Threats to enterprise data have grown in both volume and sophistication during the past several years. And with each new incident that makes headlines and captures the attention of the nation, it becomes more evident that new policies and strategies for protecting confidential information are needed now more than ever.
SC Magazine U.K. contributor Terry Greer-King referred to the need for "next-generation" policies because the old ones simply aren't cutting it anymore.
"The move to web 2.0 and mobile computing, not to mention virtualization and cloud deployments, have forced businesses to handle more network events and a greater variety of traffic," thus increasing the burden of protecting it all through data security programs, he wrote.
Among the most disruptive trends has been the increase in the number of devices employees now use to connect to the enterprise network. Between smartphones, tablets, laptops and the like, professionals have never enjoyed such easy access to data and applications. Never before have companies faced so many threats either.
But upholding data security principles is still possible, Greer-King said, as long as companies change their focus and embrace new practices. Here are a few he highlighted.
1. Prioritize data
Keeping up with the number of devices that access corporate data is nearly impossible, especially in consumerized environments. These days, Greer-King stated, companies should make it a priority to implement security measures at the data level.
"The core element of security policy is the ability to analyze the data that is being accessed, sent and manipulated to ensure users are not sharing or leaking sensitive information," he wrote. "This requires assessing not only what applications employees can use, but what data these applications are allowed to use, and, in turn, taking steps to protect sensitive data from inappropriate or non-compliant usage."
With such a tight focus on data, protection measures will travel with the information no matter where it goes – whether outside or inside an organization's walls.
2. Manage users
Instead of managing individual devices, companies should now turn their focus to governing the users themselves. Since each user may have three or more devices, it's much easier to oversee the people.
"Defining policy based on user access and type of device is the only logical choice, as it gives a smarter means for managing access from fast-growing consumerized estates, where the device may not always be known," Greer-King wrote.
Under this approach, he added, companies should know each IP address in use among their employees.
3. Watch the apps
Now that data and people are covered, companies should turn their attention to applications, Greer-King said.
"By allowing users to interact with the security system, both to remind them of corporate policy on acceptable use of applications and to take feedback in real time on why the user needs access and the intended purpose of their usage, organizations can add a further layer of security reinforcement and protection," he wrote.
That's important given that applications come in many forms for companies today, from traditional on-premises legacy software to software delivered through cloud computing and accessed on mobile devices.
In November, an InformationWeek report discussed a similar need for new approaches given the rise of bring-your-own-device models at many companies. With companies allowing employees to access enterprise systems on personally owned smartphones and tablets, InformationWeek said, they should also take a data-centric approach to security.
Data Security News from SimplySecurity.com by Trend Micro