Attacks/Breaches
4/25/2014 07:00 AM
Jeff Rubin
Commentary

Data Security: Think Outside The Box

What the public and private sector can learn from each other's data security priorities is an exercise in nuance that is well worth the effort. Here's why.

The public and private sector approaches to data security are fundamentally different. Politics drive the public sector (it is the government, after all) just as profits steer decision making in the private. These different priorities, understandably, result in different security tactics.

The public sector needs to protect data at all costs, which leads to conservative security policies, while the private sector adopts more aggressive, risk-tolerant policies because its primary aim is to maximize profitability. However, just because the two sectors do security differently doesn't mean they can't learn from each other. Organizations in each sector should be careful not to pigeonhole themselves into one strategy solely because of the guiding philosophy of their larger sector.

When each sector applies its motivation generally to all matters -- not just to data security -- that motivation can quickly become a guiding philosophy that structures every decision, rather than a priority to keep in mind. Governments try to protect against any negative possibility, and businesses pursue profits at the expense of all else. It is easy for these leanings to become automatic choices. When that happens, they get applied without nuance or consideration for whether a given policy will (or won't) further its intended purpose.

What each sector can learn from the other's priorities-turned-philosophical-tenets is an exercise in remembering nuance. Keeping the other sector's priorities in mind forces public- and private-sector organizations to jolt themselves out of automated routines. Through this exercise, they may find that other strategies -- strategies that more closely align with the other sector -- better suit their objectives.

For instance, the public sector can re-imagine some of its policies with business practices in mind, thinking beyond the usual, more conservative strategies it employs. Instead of attempting to appease all constituencies all the time, it should attempt to increase efficiency and reduce waste to maximize value -- and may end up with more resources for more projects in the process. In terms of technology adoption, this shift may take the form of initiatives similar to the effort to consolidate federal government data centers.

Government agencies would be better served by not thinking of businesses solely as profit-driven entities. Businesses are also masters of cost savings, and those cost-cutting motivations could be applied to any agency. For example, reducing waste and increasing efficiency on the HealthCare.gov website saves money (not to mention minimizes constituent ire) for the Department of Health and Human Services. Such measures not only improve the experience for users, but also save the agency time and money. Fewer resources spent managing the fallout of a frustrating user experience means more resources can be directed toward other projects, such as data security.

For the private sector, this exercise would task companies with imagining what completely foolproof data security would look like without considering costs. Removing the specter of cost might spur new ideas or strategies. Of course, those ideas may not prove cost-effective once they're evaluated after the fact, but the exercise does not require that every idea be implemented, only that it surface potential ideas that may not have been considered previously.

The premium invested in security pales in comparison to the cost of a breach. The Ponemon Institute calculated the average cost of a US data breach in 2013 at $5.4M. Not every company will suffer a breach, so probabilities and risks must be factored into the equation, but even then, most businesses suffer losses due to lapses in security. To get a better sense of this scale, imagining perfect security allows a business to tally up all of its losses due to breaches and consider exactly what its security is worth. Alternatively, researching additional security measures and tallying their costs to compare against those losses may be a valuable perspective-granting exercise.

Finally, just because an organization falls into a particular sector doesn't mean its policies fit best with the typical policies of that sector. Not all public sector agencies look alike, just as not all private sector entities look alike, and the line between public and private may not be completely clear. Some public agencies don't handle highly sensitive data and could apply security practices more closely associated with profitability. Conversely, some private sector firms are in fields where data is highly regulated. For these firms, such as those in the medical industry, practices may need to align more closely with public sector protocols.

Data security is an issue every sector contends with, but regardless of sector, the data itself should be at the center of the security conversation. Instead of applying cookie-cutter solutions or being bound by the traditional mindsets of their sectors, organizations should consider an expansive, and possibly amalgamated, approach to their policies.

Jeff Rubin is co-founder and Vice President of Product Strategy at Beachhead Solutions, a company that designs cloud-managed mobile device security tools.

Comments
Jeffrub1,
User Rank: Apprentice
4/29/2014 | 12:31:16 AM
Re: More about consolidation
As with many government initiatives, it could be further along than it is! I think we can all agree that data center consolidation is, point blank, a good idea (not just with cost cutting, but for environmental impact) and certainly a strategy that seems more private sector-esque (versus the usually more conservative, agency-specific IT policies of the government). The initial goals of the data center consolidation program were lofty: save $3 billion and shutter 40% of government data centers by 2015. It appears that won't happen. But I would say enough progress has been made to call it a modest success given the far-reaching goals.
Marilyn Cohodas,
User Rank: Strategist
4/28/2014 | 3:51:53 PM
Re: More about consolidation
Thanks, Jeff. Another question: How far along is the federal government datacenter consolidation effort at this juncture? I've read in several blogs and news articles, such as this one in InformationWeek from Bob Otto, former CIO & CTO for the United States Postal Service, that the experience has been mixed?
Jeffrub1,
User Rank: Apprentice
4/25/2014 | 1:21:10 PM
Re: More about consolidation
The prevailing security wisdom in the private sector - that all sensitive data should be kept within company-owned and operated data centers - is now changing along the lines of the federal government's data center consolidation initiative. Specifically, it is often unnecessary and inefficient, particularly from an economies-of-scale perspective, to maintain separate physical data centers just to ensure data security. Increasingly, companies are accepting cloud-managed applications and facilities to handle these once unthinkably risky data transactions. The rationale goes beyond simple cost advantages; because these third parties are expert at data handling and security, they can actually improve the quality of the security. Scale advantages include deeper and broader experience with threat vectors and security breach possibilities, so security can be enhanced in ways that most smaller enterprises couldn't possibly predict and react to.
Marilyn Cohodas,
User Rank: Strategist
4/25/2014 | 11:02:59 AM
More about consolidation
Jeff, you make an interesting point about what the private sector can learn from the public sector with respect to consolidation of government datacenters. Can you give an example? 