TORONTO – Canadian enterprises that worry about protecting their information need to develop a “security lifecycle management” model similar to the ones they create to govern the storage of data, experts told a symposium on Friday.
Despite the growing vulnerability companies face due to mass portable storage devices and the sophistication of Web-based attacks, many organizations adopt tools without developing a strategy to go along with them, said Predrag Zivic, chief operating officer at a Toronto-based security consulting firm called Scienton. Such a strategy should create “information owners” who can adhere to an asset classification system that puts greater or lesser security on a piece of data depending on where and how it is used, he said.
Zivic, who spoke at a breakfast seminar on mobile security hosted by Simple Technology, likened his approach to the information lifecycle management (ILM) model favoured by companies like EMC, which place information in near-term storage or in archives based on its use.
A security lifecycle management model might place a company’s market strategy in the “strictly confidential” category, for example, which would be the highest level of security. Once approved by a board of directors or senior management team, it might then move to a “confidential” category, which it can be accessed by mid-level managers who must execute the strategy. Other classifications could include “partner,” which would permit information to be published or shared with customers and suppliers. “Public” would mean the data could be shared with almost anyone.
Zivic said the security lifecycle management model should be paired with “flow logging” that tracked how information is handled as it passed through each stage. He also recommended companies work harder to learn and adopt “counterintelligence tactics” as they go about their business.
“I’m always surprised at people. They go to a conference room at a hotel like this to do a deal. How do you know that room is not bugged?” he asked. “We all know about sniffers on the network, but how many of us have anti-sniffing software on our laptops?”
The rise of data theft through schemes such as phishing and pharming and internal thefts through portable storage devices has affected more than 54.6 million people, Zivic said, based on totals of 169 incidents that have been reported since February 2005. Some experts calculate the impact of data loss as roughly 10 per cent of a firm’s annual revenue, he said.
“The problem is that in many cases, there is no real audit trial for that loss,” said Simple Technology vice-president Brian Muir. “They don’t know whose information it was, how long it had been missing, or how it was stolen.”
Security on a stick
Vendors at Simple Technology’s event included Memory Experts International (MXI), which was spun out of a Montreal-based maker of hard drive subsystems in printers and copiers. Mike Kieran, MXI’s vice-president of sales and marketing, promoted the company’s Stealth MXP product, a device about the size of of a Memory Stick which provides a portable security token service for WS-Trust.
Using two-factor security that includes fingerprint biometric identification as well as a password, Kieran said the device was designed in response to users who are hamstrung by traditional security tokens that require expensive middleware to interoperate with other hardware and software.
“If you’re using them, you’d better be prepared to use them forever,” he said. Such tokens also tend to require regular reprogramming.
An executive from another portable device manufacturer, Andover, Mass.-based MobileSecure, said the tendency for users to save data is not new.
Sean Wray, MobileSecure‘s chief technology officer, was helping the U.S. Navy install systems 20 years ago when senior officers decided to remove 360 KB disk drives to prevent sailors from saving classified data on to disk.
Now, he said, users are saving data on to devices ranging from CDs to iPods, and IT managers are rarely able to keep track of which files have been saved on to portable storage devices. What’s worse, he added, is not only can users lose the devices on buses, trains and in other public places, but they are transferring corporate files on to home computers as a means of backing up their work.
Wray said MobileSecure’s management products give IT administrators information on which external devices are connected to the network and information on files that were written to them – allowing managers to figure out who is copying which files from corporate storage devices.
— With files from Greg Meckbach