Turning the Lights On… Infrastructure Security vs. Data Security (Part I)

The only thing more challenging than seeing something in the dark is explaining what you can see to others. That’s how I characterize the often-difficult process of explaining the importance of data security to your executives and employees. Clearly communicating the challenges we face protecting our organizational “crown jewels” is one of the biggest obstacles security professionals face.

I’m often asked “How is infrastructure security different from data security?” The simplest answer: infrastructure security protects the availability of your IT systems, while data security protects the confidentiality and integrity of your information.

Most companies have solid infrastructure security programs. They have traditional defenses: distributed denial of service (DDoS) attack mitigations, firewalls and intrusion prevention systems (IPS). In most scenarios, these defenses are owned by both network and security teams. Most security professionals consider this appropriate protection at the network level, but not adequate.

Many are looking to implement the next breed of solutions to build out application layer protections and take a deeper dive into the TCP/IP protocols, which provide context surrounding an event. While the additional information available with this second stage of deployment is significant—it should NOT be considered a data security control.

Here’s why: data loss prevention (DLP) is an advanced control. It protects confidentiality and integrity of your data. The value that a DLP solution offers is the advanced context, or the, “who, what, where and how,” of data storage, access and transmission. This full context is something that perimeter infrastructure defenses do not offer.

In the next blog post, I’ll provide six steps to deploying data security controls to gain necessary visibility.