Enterprise security isn't working. As companies install ever more advanced firewalls and anti-virus software, the outpouring of sensitive data goes on and on.
Last year, 446 companies suffered data breaches, up from 312 the year before, losing a total of 127 million individuals' records, according to the Identity Theft Resource Center. This year may outpace even those grim numbers, in quantity of breaches if not in volume of records lost: 224 companies lost consumer or employee data in the first four months of this year, a total of 11 million records by the ITRC's count.
That means the old protection strategy of trying to harden the outside of companies' networks to protect against hacker threats--what security researcher Bill Cheswick once called the "crunchy outside with a soft, chewy center" approach--is giving way to a new strategy: safeguarding the data itself. Instead of trying to fortify the perimeter of the company's network, some security technologies are aiming to evaluate the sensitivity of individual pieces of information and then apply security directly to movable chunks of information.
"Information-centric security is about taking a risk-based approach to protecting confidential information," Symantec chief executive John Thompson said in his keynote address at the RSA conference in April. "With the amount of stored data growing 50 per cent a year, trying to protect it all is both inefficient and costly. Instead, it's about securing the most critical information, from source code to customer records to employee data."
Thompson went on to dredge up an unpopular term in the world of information technology: digital rights management. DRM, long associated with much-loathed restrictions on music and video, is regaining momentum in enterprise security by playing a similar role: attaching metatags to files that determine how they can be used. Placing a DRM tag on a personnel file in a company, for instance, might allow those in human resources to open it, but not someone in sales.
Another metatag might allow the sales group to edit and e-mail a document, but the engineers can only print it. DRM software is built by such companies as Microsoft and Waltham, Mass.-based software firm Liquid Machines.
Those systems may sound like snarls of red tape. But to one start-up still in stealth mode, Jerusalem-based Secure Islands, they suggested a new solution: embedding security directly in data. Secure Islands, funded partly by Israeli security guru Shlomo Kramer, builds software designed to classify sensitive information automatically based on policies outlined by a company, and then to wrap it in the appropriate level of DRM.
Any file that contains a credit card number, for instance, can be automatically tagged with restrictions that encrypt it when it's put on a USB drive. Or, if that same information is shared within a company, the applicable rules might prevent those who see it from cutting and pasting any of the names and addresses.
The goal, says Unisys chief security architect and blogger Chris Hoff, is to make the security go where the data goes, rather than keeping data tied to secure locations. "Instead of putting a security guard at the door, it's like putting a bodyguard on every piece of information," he says.
Secure Islands leaves the actual encryption to industry leaders such as PGP or Microsoft. The company using the technology sets the rules that restrict how the data can be used. Secure Islands categorizes the data and then applies the appropriate doses of encryption and DRM.
"Those companies provide the engine," says Yuval Eldar, one of the two brothers who founded the company in late 2006. "We provide the steering and the wheels. We try to make encryption or DRM go wherever you want it to."
A second group of companies aims to monitor data as it flows in and out of networks--including through USB ports, e-mail, file transfer protocol and Web browsers. This trend, called "data loss prevention" (DLP), similarly classifies data. It also monitors data leaving a company's network, blocking the movement of sensitive data or encrypting it.
Over the past year, practically every major security vendor has acquired one of the small companies selling DLP or related data-protection software. In the space of two months, beginning last August, Trend Micro acquired a small DLP vendor called Provilla, McAfee bought SafeBoot, an endpoint-encryption vendor, and Symantec paid $350 million for DLP firm Vontu.
A lesser-known but equally data-centric segment of the security industry involves monitoring the activity that happens around databases and major applications. For instance, Waltham, Mass.-based Guardium and Tel Aviv, Israel-based Imperva offer software that classifies data by modeling its movement and watching for anomalies that might be signs of penetrations or insider misbehavior.
That kind of monitoring, contends Imperva spokesman Mark Kraynak, could have prevented Société Générale's Jerome Kerviel from hiding his secret trades, or Enron's accountants from sneaking adjustments into their financial numbers in the company's database. But the first step, says Kraynak, is sifting through your company's information to determine what needs monitoring or protection.
"Find your sensitive data," says Kraynak. "Many organizations don't know where it is. Companies tell me they have three systems with credit card data. We go in and find that there are 50."
The security industry's growing effort to automatically categorize sensitive data won't be easy, says Forrester Research analyst Jonathan Penn. While information that can identify individuals--such as credit card and Social Security numbers--can be spotted by software, data such as a company's source code or business plans aren't as easily sifted out.
Nonetheless, Penn says that information-centric security is a better plan than focusing on an entire network. "The boil-the-ocean approach isn't going to work," he says.
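The two steps the article keeps returning to, automatically tagging a file because of what it contains (the Secure Islands credit-card example above) and first inventorying where sensitive data lives (Kraynak's "find your sensitive data"), can be sketched in a few dozen lines. The block below is an added illustration written for this page; it is not code from Secure Islands, Imperva or any vendor named here. The file contents, the `eng/` location rule, the label names and the role-based policy table are all constructed assumptions. It also shows the caveat Penn raises: card and Social Security numbers are found by pattern (with a Luhn checksum to discard number-shaped noise), whereas source code gets its label from a location policy, because content inspection cannot recognise it.

```python
import re

# Constructed sample corpus (path -> content). These are not real records.
SAMPLE_FILES = {
    "sales/orders.csv": "cust,card\nA. Ng,4111 1111 1111 1111\nB. Roe,5500000000000004\n",
    "hr/benefits.txt": "Employee 123-45-6789 enrolled in plan B.",
    "eng/build.log": "order id 4111111111111112 processed",  # number-shaped, fails Luhn
    "eng/crypto.py": "def kdf(pw): ...  # proprietary",        # no detectable pattern
}

# Content rules: 13-19 digits with optional space/hyphen separators; a US SSN shape.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Location rule for data that content inspection cannot recognise.
# Hypothetical convention: everything under eng/ is treated as source code.
LOCATION_RULES = {"eng/": "SOURCE"}

# Hypothetical per-label handling rules a company would configure.
POLICY = {
    "PCI":    {"open_roles": {"finance"},     "clipboard": False, "encrypt_removable": True},
    "PII":    {"open_roles": {"hr"},          "clipboard": False, "encrypt_removable": True},
    "SOURCE": {"open_roles": {"engineering"}, "clipboard": True,  "encrypt_removable": True},
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects digit strings that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(path: str, text: str) -> set:
    """Assign sensitivity labels from content patterns and from file location."""
    labels = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            labels.add("PCI")
    if SSN_RE.search(text):
        labels.add("PII")
    for prefix, label in LOCATION_RULES.items():
        if path.startswith(prefix):
            labels.add(label)
    return labels


def policy_for(labels: set) -> dict:
    """Combine per-label rules into the most restrictive applicable policy."""
    if not labels:
        return {"open_roles": None, "clipboard": True, "encrypt_removable": False}
    rules = [POLICY[label] for label in labels]
    return {
        "open_roles": set.intersection(*(r["open_roles"] for r in rules)),
        "clipboard": all(r["clipboard"] for r in rules),
        "encrypt_removable": any(r["encrypt_removable"] for r in rules),
    }


def can_open(role: str, labels: set) -> bool:
    """Role check: an unlabelled file is open to anyone."""
    allowed = policy_for(labels)["open_roles"]
    return allowed is None or role in allowed


def discover(files: dict) -> dict:
    """Inventory step: which files hold which kinds of sensitive data."""
    return {path: classify(path, text) for path, text in files.items()}


if __name__ == "__main__":
    for path, labels in discover(SAMPLE_FILES).items():
        print(path, sorted(labels), policy_for(labels))
```

The inventory is the interesting output: `eng/build.log` contains a sixteen-digit number that a naive regex would flag as a card, but the Luhn check drops it, while `eng/crypto.py` is labelled only because of where it sits. A file carrying two labels ends up with the intersection of the allowed roles, so a document mixing card data and an employee's SSN is openable by nobody until someone with authority splits or re-tags it, which is the kind of "red tape" the article mentions.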
Information-centric security won't stop all data leaks, says Rich Mogull, an independent security consultant and founder of Securosis. But the overall movement toward protecting information rather than building walls around networks is a major step in reducing risk, he says.
"In a 7-Eleven, there's never more than a few hundred dollars in the register. The rest is in the safe, and even that's guarded by cameras," Mogull says. "Companies are applying risk-reduction controls to our sensitive information based on the information itself. That's why this is so different."