Technology: Securing corporate data in an Internet-based world
Since security perimeters have been pushed to the very edge of the Internet, traditional security techniques no longer apply.
February 07, 2014 at 03:00 AM
6 minute read
The original version of this story was published on Law.com
As all who work in a professional setting know, data security and integrity are important obligations. In order to protect corporate data, we must secure devices and documents with passwords and store data in approved locations. While following corporate security guidelines is often an inconvenience, the necessity is clear. Much of the data we create and store on corporate networks contains trade secrets, personally identifiable information, or potentially privileged communications and we have an obligation to protect that data on behalf of corporate interests. We also want to avoid any potential bad press as a result of a security breach. Stories of corporate security lapses lead to breaches in trust with our customers, which no corporation wants to face. For these reasons and more, it is clear that corporate security is of critical concern.
Security has traditionally been about defining and securing a perimeter. Whether homesteaders circling their wagons to protect against outside threats or records managers putting corporate documents in a warehouse behind a lock and key, we have always needed to understand what is on the “inside” and where the “outside” begins. From a security perspective, the inside and the outside should never intermingle. In corporate computing security, the concept of defining the perimeter has been relatively straightforward. Computers inside the office and behind the corporate firewall need to be secure, and anything outside of the corporate firewall is considered unsecured. There has traditionally been a clear concept of what is on the inside and what is on the outside. In an Internet-based world, however, identifying the perimeter is becoming a more difficult, if not Sisyphean, task.
In our “always on” society, we now have innumerable ways to connect into the corporate data environment. Whether through smartphones, laptops, bring-your-own-device (BYOD) initiatives or working from home, defining the corporate security perimeter is no longer a simple concept. The definitions of “inside” and “outside” are no longer so clear. This change in data access has flipped the corporate security model on its head and has forced us to create new paradigms in fulfilling our security obligations. What follows are four broad considerations in modern data security and what you can do to make necessary changes.
Securing the data center
Data center security is a necessary foundation in today's computing environment. Wherever we have data at rest, we need rock solid security and physical access controls. For most corporate environments, this is the easiest element in the data security process, since it is most akin to the traditional perimeter-based security models. Many corporate data centers already adhere to SAS 70 Type II or SSAE 16 security standards, which provide good platforms upon which to build the rest of our security initiatives. It is more difficult to define what constitutes our data centers. For example, our corporate servers may live in a secure building with all essential security precautions taken, but what if our colleagues use data storage services such as Dropbox or Sharefile? It is necessary to identify all data centers — those officially authorized and also those not formally condoned — and ensure best practices are being followed.
Transportation encryption
In the past, it was assumed that all corporate data would be accessed over secure channels of communication, such as an Ethernet cable which connected an office wall outlet to a data center on an adjacent floor. In today's world, however, we must assume that all data transfers are being made over unsecured channels, such as a home network, coffee shop Wi-Fi or shared cellular connections. As such, all data transmitted from our data centers must be encrypted with no less than 128-bit encryption using PKI (public-key infrastructure) cryptography, such as SSL (secure sockets layer) or TLS (transport layer security). This encryption will allow us to know that data sent from our data centers to our data endpoints (smartphones, laptops, etc.) will be protected from anyone “snooping on the line.”
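As an added illustration (not code from the original article), the following Python shows how a client can enforce the floor stated above: a certificate checked against a PKI trust store, a modern TLS version, and a negotiated cipher of at least 128 secret bits. The minimum TLS version, the weak-cipher name list and the `check_server` helper are my assumptions; the test tuples are constructed to match the shape returned by `ssl.SSLSocket.cipher()`.

```python
import socket
import ssl

MIN_SECRET_BITS = 128                     # the article's stated floor
MIN_TLS_VERSION = ssl.TLSVersion.TLSv1_2  # assumption: SSL 3.0/TLS 1.0/1.1 retired
WEAK_CIPHER_MARKERS = ("NULL", "RC4", "DES", "EXPORT", "MD5")  # assumption

def make_client_context(ca_file=None):
    """Client context that requires a valid certificate chain (PKI) and hostname
    match, and refuses protocol versions below MIN_TLS_VERSION."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = MIN_TLS_VERSION
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def cipher_meets_policy(cipher):
    """cipher is the (name, protocol, secret_bits) tuple from SSLSocket.cipher().
    Returns True only for TLS 1.2+ and >= 128 secret bits with no weak primitive."""
    name, protocol, secret_bits = cipher
    if secret_bits is None or secret_bits < MIN_SECRET_BITS:
        return False
    if not (protocol.startswith("TLSv1.2") or protocol.startswith("TLSv1.3")):
        return False
    return not any(marker in name.upper() for marker in WEAK_CIPHER_MARKERS)

def check_server(host, port=443, timeout=5.0):
    """Connect with the hardened context and report the negotiated cipher.
    Raises ssl.SSLError if the certificate or protocol fails verification,
    and ValueError if the negotiated cipher is below policy. Needs network."""
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cipher = tls.cipher()
            if not cipher_meets_policy(cipher):
                raise ValueError(f"negotiated cipher below policy: {cipher}")
            return cipher
```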
Endpoint protection – encryption
Our always-on world and need for responsiveness requires that we use any and all means to access corporate data. As long as we are properly securing our data centers and data transportation, we next need to make sure that our data endpoints are also secure. Endpoints such as iPads, Android phones and laptops are difficult to secure, especially if an organization is deploying a BYOD initiative, in which employees are able to use their personal mobile devices to connect to corporate data. Device encryption and enhanced user identification/authentication are two steps which will immensely help improve endpoint security.
Many modern mobile devices provide the ability to encrypt device contents. Even if the device is lost or forgotten, if the device's contents are encrypted, it will be impossible for third parties to read the encrypted data. Using common techniques, such device encryption can be enforced even on BYOD devices.
Endpoint protection – user identification and authentication
It is also important to abide by enhanced user identification and authentication strategies. User identification refers to knowing each person who is accessing corporate data and having the ability to remove access based on identity. This is easier said than done, as corporate networks are often rife with individuals who have access to the system even though they are no longer affiliated with the organization.
Multifactor authentication is also highly recommended for all data access. Multifactor authentication requires the use of some proof of identity beyond passwords. You may be familiar with numeric key fobs which change numbers every minute in a unique way per user account. By typing in the unique number along with your password, the authentication process is orders of magnitude more robust and secure.
Conclusion
In today's Internet-based world, securing corporate data is increasingly complicated. Since security perimeters have been pushed to the very edge of the Internet, traditional security techniques no longer apply. We can make significant steps toward proper corporate security by securing our data centers in accordance with modern standards, encrypting data which leaves our data centers, securing data endpoints such as smartphones and laptops, and verifying every user who connects to our corporate systems. By enforcing these four broad areas of corporate security, we can continue to leverage the benefits of our Internet-based world while living up to our obligations to corporate interests.