℅ 5b/3 Central Avenue
At a board level data security is about:
- Demanding continued vigilance in the protection of information;
- Setting appropriate policies to mitigate the risk of brand damage and financial losses resulting from a data breach; and
- Maximising the benefit to the organisation from its investment in appropriate data security controls.
Ultimately, it is about data and information. Who has the data, how much data does each person have access to, and is the data sensitive and financial in nature. Communications is the transport of information and encryption is imperative but so is managing the information in a secure way and this is what has not kept pace with the communications revolution.
The focus in data security over the last decade has been a concept called "role based" security. This involves managing a person's access via the roles that they have within various applications. These applications in turn read and write the data and are responsible for implementing the security regime. The problem is if you bypass the application you can still get to the data (read and write).
An additional layer of protection is required and it needs to be at the data level. Furthermore, this additional layer of protection needs to be implemented as a piece of infrastructure in precisely the same way that other security measures such as passwords and firewalls are.
Data security needs to be taken out of the hands of the application developers (programmers), it should be provided to them as a piece of infrastructure that is independent of any application.
As first tier consultants in data security we work with organisations from a board level and senior executive compliance level to provide a security model of people, process and platform. We provide a visual representation of how this new security model works in your organisation and an implementation path to introduce technologies, procedures and processes to permanently close back doors to the data.
There are some key issues with respect to why it has been so difficult to implement eff ective security across an organisation.
- The first issue is that of overall IT infrastructure, systems and databases. Many large organisations have over time merged with other entities or taken over competitors, resulting in numerous databases, links between systems, various hardware and often many old legacy systems. The provision of security in this type of environment is complex and usually provided by application developers building controls into the various programs. The result of this approach is unsatisfactory, as evidenced by the various statistics relating to data fraud.
- Security needs to be effected at an enterprise level across all databases and systems without any back doors or access points created by the various applications that consume the data. The only real way to implement at an enterprise level is to provide it as a piece of infrastructure. This is consistent with the provision of single sign on passwords, firewalls etc.
- Until now it has not been possible to implement an enterprise wide solution providing row level security across multiple systems, databases and hardware platforms. Designing IT Solutions has invented new technology known as Data Chamber. Data Chamber is a technology that is a general way of working with all relational database management systems to provide row level security and close any back door independent of the context of any applications. In other words what we have created is a database wrapper that works as a preventative control. This opens up a whole new way of implementing enterprise wide data security infrastructure.