Column Ian Schenkel, EMEA VP, Protegrity
APRIL 2009
Get more for less
Ian Schenkel

The appeal of improved data security at a reduced cost is an attractive proposition. Accomplishing this seemingly impossible feat requires adopting a risk-based approach that prioritises data security according to the risk the data poses to the business if it is lost, stolen or infiltrated. Here's how to develop a risk-driven, cost-effective data security plan.

Data flows through a company via numerous applications and systems. A complete understanding of this data flow enables an enterprise to implement a cohesive data security strategy that provides more comprehensive protection at a reduced cost. Data that can be resold for a profit is high-risk data and requires the most rigorous protection; protection levels for other data should be determined according to its value to your organisation and the anticipated cost of its exposure. Classifying data according to risk level enables you to develop a sensible plan that invests budget and effort where they matter most.

Keep an eye on security news sites to stay abreast of how criminals are attempting to steal data; currently the attack vectors of choice are web applications and data in transit. Focus initial efforts on hardening the areas that handle critical data and are a high-risk target for attacks. Then work your way down the list, securing less critical data and systems with appropriate levels of protection.

Be aware, though, that the conventional 'linked chain' risk model used in IT security, in which the system is treated as a chain of events, the weakest link is found and that link is strengthened, isn't the complete answer to the problem. There will always be a weakest link. Layers of security are essential for a truly secure environment for sensitive data.

A risk-based approach often reveals elegant solutions to complex problems. As an example, risk analysis may suggest that, rather than re-architecting an entire enterprise environment and revising critical business processes across the board, it would be more effective from both a cost and a data security standpoint to move the systems that collect, transmit and store PCI-protected data into their own environment and restrict those systems' interactions with the rest of the enterprise network. This allows the enterprise to focus its compliance efforts on the most critical components of the network.

Cost-cutting is typically accomplished in one of two ways: reducing quality, or getting the most out of a business investment. Look for multi-tasking solutions that protect data and complement critical business missions. As an example, web application firewalls keep hackers away from critical data while supporting a mission to expand online sales and services.

Look also for efficiency gains. Centralised management of encryption keys reduces cost and complexity, and can also reduce system downtime. Centralised policy enforcement supports compliance efforts and simplifies management chores, while reducing risk and the cost of producing reports for auditors.

Although it's always admirable to get more for less, it's important to keep the return on data security investments in perspective. Industry estimates indicate that a Level 1 merchant could spend between £2.5m and £13m on PCI DSS compliance. The cost of a data breach, however, is estimated at 20 times the cost of compliance efforts (TJX claims costs of more than £150 million from the data breach in which more than 45 million customer credit and debit card numbers were stolen). Gartner analysts estimate that the cost of a sensitive data breach will increase by 20% by the end of 2009. Risk-based analysis requires careful consideration of long-term costs and benefits, as well as immediate budgeting issues.