Ultimate Data Security Guide
Protecting Your Data Security and Data Privacy
The first step in protecting your enterprise's data privacy and security is to identify the types of information you want to protect and where that information is exposed in your organization. Once you have completed your audit - identified your organization's priority information and determined your level of risk of data loss - the next step is to assess your applications and understand what areas of your application portfolio are leaving you vulnerable to external attacks.
According to a recent Gartner report, the market for content-aware data loss prevention solutions continues to grow at more than 20 percent year over year. Yet the report also notes that many organizations are struggling to establish appropriate data protection policies and procedures for mobile devices as they interact with sensitive corporate data.
The threat model is different for mobile devices. There is much more risk of confidential data being stolen or leaked – this is called mobile data exfiltration. The additional risk is due to the portable nature of the devices, the types of applications and their usage models. Some of the significant differences between mobile devices and traditional computing environments include the following:
- Mobile devices are frequently shared temporarily. Even with PIN-protected devices, users can readily unblock their phones and hand them to other users.
- Mobile applications are highly connected to web services. This broadens the possible vectors for data exfiltration.
- Mobile devices are often consumer-owned devices that can access an organization’s internal network. Indeed, many enterprises are considering Bring Your Own Device (BYOD) programs as a cost-saving measure.
Because of these differences, traditional data protection and data security solutions are not readily applicable to mobile users. For example, the performance hit of an end-point agent on mobile devices would be unacceptable for most users. Similarly, forcing all mobile communications through the enterprise network for traffic analysis is not feasible. Datacenter-based solutions could identify confidential information resident on the device, but could do little to determine whether a personal application poses a genuine data loss threat to that confidential information.
Instead, what is needed is a solution that can scan mobile applications and determine if they represent a data loss risk to the organization. For example, a mobile-based data protection and data security solution should identify applications that enable surreptitious transmission of microphone, GPS or camera data or data exfiltration via sockets, email, HTTP, SMS, DNS, ICMP or IR.
Effectiveness of Traditional Data Security and Data Privacy Products
The effectiveness of data security, data privacy and data protection hinges on:
- Accuracy of data loss prevention content analysis engines. Content analysis methods range from keyword searching, regular expressions handling and document fingerprint matching. Like any other analysis engine, lowering the false-positive and false-negative rates are important to improve the solution's accuracy.
- Scalability of data security solutions. As network traffic and employee use of multiple types of data grow, established data protection solutions must scale to keep up with organizational usage.
- Sophistication of the data security policy definition and process management capabilities. Organizations typically have multiple policies for different types of data and multiple processes to manage data and respond to data loss related events. The ability to automate policy enforcement in people- and process-centric situations is important.
Application Security and Your Data Security Strategy
Use this checklist as a reference tool when making data security buying decisions:
- Develop clear data security strategies with concrete requirements before evaluating products.
- Understand the limitations of traditional data privacy protection and data security. As an example, data loss prevention is a data-centric control and does not have any understanding of SQL.
- Applications protect your data. Test the security quality of your applications. Use application security testing as a way of protecting data.
- Create data protection policies and procedures for mobile devices as they interact with sensitive corporate data.
Veracode Helps Protect Your Data Security
The gateway to your data is through your applications. Attackers know applications are the weak link in today's computer networks and they look for vulnerabilities in applications that provide access to sensitive data. Testing applications for data security vulnerabilities reduce the risk of a data breach. Using Veracode as part of your data security strategy allows you to understand the data security quality of your applications and provides a path to improving the overall data security quality of all the applications running on your network and mobile devices.
Application testing must be part of data security.
Data security is a mission-critical priority for IT teams in companies of all sizes. As organizations increasingly rely on IT to collect, share, analyze, communicate and store information,data security solutions are essential to ensure that information remains protected from theft, corruption and loss.
Traditional data security solutions include encryption, data loss prevention (DLP) technology, backup and recovery solutions, identity and access management technology, and more. But frequently overlooked when designing a data security framework is the role the application security can play in protecting data.
Applications have become the primary target for cyber criminals intent on stealing data. Yet many development teams organizations lack the tools to ensure their software is free of flaws and vulnerabilities that could lead to costly breaches and data security errors. That’s where Veracode can help – with a suite of on-demand services that make application testing easy and affordable.
Veracode solutions for data security.
Veracode is a leader in application security testing solutions that help protect an organization’s most important software assets. Built on a unified platform, our suite of services provide tools for testing software at any point in the development process from inception through production. From SQL injections and malware that could enable a DDoS attack to broken authentication and session management flaws, Veracode helps to remediate the most dangerous threats to data security. With Veracode, developers can submit code via an online platform and receive results quickly – within four hours for most applications. Results are prioritized by severity of the flaw and delivered with clear remediation advice that allows developers to find vulnerabilities and fix them quickly.
As a data security technology, Veracode’s software-as-a-service model enables organizations to implement security testing quickly and easily, without upfront capital expense. And because our technology integrates seamlessly with integrated development environments, developers don’t need to interrupt coding or open a new environment in order to submit code for review.
Comprehensive services for increasing data security.
Veracode services include:
- Veracode Greenlight, an application security service that runs in the background of the developer’s IDE to test code as it is being written. Greenlight alerts developers when flaws are introduced and provides immediate suggestions for ways to eradicate them.
- Veracode Static Analysis, a service that scans binaries to ensure the security of software that is built, bought or assembled.
- Veracode Software Composition Analysis, a service that identifies and inventories vulnerabilities in open source components and commercial software.
- Veracode Web Application Scanning, an Internet security test that discovers, scans and monitors websites and web applications to identify potential flaws.
Learn more about improving data security with Veracode’s application security testing services, or visit our AppSec knowledgebase to learn more about website SQL injections and get answers to questions like “What is BYOD?”