| Subcribe via RSS

Data Security & Identity Management: Essential 1st Cousins in IT Security

5 Tools for Improved Identity Management As a senior architect, sales engineer, and consultant out in the field working closely with senior IT security leaders and CISOs, I sometimes run into questions surrounding the Vormetric product line related to Identity Management. Having implemented identity management solutions for Fortune 500 companies around the world for a number of years, I truly appreciate when these questions arise, as it demonstrates some understanding that Data Security and Identity Management are essential first cousins in IT Security.

How are they first cousins within IT Security and why are they both so essential, vital and important, you ask? At some point here, I’ll throw out at least a one-line history statement to show how and why they are related so we can subsequently understand their vitality and importance within enterprises in today’s world.

Data Security & Identity Management Go Hand In Hand

But first, when you think about it, at base and stripped all the way down, digital information is about digitized data on a storage medium of some sort. That’s it. Whether it’s raw data or data that is executed (ie. a program, a script, etc.), to the storage device and the operating system that manages both, it’s all just “data.” The data itself then is at the heart of what every computing system is about. And data security is all about securing that data wherever it lives for the enterprise.

Digitized data just sitting on a storage device however is meaningless. Access to that data and a frame of reference – “this data is a ‘program,’ this data is ‘system data,’ this data is ‘user data,’” etc. – is what gives data meaning and life. [1] For someone who sells and/or implements in either the Data Security or Identity Management space, it can be very easy to don horse blinders and insist to customers that their solution is the essential piece:

“No! It’s all about protecting the data and having data protect itself!”

“Au contraire! It’s all about identities and governing access to the data!”

Actually, Data Security and Identity Management are symbiont to one another and synergistically linked – chicken and egg, needle and thread, wall and head (for all us cybersecurity professionals, I had to throw that one in there!), Batman and Robin, Oscar and Felix, Wallace and Gromit. (You get the picture… :-)) Ya gotta have both. Both are right and either by themselves aren’t the entire answer or solution to the problem of securing data.  Data without access is dead. But access governance that doesn’t drive protection and controls all the way down to the data level is insufficient. Both are needed, necessary and essential and must be combined together to provide an effective and efficient solution to data security and identity and access management and governance. They go hand in hand.

In terms of implementation…, [Identity Management and Data Security] should be implemented top down and bottom up, and somewhat simultaneously, designed to meet in the middle.

More »

Tags: , , , , , , , ,

Considerations Around Application Encryption

December 22nd, 2015 | No Comments | Posted in Data Security, IT Industry, Security, Tools

person-encryption-623x420For years, the use of encryption to protect data-at-rest on computers within the enterprise was solely the responsibility of developers who coded the applications that used or generated the data. Early on, developers had little choice but to “roll their own” encryption implementations. Some of these early implementations were mathematically sound and somewhat secure. Other implementations, while perhaps not mathematically sound, were adequate for the risk developers were attempting to mitigate.

As technology progressed, choices for encryption matured and solidified across development stacks. Callable libraries were born. Algorithms were perfected, significantly strengthened and pushed into the public domain. And beyond application encryption, encryption itself began to offer benefits to the enterprise at an operational level – within turnkey, off-the-shelf solutions that could be aimed at specific enterprise use cases such as end-point data loss prevention (DLP), encrypted backups, and full-disk encryption (FDE) among others.

Today however, when CISOs and senior security, software and enterprise architects think of protecting data-at-rest, their conceptions can sometimes harken back to days of old and they will stipulate encryption solutions as necessarily needing to be implemented at the application layer.

And while it turns out there is actually no extreme fallacy in this thinking and some benefits at this layer remain, there are some considerations and tradeoffs surrounding application encryption that aren’t overtly obvious. These considerations and tradeoffs can get lost when not weighed along with more recent turnkey, transparent solutions that get implemented at a different architectural layer with nearly the same benefit yet with much less risk and cost association.

Let’s look at and consider some of the ins and outs of application encryption. Hopefully the following thoughts and considerations will help those who are deep in the throes of needing to make a decision around encryption of data-at-rest.
More »

Tags: , , , , ,