Eric Lundquist, in a February 5 eWeek article, tells a story that is near to my heart–it’s about the data, stupid. For years security has been focused on system or device protection. This must change.
Our goal as security professionals is to protect the confidentiality, availability, and integrity of the data. This means protecting it at rest and in motion. Protecting your HR servers doesn’t do much good if your employees’ PII (personally identifiable information) is compromised through storage or LAN/WAN access control weaknesses. Carrying this a bit further, IM and email transfer of sensitive information completely bypasses any device or perimeter security that isn’t specifically designed to filter and block/alert on sensitive information moving into insecure areas, like the Internet or internal systems at lower trust levels.
