Is MDM one-stop shopping for enterprise cyber thieves? Most corporations have “locks” but no “keys”.

Voltage Data Breach IndexA couple of months ago I wrote a post titled “Who’s that looking at my Master data?”. That post focused specifically on the different user profiles, fine grained security and management of roles who would be given access to the master data consolidated inside an MDM Hub. The premise was that the information, gathered from multiple sources and applications had a specific set of users authorized to view certain attributes of the data. When combined into a “single view” those levels of authorization still needed to be preserved and most likely upgraded given new regulatory compliance and corporate data governance.

MDM platforms like Siperian  (disclosure my former company) provide robust data authentication and authorization that satisfy these requirements, as well as providing encryption while data is being accessed or written to the Hub. What is disturbing however is data “at rest”  in many MDM Hubs is stored in standard RDBMS like Oracle or IBM DB2, unencrypted and subject to mass data breach. Some corporations do turn on native RDBMS encryption, but that only protects the data while stored in the RDBMS, not when the information is extracted for viewing and/or distributed around the corporation. As if data breach from siloed applications weren’t concern enough for corporations, aggregating data into a single, accurate, clean, matched and merged Hub, is the equivalent of moving all of your valuable possessions into a single safe in your house for easy removal by unscrupulous thieves. Sure it affords an extra level of protection, like a secure “lock”, but once it is cracked open, everything is up for grabs. Add to the fact that much of corporate data theft comes from insiders who have access to the “locks”, makes a safe-like system hardly impenetrable.

Voltage Security, one of the leaders in the security space (my good friend Wasim Ahmad is the VP of Marketing) today highlighted the risks corporations run by leaving their data unencrypted either “at rest” or while “on the move” . They published an eye opening worldwide data breach index which visually shows the data breaches that have occurred over time periods, by geography. Every other day we hear stories in the press about how certain financial institutions, who have your personal data, have had a breach. There are thousands of internal breaches from corporations who don’t make the headlines but are just as damaging. Voltage has unique, patented technology including IBE (Identity-Based Encryption) and FPE (Format-Preserving Encryption) and their full range of products  have been adopted by major corporations such as Wells Fargo and Kodak. These products provide the necessary encryption “keys” that obfuscate the data, whether at rest or on the move, to complement the “locks” for securing the MDM Hub when it is being accessed. This makes valuable master data unreadable to cyber thieves even if they managed to get a hold of it from the Hub or when it is on the move.

It’s clear that having authentication and authorization to your master data is important. But encryption is the added “key” which you need to ensure your overall protection. If you are a corporation who has deployed MDM or is thinking of purchasing MDM, you should consider your overall encryption strategy by taking a look at Voltage and other similar security providers. If you don’t, you might come home one day to find those valuables in your safe compromised, with a note from the burglars saying, “thanks for making our job so easy.”

Leave a Reply