Turning Security Inside Out

by Carl Weinschenk, IT Business Edge
May 11, 2007 12:00:00 AM

Carl Weinschenk spoke with Bill Bartow, vice president of product management, Tizor Systems.

 

Weinschenk: You say there are four types of breaches. What are they?
Bartow: There are four ways in which data can be exposed outside a company. Number one is through e-mail, which generally is someone e-mailing confidential or secure information outside a company against policy. It could be credit cards, employee Social Security numbers, that sort of thing. The next form is backup tapes that hold confidential or sensitive information. Those tapes simply get lost in transit. The third way is laptop loss. An employee takes a laptop home and leaves it on the train or in an Internet hotspot. The fourth is where some person or people figure out a way to compromise the security infrastructure and get critical or confidential information directly from the databases.

 

Weinschenk: Which is the biggest problem?
Bartow: Based on our research — and we studied over 300 data breach incidents — what we found is [that database] breaches are the problem in which the most valuable information is taken and that data being exposed would have the most far-reaching business implications for the company.

 

Weinschenk: What should companies do to combat this and the other three vulnerabilities?
Bartow: It starts with good policy implementation. People need to understand data has different [levels]. Some is classified, some is sensitive and some is public. It's fine to send out product brochures, but it's not fine to have employees share a confidential plan outside the company. Companies must make sure employees understand the classifications of the data. Then the next step is to put automated solutions in place to address the problems.

 

Weinschenk: You suggest a new approach is necessary. Please elaborate.
Bartow: Companies need to rethink the way they protect data. They think they have a strong perimeter. An analogy is to a bank. They have a lot of guards, and if someone does something, you can stop them. They've built up a strong perimeter. I think companies historically have taken the same approach. They've focused on IDSs, firewalls, VPNs. The whole goal is to keep the bad guys out. What we've learned in the last few years is that a good portion [of the theft] is happening from people within the company who are valid users with credentials to access the data.

 

Weinschenk: So it's not people breaking in. It's people who are entitled to be in the system doing improper or illegal things.
Bartow: A great example is the DuPont case. The employee had access to various [databases] and took data with him. The employee had valid credentials, but clearly not the entitlement to leave the company with that data. There are lots of privileged users in the company. They pose just as significant a threat as some hacker who hacks through perimeter defense.

 

Weinschenk: So how does this translate to how companies approach security?
Bartow: My point is that you need to protect data in the core, in the data center itself. You need to [have safeguards] where the data is in the company. Data is scattered around the enterprise. You need to discover where all the data is. The next step is to put in place policies that will monitor all that sensitive data. You need to watch who is accessing it. You want to be that video camera in that bank vault. Once you monitor it and know who is accessing it, the last step is risk mitigation. You need technology that will help you identify who is exhibiting unusual behavior, such as downloading lots and lots of credit card data. In the case of DuPont, the person was taking documents off file servers they don't usually [access]. There should be technology that identifies sensitive or unusual behavior and alerts the appropriate person in the enterprise this is taking place so that they can stop it.

 

Weinschenk: So the approach is granular, and starts inside the company.
Bartow: The framework is to discover, automate and protect. My main point is the place to start is at the database.

 

Weinschenk: How does encryption fit into this?
Bartow: We don't recommend encrypting everything. It should be done selectively and should be combined with technologies providing risk mitigation. Encryption is ensuring that the confidentiality of the data is intact. As long as the appropriate people have the key, they can get the data. A privileged user has the key; that's why he's privileged. What it doesn't say is that it won't identify suspicious or unusual behavior. And encryption is hard to deploy and manage.

 

Weinschenk: The idea here seems to be that companies are approaching security in the wrong manner. Is that so?
Bartow: I think some [companies] are focused on solving problems at the wrong point. They are adding more guards to the gate. They should be focused on putting more intelligent cameras in the bank vault. I think what's happening is that companies are focused on solving the problem at the wrong point right now. They will eventually realize they have to turn security inside out. I think the market at this point is starting to recognize that. Data auditing and protection are becoming more popular.

 

Weinschenk: Why now?
Bartow: One reason is that more people are educated on the options available to them. The second is that there are a couple of really good examples in the marketplace in the TJX and DuPont cases. They show that people need to rethink the ways in which we are protecting data. Now you are seeing more university data breaches, and I think universities are studying and understanding new ways of protecting data and looking at data auditing and protection approaches. The industry is understanding the approaches necessary and is starting to look for solutions.
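The "video camera in the bank vault" that Bartow describes amounts to per-user behavioral monitoring of database access: learn what each credentialed user normally touches, then alert when a valid login pulls far more rows than usual or reads tables it has never read before. The following is an added example written for this page, not code from Tizor Systems or from the interview; the audit records are constructed, and the field layout (user, table, rows returned) and the thresholds are assumptions rather than any product's format.

```python
"""Behavioral detection over database audit records (added example).

Learns each user's normal tables and row volumes from a training window,
then flags later records that touch a new table or pull far more rows
than that user's baseline. Baselines are per user, so a DBA whose normal
reads are large is not flagged for being large; a clerk who suddenly
exports 250,000 payment rows is.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit records: (user, table, rows_returned).
# Training window: what "normal" looked like for each user.
BASELINE_LOG = [
    ("alice", "orders", 120), ("alice", "orders", 95), ("alice", "customers", 40),
    ("alice", "orders", 110), ("alice", "customers", 35),
    ("bob", "payments", 50), ("bob", "payments", 60), ("bob", "payments", 55),
    ("dba1", "orders", 1000), ("dba1", "payments", 800), ("dba1", "customers", 900),
]

# Detection window: records to evaluate against the baseline (constructed).
NEW_LOG = [
    ("alice", "orders", 130),       # within alice's normal range
    ("alice", "payments", 20),      # a table alice has never read before
    ("bob", "payments", 250000),    # bulk pull: thousands of times bob's usual volume
    ("dba1", "customers", 950),     # privileged user, but within his own norm
    ("eve", "customers", 10),       # credential with no history at all
]

BULK_SIGMA = 3.0   # assumed threshold: rows beyond mean + 3*stdev
BULK_FLOOR = 10.0  # assumed threshold: and at least 10x the user's mean rows


def build_baseline(log):
    """Per-user set of tables touched and per-user row-count statistics."""
    tables = defaultdict(set)
    rows = defaultdict(list)
    for user, table, n in log:
        tables[user].add(table)
        rows[user].append(n)
    # pstdev of a single observation is 0; the BULK_FLOOR multiplier then
    # keeps a user with one tiny training record from tripping on noise.
    stats = {u: (mean(r), pstdev(r)) for u, r in rows.items()}
    return tables, stats


def detect(baseline, log):
    """Return alerts as (user, table, reason) tuples, in log order."""
    tables, stats = baseline
    alerts = []
    for user, table, n in log:
        if user not in tables:
            alerts.append((user, table, "unknown user"))
            continue
        if table not in tables[user]:
            alerts.append((user, table, "new table for user"))
        mu, sigma = stats[user]
        if n > mu + BULK_SIGMA * sigma and n > BULK_FLOOR * mu:
            alerts.append((user, table, "bulk read"))
    return alerts


if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE_LOG), NEW_LOG):
        print("ALERT user=%s table=%s reason=%s" % alert)
```

Two design points follow directly from the interview. The baseline is keyed by user rather than by table, because the privileged user legitimately holds the key and the only signal left is a departure from that user's own pattern. And the "new table" and "bulk read" checks are independent, so a small read of an unfamiliar table (the DuPont pattern of pulling documents from servers one does not usually touch) is surfaced even when the volume is unremarkable.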
