Data Exploitation and Protection
Many IT and BI professionals are dissatisfied with interoperability and with the efforts of vendors and storage providers. The vendors have made it clear that they are interested in encryption standards rather than in cost and integration challenges. Expanding encryption is good, but it isn’t the lone or ultimate solution. A critical application will, at one point or another, need access to encrypted data. If an attacker can view unencrypted data in an application, more than likely, so can everyone else. In an enterprise-wide architecture, as well as on a single personal node, unauthorized access is unacceptable and protection is sorely needed.
A reputable news and information media outlet conducted a survey of information technicians and business intelligence professionals. 28% of the participants said they want to expand encryption use far beyond the minimum standard(s).
The creation of public interoperability standards would give open source communities a level playing field. Benchmarked against commercial product technologies, “Open Source” (free sharing of technological information; practices in production and development that promote access to the end product’s source materials; the Internet; communication paths; and interactive communities) is not known for having the best managerial capabilities. Competition has proven to keep everyone on his or her toes. According to the resulting survey analytics and conversations with CISOs (Michael Goetzman), encryption and compliance aren’t being used correctly and/or to their full extent. Organizations that utilize top applications are encrypting or planning to, right alongside several firewall protection software applications. With the inclusion of VPNs (Virtual Private Networks), email, file and data systems, a breach can be devastating. These practices don’t really solve the protection problem, although a risk reduction is evident.
A Chief Information Security Officer (CISO) is the senior-level executive within an organization. The CISO directs staff in identifying, developing, implementing and maintaining processes across the organization to reduce information and Information Technology (IT) risks, respond to incidents, establish appropriate standards and controls, and direct the establishment and implementation of policies and procedures. Typically the CISO’s influence reaches the whole organization. Michael A. Davis reports top-level stats on encryption use: 86% of 499 business technology professionals say they feel pretty secure. His data is based upon an Information Week Magazine analytics state of encryption survey. Davis also states that 14% of the respondents say encryption is pervasive in their organization(s). Alongside integration challenges and cost, the lack of leadership is the reason for the dismal state of encryption affairs. “38% encrypt data on mobile devices while 31% characterise their use as just enough to meet regulatory requirements.” The compliance focus on encryption relieves companies from having to notify customers of a breach in the security of their devices. The Davis report goes on to state that “entrenched resistance” isn’t a new phenomenon. A Ponemon Institute survey in 2007 found 16% of U.S. companies incorporate encryption across enterprise-wide networks, starting with tape backups. “Doing the bare minimum isn’t security,” stated Davis. “IT and BI pros face stiff resistance when they attempt to do more for technology users.”
Many company IT and BI personnel work to increase the use of encryption. Users are more interested in quick and easy access to data than in security. Even with the use of flash drive(s), laptops, and other portable media, from the CEO (Chief Executive Officer) down to the front-line user(s), encryption never enters their minds.
Interoperability (a property referring to the ability of diverse systems and organizations to work together, or inter-operate; to work with other products or systems, present or future, without any restricted access or implementation) would make encryption management less expensive and easier to utilize. IT and BI pros endorse the use of encryption for files and folders (something that Microsoft is currently working on); easing performance and use while lowering cost is the key to better management. Many pros continue to wish for more regulation(s). A breach would require customer notification, and this action would allow funding and management interaction, bringing more attention to regulatory intervention. “An enterprise-wide initiative as complex as encryption mainly to comply with regulations will generally result in a project that’s poorly planned and would probably end up costing more than a mapped out comprehension program,” according to the Davis report.
Tokenization (the process of breaking a stream of text up into meaningful elements called tokens) uses a service through which a system gains access to sensitive information, e.g., a credit card number. The system receives a “one-time token ID number.” An example is a 64-digit number used in applications whenever the credit card number is called by the system. The action includes database numbers as well. This change was implemented in 2007. Should the data be compromised (attacked or hacked) in any way, the attacker would then have no way to reverse the 64-digit numbers back to the card, making a read verification virtually impossible. Several systems are designed to destroy the key (number) in emergencies. The action makes it impossible to recover the stored data on the system; it becomes inaccessible to all. This is a Chief Information Officer’s nightmare.
Many companies are interested in single, specialized, and standardized encryption products. The product operates on a “single encryption platform,” in which a single or central application manages multiple forms of encryption code-keys. This platform promises to increase efficiency and lower cost while providing security. The caveat with this model is that using a simple platform to handle email encryption and a backup function can be detrimental if ill-planned and/or mismanaged. A company (and/or private single user) would need multiple sources of support as opposed to having “all your eggs in one basket.” The way to go is the use of “Native Key Management” (provisions made in a cryptography system design that relate to generation, exchange, storage, and safeguarding: access control, the management of physical keys and access) on a given system.
Consolidation in the encryption industry is a continuing development. It has created an environment where encryption vendors sell multiple products as “uniform platforms.” Some IT and BI professionals believe the unified, multiplatform approach is the future for encryption products.
Another security issue is that encryption vendors have difficulty managing code-keys from separate providers. They appear to trip over one another through competition and jockeying from last to first in line. Vendors have difficulty getting their separate standards on the same page. They continually fight over the details of operation and compliance, and over whether “free and low-cost products will move them out” and take over the industry.
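The tokenization flow described earlier (a 64-digit token standing in for the card number, plus emergency key destruction), as an added example that is not code from the article or from any vendor. `TokenVault` and its method names are hypothetical, and the SHAKE-256/HMAC sealing is a standard-library stand-in for a real AEAD cipher such as AES-GCM.

```python
import hashlib
import hmac
import secrets

TOKEN_DIGITS = 64  # token length mentioned in the article


class TokenVault:
    """Hypothetical vault: random tokens map to sealed card numbers."""

    def __init__(self):
        self._enc_key = secrets.token_bytes(32)
        self._mac_key = secrets.token_bytes(32)
        self._records = {}  # token -> (nonce, ciphertext, tag)

    def _xor_stream(self, nonce, data):
        # Stdlib stand-in for an AEAD cipher such as AES-GCM (assumption):
        # SHAKE-256 keyed stream here, HMAC-SHA256 tag computed in _tag().
        stream = hashlib.shake_256(self._enc_key + nonce).digest(len(data))
        return bytes(a ^ b for a, b in zip(data, stream))

    def _tag(self, nonce, ct):
        return hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()

    def tokenize(self, pan):
        self._require_key()
        # The token is pure randomness, not a function of the card number,
        # so a stolen application database offers nothing to reverse.
        token = "".join(secrets.choice("0123456789") for _ in range(TOKEN_DIGITS))
        nonce = secrets.token_bytes(16)
        ct = self._xor_stream(nonce, pan.encode())
        self._records[token] = (nonce, ct, self._tag(nonce, ct))
        return token

    def detokenize(self, token):
        self._require_key()
        nonce, ct, tag = self._records[token]
        if not hmac.compare_digest(tag, self._tag(nonce, ct)):
            raise ValueError("vault record failed its integrity check")
        return self._xor_stream(nonce, ct).decode()

    def destroy_key(self):
        # Emergency destruction: ciphertext stays, but nobody can open it again.
        self._enc_key = self._mac_key = None

    def _require_key(self):
        if self._enc_key is None:
            raise RuntimeError("vault key destroyed; stored data is unrecoverable")
```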