According to the Better Business Bureau, 8.9 million Americans were victims of identity theft in 2005.
And, in a hearing before the House Committee on Government Reform, the Committee chair stated that the "Office of the U.S. Trade Representative (USTR) reported that U.S. companies lost between $200 and $250 billion in 2003 because of piracy and counterfeiting." Even by American standards, $200 billion is a lot of money, and the problem did not diminish last year.
The issue for us information security professionals is: Do we get it? Have we moved our strategies and efforts toward a more data-centric protection posture?
Focusing on network-level security alone is not realistic, given the multiple connections to the internet and the numerous third-party connections an enterprise maintains. A network-level focus assumes that encryption of network traffic is not an issue, and it is implicitly an intra-enterprise-only solution, incapable of handling data that is subject to some level of authorized sharing.
Also, focusing on host- and operating system-level security alone is not realistic due to the use of multiple operating systems, huge numbers of devices, and numerous form factors. A host-level focus assumes that all devices are known and good, and it assumes that a solution is available for all hosts (i.e., all operating systems).
While application security is certainly important, how often does data today remain in a single application? Data today is simply too transient to rely on anything less than the protection of the data itself – regardless of which network it is traversing. And, given the increasing value of that data to our information society, we have to focus on this particular protection challenge.
The reality of this situation is that digital rights management (DRM) will be a necessary component of any solution here. That DRM capability will have to expand significantly to cover numerous data formats, structured and unstructured – not simply audio and video.
While many companies are now entering the data protection segment of the market, none of them yet have a viable solution to this problem that meets the needs of enterprise operations today – let alone the challenges that the emerging utility computing paradigm will bring.
But just because our enterprise needs for securing data cannot be adequately, or simply, addressed today does not mean that we information security professionals should not be moving toward a more data-centric protection profile today. We should. Are we doing so?
Tim Mather is CISO of Symantec
30 SECONDS ON...
Network, which network?
Tim Mather, CISO, Symantec, says, "If a customer were to ask, 'How is the network today?' my response would be, 'Which? Our internal network? One of our service providers' networks? One of your customers' service providers' networks?'"
Connectivity is key
What customers care about is connectivity, adds Mather. "[They] expect the networks to be up and running. They care about getting to data. They want to access the data, manipulate the data and, increasingly, to sell the data."
Access or not
"There always will be an arms race between those who want to restrict access and those who want to set content free," Doug Lichtman, professor of law, University of Chicago, recently wrote on the university's website.
Not so confidential
"Between January 1 and June 30, 2005, malicious code that exposed confidential information represented 74 percent of the top 50 malicious code samples reported to Symantec," according to Symantec's Internet Security Threat Report.