10 Tips For Protecting Sensitive Enterprise Data

Pending legislation holds companies responsible for data system compromises. How prepared is your organization? (courtesy: Systems Management Pipeline)

January 17, 2006

Network Computing

As legislation to provide a national law to protect identity and data moves forward in the U.S. legislature, systems managers will find that they are increasingly being held responsible if a company’s data systems are compromised, according to security experts following legal and technology developments.

“Legislation is creating a new model; people are being held more accountable,” says Toby Weiss, senior vice president and general manager of CA’s security management business.

Weiss and other security experts recommend these top 10 data/identity protection factors for systems managers:

1. Strong controls: Systems managers must have strong security controls. Everyone in the IT department has to be involved. Companies need to protect their financial data and the identities of their customers and their business partners. The role of the systems manager is to protect against any identity theft.

The first step in doing this, several experts agree, is to have company policies and procedures in place. While this will likely come from management above systems managers, they should still have input in the policies and procedures to recommend additional precautions that may not be in the initial rules, according to Scott Laliberte, a director specializing in information security systems for Protiviti, Menlo Park, Calif. “Systems managers are the custodians of the data within their systems,” Laliberte explains. “They should help business owners translate business policy into controls that will help protect that data.”

2. Define sensitive data: The enterprise policy should also include guidelines for what is and isn’t sensitive information, says Doug Graham, senior consultant for BusinessEdge Solutions, Inc., East Brunswick, N.J. If these guidelines aren’t in the policy or are too vague, the systems administrator should ask for additional definitions.

3. Plan for outages: Another element of best practices is knowing what to do if part of the security system (e.g., a firewall) goes down, Graham adds. “Any data that needs to be protected needs to have a robust method of protecting it. You need to be able to detect [breaches], monitor access and have a response if something goes wrong.”

4. Monitor internal, external developments: Systems managers should take an active role in monitoring trends internally and across different industries for changes in identity/data theft threats, according to several experts. Such knowledge helps systems managers better recognize potential security attacks and the protections that their systems should include.

5. Manage access: The actual protection of systems comes down to simple entitlement management, Weiss adds. “The systems manager can easily run a report on who has access to what.” People within and outside the organization, including systems managers, should only have access to those systems and the information in those systems that they need in order to do their jobs, Weiss says.

While the systems manager may need access to more parts of more systems than most, there should also be a policy of checks and balances so that protection is built in. So two systems managers should check each other or there should be some other type of auditing mechanism, according to Weiss.
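The “who has access to what” report and the checks-and-balances rule above can be turned into a small entitlement review. The following is an added example, not code from the article or from any of the vendors quoted in it; the role model, user names and grants are constructed sample data, and a permission is treated as administrative simply because its name ends in `.admin`. It answers three questions: who holds each permission, which grants exceed what the user’s role justifies, and which administrative rights are held by only one person, so no second systems manager could check their use.

```python
from collections import defaultdict

# Constructed sample data (not from the article): what each role is entitled to.
ROLE_ENTITLEMENTS = {
    "accounts_payable": {"erp.invoices.read", "erp.invoices.approve"},
    "helpdesk": {"hr.directory.read"},
    "systems_manager": {"erp.db.admin", "hr.db.admin", "audit.log.read"},
}

# Constructed sample data: each user's assigned role.
USERS = {
    "alice": "accounts_payable",
    "bob": "helpdesk",
    "carol": "systems_manager",
    "dave": "systems_manager",
}

# Constructed sample data: the grants actually present on the systems.
GRANTS = [
    ("alice", "erp.invoices.read"),
    ("alice", "erp.invoices.approve"),
    ("alice", "hr.db.admin"),        # not justified by the accounts_payable role
    ("bob", "hr.directory.read"),
    ("carol", "erp.db.admin"),
    ("carol", "hr.db.admin"),
    ("carol", "audit.log.read"),
    ("dave", "erp.db.admin"),
    ("dave", "audit.log.read"),
    ("eve", "erp.invoices.read"),    # account with no role assignment at all
]


def access_report(grants):
    """Who has access to what: map each permission to the set of users holding it."""
    report = defaultdict(set)
    for user, perm in grants:
        report[perm].add(user)
    return dict(report)


def excess_grants(users, roles, grants):
    """Grants that the user's role does not justify, in the order they were found.

    A user with no role assignment is entitled to nothing, so every grant
    they hold is reported as excess.
    """
    excess = []
    for user, perm in grants:
        allowed = roles.get(users.get(user), set())
        if perm not in allowed:
            excess.append((user, perm))
    return excess


def unreviewed_admin_perms(users, roles, grants):
    """Administrative permissions (name ends in '.admin', an assumption of this
    example) that, once excess grants are removed, are held by fewer than two
    people; those have no peer who could check how they are used."""
    excess = set(excess_grants(users, roles, grants))
    legitimate = [g for g in grants if g not in excess]
    report = access_report(legitimate)
    return sorted(
        perm for perm, holders in report.items()
        if perm.endswith(".admin") and len(holders) < 2
    )


if __name__ == "__main__":
    for perm, holders in sorted(access_report(GRANTS).items()):
        print(f"{perm:25} {', '.join(sorted(holders))}")
    print("excess grants:", excess_grants(USERS, ROLE_ENTITLEMENTS, GRANTS))
    print("admin rights with a single holder:",
          unreviewed_admin_perms(USERS, ROLE_ENTITLEMENTS, GRANTS))
```

On the sample data the report flags alice’s database-admin grant and the role-less account eve as excess, and shows that `hr.db.admin`, once alice’s grant is discounted, rests with carol alone. In practice the grants would be pulled from the directory or database rather than a literal, but the three questions stay the same.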

6. Use replicated data: Joe Cupano, technical director for Solsoft, Inc., Mountain View, Calif., recommends that beyond access rights, systems managers should also work with the owners of applications to ensure that they use replicated data rather than the data sitting on back-end systems. By using replicated data, the user can use only the information he’s entitled to; he doesn’t have the chance to use the access to “approved” data as a back door to get to data for which he doesn’t have authorization.

“Systems managers need to be involved with application owners so they only replicate the information that is necessary to run the applications,” Cupano says.

Cupano also recommends that systems managers work with application owners to ensure that they are following identity/data protection best practices, including using hardened databases and hardened operating platforms.

7. Understand system linkages: In today’s distributed computing environment, the system administrator also needs to know how different systems work and what happens to data as it moves from one system to another, says Matthew Curtin, founder of Interhack Corp., Columbus, Ohio. The data may be secure on the back end, but different front-end systems may be insecure. The front-end systems may not need to be secure if they have no way to reach sensitive information. If a link is possible, then the front-end systems need to secure the data as well.

8. Monitor content: Part of the method of protecting data includes content monitoring and filtering of any information that leaves the company via e-mail, says Keith Crosley, director of market development for Proofpoint, Cupertino, Calif. Such protection often comes under the role of the systems manager because they often have jurisdiction over a company’s messaging systems.

So systems managers should employ scanning systems that look for and block potentially sensitive information (e.g., a nine-digit number, which could be a Social Security Number).
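The nine-digit check is the classic example of outbound content filtering, and it also illustrates the main caveat: many nine-digit numbers are not Social Security Numbers. The following is an added example, not code from the article or from Proofpoint; the sample messages are constructed. It matches the three common SSN layouts, then discards candidates that break the Social Security Administration’s structural rules (area 000, 666 or 900 and above is never issued; group 00 and serial 0000 are never issued), and redacts the rest before deciding to block.

```python
import re

# Nine digits in the layouts 123-45-6789, 123 45 6789 or 123456789.
# The backreference \2 forces both separators to match, and the word
# boundaries stop the pattern matching inside a longer digit run such as
# a 10-digit phone number or a 16-digit card number.
SSN_CANDIDATE = re.compile(r"\b(\d{3})([- ]?)(\d{2})\2(\d{4})\b")


def looks_like_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules the Social Security Administration applies to issued
    numbers; anything violating them cannot be an SSN and is a false positive."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def scan_message(text: str) -> list:
    """Return (start, end, masked) for every candidate that passes the rules.
    The mask keeps only the last four digits, which is all a log should hold."""
    hits = []
    for m in SSN_CANDIDATE.finditer(text):
        area, group, serial = m.group(1), m.group(3), m.group(4)
        if looks_like_ssn(area, group, serial):
            hits.append((m.start(), m.end(), f"***-**-{serial}"))
    return hits


def filter_outbound(text: str) -> tuple:
    """Decide whether an outbound message should be held.

    Returns (blocked, redacted_text). Redaction walks the hits from the end of
    the string so that earlier offsets stay valid when a 9-character match is
    replaced by the 11-character mask.
    """
    hits = scan_message(text)
    if not hits:
        return False, text
    redacted = text
    for start, end, masked in reversed(hits):
        redacted = redacted[:start] + masked + redacted[end:]
    return True, redacted


if __name__ == "__main__":
    # Constructed sample messages (not real data).
    samples = [
        "Please update my file, my SSN is 219-09-9999, thanks.",
        "Order 000-12-3456 shipped; ticket 900-12-3456 is closed.",
        "Call me at 614-555-0123 about invoice 123456789.",
    ]
    for s in samples:
        blocked, redacted = filter_outbound(s)
        print("BLOCK" if blocked else "pass ", "|", redacted)
```

The third sample shows the limit of a purely structural scanner: the invoice number passes every rule and is blocked. Production filters reduce that by requiring context (a nearby keyword such as “SSN” or “social”) or by weighting several indicators before holding a message, rather than acting on one pattern alone.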

9. Use automation: Any scanning systems, downloads and implementation of security patches and any other procedures that can be automated should be, including automatic downloads and installations, says Mark Beadles, chief architect for ENDFORCE, Dublin, Ohio.

“You need to make the implementation of security almost brain dead,” Beadles said.

10. Use encryption: Automatically encrypting sensitive data is another best practice that many security experts say systems administrators should make sure is deployed.

“Systems administrators also need to know where to employ encryption,” Crosley says, recommending that any encryption be applied automatically. He expects an encryption element in any national legislation that eventually becomes law.

Not only does following these procedures protect the company, its clients and customers, it also will help the systems managers keep their jobs, according to Weiss and others. As the legislation moves forward, several experts expect company executives to be held more accountable for protecting identities and customer information. While any final legislation might not cite systems administrators for any responsibility, the reality is that inside the company, the “trickle down effect” will result in systems managers being responsible from a corporate standpoint, according to Beadles.

“It will become a thing that will affect systems administrators themselves,” Beadles says, adding this is already occurring, even before any national legislation becomes law. “Executives won’t bear all of the responsibility [for identity/data protection] by themselves. It turns into a system administrator’s implied responsibility to make sure that systems are configured to protect users from themselves and bad behavior.”
