As information systems grow more complex and attacks on them more sophisticated, cyberthreats are more likely than ever to slip past an agency’s defenses and compromise its security. Traditionally, the primary strategy for agency security has been to secure devices such as servers, desktops, notebooks and smartphones. Device security remains essential (patching software, for example, and restricting access to devices through logical and physical controls), but many experts now focus their efforts on data security as well.
Ultimately, what matters to an agency is that its data is protected — particularly, the assurance that sensitive, confidential information is not accessed by unauthorized parties. Device security helps to protect data, but by itself, it’s woefully inadequate. These current best practices for securing data make it less likely that sensitive information will fall into the wrong hands, regardless of whether devices are lost or stolen or attacks breach various security controls.
Find the Most Secure Architecture
A simple and effective strategy for securing data is to strictly limit where application data may reside. For example, instead of replicating an application’s data onto client devices, keep it on an application or database server. This provides much stronger security for the data, in large part because one host houses the data instead of many, but also because a single server can have its security locked down and monitored much more tightly than individual client devices can. The flip side is that the server then holds everything of value, so its hardening, access control and monitoring must be treated as a high priority rather than assumed.
Implementing this strategy is easiest with in-house applications, which can be written to meet these requirements, as well as with other applications that use the same data storage architecture. For commercial applications that store data on client devices, additional security controls are needed to safeguard data or remove it from the devices.
One popular solution is to implement a virtual desktop infrastructure through which applications are run. With VDI, the user sees the client application, but the application itself and its data actually reside on a remote server; only the rendered display is transmitted to the client device, and only keyboard and mouse input travels back. Because the data is never stored on the client device, the loss, theft or compromise of the client device does not expose the data. The remote display session still offers ways for data to leave the server, such as clipboard sharing, client drive mapping, printing and screen capture, so those channels should be disabled or restricted in the VDI policy rather than left at their defaults.
Another popular solution for mobile devices (including notebooks) is mobile device management, which offers a suite of security controls for mobile devices that includes application security. MDM technologies typically support “application sandboxing,” which places an application inside a wrapper (or “sandbox”) to isolate it from other parts of the mobile device; the same capability is often sold under the name mobile application management. This isolation provides additional protection for locally stored data, although it cannot help if the wrapped application is itself compromised. MDM also typically provides or enforces storage encryption, along with a passcode requirement and remote wipe for devices that go missing.
Protect the Data
Data loss prevention technologies are designed to prevent an agency’s sensitive data from being transported to where it doesn’t belong via email, copy and paste, transfer to removable media, or screen capture and the like. DLP technologies have a variety of ways to detect sensitive personal data such as credit card numbers and Social Security numbers. Once the data has been detected, the DLP technology can ensure that it is not transported to an unsecured location, either accidentally or maliciously.
DLP technologies detect sensitive content mainly through pattern matching (regular expressions for credit card or Social Security number formats, tightened with validity checks such as the Luhn checksum), fingerprints of known documents and statistical classifiers, much as intrusion detection systems rely on signatures and anomaly detection. Unfortunately, this means that they suffer from the same weaknesses as intrusion detection: false positives (misidentification of benign activity) and false negatives (failure to detect prohibited activity). Content that has been encrypted, compressed or otherwise obscured before it leaves the endpoint is generally invisible to content inspection. While DLP is an important security component, it should not be the only data security technology in use. Rather, a combination of technologies is necessary to provide sufficient layers of defense to thwart today’s threats.
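To make the pattern-plus-validation approach and its blind spots concrete, here is an added example written for this article (it is not code from any DLP product). It scans a batch of constructed message lines for card numbers and Social Security numbers, applies the Luhn checksum and the Social Security Administration’s never-issued ranges to cut false positives, and deliberately includes one false positive that survives the checks (an IMEI, which also uses Luhn) and one false negative (a card number that was masked before sending):

```python
import re

# Constructed sample lines standing in for outbound messages (not real data).
SAMPLE_LINES = [
    "Please bill card 4111 1111 1111 1111, exp 12/27",    # card format, passes Luhn
    "Tracking number 4111111111111112 for your parcel",    # card-shaped, fails Luhn
    "Handset IMEI 490154203237518 registered to user",     # IMEIs use Luhn too: false positive
    "Applicant SSN: 522-61-4433",                          # plausible SSN
    "Order ID 000-12-3456 shipped",                        # SSN-shaped, area 000 is never issued
    "Card ending 1111, full number sent separately",       # sensitive, nothing to match: false negative
]

# 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (and by IMEIs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject number ranges the SSA never issues: area 000, 666, 900-999; group 00; serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def find_sensitive(text: str) -> list[tuple[str, str]]:
    """Return (kind, value) for each suspected card number or SSN in text."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("card", digits))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(("ssn", m.group()))
    return findings


def scan(lines) -> list[tuple[int, str, str]]:
    """Scan a batch of lines; returns (line_index, kind, value) per detection."""
    return [(i, kind, value)
            for i, line in enumerate(lines)
            for kind, value in find_sensitive(line)]


if __name__ == "__main__":
    for idx, kind, value in scan(SAMPLE_LINES):
        print(f"line {idx}: {kind} {value}")
```

Run against the sample, the scanner reports three hits: the real card on line 0, the IMEI on line 2 (a false positive no format check can remove, because the number is structurally a valid card number), and the SSN on line 3. The Luhn check drops the tracking number and the area-000 rule drops the order ID, but the masked card on line 5 is never seen, which is the kind of false negative a content-matching DLP will always have.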
Encryption technologies protect data by applying a cryptographic algorithm to it, which prevents access to the underlying data unless the user holds the correct key. Because the protection is only as strong as the secrecy of that key, key management (where keys are generated, stored, backed up and revoked) deserves as much attention as the choice of algorithm. The same cryptographic principles are used to protect stored data and data within network traffic, but the terminology differs a bit for storage and network encryption.
Several types of storage encryption provide data protection, and their names reflect subtle but important differences in the portion of media they encrypt. For example, full-disk encryption is complete encryption of all data on a piece of media, such as a disk drive. File encryption protects a single file instead of an entire piece of media. Virtual disk encryption is an intermediate solution between disk and file encryption; it encrypts a virtual disk, represented as a container file that can hold other files. Regardless of the type of storage encryption used, this technology is essential to securing sensitive data stored on client devices. Note what each type does and does not cover: full-disk encryption protects a device that is lost while powered off, but once the user has booted and unlocked it the operating system decrypts transparently, so malware or an attacker with a live session reads plaintext. File and virtual disk encryption narrow that window because the protected data is decrypted only while the file or container is open.
A variety of solutions can be used for network traffic encryption, depending on the layer of the network stack where encryption is desired. At the network layer, virtual private networks can be used to encrypt all traffic between a client device and an agency VPN server, thus protecting transmitted data from eavesdropping and tampering in transit. A VPN covers only that hop, however: traffic is decrypted at the VPN server and continues onward in whatever form the application sends it. Alternatively, agencies can apply encryption at the application layer, protecting a single application’s network traffic instead of all application traffic; this is most often accomplished through the use of Transport Layer Security, which, when paired with HTTP, yields HTTPS. In either case the protection depends on the client verifying the server’s certificate; a client that skips that check is shielded from passive eavesdropping but not from an active attacker who impersonates the server.