TDWI Upside - Where Data Means Business

Q&A: Data-Centric Security Wraps Data in Layers of Protection

A security expert explains why wrapping layers of security around your data is a must in today's world of constant data breaches -- and is seldom done properly.

As evidenced by the steady stream of reports of security breaches at large companies, very few large companies are securing critical data adequately. Rather than relying almost exclusively on user-centric authorization, organizations need to implement layers of data-centric security -- meaning security that operates on the data or very close to it.

In this interview, the first of two parts, we discuss data-centric security with security evangelist Jay Irwin of Teradata -- what it is, how various layers of security work together, and why so many large many companies have such poor data security. Irwin, who directs the Teradata InfoSec Center of Expertise, speaks and writes often on cyber security, security architecture, international privacy, and information assurance. He has BA and JD degrees, both with honors, from Drake University and Drake Law School.

Upside: Let's start by defining data-centric security controls. What does the term mean as opposed to overall enterprise-wide security?

Jay Irwin: Enterprise security controls refer to the entire set of security controls an organization can have, for any reason, in all environments, physical, logical, administrative, and so forth.

Data-centric security controls are a subset of that. The term can apply to any ecosystem that has a database or data warehouse at its core. Specifically, data-centric means that the controls we're looking at are designed to protect data in the data warehouse or database from any type of harm or misuse. Controls include such things as intrusion detection, synchronization, masking, monitoring user activity, network segmentation, and very strong access control. The data itself comprises the core of data-centric security controls.

In a recent TDWI webinar at which you spoke, Fern Halper, TDWI's director of advanced analytics, pointed out that companies often focus on certain types of user-centric security -- perimeter control, access control -- at the expense of true data security. You've probably seen that also in your role at Teradata. Given the huge, very public security breaches that we continue to see, why is that?

It may be that people in general don't see threat vectors the way security experts do. ... I think users have a broader view of security in general and don't really drill down into any one area -- until something happens.

Another reason is this -- when the data warehouse first came into vogue, it was looked at as something of a play area -- we can play with the data and build sandboxes and we can give everyone access. There wasn't much concern about data security -- and the same thing happened with Hadoop when it came into the marketplace.

However, as people realized the importance of the analytical value of their data and began to put it in one place and organize it, things changed. That one place is still the data warehouse and as soon as they started to put regulated data in there -- as they bought companies and added things like HR data -- they vaguely realized they needed to protect that data. It's not until they get that twinge though, when they are made to realize that they have sensitive data in there, that they start to think seriously about protecting it.

That speaks to the importance of education on security issues. Is that part of your job as director of the Teradata InfoSec Center of Expertise -- educating people about the importance of security?

Absolutely. Every time I go to a customer meeting in my role as a security evangelist, I talk about applying a layered defense strategy. I talk about how important it is for various blocks of the organization to have very specific levels of awareness, as well as security training.

Within databases, too, DBAS and BI tool application administrators have to be specially trained to understand the consequences of their need for data and their need to do analytics. People also need to be trained on how to observe the security controls that have been applied -- and to make sure they work -- and how to keep the governance in place, and so forth. They also need to understand what's high-value data and the fact that it has to have a higher level of protection.

How important is the role of data governance when we talk about data security? Is governance often overlooked by companies?

You'd be surprised how often it is overlooked and yes, it is important. It's so important that I would be willing to say that if you took on an IT security project of any size regarding access rights or data protection and it was ungoverned, it would fail.

Governance in this context means that executive management has to be committed to solving the problem and mitigating the risk, but also to paying for the allocation of resources to process it and make it work -- and to have the stamina to enforce it.

Governance just won't work otherwise. We've met with many customers who try to tell us in the first meeting what their security problems are. They may not know, but we are almost always able to tell in those situations whether governance is an issue. When we sense that they are not well-governed, we start to focus our questions around governance. In those cases, we typically find that there is none -- no data owners, no data stewards, no gatekeepers, no inventories of sensitive versus non-sensitive data, no data classification. Those are all symptoms of security problems.

So not only is their governance not focused on security -- they don't have governance in place at all?

Right. You usually find those together. No governance, period, and no governance around security.

Does that seem to occur regardless of company size?

It's shocking, really. I tend to deal mostly in the large-company world, so I can't speak as much to smaller companies, but in larger companies it is shocking how many organizations need much better governance.

In those cases, if they listen to what we have to say about governance and security, we're able to add a lot of value to keep a project from failing.

How do you convince companies to spend money on security? Do you bring up frightening examples or do companies already realize that they need to beef up security?

We get approached from two different levels, usually. One level is data warehouse management -- people who own the data warehouse in their company. The other level is the CISO's organization -- the Chief Information Security Officer.

