Masthead Venture Partners

Market Overview: Data Security in the Early 21st Century

Data security is mission-critical in the business environment of the 21st century. Enterprises today face increasing strategic risk related to their key data assets. Unauthorized disclosure or integrity compromise can result in brand damage, multi-million-dollar client liabilities or loss of competitive advantage.

Two potent challenges are moving security requirements into a new phase. These challenges - information/identity theft and compliance - require the monitoring of users, business activities and applications within data center servers. To meet these challenges, enterprises need new "Activity Auditing" solutions.

The Challenges: Compliance and Information Theft

Compliance Requirements
Today there is growing pressure on companies to comply with privacy and governance requirements governing who accesses sensitive corporate data. Regulations (such as HIPAA for healthcare, GLBA for financial services, California SB 1386 for notification of breaches of personal information, the anti-money laundering requirements of the USA PATRIOT Act, and Sarbanes-Oxley for internal controls) require not only that companies secure their data, but also that they be able to provide audit trails specifying who accessed what (and in some cases report on violations). These regulations and other internal audit requirements demand that sensitive information be disclosed only according to a strict policy, which in turn requires that companies monitor and record all access to sensitive information. To meet compliance regulations, this auditing - of data center applications, databases and file servers - is currently a massive job, requiring time-consuming manual analysis that demands increasing investment.

Information/Identity Theft
Data center servers hold valuable and essential information assets, from patient information, financial records and credit card information to personal identity information. Despite continual perimeter and internal security investments, the largest theft breaches are compromising these servers through authorized insiders and through outsiders who have obtained valid credentials. Data servers are not safe, and trust as well as brand equity are at stake for every major organization.

Gartner estimates that 95% of all major intrusions with significant financial losses are initiated by internal sources. Additionally, it is estimated that each internal disclosure/compromise incident results in an average liability of $2.7 million (as contrasted with $67,000 for each virus/worm incident).

Internal intrusions can generally result from a variety of insider and outsider security attacks:
  • Disgruntled employees and consultants
  • Terminated employees with active accounts
  • Secondary attacks launched by external virus/worms
  • Masqueraders
  • Accidental disclosures
Recent examples of data theft involving client data, patient data, identity information and intellectual property are the results of such attacks. Such attacks need to be detected in real time.

As enterprises become more distributed and open, with remote access and mobile platforms, the boundary between internal and external is blurring. This trend will heighten the threat to key data assets. With growing penetration of worms and viruses, secondary attacks on data servers are on the rise. Any worm or virus that compromises perimeter security and obtains "authorized credentials" is able to mount a data attack on an internal server. Unlike external attacks, such data attacks are "clean": they arrive as well-formed requests under valid credentials, so there is no exploit signature for perimeter products such as Intrusion Detection and Intrusion Prevention Systems (IDS/IPS) or for antivirus systems to match. They can only be recognized by examining what the credentialed user actually does to the data.

Market Analysis: Conventional Tools are Not Enough
Data servers are a leading source of enterprise data risk. Most critical enterprise data resides within servers such as file servers, databases, application and document servers. To understand and mitigate data risk, sound security practice requires that key accesses to data servers be audited across the enterprise.

The security and IT workforce today is hard pressed to keep up with the auditing, detection and investigation of data server accesses. Current auditing systems that monitor data access rely on "server logging," which has a number of critical problems:
  • It is expensive and requires significant involvement by operations personnel
  • It may not log disclosures at all: many logging systems only track updates to a database, not reads or views, so a mass export of records leaves no trace
  • It is after-the-fact rather than real-time
  • It is hard to scale beyond specific data servers
  • It creates voluminous data but lacks the policy management needed to pinpoint critical accesses and internal attacks
As a result, significant human security expertise is required to sift millions of data accesses in order to detect internal attacks. Most internal investigations are in fact done at the forensics stage, long after the internal attack has escalated, when the damage is already done.

Today, security and IT administrators, compliance officers, risk managers and privacy officers lack systematic products to implement comprehensive, real-time security measures. In their absence, the approach is to implement home-grown systems that are expensive to develop, manage, and scale beyond specific applications. Furthermore, such systems are rarely real-time, require significant operational overhead of deployment (usually a tough sell internally), and lack protection and integration within the larger security ecosystem.

Until recently, IT security professionals focused on products such as firewalls and intrusion detection systems to keep outside attackers from getting into their systems. These systems are typically deployed at the perimeter of corporate networks. Today, however, companies increasingly recognize that an even greater problem is employees inside the enterprise gaining access to information they are not authorized to see.

Emerging Market: Activity Auditing Solutions
Traditional content and application security technologies monitor user and content access at the perimeter. They do not provide the visibility needed to address today's data security challenges. What is needed is the ability to know what authorized users are doing to critical assets once they have logged into applications. This need for data center "Activity Auditing" translates into three key requirements:

1. Monitoring data center servers for access to key information, by insiders and outsiders alike, within database, file server and application server transactions

2. Policy-based activity extraction - tracking the content touched, the operations performed (reads as well as updates) and the business activity of each authorized individual user, according to an audit policy

3. Analytics to determine information theft or malicious activity by authorized users

Enterprises need to address these key data risks with cost-effective "Activity Auditing" security products. Such products need to go beyond traditional firewalls/remote access, external intrusion detection, and internal access control and authentication to:

  • Monitor and audit access to key data assets stored within critical data servers (such as databases, file servers and application servers)
  • Create an audit trail relevant to specific business or regulatory compliance policies
  • Detect potential non-compliance or violation of privacy policies, as well as theft and integrity compromise of data assets
  • Protect data assets against serious non-compliance or violation

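The three requirements above (monitoring, policy-based extraction, analytics) can be made concrete with a small worked example. This is an added illustration written for this page, not code from any product it describes: the pipe-delimited audit record format, the policy fields, the business-hours window and the bulk-read threshold are all assumptions, and the sample records are constructed. It shows why reads must be logged at all (the 52,000-row SELECT would be invisible to an update-only log) and how a policy turns a raw access stream into an audit trail plus a short list of findings.

```python
"""
Policy-based activity auditing over database access records (added example).

Assumed record format: timestamp|user|object|operation|rows
The policy fields and thresholds below are illustrative assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample audit records, not real data.
SAMPLE_LOG = """\
2003-03-04T09:12:05|jsmith|patients|SELECT|12
2003-03-04T09:40:11|jsmith|inventory|SELECT|400
2003-03-04T11:02:44|bpatel|cardholders|UPDATE|1
2003-03-04T23:17:30|bpatel|cardholders|SELECT|52000
2003-03-05T02:05:09|rlee|patients|SELECT|9
2003-03-05T10:30:00|svc_backup|patients|SELECT|100000
"""


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    user: str
    obj: str   # table, file share or application object touched
    op: str    # SELECT / UPDATE / ...; reads are first-class, not just updates
    rows: int  # rows (or records) returned or changed


@dataclass(frozen=True)
class AuditPolicy:
    sensitive_objects: frozenset    # data assets in scope for auditing
    terminated_accounts: frozenset  # accounts that should no longer be active
    service_accounts: frozenset     # accounts allowed to read in bulk (e.g. backup)
    business_start: time = time(7, 0)
    business_end: time = time(19, 0)
    bulk_read_rows: int = 10_000    # assumed threshold for a mass disclosure


def parse_log(text):
    """Parse the assumed pipe-delimited format into AccessEvent objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, obj, op, rows = line.split("|")
        events.append(AccessEvent(datetime.fromisoformat(ts), user, obj, op.upper(), int(rows)))
    return events


def extract_sensitive_activity(events, policy):
    """Requirement 2: keep every operation, reads included, on in-scope assets.
    The result is the audit trail a compliance reviewer would be handed."""
    return [e for e in events if e.obj in policy.sensitive_objects]


def detect_violations(events, policy):
    """Requirement 3: evaluate each audited event against the policy and
    return (event, reason) pairs. One event can trigger several reasons."""
    findings = []
    for e in events:
        if e.user in policy.terminated_accounts:
            findings.append((e, "terminated account still active"))
        if not (policy.business_start <= e.when.time() < policy.business_end):
            findings.append((e, "access outside business hours"))
        if (e.op == "SELECT" and e.rows >= policy.bulk_read_rows
                and e.user not in policy.service_accounts):
            findings.append((e, "bulk read of sensitive data"))
    return findings


def audit(log_text, policy):
    """Full pipeline: parse, extract by policy, analyse. Returns (trail, findings)."""
    trail = extract_sensitive_activity(parse_log(log_text), policy)
    return trail, detect_violations(trail, policy)


# Illustrative policy: patient and cardholder data are in scope, rlee has been
# terminated, and svc_backup is the only account allowed to read in bulk.
POLICY = AuditPolicy(
    sensitive_objects=frozenset({"patients", "cardholders"}),
    terminated_accounts=frozenset({"rlee"}),
    service_accounts=frozenset({"svc_backup"}),
)

if __name__ == "__main__":
    trail, findings = audit(SAMPLE_LOG, POLICY)
    for e in trail:
        print(f"{e.when.isoformat()} {e.user:<10} {e.op:<6} {e.obj:<12} rows={e.rows}")
    for e, reason in findings:
        print(f"ALERT {e.when.isoformat()} {e.user} on {e.obj}: {reason}")
```

Run as-is, the trail contains the five accesses to patients and cardholders (the inventory read is out of scope) and produces four findings: the after-hours 52,000-row read by bpatel is flagged twice (after hours, bulk read), and the terminated account rlee is flagged twice (terminated, after hours). The 100,000-row read by svc_backup is not flagged because the policy whitelists it; in practice such exceptions are where an attacker with stolen service credentials hides, so a real policy would bound them by time window and source host as well.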
The Activity Auditing market opportunity is large. The market is being driven not only by the need for companies to protect their own and their customers' data but also compliance - i.e. they need to demonstrate that they are taking appropriate steps to do so, and can provide audit trail data if and when needed. The overall multi-billion market for security products in general is expected to grow at least double the rate of the overall IT market, according to Computerworld magazine. Within that segment, "inside the firewall" solutions represent a very small share today. This is, however, expected to grow very rapidly, as attention increases to these areas of vulnerability.

About Masthead Venture Partners
Headquartered in Cambridge, Massachusetts, Masthead Venture Partners is a venture capital firm dedicated to providing early-stage information technology, internet infrastructure and services, communications, and IT-intensive life sciences companies with the capital and hands-on operational support they need to develop into industry leaders. The firm has the advanced technical expertise, proven operating experience and deep industry knowledge and relationships to help entrepreneurs build companies with category-defining potential. For more information please visit www.mvpartners.com.


© 2003 Masthead Venture Partners. All rights reserved.