There’s Strength in Numbers When Devising a Data Security Strategy

Don Miller

I came across a Corporate Counsel article with the title “How to Secure Data from Hackers.”  Data security is a topic near and dear to the hearts of all bTraders and MFT Nation readers, so we decided to give it a read.  The gist of the article is that corporate counsel should consider “new” data security solutions such as “encrypting your data at the data level,” which, according to the author, would render perimeter and internal data security solutions “unnecessary.”  We discussed this among MFT Nation staffers, and below are our thoughts.

Do Not Rely on a Single Security Device; Use a Layered Approach Consisting of a Variety of Different Methods

MFT Nation staffers voiced unanimous disapproval of any approach that relies on just one security device, and we believe most IT professionals and regulators would agree.  In fact, most would recommend a layered approach for a data security strategy.  For example, the Federal Communications Commission (FCC) issued a Cyber Security Planning Guide which contains a section captioned “Create Layers of Security,” and in it the FCC says:

Protecting data, like any other security challenge, is about creating layers of protection.  The idea of layering security is simple: You cannot and should not rely on just one security mechanism – such as a password – to protect something sensitive.  If that security mechanism fails, you have nothing left to protect you.

Thus, the best data security strategy involves several different security methods deployed in a layered manner.  A layered approach reduces the likelihood that an attack will succeed by forcing the attacker to penetrate multiple security measures deployed at different layers of the network.

Do Not Ignore Perimeter Defenses and Other Internal Security Methods, Because You Need to Monitor Your Data Flows as Well as Who’s Trying to Get In and Out of Your Network

MFT Nation staffers tried but could not think of any situation that would render “firewalls, DLPs and other perimeter and internal security solutions unnecessary,” as the Corporate Counsel article suggests.  Without such tools, an organization would be blind to vulnerabilities on its network and could not monitor its data flows or who’s trying to get into and out of the network.  In fact, regulators have sanctioned companies for failing to deploy and/or properly use network monitoring tools, reasoning that such tools could have eliminated or reduced the risk of a data compromise.

Thus, network monitoring tools are a necessary component of a layered approach to data security.  bTrade’s TDXchange has functionality that would help in that regard, including end-to-end message tracking, reporting, and real-time alerts.  It has fully operational monitoring features in the GUI and a set of dashboards that enable real-time monitoring of file transfers, both textually and graphically.  Also, dashboards permit users to track key data (messages, transactions, participants, mailboxes, certificates, services, connections, etc.).

Encryption is an Essential Security Tool, but Be Aware That Not All Encryption is Created Equal

In its Cyber Security Planning Guide, the FCC recommends use of encryption as an “essential data protection technology.”  MFT Nation staffers wholeheartedly agree with the FCC, but we disagree with the assertion in the Corporate Counsel article that encryption is a “new” solution.  As the FCC said in its Cyber Security Planning Guide: “Encryption has been used to protect sensitive data and communications for decades.”

MFT Nation staffers also want to warn readers that not all encryption is alike.  For example, companies have incurred the wrath of regulators for “using only an insecure form of alphabetic substitution that is not consistent with, and less protective than, industry-standard encryption.”  Even strong methods of encryption won’t protect your data if the encryption isn’t configured properly, as one company learned when regulators challenged its encryption methods.
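To show concretely why regulators treat “alphabetic substitution” as less protective than industry-standard encryption, here is an added example (our own illustration, not bTrade or TDXchange code).  It scrambles a constructed sample record with a random letter-for-letter substitution and then checks what survives: every repeated word is still repeated, and the letter-frequency profile and index of coincidence of the “ciphertext” are identical to those of the plaintext, which is exactly the structure a frequency analysis exploits.  A properly configured modern cipher leaves none of this intact.

```python
import random
import string
from collections import Counter

# Constructed sample record for the demonstration; not real customer data.
SAMPLE_TEXT = (
    "ACCOUNT HOLDER JANE DOE ACCOUNT NUMBER ONE TWO THREE FOUR "
    "ROUTING NUMBER FIVE SIX SEVEN EIGHT BALANCE NINE THOUSAND"
)


def make_substitution_key(seed: int) -> dict:
    """Build a random monoalphabetic substitution table (A->?, B->?, ...)."""
    letters = list(string.ascii_uppercase)
    shuffled = letters[:]
    random.Random(seed).shuffle(shuffled)
    return dict(zip(letters, shuffled))


def substitute(text: str, key: dict) -> str:
    """Apply the table letter by letter; spaces and digits pass through unchanged."""
    return "".join(key.get(ch, ch) for ch in text.upper())


def letter_profile(text: str) -> list:
    """Sorted letter counts: the frequency 'shape' an analyst sees without the key."""
    counts = Counter(ch for ch in text.upper() if ch in string.ascii_uppercase)
    return sorted(counts.values(), reverse=True)


def index_of_coincidence(text: str) -> float:
    """Roughly 0.066 for English text, about 0.038 for uniformly random letters."""
    letters = [ch for ch in text.upper() if ch in string.ascii_uppercase]
    n = len(letters)
    counts = Counter(letters)
    return sum(c * (c - 1) for c in counts.values()) / (n * (n - 1))


def repeated_tokens(text: str) -> set:
    """Words occurring more than once; plaintext repeats survive substitution."""
    return {tok for tok, cnt in Counter(text.split()).items() if cnt > 1}


def leaks_structure(plaintext: str, ciphertext: str) -> bool:
    """True when the ciphertext keeps the plaintext's frequency shape and IC."""
    return (letter_profile(plaintext) == letter_profile(ciphertext)
            and index_of_coincidence(plaintext) == index_of_coincidence(ciphertext))


if __name__ == "__main__":
    key = make_substitution_key(seed=42)
    ct = substitute(SAMPLE_TEXT, key)
    print(ct)
    print("repeated words still visible:", repeated_tokens(ct))
    print("frequency structure leaked:", leaks_structure(SAMPLE_TEXT, ct))
```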

We should also point out the following warning noted in boldface in the FCC’s Cyber Security Planning Guide:  “Because not all levels of encryption are created equal, businesses should consider using a data encryption method that is FIPS-certified (Federal Information Processing Standard), which means it has been certified for compliance with federal government security protocols.”  bTrade customers have the comfort of knowing that the encryption modules used in bTrade’s software solutions are FIPS-certified.

Data Security is a Journey, Not a Destination

That is the title of an earlier MFT Nation piece.  We repeat it here to emphasize that achieving a secure IT environment is not a “one and done” proposition.  Data security is a dynamic process that requires strategies which evolve in the face of changing risks.  As such, the best approach for detecting and preventing unauthorized access to sensitive information is to deploy multiple data security mechanisms in a layered manner.