Data Security for PCI and Beyond

Ulf T. Mattsson

Protegrity Corp.

February 2, 2007

For many years external security threats received more attention than internal ones, but the focus has changed. Worms, viruses and the external hacker were once perceived as the biggest threats to computer systems. What is often overlooked is the potential for a trusted individual with special privileges or access to steal or modify data. While viruses and worms are serious, attacks perpetrated by people with trusted insider status (employees, ex-employees, contractors and business partners) pose a far greater threat to organizations, in terms of both potential cost per occurrence and total potential cost, than attacks mounted from outside. Well-documented breaches have heightened the public's, and regulatory agencies', concerns about how well companies are securing consumer-specific information captured at the point of acquisition. Extended partnerships mean that more and more tasks will be performed outside the physical boundaries of company facilities, which adds another level of due diligence we must take into account.

The reason insider attacks hurt disproportionately is that insiders can and will take advantage of trust and physical access. In general, users and computers accessing resources on the company's local area network are deemed trusted. In practice, we do not firmly restrict their activities, because an attempt to control these trusted users too closely would impede the free flow of business. And, obviously, once an attacker has physical control of an asset, that asset can no longer be protected from the attacker. While databases are often protected by perimeter security measures and built-in RDBMS (Relational Database Management System) security functionality, they are exposed to legitimate internal users to some degree. Due to the fragmented distribution of database environments, real-time patch management, granular auditing, vulnerability assessment and intrusion detection become hard to achieve.

With the growing percentage of internal intrusion incidents in the industry and tougher regulatory and compliance requirements, companies face tough challenges both in protecting their sensitive data against internal threats and in meeting regulatory and compliance requirements.

Number of Pages in PDF File: 20


JEL Classification: C88

Date posted: March 27, 2007  

Suggested Citation

Mattsson, Ulf T., Data Security for PCI and Beyond (February 2, 2007). Available at SSRN: http://ssrn.com/abstract=974957 or http://dx.doi.org/10.2139/ssrn.974957

Contact Information

Ulf T. Mattsson (Contact Author)
Protegrity Corp.
One Canterbury Green
Stamford, CT 06901
United States
HOME PAGE: http://www.ulfmattsson.com