Information security: It takes an ecosystem
Federal laws have multiple levels of compliance and states have their own laws, so tracking the requirements can be complex. Employees at the RADAR business unit of ID Experts keep track of existing and pending legislation and analyze it to determine how it affects what a company should do in the event of an incident. “We do not just put the information in a library,” Sher-Jan explains, “we incorporate it into a purpose-built workflow that provides specific guidance to the user.”
Agility through SaaS
Offered as a SaaS product, RADAR contains the current regulations that apply to each customer’s industry, and they are updated as the regulations change. “Incident response has to be built on an agile platform,” Sher-Jan says, “and that is why we deliver it as a SaaS product.” Each incident, whether a lost laptop, an attack or a misplaced paper file, is profiled. A workflow is then initiated that guides the user through a series of questions and determines whether the incident is characterized as a breach.
“Many incidents do not reach the threshold of a breach because they are remedied adequately as permitted by laws to reduce risk to those affected,” Sher-Jan adds. RADAR ensures that responses are consistent and documented, so that all the required information is available for reporting or in the event of an audit.
Despite the visibility and magnitude of outsider attacks, they constitute only a minority of incidents. “These attacks are very threatening and can be difficult to detect because they are complex or might involve code that remains dormant for a while and then becomes active,” says Sher-Jan. “However, the majority of incidents that need to be tracked are much more mundane. Organizations need an efficient way to manage these as well.”
He agrees with the idea that companies need multiple security solutions and that they each have critical roles to play. “What is encouraging now is that they often have Web-based interfaces that have APIs and are easy to integrate with other solutions,” he says. That quality facilitates the development of a full ecosystem of information security solutions.
Ounce of prevention
Being able to detect intrusions or breaches and respond to them is an important component of managing information security, but how can their impact be minimized if perimeter defenses fail? Most computer users are aware of anti-virus software and of firewalls, which allow only defined types of traffic into a network. Encryption is an option for any type of data, particularly for sensitive or high-value data. Technology from Gemalto enables companies to encrypt any type of data and provides strong authentication technology.
“Encryption secures data anywhere,” says Chad Couser, director of communications at Gemalto, “and we also support multifactor identification, which provides another layer of security to authenticate users when they access that data or any applications.” Gemalto’s enterprise security products include data encryption, identity management and other tools. The company also offers security solutions for the Internet of Things, as well as for a number of verticals.
The ability of employees in different departments to buy cloud resources easily has undermined security, according to Couser. “The cloud can be as secure as other environments or more so,” Couser says, “but that is not always the case.” In addition, the presence of numerous repositories can interfere with security, as data moves from one to another or organizations lose track of how many there are. Finally, mobility in the form of smartphones, tablets and other devices has introduced another point of vulnerability. “Security needs to be placed closer to the data and to the users accessing it,” Couser adds.
Although encryption historically has been blamed for decreased performance in applications, that issue has become less of a concern as processor speeds have improved. Some organizations worry about the additional costs. However, cost should be seen in an overall context of risk. “Encrypting sensitive personal information might add a bit of complexity,” says Beth Givens, executive director of Privacy Rights Clearinghouse, “but recovering from breaches is very expensive.” Considering the financial and reputational impacts of data breaches, organizations should be using every applicable tool from the ecosystem of information security solutions.