more closely associated with profitability. Conversely, some private sector firms are in fields where data is highly regulated. For these firms, like those in the medical industry, practices may need to align more closely with public sector protocols.

Data security is an issue every sector contends with, but regardless of sector, the data itself should be at the center of the security conversation. Instead of applying cookie-cutter solutions or being bound by the traditional mindsets of their sectors, each firm should consider an expansive, and possibly amalgamated, approach to its policies.

Jeff Rubin is co-founder and Vice President of Product Strategy at Beachhead Solutions, a company that designs cloud-managed mobile device security tools.

Comments

Jeffrub1, User Rank: Apprentice
4/29/2014 | 12:31:16 AM
Re: More about consolidation
As with many government initiatives, it could be further along than it is! I think we can all agree that data center consolidation is, point blank, a good idea (not just with cost cutting, but for environmental impact) and certainly a strategy that seems more private sector-esque (versus the usually more conservative, agency-specific IT policies of the government). The initial goals of the data center consolidation program were lofty: save $3 billion and shutter 40% of government data centers by 2015. It appears that won't happen. But I would say enough progress has been made to call it a modest success given the far-reaching goals.

Marilyn Cohodas, User Rank: Strategist
4/28/2014 | 3:51:53 PM
Re: More about consolidation
Thanks, Jeff. Another question: How far along is the federal government datacenter consolidation effort at this juncture? I've read in several blogs and news articles, such as this one in InformationWeek from Bob Otto, former CIO & CTO for the United States Postal Service, that the experience has been mixed.

Jeffrub1, User Rank: Apprentice
4/25/2014 | 1:21:10 PM
Re: More about consolidation
The prevailing security wisdom in the private sector - that all sensitive data should be kept within company-owned and operated data centers - is now changing along the lines of the federal government's data center consolidation initiative. Specifically, it is often unnecessary and inefficient, particularly from an economies of scale perspective, to maintain separate physical data centers just to ensure data security. Increasingly, companies are accepting cloud-managed applications and facilities to handle these once unthinkably risky data transactions. The rationale goes beyond simple cost advantages; because these third parties are expert at data handling and security, they can actually improve the quality of the security. Scale advantages include a deeper and broader experience with threat vectors and security breach possibilities, so security can be enhanced in ways that most smaller enterprises couldn't possibly predict and react to.

Marilyn Cohodas, User Rank: Strategist
4/25/2014 | 11:02:59 AM
More about consolidation
Jeff, you make an interesting point about what the private sector can learn from the public sector with respect to consolidation of government datacenters. Can you give an example?