If you really think about it, technically all of “information security” is “data security”, but the reality is that most of our industry is focused on protecting networks and hosts, and very little is dedicated to protecting the information assets themselves. We here at Securosis prefer the term “Information-Centric Security”, since information is data with value (as opposed to just a bunch of 0’s and 1’s), but we know “data security” is more commonly used, and we’re not about to fight the industry.
Since data security encompasses a wide range of tools, technologies, and processes we will highlight top-level management issues on this page, and encourage you to explore the subtopics for more details on database security, DLP, encryption, and other specific areas.
We keep all of our Research Library pages updated with our latest research. Content is added where it fits best, not in chronological order, so we mark new material with the month/year it’s added to help you find changes more easily.
Papers and Posts
If you are just getting started, we recommend you read the following blog posts and papers in order. (In keeping with our Totally Transparent Research policy, for sponsored papers we also link to the original blog posts so you can see how the content was developed, and all public comments).
The most important piece of work we’ve published on data security is the following: The Business Justification for Data Security. We recommend you download the white paper as it provides a condensed (and professionally edited) review, and here are the links to the individual blog posts to add additional color and commentary: Part 1, part 2, part 3, part 4, part 5, and part 6. (03/09).
Tokenization vs. Encryption: Options for compliance. This paper outlines the business uses for tokenization, and examines the tradeoffs between tokenization and traditional encryption.
Next, you should read our series of posts on the Data Security Lifecycle which shows how all the various bits and pieces plug in together. Keep in mind that some of these technologies aren’t completely available yet, but the series should give you a good overview of how to take a big picture approach to data security. Start with the Lifecycle, then read the details on the technologies, organized by phase: Part 1, Part 2, Part 3.
The general principles of Information-centric/Data Security.
Defensive Security Stack; showing where data security fits in with network, host, and application security (I mention CMF, which is the same as DLP): Data Protection - it’s More than A + B + C.
We believe that two existing technologies are evolving into the “core” of data security: Data Loss Prevention and Database Activity Monitoring. They are evolving into what we call Content Monitoring and Protection (DLP, for protecting productivity applications and communications), and Application and Database Monitoring and Protection (DAM, for protecting applications and the data center). We define both technologies in Definitions: Content Monitoring and Protection And Application and Database Monitoring and Protection.
Continuation of Content Monitoring and Protection: How Data Loss Prevention and Database Activity Monitoring Will Connect.
Data classification comes up all the time when discussing data security. Here’s an overview that starts to introduce the idea of practical data classification: The Five Problems With Data Classification, an Introduction To Practical Data Classification. We followed it with a post: Practical Data Classification: Type 1, The Hasty Classification. But the truth is, classification is usually quite problematic, and we don’t recommend manual classification to most enterprise users, as we wrote in: Data Classification is Dead. (We haven’t finished our data classification series yet).
Related to data classification, here is a post on Information Governance.
Before you start digging in too deep on data security, we recommend you prepare by understanding your users and infrastructure, as we wrote in: Information-Centric Security Tip: Know Your Users and Infrastructure.
File Activity Monitoring is an exciting new technology that finally gives us insight into not only how our files are used, but who the heck is accessing them, who should be accessing them, and when they violate security policies. We can finally do things like generate alerts when a sales guy starts sucking down all the customer files before moving to a competitor.
These PDF versions of presentations may also be useful, although they don’t include any audio (for any audio/video, please see the next section).
This is the Business Justification for Data Security Presentation that Rich and Adrian provided in February 2009.
This presentation is on Mobile Data Security for the Enterprise.
Our presentation on Information Centric Data Security and the Data Centric Security Lifecycle.
Here’s the current version of Pragmatic Data Security, which provides a good, practical process overview with specific implementation details.
Presentation on Data Protection in the Enterprise. Kind of a corporate overview.
Presentation on XML Security.
Podcasts, Webcasts and Multimedia
We do not currently have any multimedia for this topic.
The following is just an alphabetized and categorized list of vendors and products in this area (including any free tools we are aware of). It does not imply endorsement, and is meant to assist you should you start looking for tools. Please email firstname.lastname@example.org if you have any additions or corrections.
Since data security is such a broad issue, please see the sub-categories for vendors and tools.
If much of this material seems somewhat generic, that’s because data/information-centric security is a fairly high-level topic. We really encourage you to learn about the specifics in the sub-categories in the navigation menu.