Environment owners usually come to us with a mandate. CISOs, on the other hand, either come to us with a mandate or an "I can't sleep at night" feeling. They either have specific security objectives in mind, in which case they're easy to work with, or they come to us with fear in mind. "I don't know what I don't know and I'm scared." In those cases, we are usually able to sort out their problems using a security assessment. It's like the doctor diagnosing the patient -- I don't feel good and I don't know why. We look at a number of things and determine where we can help. After that, they have to get the financial commitment lined up.

We do get into situations -- and this happens quite a lot -- in which companies know they need a security control such as encryption and they also know that the enterprise solutions they're looking at can be expensive. Sometimes, in those cases, we have to deliver a fairly heavy dose of reality to them. You could call it fear-mongering, although I don't like to call it that because it sounds like a sales technique. What we're actually doing is telling the truth. We do it in a very real way. We tell them about real cases and real people and real organizations that have had things happen to them.

Do you cite examples of data breaches that have occurred at other companies?

Yes, as well as the consequences of those breaches, since that's really what everyone is worried about. For example, there are 50 state breach notification laws across the U.S. and a large organization with a lot of customers is going to have to spend a lot of money just to properly notify customers in each state of the breach.

Is that really the most expensive part of a data breach? Notifying customers?

Short of losing your reputation, yes. I'll give you a contrived example. Let's say you're a big company, you're breached, and 50 million records are lost. You can value those records however you want. The thief stole credit card numbers to put them on the black market, say, but they're actually not worth all that much money. There are credit card laws to protect consumers, so consumers don't necessarily lose economically. They certainly get nervous and perhaps angry and they know they've been compromised, but there are remedies for consumers.

There's fixing the problem that allowed the hacker in, but that's usually not a big expense either. Your security team finds the problem and locks down the network better. That costs money, but it usually doesn't cost millions of dollars.

However, back to those 50 million records. You have to notify 50 million people. How much is it going to cost to comply with 50 state laws to notify 50 million people if you're a national company that does business in every state? Of course, what you do is comply with the strictest notification laws in all cases. As a result you have to offer free credit monitoring to each individual. That's certainly not free for you, the company. You have to order freezes on credit reporting on certain accounts. You have to send notices out to all these customers. None of that is cheap. If you have 50 million records, and let's say you assume that the cost of breach notification is $10 a customer, that's half a billion dollars. It adds up quickly.

What about customer drop-off? Have studies documented loss of customers after a security breach?

We don't have a lot of good numbers on that yet but, unscientifically, what we have seen when breaches happen at large companies is that CEOs and CFOs may resign. We've seen departments re-organized, we've seen layoffs and things like that. We make the assumption that there's some sort of pecuniary loss to the company by virtue of sales dropping and reputation loss. What we haven't been able to quantify is how long that loss lasts, how deep it goes, whether or not it's restored, and how quickly -- if at all. There is always the possibility that it's going to break the company, just as there's always the possibility that a company is going to be resilient because of how it's structured and how it does business. There are huge variables there.

What mistaken practices do companies follow in thinking that they have good security in place when they actually don't?

My favorite one is this: "We have perimeter security so we can't be attacked. No one can get into our network, so we don't have to be all that concerned about what goes on inside. Everyone inside is an employee and they're authorized." You'd be surprised how much we hear that.

We say, OK, so you have perimeter security. What if someone gets in with a piece of malware? What if somebody steals a credential and gets in as a legitimate user? What if somebody on the inside does something bad? Worse, what if somebody on the inside works with somebody on the outside and allows them to use their credentials to hack in and steal data? Now you have someone inside an internal network with very few security controls -- no encryption, no tokenization, and no audit logging and monitoring -- so you don't know what's going on inside.

Then they start looking at us with huge eyes. They wake up to the risk or at least some of them do. There are still organizations out there that believe that the perimeter is a lot more solid than it really is. It's not. It's one control of many and it has a single point of failure.

If someone hacks the perimeter of the network and your security fails, they're in. You need other controls, such as encrypting your sensitive data or maintaining logs so that you know what your users are doing and you're alerted when something out of the ordinary happens. Those are two great internal data controls right there. One makes stolen data worthless and the other tips off the organization that something wrong is going on -- two great defenses against that single point of failure.

In addition, the more security controls that you have layered in place, the easier it is to get at the root cause of a breach. You can find the failure quicker if you have a layered set of security controls. You can isolate where the problem is coming from faster than if you just have, say, perimeter security, in which case the problem could be coming from anywhere.

[Editor's note: The discussion continues here.]

TDWI Membership

Accelerate Your Projects,
and Your Career

TDWI Members have access to exclusive research reports, publications, communities and training.

Individual, Student, & Team memberships available.