When asked where our corporate data resides, the answer seems simple: on disk if the data is current and on tape if it is archived. While this is true, it isn’t a complete picture, and might lead some to believe that their data is secure as long as their data center is secure. This first view is called “data at rest,” and the word “rest” means that at this point in time, no one is accessing it. It is secure because no one is touching it.
“Data in use” is the next way to view data from a security standpoint. Once someone can make a call to a database, the data is considered in use and thus exposed to security breaches. Firewalls and access controls are essential parts of the security framework, but these may not be enough, particularly when you consider the potential for insiders to get at data. Stories have been circulating for years about employees who access customer data out of curiosity as well as those who want to misuse the information and/or cause the company harm. It’s a huge challenge: insider access issues can only really be addressed by robust reporting that shows how people are using data and gives the security team a heads-up when access patterns no longer fall within the norms. Many companies have made it impossible for someone to plug in a thumb drive, while others block sending attachments outside company email systems.
And then there’s “data in motion.” When many of us started out, you could only access databases and files if you were sitting at a dumb terminal on company property. Our version of “data in motion” was couriers who physically transported tapes by car. As companies grew, the need to share data across a network grew, and files were frequently shared via FTP. With the dawn of the Internet, corporate data finds its way to other companies and to customers, displayed on non-secure devices like smartphones and tablets.
As data moves everywhere, the opportunity to damage a company and hack identities has grown. All this means that companies have a responsibility to take security management to the next level, anticipating and thwarting hackers at every turn. As such, companies have turned to encryption as a way of ensuring that only trusted parties can read their data. But encryption isn’t free. It costs CPU cycles and slows down each interaction. While the impact may not seem like much on a per-transaction basis, during peak periods, with thousands of transactions hitting your systems, it could become a serious problem.
Another option is to store components of a customer record in different locations, making it hard to collate the information from the outside. But this option also comes with a lot of overhead.
In upcoming blogs, we’ll delve deeper into this problem, weighing the costs of dealing with the problem against the impact when a data breach happens and how you might be able to keep your data safer with a decreased impact on performance and resource management.