
A Server Breach Does Not Have to be a Data Breach


Stop and think about your bank for a minute. Do they pile the money up in the middle of the lobby? Why not? There are locks on the doors.

No. The bank does have locks on the doors…and an alarm system…and armed security guards…and video surveillance…and yet, they still keep the money locked in a vault–just.in.case. Even if intruders manage to break through or bypass all of the other security measures, the money will still not be compromised because it is in a locked vault.

Organizations need to treat sensitive data the same way banks treat money. The security controls in place–firewalls, intrusion detection, antimalware, etc.–are great, and necessary, but sensitive information like Social Security numbers and account numbers needs to be encrypted for that extra measure of protection, to ensure it cannot be breached even if malicious intruders manage to circumvent the other security controls.

The school district in Eugene, OR had security in place on its server, but attackers were able to bypass it. That server contained information on 13,000 current and former employees including names, addresses, dates of birth, Social Security numbers, tax identification numbers and direct-deposit bank account information. If the school district had encrypted the data on the server using a tool like Zecurion ZServer Storage, the sensitive information could have been protected even though attackers breached the server.



9 Responses to “A Server Breach Does Not Have to be a Data Breach”

  1. Janice Gaines says:

    Most companies enjoy “security” as a matter of luck. I’d be curious to know if anyone else here is reading “I.T. WARS”? I had to read parts of this book as part of my employee orientation at a new job. The book talks about a whole new culture as being necessary – an eCulture – for a true understanding of security, being that most identity/data breaches are due to simple human errors. It has great chapters on security, as well as risk, content management, project management, acceptable use, policies, and so on. Just Google “IT WARS” – check out a couple links down and read the interview with the author David Scott. (Full title is “I.T. WARS: Managing the Business-Technology Weave in the New Millennium”).

  2. [...] This post was mentioned on Twitter by Tony Bradley, zecurion and zecurion, Essential Security. Essential Security said: RT @zecurion: New blog post: A Server Breach Does Not Have to be a Data Breach http://bit.ly/4mPClg [...]

  3. Social comments and analytics for this post…

    This post was mentioned on Twitter by zecurion: New blog post: A Server Breach Does Not Have to be a Data Breach http://bit.ly/4mPClg…

  4. [...] or breached even if the server it resides on is compromised. With the proper tools in place, a server breach does not have to be a data breach and you can stop losing sleep over whether you are a step ahead–or two steps behind–the [...]

  5. Encryption is absolutely necessary and is one of the last lines of defense against data theft. It comes into effect when thieves have the data in their possession. Recovery of stolen equipment by tracking methods is considered as an “after the data breach” solution. It does not prevent the theft. So end point solutions designed to prevent the theft of equipment should be a component of the overall data protection strategy.

    Brian C.
    Barracuda Security Device International inc.

  6. JJ Cummings says:

    Of course I’ll say, like everyone else, that Encryption is necessary… Now, having said that, I will also say that your security is only as good as its lowest common denominator. What do I mean? It’s simple really: many networks / corporations / organizations utilize crypto protection and many other security measures but fall grossly short where it counts in simple areas such as key management, personnel training, etc.

  7. [...] stolen. But, with the right policies and tools in place, a lost or stolen laptop does not have to result in compromising sensitive data. Tags: cyber fraud, data breach, identity theft, Social Security numbers, stolen [...]

  8. Locksmith says:

    In relation to security models, specifically for businesses, I have to agree with what you’ve said totally. You will discover so many possibilities on the market, it’s vital for any specialist to know what is best for their scenario as well as particular complex. The observations you’re presenting will be a terrific support to businesses and additionally security experts similarly. Thanks again!

  9. [...] should keep the mindset that it is a matter of when, not if, a server will be hacked. But, as I have pointed out previously in this blog, a server breach does not have to be a data [...]
