www.canadiansecuritymag.com

News Data Security
Prepare for future threats

These days, the average medium-to-large enterprise experiences data growth rates of 50 per cent per year. This means that every two years, the amount of information that companies need to secure and manage doubles, says John W. Thompson, chairman and CEO of Symantec.


June 24, 2008
By Lynn Greiner

Topics

During his keynote at Symantec Vision, the company’s annual user conference, held June 10-12 in Las Vegas, Thompson spoke about the security implications of the evolving — and increasingly mobile — data landscape.

"One (IDC) analyst went so far as to predict that the number of bytes of data generated by computers and other devices will soon rival the grains of sand on all of the beaches of the world," he says. "In addition to the structured data that is so important to typical business decision-making, you also need to worry about data that lives in hard-to-protect unstructured formats — e-mail, spreadsheets and instant messages."

Add on the growth of software-as-a-service, where as often as not, sensitive data doesn’t reside safely on the corporate network, and the challenges become even more immense.

"It’s not enough to put out today’s fires," he pointed out. "You also have to prepare for the future."

That future, he believes, includes four key trends that are shaping the way companies cope with the ever-growing volumes of data.

The first is the migration from tape to disk for data backup. Disk-based backup is faster and more flexible than tape, and makes recovery easier and quicker because you can directly access required files rather than having to sequentially search a tape. Thompson sees this trend accelerating as solid-state devices increase performance for mission-critical applications.

He also predicts blurring between backup, archiving, and disaster recovery, which will all be handled by a single piece of software instead of by several products as they are today. The result, he said, would help companies manage their data more effectively.

During the last half of 2007, nearly 70 per cent of the malicious threats analyzed in Symantec’s labs were designed to steal confidential information, rather than attempting to disrupt operations or destroy data. These labs have been collecting and publishing data on malware since 2002, when the company acquired the report’s originators, Riptech. Symantec published its first Internet Security Threat Report in mid-2002; the most recent volume was released April, 2008.

Over the years, there has been a steady change in the type and visibility of attacks has been observed as malware authors migrated from being grandstanders looking for attention to criminals looking for money or saleable information.

To defend new attack targets, companies need to move to an information-centric security model that takes a risk-based approach to protecting information.

"In this model, classifying data will become critical," he said. "That way, you’ll have insight into what sensitive information you have, where it’s stored, and how it’s being used, both on the network and at the endpoint."

The third trend he discussed was in IT governance. Because of today’s regulatory and security climate, organizations are being forced to take an enterprise-wide view of security and compliance, and Thompson expects that IT will be asked to take on a leadership role in fulfilling requirements.

There’s a bonus in this for the business as a whole, he noted: research by the IT Policy Compliance Group shows that organizations with mature IT management practices also generate stronger business results.

"Through automation and standardization, organizations not only can become more compliant, but also reduce compliance costs by as much as 40 per cent," he says, citing Baptist Health of South Florida, which lowered its labour costs for compliance management by half a million dollars over two years using Symantec’s offerings, and reduced its security audit preparation time from 12 hours to 15 minutes.

The fourth trend Thompson described was the consumerization of IT. Increasingly, he said, employees want to connect their personal devices, from laptops to mobile devices, to corporate networks. And they expect to participate in activities like social networking in the office.

"You’ll need to find a way to secure and manage all of those connections, and ensure they aren’t introducing threats onto your network," he said, adding that forbidding the behavior is not usually effective.

"Our biggest challenge is anticipating the rapidly evolving needs of customers to secure and manage the explosive amount of digital content," he says. "I don’t think there is a way to separate management from data."