Data breaches are as likely to happen through internal malice as external hacking. Yet too many data security initiatives stop at the firewall. David Reed finds out what new research by Informatica tells organisations about where they should focus their security efforts.
Advertising has a famous dictum about its effectiveness - that half of any ad budget is wasted, but it is not possible to know which half. Now data seems to have its own version - that sensitive personal data held by half of all organisations has been compromised or stolen by an insider.
That is the disturbing finding from a new research report by Ponemon Institute, “Safeguarding Data in Production and Development”, commissioned by Informatica. It found that 48% of the 532 senior IT and security executives surveyed believed they had suffered an insider data breach of this sort.
“The biggest take-out for a lot of CISOs ought to be that their focus on data breaches should be on internal threats, rather than giving their attention to breaches from outside and putting in place firewalls,” says Adam Wilson, general manager, information lifecycle manager, at Informatica. “Hackers are what tend to get the media’s attention, but then you find out a very high percentage of actual breaches are occurring because of internal malice.”
Information security has tended to take a technology-based view of the threat which seeks to mitigate the issue through the use of firewalls and access controls. This has left something of a blind spot in the realm of application production and development. Every time a new system is being created, copies of databases will be used to test it before going live. Often it is in these stages that sensitive information can become exposed.
Worryingly, 59% of IT professionals are not confident that they would be able to detect a data breach in these environments, with 71% experiencing difficulties in restricting access to sensitive information. Normal access controls that exist in operating systems are not always appropriate or available when a system is still being built.
“Insider threat is directly correlated to the availability of data,” says Wilson. “For every copy on a live production unit, you may get eight to 12 copies being used for testing, training, user experience, performance management and so on across large groups of individuals.”
He reports talking to one organisation where there were 38 copies of a single database as a result of various development activities.
Put simply, “if you multiply data by the number of places where it is present, it increases your risk,” he says. In the survey, just 25% of companies have assigned a specific budget to the reduction of insider threats.
One reason for this failure to protect data during development is the fear that controls will inhibit that process or give a false indication of how an application will perform when it goes live. It is an issue that Informatica has been tackling through its Dynamic Data Masking solution.
“We take a different approach to data being used in a non-production environment, so you can physically transform data using data masking techniques, like scrambling, rewriting or substituting,” says Wilson. The extent of data masking can be set according to the type of data which a developer needs to be using, so for example all of the postcodes may get scrambled if these are not specifically required. The way this is done can ensure that routines within the application still perform as if the postcodes were real.
“Clients are starting to ask for the same thing in production environments to drive down the risk of exposing sensitive information,” says Wilson. With the masking happening between the database and application layers, it is a new way to reduce risk without reducing performance. For companies worried about internal breaches, it could halve that threat.
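The two uses Wilson describes above, transforming postcodes in a non-production copy so that application routines still see well-formed values, and masking the same column per caller between the database and the application, can be demonstrated in a few dozen lines. The following is an added example and is not Informatica's code or a description of how Dynamic Data Masking is implemented. The simplified UK postcode pattern, the masking key, the `customer_service` role name and the customer table are all assumptions constructed for the example.

```python
"""Format-preserving, deterministic masking of UK postcodes, applied either
to a whole table copy (static, for development) or per query by role (dynamic).
Added example; not Informatica's implementation."""
import hashlib
import hmac
import re
import string

# Constructed example key. In a real deployment the key lives in a secrets
# store and is never shipped alongside the masked copy.
MASK_KEY = b"example-only-masking-key"

# Simplified UK postcode shape (outward code, space, inward code). Assumed to
# stand in for whatever validation routine the application itself runs.
UK_POSTCODE_RE = re.compile(r"^[A-Z]{1,2}[0-9][0-9A-Z]? [0-9][A-Z]{2}$")


def is_valid_postcode(value: str) -> bool:
    return UK_POSTCODE_RE.fullmatch(value) is not None


def mask_postcode(postcode: str) -> str:
    """Substitute every letter/digit with another of the same class.

    A keyed HMAC drives the substitution, so the mapping is deterministic
    (the same real postcode masks the same way in every copied table, so joins
    still line up) but cannot be reversed without the key. Every character is
    shifted by at least one position, so the masked value never equals the
    original; because character classes are preserved, the result still
    matches the validation pattern.
    """
    value = postcode.strip().upper()
    if not is_valid_postcode(value):
        raise ValueError(f"not a well-formed postcode: {postcode!r}")
    stream = hmac.new(MASK_KEY, value.encode(), hashlib.sha256).digest()
    out = []
    for i, ch in enumerate(value):  # postcode is at most 8 chars, digest is 32
        b = stream[i]
        if ch == " ":
            out.append(" ")
        elif ch.isdigit():
            # shift by 1..9 so the digit always changes
            out.append(string.digits[(int(ch) + 1 + b % 9) % 10])
        else:
            # shift by 1..25 so the letter always changes
            idx = string.ascii_uppercase.index(ch)
            out.append(string.ascii_uppercase[(idx + 1 + b % 25) % 26])
    return "".join(out)


# Column-level policy: which columns get transformed. Assumed schema.
MASKERS = {"postcode": mask_postcode}
SENSITIVE_COLUMNS = set(MASKERS)


def mask_record(record: dict, columns: set) -> dict:
    """Return a copy of one row with the named columns masked, others untouched."""
    return {k: (MASKERS[k](v) if k in columns else v) for k, v in record.items()}


def mask_table(rows, columns=SENSITIVE_COLUMNS):
    """Static masking: transform a whole copy before it leaves production."""
    return [mask_record(r, columns) for r in rows]


def query_for_role(rows, role: str):
    """Dynamic masking: the stored rows stay real; callers without the
    assumed privileged role get masked values on the way out."""
    if role == "customer_service":
        return [dict(r) for r in rows]
    return mask_table(rows)


# Constructed sample rows standing in for a production customer table.
CUSTOMERS = [
    {"id": 1, "name": "A. Example", "postcode": "SW1A 1AA"},
    {"id": 2, "name": "B. Example", "postcode": "SW1A 1AA"},
    {"id": 3, "name": "C. Example", "postcode": "M1 1AE"},
]

if __name__ == "__main__":
    for row in mask_table(CUSTOMERS):
        print(row)
```

Two caveats a practitioner would check before relying on this kind of substitution: it preserves the syntactic shape of a postcode, so validation and parsing routines behave as in production, but a masked value does not correspond to a real location, so any routine that looks postcodes up against an external address service will fail on the copy. And the deterministic mapping that keeps joins intact is also what makes the key sensitive; whoever holds it can recompute the mapping for any real postcode, so the key must not travel with the development copy.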