Securing Information Throughout Its Lifecycle with SafeNet Data Protection
WHITE PAPER
Executive Summary
The security frameworks implemented in most organizations aren’t cutting it today—and their shortcomings are only going to be exacerbated over time. This paper outlines why a new approach is needed, outlining the trends that are increasingly exposing the limitations of traditional security approaches. The paper then reveals how SafeNet’s comprehensive data protection solutions offer an effective, cohesive framework for protecting information throughout its lifecycle.
Introduction
Whether today, tomorrow, or in the coming months, leaders at many organizations are going to
come to a single, tough, yet unassailable truth: The proliferation and mobility of their data has
outpaced their businesses’ ability to protect it.
Sensitive assets are constantly at risk. Internal and external threats are persistent, pernicious,
and pervasive. Critical assets are increasingly vulnerable—whether it is a company’s
intellectual property, sensitive customer data, or core communications that underpin business
processes.
The current security framework has been built using security controls that guard specific systems against specific threats. Quite simply, this framework isn’t sustainable. Furthermore, the very nature of this fractured, patchwork framework is failing to deliver the integrated, comprehensive approach needed to protect information across its lifecycle.
To combat the threats of the future and guarantee the protection of data as it is actually used,
organizations must move to a framework that is centered on the data itself. With a data-centric
approach built around an information lifecycle model, organizations can build systems to
better protect data, gain enhanced visibility and control, and realize significant improvements
in efficiency and economies of scale.
Securing Information Throughout Its Lifecycle with SafeNet Data Protection White Paper 1
The Information Lifecycle
[Figure: The Four Categories of the Information Lifecycle, shown as a wheel with four segments: Identities, Transactions, Data, Communications.]
In order to discuss information lifecycle protection, we have to start with a framework for understanding how data flows through an organization and how entities create, operate, and consume this data. From a high level perspective, we can break the use of data into four categories. Viewing information in this way is useful in both understanding the use of data as well as the threats to that data in different scenarios. Following is an overview of these four categories:
• Identities. Information feeds into the organization from both individuals and applications. In addition, many organizations’ business applications create sensitive data. This could include a card issuer application automatically generating a credit card PIN or a healthcare provider generating patient identifiers.
• Transactions. Next, the business transforms and utilizes this data. Fundamentally, business
systems and processes take discrete data elements (sometimes called structured data) and
conduct transactions with this information, potentially involving multiple subsystems, in ways
that add value to the organization. This information is ultimately transmitted into the form
factors and consumption points needed by the rest of the business.
• Data. As data progresses throughout its lifecycle, information ends up being created, shared,
and stored in a number of locations: Individual PCs, application and database servers, file
shares, storage area networks, tape drives, etc.
• Communication. To make use of data, disparate systems need to communicate with each other.
This can include the transmission of information across a complex mix of private, public, and
semi-private networks. For years, this has been an area of clear security focus, as it was the one
area that crossed perimeter and trust boundaries.
Under Pressure: The Evolving, Increasing Demands on Data Protection
Now that we’ve established a framework for viewing information across its lifecycle,
we’ll turn to the issues organizations are confronting today. Following are a few of
the most pressing:
• Ever-expanding data volumes. The explosive growth in data volumes in itself puts pressure
on businesses. Whether a user is trying to find a file on a laptop or a server administrator is
trying to figure out how to enforce mailbox quotas, increasingly expansive amounts of digitized
information put an ongoing strain on businesses. While physical and virtualized storage costs
may drop, the costs and effort associated with deployment, maintenance, and protection of this
expanding infrastructure do not.
• Digitization of intellectual property. The amount of intellectual property held within IT systems
has increased, as well, as more business and operational models have gone digital and online.
For example, an architecture firm that 20 years ago was having blueprints couriered between
offices now shares proprietary CAD files with business partners and customers via secured
Internet connections. Media and entertainment firms that once used film now rely increasingly
on the digital capture, editing, and distribution of content.
• Build-up of compliance mandates. For most companies, the challenge of ensuring compliance
with external policies and standards is nothing new. As you can see in the graphic below, many
mandates have been in effect for years. However, the challenges of maintaining compliance and
adapting to changing threats and rules continue to place a strain on businesses.
[Figure: timeline of compliance mandates from 1970 to the 2000s: Privacy Act of 1974, Foreign Corrupt Practices Act of 1977, Computer Security Act of 1987, EC Data Privacy Directive, EU Data Protection, GLBA, COPPA, HIPAA, FDA 21 CFR Part 11, C6 - Canada, CLERP 9, NERC 1200 (2003), FISMA 2002, Sarbanes-Oxley, Basel II, CIPA 2002, CAN-SPAM Act, USA Patriot Act 2001.]
• Increased visibility and scrutiny of security. Thanks in no small part to the increased visibility
and severity of breaches, executives, governing boards, and the general public have gained
an increased understanding of the importance of, and issues relating to, data—the growing
amount and need for it, the critical role it plays in business performance, and the risks to which
it is exposed. For better or worse, and sometimes both, awareness of the importance of data
protection has reached the C-level suite and the boardroom.
The Cloud as Tipping Point
The challenges above are daunting in and of themselves, but the emerging cloud paradigm
threatens to throw a new and very big monkey wrench into the fundamental underpinnings
of information protection. Most assumptions about trust, ownership, and risk to information
were based on an understanding of a physical world with distinct (albeit continually fracturing)
perimeters. Now, virtualization and cloud-based computing throw these basic assumptions into
question.
Organizations have been utilizing software as a service (SaaS) or platform as a service (PaaS)
as the ultimate way to enjoy unparalleled resource elasticity while significantly minimizing cost
structures, as resources are shared in cloud-based architectures with other tenants. However,
the externally hosted, shared nature of these external cloud services raises a host of security
questions.
Current trends, including the emerging cloud paradigm, are placing increased demands and pressures on each of the four categories of the data lifecycle.
Virtualization of applications and platforms has created an unprecedented level of data portability. Sensitive data and application processing can be migrated across server farms with dozens of physical machines and hundreds of virtualized servers. Consequently, risks that were once associated with someone walking off with an entire server are now potentially realized through a hijacked password or a stolen flash drive.
As enterprise executives continue to chart their cloud strategies, security considerations will
need to weigh heavily in the criteria, along with the potential benefits in flexibility, cost savings,
and scalability.
The Implications
How do these challenges really impact your business? What problems are being presented as
a result of these trends? Following is an overview of some of the specific implications IT and
business leaders are now confronted with.
Security Islands
The task of ensuring the security of data has grown significantly more difficult. The overall
footprint of data that must be secured has grown tremendously. Practically speaking, the
complicating factor of this growth is not its sheer size (which is daunting enough), but how it
has grown. Rather than an expanding set of core data around which security requirements have
grown, IT and security teams find themselves managing islands of data and silos of data security.
These security silos grew out of specific needs: The particular nature of certain types of data,
the policies of a specific business unit, the localized efforts to comply with a specific regulatory
mandate, and so on. An organization’s history of mergers, acquisitions, geographic expansion,
and technology deployments can also further isolate the reach of a given security deployment.
Weak Links
This disparate and siloed nature of the data protection structure poses threats.
In the security field, it’s well known that it’s easier to attack the links between systems than to
attack specific security systems directly, which are typically secure as a stand-alone entity. The
mythical Trojan Horse that used a type of social engineering to breach
the perimeter defenses of Troy and the breaking of the German Enigma code in WWII as a result
of its insecure use by field soldiers are both well-known examples of this truism: It’s not the
strength of the gate or the code that’s vulnerable, but rather weakness in associated processes.
More recently, an attack known as Operation Aurora afflicted more than 30 companies. The
attacks exploited a zero-day vulnerability in Internet Explorer to compromise internal systems.
In spite of the “gates” that were in place, users were lured to click a link to a malicious server,
which initiated the attacks. This further illustrates the concept that weaknesses in associated
processes can undo even the best security.
Sophisticated Attacks
At a high level, it’s important to understand that the specific model of a modern attack is
one consideration, but it’s even more important to consider the sophistication and amount of
automation that can be employed in generating these attacks. Gone are the days when all you
had to worry about were simple ping sweeps and port scans. Now, your security team has to
explore all the intricacies across the entire network stack to look for a weakness. Powerful
tools like Google hacking make anonymous profiling easy, fingerprinting tools make it easy to
customize attacks, and automated scripts and tools enable the plundering of mass amounts of
data once an exploit is found.
Exposure to Internal Threats
Compounding matters is the fact that internal staff may pose a risk, whether due to not following
policies or through their susceptibility to social engineering. Here again, it can be the weak links
between systems that prove vulnerable. For example, a user can save sensitive customer data
to their laptop in order to complete a project at home, in spite of the fact that this act may run
counter to corporate policies. If that laptop were subsequently stolen, the organization would
then be subject to disclosure laws and the negative publicity that follows.
Further, malicious insiders continue to pose a very serious threat to organizations. Whether
motivated by revenge or money, inside users can exploit authorized access to conduct a broad
range of attacks, including theft and sales of corporate intellectual property, deletion of assets,
and sabotage of existing business processes.
Expensive and Inefficient
Furthermore, security is becoming more expensive—and not just from the top line perspective
(such as capital equipment cost), but also from the standpoint of architectural inefficiencies.
An organization may have overlapping identity and authentication schemes as a result of
uncoordinated projects. When it comes to cryptography, even if a common set of algorithms
(AES, RSA, etc.) is employed, an enterprise may have dozens if not hundreds of different systems
in place. There may be a distinct set of key handling systems for laptops, servers, databases,
mainframes, and storage systems—and one department or business unit may have a completely
different set of systems than another. Beyond the upfront costs, each of these systems exacts
the costs of the associated manpower required for set up, and ongoing maintenance, training,
and troubleshooting.
Cloudy Future
And lastly, the cloud adds more complexity and even more unknowns. With current systems,
even when security administrators are managing an increasing number of trust models and
deployments, at least there is a common understanding of the architecture and the means to
secure it. The cloud paradigm, the pace of innovation, the lack of common architectures, and the
relative lack of visibility and oversight all conspire to make it difficult to understand, let alone
mitigate, threats. Ultimately, security teams and management need to evaluate, deploy, and
manage each cloud architecture individually, which is neither sustainable, nor likely to create a
solid security foundation.
Time for a Change
Whether it comes to regulatory mandates, security cost and complexity, the implications of the
cloud, or explosive data volumes, these distinct issues share a common, fundamental reality:
The challenges they present will only be growing, not shrinking, in the days and months ahead.
These myriad challenges and trends point to a single, fundamental truth: The old way of doing
information protection isn’t sustainable. It’s time to change the model, from one concerned with
the trust of the systems that handle the data to the fundamental security of that data, regardless
of the system on which it happens to reside.
Today’s Requirements: Strategic, Comprehensive Data Protection
To address the challenges outlined above, organizations need to take a fundamentally different
approach to information protection across its lifecycle. To do so, they need to employ security
approaches that meet the following characteristics:
• Persistence. Data must be protected from its creation through its modification, distribution,
and deletion. Organizations must move beyond traditional perimeter and device security,
employing constant and intelligent protection to the data itself. Security policies should
accompany protected data, allowing it to move freely and be accessed as needed so
information can be shared and used to ensure optimal user productivity.
• Trust. For digital processes to function, trust needs to be an integral, unassailable attribute
throughout the workflow. This means ensuring users are who they claim to be and having
consistently enforced policies based on users and groups, so users can get the information they
need, while prohibiting access to the resources they’re not authorized to see.
• Transparency. In today’s competitive environment, organizations can’t afford not to implement
robust security measures, but they also can’t afford to have these measures hamper end user
productivity. Toward that end, security mechanisms such as encryption must be employed in a
manner that is automated and seamless, essentially invisible to the end user as they go about
their daily work.
• Control. Organizations need comprehensive, centralized control over their security. That
starts with a centralized platform that can be integrated with a broad range of systems and
environments, including enterprise file servers, databases, applications, laptops, and mobile
devices. Policies and keys must be administered centrally, and then applied globally. Reporting
and auditing mechanisms likewise need to be centralized to offer the highest levels of security
and efficiency.
New IT Security Realities
As Threats Change, Approaches Must Change.
As security threats evolve, so too must the tactics and strategies employed to guard against them.
Traditional Approaches | Data Lifecycle Approaches
Perimeter focused security | Persistent data-centric protection—intelligence to protect the data itself throughout its lifecycle
All-or-nothing encryption | Granular, selective protection over a subset of unstructured or structured data (files, fields, and columns)
Keep bad guys out, authorized users get full access | Granular privileges for authorized users, assure compartmentalization
Multiple products to meet business and security needs | Centrally managed solution that addresses business, compliance, data governance, and security
High level or very specific policy only; no proper central policy management | Centralized policy and lifecycle key management for optimum visibility and data control
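The requirements listed under Today’s Requirements (persistence, trust, control) and the table’s contrast between all-or-nothing encryption and granular, centrally keyed field-level protection describe one pattern, and it is easier to see in code. The Go program below is an added example written for this edit; it is not SafeNet code and does not model any SafeNet product. It seals only the sensitive fields of a record with AES-GCM from the Go standard library, binds a policy label (a key ID and a permitted role, both hypothetical names) to each ciphertext as associated data so the policy travels with the data and cannot be rewritten without detection, and resolves keys through a constructed in-memory registry standing in for a central key manager. The key IDs "k-pii" and "k-payments", the roles, and the sample record are all constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// FieldPolicy travels with each protected field: the central key that sealed it and
// the role allowed to unseal it (hypothetical names). It is AEAD associated data.
type FieldPolicy struct{ KeyID, Role string }

func (p FieldPolicy) label() string { return p.KeyID + ":" + p.Role }

// KeyRegistry is a constructed, in-memory stand-in for a central key manager.
type KeyRegistry struct{ keys map[string]cipher.AEAD }

// NewKeyRegistry generates a random 256-bit AES-GCM key for each ID given.
func NewKeyRegistry(keyIDs ...string) (*KeyRegistry, error) {
	r := &KeyRegistry{keys: map[string]cipher.AEAD{}}
	for _, id := range keyIDs {
		k := make([]byte, 32)
		if _, err := rand.Read(k); err != nil {
			return nil, err
		}
		block, _ := aes.NewCipher(k) // cannot fail for a 32-byte key
		g, _ := cipher.NewGCM(block) // cannot fail for an AES block
		r.keys[id] = g
	}
	return r, nil
}

// SealField returns a self-describing token "keyID:role:base64(nonce||ct||tag)".
func (r *KeyRegistry) SealField(p FieldPolicy, plaintext string) (string, error) {
	g, ok := r.keys[p.KeyID]
	if !ok {
		return "", fmt.Errorf("unknown key id %q", p.KeyID)
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := g.Seal(nil, nonce, []byte(plaintext), []byte(p.label()))
	return p.label() + ":" + base64.RawURLEncoding.EncodeToString(append(nonce, ct...)), nil
}

// OpenField enforces the token's own policy for callerRole, then decrypts;
// a changed label or ciphertext is rejected by the GCM tag check.
func (r *KeyRegistry) OpenField(token, callerRole string) (string, error) {
	parts := strings.SplitN(token, ":", 3)
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed token")
	}
	p := FieldPolicy{KeyID: parts[0], Role: parts[1]}
	if callerRole != p.Role {
		return "", fmt.Errorf("role %q is not permitted by policy %q", callerRole, p.Role)
	}
	g := r.keys[p.KeyID]
	raw, err := base64.RawURLEncoding.DecodeString(parts[2])
	if g == nil || err != nil || len(raw) < g.NonceSize() {
		return "", fmt.Errorf("malformed token or unknown key id %q", p.KeyID)
	}
	pt, err := g.Open(nil, raw[:g.NonceSize()], raw[g.NonceSize():], []byte(p.label()))
	if err != nil {
		return "", fmt.Errorf("integrity check failed: policy label or ciphertext altered")
	}
	return string(pt), nil
}

// ProtectRecord seals only the fields that have a policy and leaves the rest
// readable: granular field-level protection instead of all-or-nothing.
func ProtectRecord(r *KeyRegistry, rec map[string]string, policies map[string]FieldPolicy) (map[string]string, error) {
	out := make(map[string]string, len(rec))
	for name, value := range rec {
		if p, ok := policies[name]; ok {
			tok, err := r.SealField(p, value)
			if err != nil {
				return nil, err
			}
			value = tok
		}
		out[name] = value
	}
	return out, nil
}

func main() {
	reg, _ := NewKeyRegistry("k-pii", "k-payments") // constructed key IDs
	rec := map[string]string{"name": "A. Example", "ssn": "123-45-6789", "card": "4111111111111111"}
	policies := map[string]FieldPolicy{"ssn": {"k-pii", "billing"}, "card": {"k-payments", "payments"}}
	protected, _ := ProtectRecord(reg, rec, policies) // constructed sample record
	fmt.Println("name stays readable:", protected["name"])
	fmt.Println(reg.OpenField(protected["card"], "payments")) // payments role reads the card
	fmt.Println(reg.OpenField(protected["card"], "billing"))  // billing role is denied
}
```

The point of binding the label as associated data is that a copy of the token stored on a laptop, a file share or a cloud tenant still carries its own access rule, and an attempt to relabel it for a broader role fails the tag check rather than succeeding quietly; the key itself never leaves the registry, which is what lets keys be administered centrally and applied wherever the data goes.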
The Solution: SafeNet Data Protection
To address today’s challenges, including explosive data volumes, disparate security silos,
evolving cloud initiatives, and more, organizations need a long-term solution that acts as a nexus
for data control and business innovation. This is exactly what SafeNet data protection solutions
deliver:
• Gain enterprise wide visibility and control. SafeNet delivers comprehensive, centrally managed
solutions that enable organizations to eliminate patchwork islands of defense and instead start
governing enterprise-wide security in a cohesive, centralized manner.
• Boost efficiency. With a more cohesive, comprehensive security framework in place,
organizations can eliminate the complexity, duplication of efforts, and high cost of employing
and maintaining overlapping, disparately managed systems.
• Eliminate weak links. SafeNet helps organizations eliminate security islands—so they can
eliminate the exposure presented by the links between disparate systems. In this way, they can
better guard against increasingly sophisticated external threats and minimize the exposure
posed by malicious insiders.
• Enhance agility. SafeNet’s efficient, comprehensive, and flexible framework equips
organizations with the capabilities they need to more quickly adapt to changing business,
technological, and security challenges and opportunities.
• Embrace the cloud. By offering capabilities for granular, persistent control of information,
SafeNet enables organizations to more fully leverage the business benefits of the cloud—while
simultaneously strengthening security. In this way, the cloud can become a more strategic
business asset rather than a security liability.
Comprehensive Information Protection Across the Lifecycle
SafeNet solutions provide persistent protection of information at critical points in its lifecycle,
wherever and however that information gets used. SafeNet solutions give your business the
agility needed to adapt to change and act on opportunity, while securing information across all
four stages of its lifecycle:
• Identities. SafeNet offers strong authentication and identity management solutions that
protect identities for users and servers.
• Transactions. SafeNet delivers industry-validated, hardware-based encryption platforms that
protect transactions, ensure data integrity, and maintain an audit trail.
• Data. SafeNet’s data encryption and control solutions protect and maintain ownership of data
throughout its lifecycle, from the data center to the endpoint and into the cloud.
• Communications. SafeNet provides high-performance communication encryption solutions
that persistently protect information, ensure control beyond location or boundary, streamline
operations, and reduce compliance costs.
[Figure: Information Lifecycle Protection wheel with four segments, Identities, Transactions, Data, Communications, ringed by the words protect, share, access, perform, control.]
SafeNet offers a comprehensive set of offerings that enable organizations to protect information across its lifecycle.
Learn more about SafeNet solutions for each stage of the information
lifecycle in the following pages.
SafeNet for Identities:
TRUSTED USERS, SERVERS, AND SERVICES
SafeNet offers the broadest range of strong, multi-factor authentication solutions and hardware security modules that ensure only authorized individuals can access your organization’s sensitive information. In addition, it secures identities—enabling trust. With SafeNet, organizations gain the access controls that enable business, lower IT costs, and boost user productivity.
Designed to adapt with your evolving business needs, SafeNet’s trusted authentication solutions secure remote access, enhance network access security, simplify password management, and enable new online services with the industry’s broadest range of authenticators, management platforms, and security applications. SafeNet authentication and HSM solutions can be combined to ensure the strongest levels of digital signature security. As a result, organizations can protect the identities connected to business transactions while allowing for faster time to market and lower operational costs.
[Figure: Hardware Security Module and Multi-Factor Authentication combine to provide Authorized Access.]
SafeNet offers both multi-factor authentication solutions and hardware security modules that ensure only authorized users can access sensitive information.
SafeNet for Transactions:
ASSURED PROTECTION OF HIGH-VALUE KEYS
SafeNet HSMs provide reliable protection for transactions, identities, and applications by securing cryptographic keys and provisioning encryption, decryption, authentication, and digital signing services.
SafeNet HSMs provide the highest performing, most secure, and easiest to integrate application and transaction security solutions. SafeNet HSMs are highly tamper resistant, featuring FIPS and Common Criteria validation. With a broad range of HSM offerings and a full range of API support, SafeNet HSMs enable application developers to easily integrate security into custom applications. In partnership with leading application solution providers, SafeNet has produced HSMs that offer end-to-end protection for organizations, helping them achieve regulatory compliance, streamline business processes, reduce legal liabilities, and improve profitability.
For example, SafeNet HSMs are used in a host of digital workflows where ensuring trust throughout the process is critical, such as e-invoicing, electronic mortgage processing, online credit card PIN issuance, and more. Digital signatures, powered by encryption and public key infrastructure (PKI), represent the means for establishing trust in these digital processes. SafeNet HSMs are dedicated systems that physically and logically secure the cryptographic keys and cryptographic processing that are at the heart of digital signatures.
[Figure: the HSM secures cryptographic keys, which in turn protect transactions, identities, and applications.]
SafeNet HSMs secure the cryptographic keys that protect transactions, identities, and applications.
SafeNet for Data:
DELIVERING PERSISTENT ENCRYPTION AND CONTROL
SafeNet delivers comprehensive data encryption and control solutions that enable you to maintain ownership of your data throughout its lifecycle—as it is created, shared, stored, and moved within and beyond your organization. With SafeNet, protection extends from the data center to the endpoint and into the cloud.
SafeNet delivers secure and easy to manage key lifecycle and policy management capabilities, offering the following solution suites:
• The Data Center Suite secures customer information, cardholder data, and social security
numbers stored as structured data in databases, applications, and mainframes—as well as
unstructured data kept in file servers.
• The Endpoint Suite protects and controls documents, pictures, patents, and designs stored as
unstructured data on laptops and mobile devices, while also offering full-disk encryption and
content security for data loss prevention.
Data Center Suite
• DataSecure
• ProtectDB
• ProtectApp
• ProtectZ
• Protect File Server
• Tokenization Manager
Endpoint Suite
• ProtectFile
• ProtectDrive
• eSafe SmartSuite
• MDeX
SafeNet delivers comprehensive solutions that offer granular, persistent controls
to ensure data is protected throughout its lifecycle—from the data center to the
endpoint and into the cloud.