Data, not devices, vital to enterprise security

Companies need to change mindset of protecting physical endpoints, to access to corporate information as data is today's "cyber currency" and subject to increased attacks, Trend Micro CEO states.
Written by Jamie Yap, Contributor

TAIPEI--As cloud computing continues to mature and more companies incorporate it within their IT infrastructures, there is a need to focus on protecting access of corporate data over the hardware used to house the information. This would include beefing up one's monitoring and access management practices, says Trend Micro CEO Eva Chen.

She told ZDNet Asia at the sidelines of the company's CloudNext 2012 conference, which was held here on Thursday, that before the advent of cloud computing, securing both the hardware and data was part of the same conversation. "I own that device and the data that resides and gets processed on it. I secured and controlled them both."

With cloud, the hardware for computing resources is now owned by third-party vendors, so the enterprise will need to gain control over the data and not physical devices, she noted.

This need is further amplified with the ongoing bring-your-own-device (BYOD) trend that sees employees bringing their personal devices to use in office, the executive said.

"Because of cloud, companies realize they cannot control the devices [their employees bring to work]. Data can now be accessed by all these devices, so it is about controlling and securing access to the data rather than the device itself," she reiterated.

Chen said this doesn't mean companies need only improve the protection of data, but they should also look into how they monitor and secure access to the information via their networks. "It's not that I only secure the jewelry and forget about the door. You still create these doors or traps to make it harder to get to the core," she added.

Arun Chandrasekaran, research director at Gartner, shared similar sentiments. He said that one of the most pressing security issues enterprises have to grapple with today is implementing policies regarding data storage, access, and retirement, particularly since these aspects are "hazy" when considered within the context of cloud computing.

The analyst added that with BYOD, data governance issues and establishing an understanding of ownership rights to corporate and personal data must be clearly outlined.

"Cyber currency" in demand
So with data becoming today's "cyber currency"--and its value is worth billions--companies can expect that their information trove will increasingly be the target of hackers, the executive noted. This is why Trend Micro had embarked on its data-centric security approach since last year, she said.

To further build on this approach, the CEO said Trend Micro will be focusing on 3 'Cs' this year--cloud, consumerization, and control over risk.

Chen noted that with regard to cloud, the public cloud has yet gained full momentum among organizations, By contrast, virtualization as well as private and hybrid cloud environments are becoming more commonplace. This is why the security vendor will continue to provide cloud-based security offerings to address all levels--from physical, on-premise IT to virtualized and cloud environments, she explained.

It will also look to launch a hosted mobile device management product in the latter half of the year to help IT administrators address security risks that arise due to consumerization in the workplace, the executive stated.

Third, Chen pointed out that the concept of control over risk has to do with both enterprises and security vendors accepting that organizations can never be absolutely secure. "It's like between black and white [in security protection], there are 250 shades of gray."

As for the last 'C', the CEO pointed out that both enterprises and security vendors need to accept that they can never be fully secure and be in full control over all risks. With headlines of major security attacks on prominent companies occurring nearly every month, she said this is enough reason to "rethink" the concept of control over security risks.

"It is not to say that these companies don't know how to secure themselves. They have antivirus, firewalls, intrusion detection system (IDS), and an intrusion prevention system (IPS), yet they still got attacked. Total protection is impossible. It's about finding your risk level, controlling it and reducing your risk [instead]," she said.

Jamie Yap of ZDNet Asia reported from Trend Micro's CloudNext 2012 conference in Taipei, Taiwan.

Editorial standards