Summary

Well documented breaches have heightened the public’s and regulatory agencies’ concerns about how well companies are securing consumer-specific information. Despite some initial advances, sensitive information is still commonly stolen. Internal threat issues and the fact that extended partnerships lead to that, more and more tasks will be performed outside the physical boundaries of company facilities which will add another level of due diligence we must take into account. This article will present different practical methods that can help prevent advanced attacks from internal and external sources. Several of these methods go beyond the basic protection requirements for data at rest in PCI DSS defined by the major credit card companies. Several of these solutions are applicable to booth applications, files and databases.

Separation of duties is a cornerstone for true data protection. A data security policy separated from the database, file system or application environment can provide greater security across most enterprise legacy environments. This article will discuss different methods to enforce separation of duties, protection of data and controlling integrity of the security system to prevent leakage of sensitive information. Data Usage Control can complement the core protection by detecting and preventing data misuse through the direct monitoring and behavioral analysis of sensitive operations on databases and file systems.

Some well documented security breaches also highlighted one area of weakness when data is in transit and, particularly, in transit within a single entity or enterprise such as on an internal network. As legislation and public concern over well-publicized security breaches pushes organizations to better secure their data, it is no longer acceptable to encrypt data only when it is stored in a database. Rather, data fields and files should be continuously encrypted as they move throughout an enterprise and beyond.

Protection of the data flow can be supported by including the metadata with the protected sensitive data to provide the receiving system with required information for decryption of data. A high level of transparency can be achieved by compressing the protected data and including the metadata into the same amount of space as originally allocated. This approach can be used in most cases when protecting credit card data. The Continuously Protected Computing approach can be combined with partial encryption applied to some data fields to improve security by minimizing the need to access encryption keys and minimizing the number of platforms that require cryptographic services installed.