21 Pages Posted: 27 Mar 2007
Date Written: January 11, 2007
Sending sensitive information over the Internet or within your corporate network as clear text, defeats the point of encrypting the text in the database to provide data privacy. The sooner the encryption of data occurs, the more secure the environment. An Enterprise level Data Security Management solution can provide the needed key management for a solution to this problem. A combination of application firewalls, plus the use of data access monitoring and logging may, if effectively applied, can not provide reasonable equivalency for the use of data encryption across the enterprise since such a combination of controls does have multiple weak spots, when it comes to preventing damage from careless behavior of employees or weak procedures in development and separation of duties. Some regulations requires that Web-facing applications should be guarded against attacks that can have serious consequences. There are no guarantees that any one approach will be able to deal with new and innovative intrusions in increasingly complex technical and business environments. However, implementation of an integrated security program which is continuously audited and monitored provides the multiple layers of protection needed to maximize protection as well as historical information to support management decision-making and future policy decisions.
This solution will protect data at rest, and also while it's moving between the applications and the database and between different applications and data stores. Stronger database security policies and procedures must be in place to accommodate the new environment. Centralized database management security must be considered to reduce cost. Implementing point or manual solutions are hard to manage as the environment continues to grow and become more complex. Centralized data security management environment must be considered as a solution to increase efficiency, reduce implementation complexity, and in turn to reduce cost.
Keywords: Encryption, Data Security, Compliance, PCI, GLBA
JEL Classification: C88
Suggested Citation: Suggested Citation
Mattsson, Ulf T., Data Security Beyond Regulatory Compliance - Protecting Sensitive Data in a Distributed Environment (January 11, 2007). Available at SSRN: https://ssrn.com/abstract=960623 or http://dx.doi.org/10.2139/ssrn.960623