Friday, January 6, 2012

Compliance and Protection are NOT Synonymous

Much of the focus in the Data Loss Prevention market is on questions such as "How do I pass a PCI audit?" (or any other data security/privacy audit, for that matter). While failing an audit can be costly in the form of penalties and upgrades, chasing the audit alone can also lead to a myopic view of data security.


Beyond compliance lies much more. Passing an audit with flying colors can still mean an organization's data is vulnerable to a variety of evolving attack vectors, such as the much publicized "zero-day attack." In a zero-day attack an attacker exploits application vulnerabilities that are unknown to others, including the software developer. These vulnerabilities are shared with other attackers and used as a way to gain entry to an organization's network.


How should an organization protect itself from zero-day attacks and other attack vectors? One way is to take a data-centric approach to protecting corporate information assets. Voltage Security President and CEO Sathvik Krishnamurthy recently discussed what a data-centric approach entails:
"From the very first point of entry, the data, structured or unstructured, is encrypted. As it is used across data centers, public and private clouds and mobile devices—in use, in transit, or at rest—it remains encrypted. That’s important because in the event of a breach, the theft of data is minimized."
The idea of encrypting all data across an organization gives many IT managers a headache. Traditional key management means a key database that stores a copy of every key ever issued, and every change to the existing infrastructure has to be made according to how that database behaves. This is costly, puts undue pressure on IT management and creates oppressive overhead. These operational barriers have made encryption an impractical and expensive option for large-scale deployments.


Fortunately, there is a solution that makes key management less cumbersome and more practical. Voltage Security has released a Stateless Key Management system that securely and mathematically derives any key, as required by an application, once that application and its users have been properly authenticated and authorized against a centrally managed policy. Voltage Stateless Key Management reduces IT costs and eases the IT administrative burden by:

  • Eliminating the need for a key database, as well as the corresponding hardware, software and IT processes required to protect the database continuously or the need to replicate or back-up keys from site to site.
  • Easily recovering archived data because keys can always be recovered.
  • Automating supervisory or legal e-discovery requirements through simple application APIs, both native and via web services.
  • Maximizing the re-use of access policy infrastructure by integrating easily with identity and access management frameworks and dynamically enforcing data-level access to data fields or partial fields, by policy, as roles change.
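The key property described above, keys that are derived on demand from a master secret plus an identity rather than looked up in a key database, can be illustrated with a small HKDF (RFC 5869) based construction. This is an added example and is not Voltage's product code or its actual algorithm; the names `MASTER_SECRET`, `POLICY`, `derive_field_key` and `request_key`, and the access policy they encode, are constructed for the illustration. It shows that the same (application, field, version) identity always re-derives the same key (so archived data stays recoverable), that different identities get unrelated keys, and that derivation is gated on a policy check.

```python
import hashlib
import hmac

# Constructed example: the single master secret held by the key server.
# In a real deployment this would live in an HSM or equivalent, never in source.
MASTER_SECRET = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)

# Constructed access policy: which roles of which application may obtain
# keys for which data fields. This stands in for the "centrally managed
# policy" the text refers to.
POLICY = {
    "payments-app": {
        "clerk": {"card_last4"},
        "auditor": {"card_last4", "card_pan"},
    },
}


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract with SHA-256: PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with SHA-256 (T(i) = HMAC(PRK, T(i-1) | info | i))."""
    if length > 255 * 32:
        raise ValueError("HKDF-SHA256 cannot expand beyond 255 * 32 bytes")
    okm = b""
    t = b""
    counter = 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hashlib.sha256).digest()
        okm += t
        counter += 1
    return okm[:length]


def hkdf_self_test() -> bool:
    """Check the implementation against RFC 5869 test case 1."""
    ikm = bytes([0x0B] * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return okm.hex() == (
        "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
        "34007208d5b887185865"
    )


def derive_field_key(app: str, field: str, key_version: int = 1) -> bytes:
    """Derive the 256-bit key identified by (app, field, version).

    Nothing is stored: identical inputs always yield the identical key, so an
    archived record encrypted years ago can still be decrypted by re-deriving.
    Bumping key_version is how a new key is rolled out for the same field.
    """
    info = f"field-key|{app}|{field}|v{key_version}".encode()
    prk = hkdf_extract(b"stateless-kms-example-salt", MASTER_SECRET)
    return hkdf_expand(prk, info, 32)


class AuthorizationError(PermissionError):
    pass


def is_authorized(app: str, role: str, field: str) -> bool:
    """Policy decision: may this role of this application hold this field key?"""
    return field in POLICY.get(app, {}).get(role, set())


def request_key(app: str, role: str, field: str) -> bytes:
    """What an authenticated application calls: policy check, then derivation."""
    if not is_authorized(app, role, field):
        raise AuthorizationError(f"{role} may not access {field} in {app}")
    return derive_field_key(app, field)


if __name__ == "__main__":
    print("HKDF self-test:", hkdf_self_test())
    k = request_key("payments-app", "auditor", "card_pan")
    print("card_pan key for auditor:", k.hex())
    print("re-derived identically:", k == derive_field_key("payments-app", "card_pan"))
    try:
        request_key("payments-app", "clerk", "card_pan")
    except AuthorizationError as exc:
        print("denied:", exc)
```

The design consequence worth noting is that statelessness moves all of the risk onto the master secret and the authorization step: anyone who holds `MASTER_SECRET` can derive every key ever issued, and a weak policy check hands out keys just as freely. In practice the master secret is kept in a hardware security module, the `key_version` is carried alongside each ciphertext so rotation does not break old data, and every `request_key` call is logged as the audit trail, since there is no key database whose access log would otherwise serve that role.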


1 comment:

  1. Your post is really informative as well as helpful for my Data Loss Prevention market research and development.