White Paper


                  The Business Case for Data Security
  Business Case
                    The growing costs of security breaches and manual compliance efforts have given
                    rise to new data security solutions specifically designed to prevent data breaches and
                    deliver automated compliance.

                    This paper examines the drivers for adopting a strategic approach to data security,
                    compares and contrasts current approaches, and presents the Return on Security
                    Investment (ROSI) of viable data security solutions.




                             “With the growing threats to applications and data, from
                              large-scale, automated Web attacks to insider malfeasance,
                              proactive data security has become mandatory.”
The Business Case for Data Security




                           Executive Summary
                               Large-scale application attacks, targeted insider threats, and a swelling raft of regulations are compelling
                               organizations to adopt a new defense: data security. In this paper, we will address three key business questions:
                           1) What are the risks and regulatory drivers for data security?
                               We take a close look at today’s security and compliance landscape, current data security challenges, and the
                               auditing and reporting requirements in leading data privacy and data governance regulations. We conclude
                               that data security should be an executive focus, when businesses consider the devastating impact of data
                               breaches and the rising costs of regulatory compliance.
                           2) What are the alternative approaches to achieving data security?
                               We contrast Imperva’s holistic data security approach with other approaches, including “do it yourself” projects,
                               use of data security features within event management and application delivery products, and loosely
                               integrated data governance solutions. It is our contention that only a comprehensive and intelligent platform
                               can deliver the right level of security and control that is essential for effective data security.
                           3) What are the financial benefits of deploying a holistic data security solution like Imperva
                              SecureSphere?
                                Based on the analysis offered above, we determined that Imperva SecureSphere offers a cost reduction and
                                cost avoidance benefit of 274% compared to alternative approaches. Calculating the total costs over a five
                                year period, a typical large enterprise would spend $5,487,500 in data breach expenses, manual monitoring,
                                auditing, and reporting costs versus $1,467,850 with Imperva SecureSphere appliances, licenses, maintenance,
                                and operations costs. The cost savings are compelling, demonstrating why data security has moved to the
                                forefront of most organizations’ security strategy.




         Imperva White Paper
                                                                                                                                               <   2   >




                            I. Data Security and Compliance: An Evolving Landscape
                                Security and compliance are two of the most critical concerns for any organization. Between 2005 and 2010,
                                data breaches have cost organizations billions of dollars and exposed over 500 million sensitive records,1
                                leaving a litany of lawsuits, sanctions, fines, and lost revenue in their wake. In addition, organizations are subject
                                to increasingly stringent regulatory compliance requirements. A growing number of regulations mandate
                                monitoring and auditing of user activity, application safeguards, and internal controls. To develop a cohesive
                                strategy for security and compliance, organizations must analyze their security risks and compliance needs.
                            Financial Impact of Security Incidents
                                Data breaches are financially devastating, averaging $6.75 million per incident and $204 per compromised
                                record.2 Data breaches not only impact organizations, but also affect the tens of millions of individuals who fall
                                victim to identity theft and fraud. Whether caused by external attack or insider abuse, data breaches are perhaps the
                                single most damaging security event that an organization can endure. In addition to breaches, organizations must
                                fortify their valuable resources against denial of service, data loss, and data manipulation.
                                Hacking and External Threats
                                Hacking and external threats are the leading cause of data breaches, accounting for approximately 94%3
                                of all compromised records in 2009, according to an in-depth investigation of data breaches. And 92%3 of
                                compromised records from hacking-related attacks were attributed to Web application attacks. Based on this
                                forensic evidence, if organizations had fortified their Web applications against attack, they could have reduced
                                the total number of known compromised records from over 140 million to roughly 20 million.




                                Figure 1 Proportion of Breached Records Due to Hacking by Attack Method3
                                Web Application (92%); Backdoor or Control Channel (5%); Remote Access and Control (2%);
                                Network File Shares (1%); Physical Access (1%); Wireless (1%); Unknown (1%)



                                The rise in Web-related data breaches is due in part to more sophisticated attack techniques. Hackers have
                                become more organized, pooling resources and delegating responsibilities based on skill set. They are also
                                creating automated capabilities to improve efficiency and scale, building armies of bots – remotely controlled
                                computers – to unleash large-scale, automated attacks.4 These new methods have made Web application
                                attacks very effective and, unfortunately, very destructive, as is borne out in data breach investigations.




                        1 Privacy Rights Clearinghouse, www.privacyrights.org/500-million-records-breached
                        2 Ponemon Institute, “Cost of a Data Breach,” January 2010
                        3 Verizon Business, “2010 Data Breach Investigations Report”
                        4 Imperva, “Industrialization of Hacking,” 2010





                                The Enemy Inside
                                Risks associated with insider threats, ranging from sabotage and fraud to sensitive data theft, have also
                                increased, along with the opportunities for insiders to profit from their illicit activity. Many organizations have
                                overlooked insiders who may access sensitive networks, applications, and data on a daily basis. Privileged users
                                must have access to sensitive data in order to perform their job. Therefore, they can abuse these privileges
                                and gain control of such data more easily and more covertly than external users. It is not surprising, then, that
                                insiders accounted for 48% of all breaches and 3% of all compromised records in 2009.5
                            Rising Cost of Achieving and Maintaining Regulatory Compliance
                                Organizations of all sizes must comply with a raft of regulations designed to bolster security, reduce fraud, and
                                ensure privacy. These regulations were enacted for a variety of reasons: as the result of an extraordinary event,
                                as with the implosions of Enron and WorldCom that led to Sarbanes-Oxley (SOX), or as the evolution of disparate
                                security standards that morphed into the industry-wide and influential Payment Card Industry Data Security
                                Standard (PCI DSS).
                                Addressing Multiple Compliance Mandates
                                In addition to SOX and PCI, organizations must adhere to a range of other industry and government
                                regulations. Healthcare companies must comply with HIPAA, the HITECH Act, and MAR. Federal institutions
                                must fulfill FISMA, ITAR, EAR, and DISA STIGs requirements. Energy companies must comply with NERC and
                                FERC. Organizations in Europe are governed by Basel II and EU data breach notification laws. The list goes on,
                                as does the number of auditing and security requirements that organizations must address. On top of these
                                regulations, new regulations are introduced every year, and existing laws change.
                                While each regulation defines unique auditing and security requirements, it is possible to distinguish consistent
                                themes across most compliance mandates. Achieving compliance becomes much easier when organizations
                                develop well-defined and repeatable processes that track all user activities, maintain separation of duties, and
                                establish user accountability.
                                Demonstrating Compliance
                                All regulations require organizations to demonstrate compliance to external auditors and governmental
                                agencies. Organizations must prove that compliance processes are in place. They also have to collect pertinent
                                audit and security data and present it in a clear, understandable format. With these operationally taxing manual
                                processes, it is not surprising that U.S. businesses spend over $2.5 billion on SOX compliance each year.6




                        5 Verizon Business, “2010 Data Breach Investigations Report”
                        6 AMR Research, “With GRC Spending at an All-Time High, What Happens to SOX?”







                           II. Data Security: Requirements and Alternative Approaches
                               Organizations’ data security strategy should focus on the core business drivers of preventing external
                               attacks, mitigating insider abuse, and automating compliance processes. Some of the resulting operational
                               requirements include:
                                 » Accurate Protection for Business-Critical Applications and Data
                                   A data security solution should provide comprehensive protection of all critical data assets including
                                   Web applications, databases, and files from external attack and insider threats. Because of the complex
                                   nature of data-layer threats, a security solution should be able to detect known attack methods, malicious
                                   users, deviations from expected user behavior, and correlate multiple event attributes together for
                                   pinpoint accuracy.
                                 » Full Auditing with Separation of Duties
                                   Since audit trails of user activity have become an essential aspect of compliance, a complete data security
                                   solution must be able to audit all access and changes to databases and files. It should ensure audit
                                   data integrity and user accountability and identify material variances in user activity. Demonstrating
                                   compliance must be achieved through automated reports and analytical tools – the basis for forensic
                                   investigations.
                                 » Low Impact Deployment
                                   Any solution designed to improve security should not impact application uptime or impose a management
                                   burden. The solution should meet availability and performance requirements without introducing
                                   operational risks. In addition, it should support centralized management, monitoring, auditing, and
                                   reporting to streamline administration for large, distributed deployments.


                           Data Security: The Future of Security and Compliance
                               To address the full scope of today’s security and compliance requirements, Imperva has created a new
                               technology category, Data Security. With Data Security, organizations can mitigate data breach risks and directly
                               satisfy auditing and compliance mandates by implementing one integrated, best-of-breed security solution.
                               Data Security protects business-sensitive data where it lives – in database and file servers – and how it is
                               accessed – through applications. With data-layer protection, data security solutions can block the attacks that
                               lead to costly data compromises more accurately than any existing technology. They can also monitor users to
                               prevent insider abuse, and audit all activity with unmatched visibility for compliance.
                               The Imperva SecureSphere Data Security Suite
                               Imperva SecureSphere Data Security Suite encompasses the market-leading SecureSphere Web Application
                               Firewall, and the award-winning SecureSphere Database Security and File Security Solutions. Either deployed
                               alone, or together as one integrated, centrally managed solution, SecureSphere Data Security Solutions offer a
                               powerful defense against hackers and malicious insiders, streamline and automate regulatory compliance, and
                               prioritize and mitigate data risks.








                               SecureSphere Data Security Solutions offer organizations several unique capabilities:
                                 » Complete, End-to-End Data Protection - SecureSphere protects data where it is stored – in databases
                                   and files – and how it is accessed – through applications – and addresses the full Data Security and
                                   compliance life cycle.
                                 » Automated Security – Imperva’s patented Dynamic Profiling automatically learns application and
                                   database usage without manual intervention. The unique ThreatRadar service further streamlines security
                                   by automatically stopping attacks from known, malicious sources.
                                 » Full Visibility with Separation of Duties – SecureSphere monitors and audits all database and file
                                   activity, including privileged user access, without relying on native auditing capabilities. Interactive audit
                                   analytics enable users to analyze, correlate and view activity from any angle.
                                 » Streamlined User Rights Management – SecureSphere simplifies the process of reviewing and
                                   managing user rights across distributed file servers and databases. SecureSphere aggregates access rights,
                                   identifies dormant accounts and highlights excessive privileges.
                                 » Zero-Impact Deployment – SecureSphere offers multiple, transparent deployment options for easy
                                   integration into any environment with no impact on existing applications, databases or files.








                           Contrasting Imperva’s Data Security with Alternative Approaches
                               To meet security and compliance requirements, organizations may rely on a combination of native logging
                               tools, manual reporting processes, and manual application vulnerability fix and test procedures. The following
                               section investigates various approaches to prevent data breaches and address compliance mandates.
                               Security Information and Event Management
                               To manage the massive amounts of data collected, some organizations have turned to Security Information and
                               Event Management (SIEM) solutions. SIEMs aggregate log data across multiple servers and devices, correlate
                               events to identify anomalies, and streamline compliance reporting. However, SIEMs that rely on native logging
                               for audit data present the following challenges:
                                 » Complex configuration of native database and file server logging utilities by DBAs and IT Administrators
                                 » No separation of duties, as logging policies and audit trails can be manipulated by the very users that should
                                   be audited
                                 » Significant degradation of database and file server performance
                               In addition, SIEMs, as cross-product security event aggregators, do not provide in-depth analysis or purpose-
                               built reports for database and file activity, and cannot prevent unauthorized access or monitor activity in
                               real time.
                               Data Governance and Information Management
                               Information Management vendors offer a broad spectrum of solutions for data management and governance.
                               This breadth enables organizations to use one supplier to address multiple data security and data management
                               requirements. However, such an approach often increases the cost, complexity, and duration of data security
                               and compliance projects. Broad-scale, non-specialized information management vendors may turn relatively
                               simple auditing projects into multi-year, company-wide consulting engagements. In addition, while broadening
                               project scope, information management vendors often fall short in terms of addressing all necessary auditing
                               and compliance requirements. For example, an information management vendor may be able to secure
                               database data, but not files or applications. Organizations should assess their current and future security
                               requirements and determine whether such a solution is aligned with project goals and will address monitoring and
                               security objectives within the desired timeframe and budget.
                               Integrated Application Delivery and Security
                               One approach to achieve Web application attack protection is to combine a Web Application Firewall with
                               a load balancer for combined application delivery and security. Such an approach can consolidate multiple
                               functions onto a single hardware platform. However, adding Web application security to existing application
                               delivery controllers (ADCs) can have a number of unexpected consequences, including drastically degrading
                               ADC performance and impacting the stability of mission-critical networking equipment. Most importantly,
                               ADCs only tackle one aspect of data security: application protection. They cannot monitor or protect
                               application data stored in databases, nor can they secure unstructured data in files.
                               Manual Vulnerability Management
                               Most organizations invest considerable effort to ensure that Web applications, databases, and file servers do not
                               contain vulnerabilities. Web developers must allocate time and resources to ensure that applications are written
                               according to secure coding best practices. IT administrators and DBAs must deploy vendor-supplied patches
                               into key applications and databases. Security personnel must test applications and servers for weaknesses and
                               then fix any discovered vulnerabilities.








                               However, while an essential aspect of any data security strategy, manual vulnerability patch processes:
                                 » Burden developers and administrators with disruptive fix and test cycles (“fire drills”)
                                 » Can expose organizations to attack for weeks or months while vulnerabilities are being fixed
                               Based on extensive research, fixing a single Web application vulnerability takes on average between two and
                               four months.7 With 83% of Websites having had serious vulnerabilities, relying on manual fix and test processes
                               is not sufficient. The time needed to apply database security patches is even longer, often exceeding three
                               months after a patch is released.8 Unfortunately, attackers will not wait for weeks or months to unleash online
                               attacks. Organizations should evaluate solutions that can virtually patch vulnerabilities to eliminate this window
                               of exposure and reduce the costs associated with emergency fix and test cycles.


                           Approaches to Data Security (comparison table)

                               Approaches compared: SecureSphere Data Security Suite; Native Logging and SIEM;
                               Data Governance and Information Management; Application Delivery and Security;
                               Manual Vulnerability Management

                               Function     Capability
                               Security     Purpose-Built Platform
                                            End-to-End coverage of all data assets
                                            Proactive Policy Enforcement
                                            Instant Vulnerability Mitigation
                               Compliance   Compliance Automation
                                            Separation of Duties
                                            User Accountability
                               Deployment   Rapid Time-to-Value
                                            No impact on systems and business processes








                             III. Return on Security Investment (ROSI) with Imperva SecureSphere9
                                  The SecureSphere Data Security Suite is designed from the ground up to meet all aspects of security and
                                  compliance for business-critical applications and data. SecureSphere provides conclusive cost savings by
                                  offloading operationally expensive logging from database and file servers and by driving down manual
                                  compliance reporting costs. More importantly, SecureSphere offers return on security investment (ROSI) by
                                  drastically reducing the risk and impact of a devastating data breach.
                                  In order to quantify the cost savings provided by Imperva, we compared the cost of implementing
                                  SecureSphere versus the cost of “doing nothing” and the subsequent expenses created by a data breach or
                                  manual auditing and reporting processes.
                                  The following table shows our assumptions. The number of protected records is an estimate for a medium size
                                  company, but this number will vary widely and should be adjusted according to the individual business profile.
                                  The average number of records lost in a data breach is extrapolated from results of the Ponemon Institute “2009
                                  Cost of a Data Breach” report. The probability of a data breach is estimated at 5%.


                                   Basic Assumptions                                                                   Value10
                                   Number of Protected Records                                                              100,000
                                   Average Number of Records Lost in a Data Breach                                           33,088
                                   Probability of a Data Breach                                                                  5%
                                   Annual Cost of a Full Time DBA or IT Security Administrator (in USD)                   $110,000



                             Reducing the Financial Impact of a Data Breach
                                  Data breaches are costly, averaging $6.75 million per incident.11 The expenses mount as organizations are forced
                                  to investigate breaches to assess affected records, notify customers, and pay legal fees and fines. However, the
                                  single highest cost is lost business, accounting for nearly half of the total financial impact of a breach.
                                  Statistics show 98% of compromised records originated from servers,12 predominantly Web application,
                                  database, and file servers. A dedicated data security solution could lower the cost of a data breach by accurately
                                  identifying the scope of the breach or preventing the breach from ever occurring.
                                  SecureSphere Database Activity Monitoring and File Activity Monitoring can audit every access to sensitive
                                  data and quickly identify the individual records that were compromised. Without this independent and
                                  tamper-proof audit trail, organizations often have to assume the worst and notify all potential victims – even
                                  if only a fraction of that data was accessed by a perpetrator. An Activity Monitoring solution can drastically
                                  reduce the extent of a data breach, by an estimated two thirds. A proactive defense such as a Web Application
                                  Firewall, Database Firewall and File Firewall can block attacks, avoiding the breach altogether for almost all
                                  application-related breaches. The following table shows the costs of a data breach with and without a data
                                  security solution.




                        9 In our opinion, the only viable alternative approach that fully addresses data security requirements is manual compliance and vulnerability mitigation.
                          The ROSI calculation therefore compares Imperva to a manual approach.
                        10 These numbers vary between organizations. They represent a typical number for a medium-to-large enterprise.
                        11 Ponemon Institute, “Cost of a Data Breach,” January 2010
                        12 Verizon Business, “2010 Data Breach Investigations Report”






Impact of a Data Breach Due to Web, Database and File Security Threats

                                                 Without          SecureSphere Database and    SecureSphere Web, Database,
                                                 SecureSphere     File Activity Monitoring13   File Firewall14
    Number of Suspected Compromised Records      33,088           33,088                       0
    Number of Confirmed Compromised Records      Not available    11,029                       0
    Consulting Services and Investigation Costs  $1,350,000       $225,000                     0
    Notification Costs                           $742,000         $247,000                     0
    Legal Costs                                  $1,147,000       $382,000                     0
    Identity Protection and Other Services       $202,000         $67,000                      0
    Lost Business and Related Costs              $3,307,000       $1,102,000                   0
    Cost of a Data Breach                        $6,750,000       $2,023,000                   0



                             Vulnerability Remediation Efforts
                                 In addition to reducing the likelihood of an expensive data breach, a dedicated data security solution can also
                                 cut vulnerability remediation costs. First, Imperva SecureSphere can virtually patch application and database
                                 vulnerabilities, thereby eliminating disruptive emergency fix and test cycles. Vulnerabilities can be fixed as part
                                 of regular development schedules, which is significantly less expensive than fixing vulnerabilities in production.
                                 Second, SecureSphere typically allows organizations to delay minor patch updates until a cumulative patch is
                                 available or a new software version is released. This provides organizations considerable cost savings compared
                                 to the expense of developing, testing, staging, and implementing software patches.
                                 The following table compares the labor costs of remediating Web application and server vulnerabilities for an
                                 organization with 10 online applications, 15 Web servers, and 5 database servers.


                                 Annual Vulnerability Remediation Labor Costs
                                                                                                     Without SecureSphere                         With SecureSphere
                                   Emergency Fix and Test of Custom Vulnerabilities                                            $120,000                                          $0
                                   Custom Vulnerability Fixes in Scheduled Releases                                                   $0                                   $19,200
                                   Operating System Patches                                                                     $25,000                                    $12,500
                                   Web Server Patches                                                                           $25,000                                    $12,500
                                   Database Server Patches                                                                      $12,500                                     $6,250
                                   Total                                                                                      $182,500                                    $50,450




13 SecureSphere Database and File Activity Monitoring offer auditing but no access control.
14 When SecureSphere is implemented in “Firewall” mode, the residual risk of a Web, database or file data breach is too small to measure, so the table shows it as zero. While auditing can reduce the impact of a breach by identifying the actual compromised records, when SecureSphere is deployed inline it can proactively prevent attacks from occurring.







                           Labor Costs of Auditing and Reporting
                               While both databases and file servers offer native logging capabilities, managing and maintaining audit log files
                               can be an expensive proposition. Database or IT administrators must determine what activity to audit, create
                               log rules, and then sort through reams of log messages to find materially relevant information for reports. Raw
                               data must be arranged into a presentable format for auditors. Organizations must also develop in-house tools
                               to prevent unauthorized access or manipulation of log data for separation of duties.
                               Native tools only address one aspect of the data security and compliance lifecycle. They cannot locate sensitive
                               data on the network, test databases for vulnerabilities, or patch these vulnerabilities. Organizations that use
                               native audit tools must also account for the costs of manually discovering and classifying sensitive data – two
                               requirements either implied or explicitly spelled out in many compliance regulations. Furthermore, many
                               regulations require that organizations limit user access rights to business need-to-know and remove dormant
                               accounts. For large enterprises, managing database and file access rights for thousands of users can be an
                               overwhelming task, leading many administrators to grant excessive privileges.
                               A dedicated data security solution such as SecureSphere can eliminate manual administrative tasks, automate
                               auditing and compliance reporting, and dramatically improve the overall security posture of the organization.
The following table compares the number of full-time employees required to meet database and file security
compliance requirements, with and without a data security solution.


                                                         Without SecureSphere                   With SecureSphere
    Task                                                 Initial setup   Ongoing maintenance    Initial setup   Ongoing maintenance
    Discovery                                            $55,000         $55,000                $11,000         $11,000
    Classification and Assessment                        $55,000         $55,000                $11,000         $11,000
    Managing User Rights to Databases and Files          $110,000        $110,000               $55,000         $11,000
    Enablement of Auditing                               $27,500         $27,500                $11,000         $1,100
    Writing and Maintaining Custom Scripts               $165,000        $55,000                $11,000         $11,000
    Creating Custom Reports                              $110,000        $55,000                $27,500         $11,000
    Implementation of Workflow and Business Processes    $110,000        $55,000                $11,000         $11,000
    Total                                                $687,500        $412,500               $137,500        $67,100



                           Software and Hardware Investment for SecureSphere Versus Native Auditing
                               In addition to comparing the labor expenses of security and compliance, businesses must also analyze the
hardware and software investment. With SecureSphere, the costs are relatively straightforward: the price of the
                               SecureSphere Data Security Suite, which includes the price of the Web Application Firewall, Database Firewall
                               and File Firewall, plus the MX Management Server.
                               If organizations opt for native logging, then they will need to purchase additional hardware and software
                               licenses to maintain previous performance levels. This is because full logging of all activity can degrade server
                               performance by approximately 30 - 50%. The table below compares the infrastructure costs incurred by using
                               native logging tools versus deploying the SecureSphere Data Security Suite.




                                                                 Without SecureSphere    With SecureSphere
    Additional Database and File Server Hardware                 $50,000.00              $0.00
    Additional Database and File Server Software                 $200,000.00             $0.00
    SecureSphere Data Security Suite and MX Management Server    $0.00                   $73,600.00
    Annual Support and Maintenance Fees                          $40,000.00              $14,720.00
    Hardware and Software Administration Costs                   $20,000.00              $20,000.00
    Total                                                        $310,000.00             $108,320.00



                           Total Return on Security Investment
                               Because security and compliance must be addressed holistically, the following table compares the total
                               hardware, software, and management costs of the SecureSphere Data Security Suite to native logging and
                               manual compliance processes. In addition, a Return on Security Investment (ROSI) calculation must factor in
                               the cost and risk of a data security breach. The following table combines the data from the above tables to
                               provide the return on investment of the SecureSphere Data Security Suite versus no dedicated Web application,
                               database, or file security.


                                         Without SecureSphere                       Year 1       Year 2          Year 3         Year 4       Year 5
                                Vulnerability Remediation Costs                       $182,500    $182,500         $182,500      $182,500      $182,500
                                Auditing and Compliance Costs                         $687,500    $412,500         $412,500      $412,500      $412,500
                                Hardware and Software Costs                           $310,000     $60,000          $60,000       $60,000       $60,000
                                Data Breach Cost = Probability x Impact               $337,500    $337,500         $337,500      $337,500      $337,500
                                Total Cost without SecureSphere                     $1,517,500   $992,500         $992,500       $992,500     $992,500


                                SecureSphere Costs and Risk Posture                 Year 1       Year 2          Year 3         Year 4       Year 5
                                Vulnerability Remediation Costs                        $50,450     $50,450          $50,450       $50,450       $50,450
                                Auditing and Compliance Costs                         $137,500     $67,100          $67,100       $67,100       $67,100
                                Hardware and Software Costs                           $108,320     $34,720          $34,720       $34,720       $34,720
                                Data Breach Cost = Probability x Impact               $112,500    $112,500         $112,500      $112,500      $112,500
                                Total Costs with SecureSphere                        $408,770    $264,770         $264,770       $264,770     $264,770

                                Cost Savings with SecureSphere         $4,019,650
                                ROSI with SecureSphere                 274%

                                Investment Based Discount Rate         10%
                                NPV (Net Present Value)                $3,654,227



                               The total infrastructure, labor, and data breach costs of the SecureSphere Data Security Suite over five years
                               totaled $1.47 million, compared to $5.49 million for native logging, manual compliance processes and
                               no proactive Web, database or file security protection. Note that the projected data breach cost savings
                               for SecureSphere were conservative, assuming only the cost savings associated with monitoring traffic
                               and pinpointing individual breached records. With 98% of breached records originating from servers, the
                               SecureSphere Data Security Suite, with an integrated Web Application Firewall, should be able to prevent most
                               data breaches from ever occurring.
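The five-year figures above can be rebuilt from the table rows. The following Python model is an added example, not the paper's own spreadsheet: it takes each cost row as the paper gives it, applies the two-thirds breach-scope reduction attributed to Activity Monitoring, and reproduces the $4,019,650 savings and 274% ROSI. The paper's NPV figure equals the total savings discounted once at 10%, which is an inference from the numbers rather than a method the paper states, so the example also computes the conventional year-by-year discounting for comparison.

```python
"""Five-year Return on Security Investment (ROSI) model.

Added example built from the white paper's cost tables. The row values are
the paper's; the structure, the single-discount NPV reading and the
year-by-year NPV variant are this example's own.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class AnnualCosts:
    """One scenario's cost rows, in dollars per year."""
    remediation: float      # vulnerability remediation labor (every year)
    audit_initial: float    # auditing and compliance labor, year 1 (setup)
    audit_ongoing: float    # auditing and compliance labor, years 2 onward
    infra_initial: float    # hardware/software, year 1 (includes purchase)
    infra_ongoing: float    # hardware/software, years 2 onward (support + admin)
    breach_expected: float  # data breach cost = probability x impact

    def yearly(self, years: int = 5) -> List[float]:
        """Cost stream for years 1..years; year 1 carries the setup costs."""
        return [
            self.remediation
            + (self.audit_initial if y == 1 else self.audit_ongoing)
            + (self.infra_initial if y == 1 else self.infra_ongoing)
            + self.breach_expected
            for y in range(1, years + 1)
        ]


def monitored_breach_cost(expected_cost: float) -> float:
    """Expected breach cost once activity monitoring narrows the breach scope.

    The paper estimates that pinpointing the compromised records cuts the
    extent of a breach by two thirds, so one third of the expected cost remains.
    """
    return expected_cost / 3


# Rows of the "Without SecureSphere" and "SecureSphere Costs" tables above.
WITHOUT = AnnualCosts(182_500, 687_500, 412_500, 310_000, 60_000, 337_500)
WITH = AnnualCosts(50_450, 137_500, 67_100, 108_320, 34_720,
                   monitored_breach_cost(337_500))   # 337,500 / 3 = 112,500


def total_cost(costs: AnnualCosts, years: int = 5) -> float:
    return sum(costs.yearly(years))


def cost_savings(baseline: AnnualCosts, solution: AnnualCosts,
                 years: int = 5) -> float:
    return total_cost(baseline, years) - total_cost(solution, years)


def rosi_percent(baseline: AnnualCosts, solution: AnnualCosts,
                 years: int = 5) -> float:
    """Savings as a percentage of the money spent on the solution."""
    return 100 * cost_savings(baseline, solution, years) / total_cost(solution, years)


def npv_single_discount(savings: float, rate: float) -> float:
    """Total savings discounted once at `rate`; matches the paper's NPV figure."""
    return savings / (1 + rate)


def npv_by_year(baseline: AnnualCosts, solution: AnnualCosts,
                rate: float, years: int = 5) -> float:
    """Conventional NPV: year t's savings discounted by (1 + rate) ** t."""
    stream = zip(baseline.yearly(years), solution.yearly(years))
    return sum((b - s) / (1 + rate) ** t for t, (b, s) in enumerate(stream, start=1))


if __name__ == "__main__":
    savings = cost_savings(WITHOUT, WITH)
    print(f"five-year cost without: ${total_cost(WITHOUT):,.0f}")  # $5,487,500
    print(f"five-year cost with:    ${total_cost(WITH):,.0f}")     # $1,467,850
    print(f"savings: ${savings:,.0f}  ROSI: {rosi_percent(WITHOUT, WITH):.0f}%")
    print(f"NPV (single discount):  ${npv_single_discount(savings, 0.10):,.0f}")  # $3,654,227
    print(f"NPV (year by year):     ${npv_by_year(WITHOUT, WITH, 0.10):,.0f}")
```

The year-by-year NPV comes out roughly half a million dollars lower than the single-discount figure, which is the caveat to carry into any procurement review of a vendor ROSI table.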



                           Summary
                               With the growing threats to applications and data, from large-scale, automated Web attacks to insider
                               malfeasance, proactive data security has become mandatory. Besides protecting critical assets, a host of
regulations have spurred the need to audit activity and streamline compliance processes. Unfortunately,
                               existing security solutions cannot effectively stop data security attacks or address security and compliance
                               concerns holistically. A dedicated Data Security solution like Imperva SecureSphere not only satisfies today’s
                               security and compliance requirements, it also offers a return on investment of 274% compared to not using
                               a data security solution at all.
                               When compared to alternative solutions, Imperva SecureSphere is the only sensible and effective choice to
                               secure sensitive applications and data. With SecureSphere, organizations can:
                                   » Protect applications, databases, and files from internal and external threats
                                   » Lower the cost of auditing while implementing separation of duties
                                   » Automate compliance reporting
                                   » Virtually patch application and database vulnerabilities
                               With its indisputable value, it is not surprising that Imperva has become the market leader for Web, database,
                               and file monitoring and protection. Trusted by thousands of leading organizations around the world, Imperva
                               SecureSphere is the practical, cost-effective solution for Data Security.


                           About Imperva
                               Imperva is the global leader in data security. Our customers include leading enterprises, government
                               organizations, and managed service providers who rely on Imperva to prevent sensitive data theft by hackers
                               and insiders. The award-winning Imperva SecureSphere is the only solution that delivers full activity monitoring
                               for databases, Web applications and file systems.
To learn more about Imperva’s solution visit http://www.imperva.com.




  Imperva
  Headquarters
  3400 Bridge Parkway, Suite 200
  Redwood Shores, CA 94065
  Tel: +1-650-345-9000
  Fax: +1-650-345-9004

  Toll Free (U.S. only): +1-866-926-4678
  www.imperva.com

  © Copyright 2010, Imperva
  All rights reserved. Imperva, SecureSphere, and "Protecting the Data That Drives Business" are registered trademarks of Imperva.
  All other brand or product names are trademarks or registered trademarks of their respective holders. #WP-BC-DATA-SECURITY-1010rev1

The Business Case for Data Security

  • 1. White Paper The Business Case for Data Security Business Case The growing costs of security breaches and manual compliance efforts have given rise to new data security solutions specifically designed to prevent data breaches and deliver automated compliance. This paper examines the drivers for adopting a strategic approach to data security, compares and contrasts current approaches, and presents the Return on Security Investment (ROSI) of viable data security solutions. “ ” With the growing threats to applications and data, from large-scale, automated Web attacks to insider malfeasance, proactive data security has become mandatory.
  • 2. The Business Case for Data Security Executive Summary DatabaseFileWeb Large-scale application attacks, targeted insider threats, and a swelling raft of regulations are compelling organizations to adopt a new defense: data security. In this paper, we will address three key business questions: 1) What are the risks and regulatory drivers for data security? We take a close look at today’s security and compliance landscape, current data security challenges, and the auditing and reporting requirements in leading data privacy and data governance regulations. We conclude that data security should be an executive focus, when businesses consider the devastating impact of data breaches and the rising costs of regulatory compliance. 2) What are the alternative approaches to achieving data security? We contrast Imperva’s holistic data security approach with other approaches, including “do it yourself” projects, use of data security features within event management and application delivery products, and loosely integrated data governance solutions. It is our contention that only a comprehensive and intelligent platform can deliver the right level of security and control that is essential for effective data security. 3) What are the financial benefits of deploying a holistic data security solution like Imperva SecureSphere? Based on the analysis offered above, we determined that Imperva SecureSphere offers a cost reduction and cost avoidance benefit of 274% compared to alternative approaches. Calculating the total costs over a five year period, a typical large enterprise would spend $5,487,500 in data breach expenses, manual monitoring, auditing, and reporting costs versus $1,467,850 with Imperva SecureSphere appliances, licenses, maintenance, and operations costs. The cost savings are compelling, demonstrating why data security has moved to the forefront of most organizations security strategy. Imperva White Paper < 2 >
  • 3. The Business Case for Data Security I. Data Security and Compliance: An Evolving Landscape DatabaseFileWeb Security and compliance are two of the most critical concerns for any organization. Between 2005 and 2010, data breaches have cost organizations billions of dollars and exposed over 500 million sensitive records,1 leaving a litany of lawsuits, sanctions, fines, and lost revenue, in their wake. In addition, organizations are subject to increasingly stringent regulatory compliance requirements. A growing number of regulations mandate monitoring and auditing of user activity, application safeguards, and internal controls. To develop a cohesive strategy for security and compliance, organizations must analyze their security risks and compliance needs. Financial Impact of Security Incidents Data breaches are financially devastating, averaging $6.75 million per incident and $204 per compromised record.2 Data breaches not only impact organizations, but also affect the tens of millions of individuals who fall victim to identity theft and fraud. Due to external attack or insider abuse, data breaches are perhaps the single most damaging security event that an organization can endure. In addition to breaches, organizations must fortify their valuable resources against denial of service, data loss, and data manipulation. Hacking and External Threats Hacking and external threats are the leading cause of data breaches, accounting for approximately 94%3 of all compromised records in 2009, according to an in-depth investigation of data breaches. And 92%3 of compromised records from hacking-related attacks were attributed to Web application attacks. Based on this forensic evidence, if organizations had fortified their Web applications against attack, they could have reduced the total number of known compromised records from over 140 million to roughly 20 million. 
Figure 1: Proportion of Breached Records Due to Hacking, by Attack Method[3]
  Web Application: 92%
  Backdoor or Control Channel: 5%
  Remote Access and Control: 2%
  Network File Shares: 1%
  Physical Access: 1%
  Wireless: 1%
  Unknown: 1%

The rise in Web-related data breaches is due in part to more sophisticated attack techniques. Hackers have become more organized, pooling resources and delegating responsibilities based on skill set. They are also creating automated capabilities to improve efficiency and scale, building armies of bots (remotely controlled computers) to unleash large-scale, automated attacks.[4] These new methods have made Web application attacks very effective and, unfortunately, very destructive, as is borne out in data breach investigations.

[1] Privacy Rights Clearinghouse, www.privacyrights.org/500-million-records-breached
[2] Ponemon Institute, “Cost of a Data Breach,” January 2010
[3] Verizon Business, “2010 Data Breach Investigations Report”
[4] Imperva, “Industrialization of Hacking,” 2010
The Enemy Inside

Risks associated with insider threats, ranging from sabotage and fraud to sensitive data theft, have also increased, along with the opportunities for insiders to profit from their illicit activity. Many organizations have overlooked insiders who may access sensitive networks, applications, and data on a daily basis. Privileged users must have access to sensitive data in order to perform their job; as a result, they can abuse these privileges and gain control of such data more easily and more covertly than external users. It is not surprising, then, that insiders accounted for 48% of all breaches and 3% of all compromised records in 2009.[5]

Rising Cost of Achieving and Maintaining Regulatory Compliance

Organizations of all sizes must comply with a raft of regulations designed to bolster security, reduce fraud, and ensure privacy. These regulations were enacted for a variety of reasons: as the result of an extraordinary event, as with the implosions of Enron and WorldCom that led to Sarbanes-Oxley (SOX), or as the evolution of disparate security standards that morphed into the industry-wide and influential Payment Card Industry Data Security Standard (PCI DSS).

Addressing Multiple Compliance Mandates

In addition to SOX and PCI, organizations must adhere to a range of other industry and government regulations. Healthcare companies must comply with HIPAA, the HITECH Act, and MAR. Federal institutions must fulfill FISMA, ITAR, EAR, and DISA STIG requirements. Energy companies must comply with NERC and FERC. Organizations in Europe are governed by Basel II and EU data breach notification laws. The list goes on, as does the volume of auditing and security requirements that organizations must address. On top of these regulations, new regulations are introduced every year, and existing laws change.
While each regulation defines unique auditing and security requirements, it is possible to distinguish consistent themes across most compliance mandates. Achieving compliance becomes much easier when organizations develop well-defined and repeatable processes that track all user activities, maintain separation of duties, and establish user accountability.

Demonstrating Compliance

All regulations require organizations to demonstrate compliance to external auditors and governmental agencies. Organizations must prove that compliance processes are in place. They also have to collect pertinent audit and security data and present it in a clear, understandable format. With these operationally taxing manual processes, it is not surprising that U.S. businesses spend over $2.5 billion on SOX compliance each year.[6]

[5] Verizon Business, “2010 Data Breach Investigations Report”
[6] AMR Research, “With GRC Spending at an All-Time High, What Happens to SOX?”
II. Data Security: Requirements and Alternative Approaches

Organizations’ data security strategy should focus on the core business drivers of preventing external attacks, mitigating insider abuse, and automating compliance processes. Some of the resulting operational requirements include:

» Accurate Protection for Business-Critical Applications and Data
  A data security solution should provide comprehensive protection of all critical data assets, including Web applications, databases, and files, from external attack and insider threats. Because of the complex nature of data-layer threats, a security solution should be able to detect known attack methods, malicious users, and deviations from expected user behavior, and correlate multiple event attributes together for pinpoint accuracy.

» Full Auditing with Separation of Duties
  Since audit trails of user activity have become an essential aspect of compliance, a complete data security solution must be able to audit all access and changes to databases and files. It should ensure audit data integrity and user accountability and identify material variances in user activity. Demonstrating compliance must be achieved through automated reports and analytical tools, which also form the basis for forensic investigations.

» Low-Impact Deployment
  Any solution designed to improve security should not impact application uptime or impose a management burden. The solution should meet availability and performance requirements while not introducing operational risks. In addition, it should support centralized management, monitoring, auditing, and reporting to streamline administration for large, distributed deployments.

Data Security: The Future of Security and Compliance

To address the full scope of today’s security and compliance requirements, Imperva has created a new technology category, Data Security.
With Data Security, organizations can mitigate data breach risks and directly satisfy auditing and compliance mandates by implementing one integrated, best-of-breed security solution. Data Security protects business-sensitive data where it lives, in database and file servers, and how it is accessed, through applications. With data-layer protection, data security solutions can block the attacks that lead to costly data compromises more accurately than any existing technology. They can also monitor users to prevent insider abuse, and audit all activity with unmatched visibility for compliance.

The Imperva SecureSphere Data Security Suite

The Imperva SecureSphere Data Security Suite encompasses the market-leading SecureSphere Web Application Firewall and the award-winning SecureSphere Database Security and File Security Solutions. Whether deployed alone or together as one integrated, centrally managed solution, SecureSphere Data Security Solutions offer a powerful defense against hackers and malicious insiders, streamline and automate regulatory compliance, and prioritize and mitigate data risks.
SecureSphere Data Security Solutions offer organizations several unique capabilities:

» Complete, End-to-End Data Protection – SecureSphere protects data where it is stored (in databases and files) and how it is accessed (through applications), and addresses the full Data Security and compliance life cycle.
» Automated Security – Imperva’s patented Dynamic Profiling automatically learns application and database usage without manual intervention. The unique ThreatRadar service further streamlines security by automatically stopping attacks from known, malicious sources.
» Full Visibility with Separation of Duties – SecureSphere monitors and audits all database and file activity, including privileged user access, without relying on native auditing capabilities. Interactive audit analytics enable users to analyze, correlate, and view activity from any angle.
» Streamlined User Rights Management – SecureSphere simplifies the process of reviewing and managing user rights across distributed file servers and databases. SecureSphere aggregates access rights, identifies dormant accounts, and highlights excessive privileges.
» Zero-Impact Deployment – SecureSphere offers multiple, transparent deployment options for easy integration into any environment with no impact on existing applications, databases, or files.
Contrasting Imperva’s Data Security with Alternative Approaches

To meet security and compliance requirements, organizations may rely on a combination of native logging tools, manual reporting processes, and manual application vulnerability fix-and-test procedures. The following section investigates various approaches to preventing data breaches and addressing compliance mandates.

Security Information and Event Management

To manage the massive amounts of data collected, some organizations have turned to Security Information and Event Management (SIEM) solutions. SIEMs aggregate log data across multiple servers and devices, correlate events to identify anomalies, and streamline compliance reporting. However, SIEMs that rely on native logging for audit data present the following challenges:

» Complex configuration of native database and file server logging utilities by DBAs and IT administrators
» No separation of duties, as logging policies and audit trails can be manipulated by the very users who should be audited
» Significant degradation of database and file server performance

In addition, SIEMs, as cross-product security event aggregators, do not provide in-depth analysis or purpose-built reports for database and file activity, and cannot prevent unauthorized access or monitor activity in real time.

Data Governance and Information Management

Information Management vendors offer a broad spectrum of solutions for data management and governance. This breadth enables organizations to use one supplier to address multiple data security and data management requirements. However, such an approach often increases the cost, complexity, and duration of data security and compliance projects. Broad-scale, non-specialized information management vendors may turn relatively simple auditing projects into multi-year, company-wide consulting engagements.
In addition, while broadening project scope, information management vendors often fall short in addressing all necessary auditing and compliance requirements. For example, an information management vendor may be able to secure database data, but not files or applications. Organizations should assess their current and future security requirements and determine whether such a solution is aligned with project goals and will address monitoring and security objectives within the desired timeframe and budget.

Integrated Application Delivery and Security

One approach to achieving Web application attack protection is to combine a Web Application Firewall with a load balancer for combined application delivery and security. Such an approach can consolidate multiple functions onto a single hardware platform. However, adding Web application security to existing application delivery controllers (ADCs) can have a number of unexpected consequences, including drastically degrading ADC performance and impacting the stability of mission-critical networking equipment. Most importantly, ADCs only tackle one aspect of data security: application protection. They cannot monitor or protect application data stored in databases, nor can they secure unstructured data in files.

Manual Vulnerability Management

Most organizations invest considerable effort to ensure that Web applications, databases, and file servers do not contain vulnerabilities. Web developers must allocate time and resources to ensure that applications are written according to secure coding best practices. IT administrators and DBAs must deploy vendor-supplied patches to key applications and databases. Security personnel must test applications and servers for weaknesses and then fix any discovered vulnerabilities.
However, while an essential aspect of any data security strategy, manual vulnerability patch processes:

» Burden developers and administrators with disruptive fix-and-test cycles (“fire drills”)
» Can expose organizations to attack for weeks or months while vulnerabilities are being fixed

Based on extensive research, fixing a single Web application vulnerability takes on average between two and four months.[7] With 83% of Websites having had serious vulnerabilities, relying on manual fix-and-test processes is not sufficient. The time to apply database security patches is even longer, often exceeding three months after a patch is released.[8] Unfortunately, attackers will not wait weeks or months to unleash online attacks. Organizations should evaluate solutions that can virtually patch vulnerabilities to eliminate this window of exposure and reduce the costs associated with emergency fix-and-test cycles.

Table: Approaches to Data Security
Approaches compared: SecureSphere Data Security Suite; Native Logging and SIEM; Data Governance and Information Management; Application Delivery and Security; Manual Vulnerability Management.
Criteria, by function:
  Security:   Purpose-Built Platform; End-to-End coverage of all data assets; Proactive Policy Enforcement; Instant Vulnerability Mitigation
  Compliance: Compliance Automation; Separation of Duties; User Accountability
  Deployment: Rapid Time-to-Value; No impact on systems and business processes
[per-approach rating symbols not recoverable from the text]
III. Return on Security Investment (ROSI) with Imperva SecureSphere[9]

The SecureSphere Data Security Suite is designed from the ground up to meet all aspects of security and compliance for business-critical applications and data. SecureSphere provides conclusive cost savings by offloading operationally expensive logging from database and file servers and by driving down manual compliance reporting costs. More importantly, SecureSphere offers return on security investment (ROSI) by drastically reducing the risk and impact of a devastating data breach.

In order to quantify the cost savings provided by Imperva, we compared the cost of implementing SecureSphere against the cost of “doing nothing” and the subsequent expenses created by a data breach or by manual auditing and reporting processes. The following table shows our assumptions. The number of protected records is an estimate for a medium-sized company; this number will vary widely and should be adjusted according to the individual business profile. The average number of records lost in a data breach is extrapolated from results of the Ponemon Institute “2009 Cost of a Data Breach” report. The probability of a data breach is estimated at 5%.

Basic Assumptions                                                      Value[10]
Number of Protected Records                                            100,000
Average Number of Records Lost in a Data Breach                        33,088
Probability of a Data Breach                                           5%
Annual Cost of a Full-Time DBA or IT Security Administrator (in USD)   $110,000

Reducing the Financial Impact of a Data Breach

Data breaches are costly, averaging $6.75 million per incident.[11] The expenses mount as organizations are forced to investigate breaches to assess affected records, notify customers, and pay legal fees and fines. However, the single highest cost is lost business, accounting for nearly half of the total financial impact of a breach.
Statistics show 98% of compromised records originated from servers,[12] predominantly Web application, database, and file servers. A dedicated data security solution could lower the cost of a data breach by accurately identifying the scope of the breach or by preventing the breach from ever occurring. SecureSphere Database Activity Monitoring and File Activity Monitoring can audit every access to sensitive data and quickly identify the individual records that were compromised. Without this independent and tamper-proof audit trail, organizations often have to assume the worst and notify all potential victims, even if only a fraction of that data was accessed by a perpetrator. An Activity Monitoring solution can drastically reduce the extent of a data breach, by an estimated two thirds. A proactive defense such as a Web Application Firewall, Database Firewall, and File Firewall can block attacks, avoiding the breach altogether for almost all application-related breaches. The following table shows the costs of a data breach with and without a data security solution.

[9] In our opinion, the only viable alternative approach that fully addresses data security requirements is manual compliance and vulnerability mitigation. The ROSI calculation therefore compares Imperva to a manual approach.
[10] These numbers vary between organizations. They represent typical values for a medium-to-large enterprise.
[11] Ponemon Institute, “Cost of a Data Breach,” January 2010
[12] Verizon Business, “2010 Data Breach Investigations Report”
Impact of a Data Breach Due to Web, Database, and File Security Threats

                                              Without         SecureSphere Database and     SecureSphere Web, Database,
                                              SecureSphere    File Activity Monitoring[13]  File Firewall[14]
Number of Suspected Compromised Records       33,088          33,088                        0
Number of Confirmed Compromised Records       Not available   11,029                        0
Consulting Services and Investigation Costs   $1,350,000      $225,000                      0
Notification Costs                            $742,000        $247,000                      0
Legal Costs                                   $1,147,000      $382,000                      0
Identity Protection and Other Services        $202,000        $67,000                       0
Lost Business and Related Costs               $3,307,000      $1,102,000                    0
Cost of a Data Breach                         $6,750,000      $2,023,000                    0

Vulnerability Remediation Efforts

In addition to reducing the likelihood of an expensive data breach, a dedicated data security solution can also cut vulnerability remediation costs. First, Imperva SecureSphere can virtually patch application and database vulnerabilities, thereby eliminating disruptive emergency fix-and-test cycles. Vulnerabilities can be fixed as part of regular development schedules, which is significantly less expensive than fixing vulnerabilities in production. Second, SecureSphere typically allows organizations to delay minor patch updates until a cumulative patch is available or a new software version is released. This provides organizations considerable cost savings compared to the expense of developing, testing, staging, and implementing software patches. The following table compares the labor costs of remediating Web application and server vulnerabilities for an organization with 10 online applications, 15 Web servers, and 5 database servers.
Annual Vulnerability Remediation Labor Costs          Without SecureSphere   With SecureSphere
Emergency Fix and Test of Custom Vulnerabilities      $120,000               $0
Custom Vulnerability Fixes in Scheduled Releases      $0                     $19,200
Operating System Patches                              $25,000                $12,500
Web Server Patches                                    $25,000                $12,500
Database Server Patches                               $12,500                $6,250
Total                                                 $182,500               $50,450

[13] SecureSphere Database and File Activity Monitoring offer auditing but no access control.
[14] When SecureSphere is implemented in “Firewall” mode, the risk of a Web, Database or File data breach is immeasurable. While auditing can reduce the impact of a breach by identifying actual compromised records, when SecureSphere is deployed inline, it can proactively prevent attacks from occurring.
Labor Costs of Auditing and Reporting

While both databases and file servers offer native logging capabilities, managing and maintaining audit log files can be an expensive proposition. Database or IT administrators must determine what activity to audit, create log rules, and then sort through reams of log messages to find materially relevant information for reports. Raw data must be arranged into a presentable format for auditors. Organizations must also develop in-house tools to prevent unauthorized access to or manipulation of log data, in order to maintain separation of duties.

Native tools only address one aspect of the data security and compliance lifecycle. They cannot locate sensitive data on the network, test databases for vulnerabilities, or patch these vulnerabilities. Organizations that use native audit tools must also account for the costs of manually discovering and classifying sensitive data, two requirements either implied or explicitly spelled out in many compliance regulations. Furthermore, many regulations require that organizations limit user access rights to business need-to-know and remove dormant accounts. For large enterprises, managing database and file access rights for thousands of users can be an overwhelming task, leading many administrators to grant excessive privileges.

A dedicated data security solution such as SecureSphere can eliminate manual administrative tasks, automate auditing and compliance reporting, and dramatically improve the overall security posture of the organization. The following table compares the number of full-time employees required to meet database and file security compliance requirements, with and without a data security solution.
                                                    Without SecureSphere                  With SecureSphere
Task                                                Initial setup   Ongoing maintenance   Initial setup   Ongoing maintenance
Discovery                                           $55,000         $55,000               $11,000         $11,000
Classification and Assessment                       $55,000         $55,000               $11,000         $11,000
Managing User Rights to Databases and Files         $110,000        $110,000              $55,000         $11,000
Enablement of Auditing                              $27,500         $27,500               $11,000         $1,100
Writing and Maintaining Custom Scripts              $165,000        $55,000               $11,000         $11,000
Creating Custom Reports                             $110,000        $55,000               $27,500         $11,000
Implementation of Workflow and Business Processes   $110,000        $55,000               $11,000         $11,000
Total                                               $687,500        $412,500              $137,500        $67,100

Software and Hardware Investment for SecureSphere Versus Native Auditing

In addition to comparing the labor expenses of security and compliance, businesses must also analyze the hardware and software investment. With SecureSphere, the costs are relatively straightforward: the price of the SecureSphere Data Security Suite, which includes the price of the Web Application Firewall, Database Firewall, and File Firewall, plus the MX Management Server. If organizations opt for native logging, then they will need to purchase additional hardware and software licenses to maintain previous performance levels, because full logging of all activity can degrade server performance by approximately 30 to 50%. The table below compares the infrastructure costs incurred by using native logging tools versus deploying the SecureSphere Data Security Suite.
                                                            Without SecureSphere   With SecureSphere
Additional Database and File Server Hardware                $50,000.00             $0.00
Additional Database and File Server Software                $200,000.00            $0.00
SecureSphere Data Security Suite and MX Management Server   $0.00                  $73,600.00
Annual Support and Maintenance Fees                         $40,000.00             $14,720.00
Hardware and Software Administration Costs                  $20,000.00             $20,000.00
Total                                                       $310,000.00            $108,320.00

Total Return on Security Investment

Because security and compliance must be addressed holistically, the following table compares the total hardware, software, and management costs of the SecureSphere Data Security Suite to native logging and manual compliance processes. In addition, a Return on Security Investment (ROSI) calculation must factor in the cost and risk of a data security breach. The following table combines the data from the above tables to provide the return on investment of the SecureSphere Data Security Suite versus no dedicated Web application, database, or file security.
Without SecureSphere                       Year 1        Year 2      Year 3      Year 4      Year 5
Vulnerability Remediation Costs            $182,500      $182,500    $182,500    $182,500    $182,500
Auditing and Compliance Costs              $687,500      $412,500    $412,500    $412,500    $412,500
Hardware and Software Costs                $310,000      $60,000     $60,000     $60,000     $60,000
Data Breach Cost = Probability x Impact    $337,500      $337,500    $337,500    $337,500    $337,500
Total Cost without SecureSphere            $1,517,500    $992,500    $992,500    $992,500    $992,500

SecureSphere Costs and Risk Posture        Year 1        Year 2      Year 3      Year 4      Year 5
Vulnerability Remediation Costs            $50,450       $50,450     $50,450     $50,450     $50,450
Auditing and Compliance Costs              $137,500      $67,100     $67,100     $67,100     $67,100
Hardware and Software Costs                $108,320      $34,720     $34,720     $34,720     $34,720
Data Breach Cost = Probability x Impact    $112,500      $112,500    $112,500    $112,500    $112,500
Total Costs with SecureSphere              $408,770      $264,770    $264,770    $264,770    $264,770

Cost Savings with SecureSphere             $4,019,650
ROSI with SecureSphere                     274%
Investment Based Discount Rate             10%
NPV (Net Present Value)                    $3,654,227

The total infrastructure, labor, and data breach costs of the SecureSphere Data Security Suite over five years totaled $1.47 million, compared to $5.49 million for native logging, manual compliance processes, and no proactive Web, database, or file security protection. Note that the projected data breach cost savings for SecureSphere were conservative, assuming only the cost savings associated with monitoring traffic and pinpointing individual breached records. With 98% of breached records originating from servers, the SecureSphere Data Security Suite, with an integrated Web Application Firewall, should be able to prevent most data breaches from ever occurring.
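The ROSI arithmetic behind the tables above, recomputed as an added worked example (this is editor-written code, not Imperva's, and the dollar figures are the paper's own line items). It rebuilds the five-year totals, the cost savings, the 274% ROSI (savings divided by the five-year SecureSphere cost) and the annualized breach cost (probability x impact), and shows that the paper's $3,654,227 NPV equals the total savings discounted once at the 10% rate; a conventional year-by-year discounted NPV is computed alongside so the two conventions can be compared. The one-third breach-cost figure for the SecureSphere case is taken as given, consistent with the paper's estimated two-thirds reduction.

```python
"""Five-year cost model behind the white paper's ROSI table (added example)."""
from dataclasses import dataclass
from typing import List

DISCOUNT_RATE = 0.10                  # "Investment Based Discount Rate" from the paper
BREACH_PROBABILITY = 0.05             # "Probability of a Data Breach" from the paper
BREACH_IMPACT_NO_SOLUTION = 6_750_000  # "Cost of a Data Breach" without SecureSphere


def expected_breach_cost(probability: float, impact: float) -> float:
    """Annualized loss expectancy: the paper's 'Probability x Impact' line."""
    return probability * impact


@dataclass(frozen=True)
class YearlyCosts:
    remediation: int     # vulnerability remediation labor
    compliance: int      # auditing and compliance labor
    infrastructure: int  # hardware, software, support, administration
    breach: int          # probability-weighted breach cost

    def total(self) -> int:
        return self.remediation + self.compliance + self.infrastructure + self.breach


def five_year_costs(first_year: YearlyCosts, steady_state: YearlyCosts) -> List[YearlyCosts]:
    """Year 1 carries one-time setup costs; years 2 to 5 repeat the steady state."""
    return [first_year] + [steady_state] * 4


# Line items exactly as published in the paper's two five-year tables.
WITHOUT = five_year_costs(
    YearlyCosts(182_500, 687_500, 310_000, 337_500),
    YearlyCosts(182_500, 412_500, 60_000, 337_500),
)
# The $112,500 breach line is one third of $337,500, matching the paper's
# estimated two-thirds reduction in breach extent from activity monitoring.
WITH = five_year_costs(
    YearlyCosts(50_450, 137_500, 108_320, 112_500),
    YearlyCosts(50_450, 67_100, 34_720, 112_500),
)


def total_cost(years: List[YearlyCosts]) -> int:
    return sum(y.total() for y in years)


def savings(baseline: List[YearlyCosts], solution: List[YearlyCosts]) -> int:
    """Cost avoided over the whole period by deploying the solution."""
    return total_cost(baseline) - total_cost(solution)


def rosi(baseline: List[YearlyCosts], solution: List[YearlyCosts]) -> float:
    """ROSI = cost avoided / cost of the solution, as a ratio (2.74 -> 274%)."""
    return savings(baseline, solution) / total_cost(solution)


def npv_single_discount(baseline, solution, rate: float = DISCOUNT_RATE) -> float:
    """Reproduces the paper's NPV line: the five-year savings discounted once."""
    return savings(baseline, solution) / (1 + rate)


def npv_per_year(baseline, solution, rate: float = DISCOUNT_RATE) -> float:
    """Conventional NPV: each year's saving discounted by (1 + rate) ** year."""
    return sum(
        (b.total() - s.total()) / (1 + rate) ** year
        for year, (b, s) in enumerate(zip(baseline, solution), start=1)
    )


if __name__ == "__main__":
    print(f"Without SecureSphere, 5-year total: ${total_cost(WITHOUT):,}")
    print(f"With SecureSphere, 5-year total:    ${total_cost(WITH):,}")
    print(f"Savings: ${savings(WITHOUT, WITH):,}   ROSI: {rosi(WITHOUT, WITH):.0%}")
    print(f"Breach cost without solution: ${expected_breach_cost(BREACH_PROBABILITY, BREACH_IMPACT_NO_SOLUTION):,.0f}")
    print(f"NPV, savings discounted once:   ${npv_single_discount(WITHOUT, WITH):,.0f}")
    print(f"NPV, discounted year by year:   ${npv_per_year(WITHOUT, WITH):,.0f}")
```

The two NPV functions make the convention explicit: the paper's figure is the undiscounted five-year savings divided by 1.10, whereas discounting each year's saving separately yields a smaller present value, so anyone reusing this model for a budget request should state which convention they apply.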
Summary

With the growing threats to applications and data, from large-scale, automated Web attacks to insider malfeasance, proactive data security has become mandatory. Besides protecting critical assets, a host of regulations have spurred the need to audit activity and streamline compliance processes. Unfortunately, existing security solutions cannot effectively stop data security attacks or address security and compliance concerns holistically.

A dedicated Data Security solution like Imperva SecureSphere not only satisfies today’s security and compliance requirements, it also offers a return on investment of 274% compared to not using a data security solution at all. When compared to alternative solutions, Imperva SecureSphere is the only sensible and effective choice to secure sensitive applications and data. With SecureSphere, organizations can:

» Protect applications, databases, and files from internal and external threats
» Lower the cost of auditing while implementing separation of duties
» Automate compliance reporting
» Virtually patch application and database vulnerabilities

With its indisputable value, it is not surprising that Imperva has become the market leader for Web, database, and file monitoring and protection. Trusted by thousands of leading organizations around the world, Imperva SecureSphere is the practical, cost-effective solution for Data Security.

About Imperva

Imperva is the global leader in data security. Our customers include leading enterprises, government organizations, and managed service providers who rely on Imperva to prevent sensitive data theft by hackers and insiders. The award-winning Imperva SecureSphere is the only solution that delivers full activity monitoring for databases, Web applications, and file systems. To learn more about Imperva’s solution, visit http://www.imperva.com.
Imperva Headquarters
3400 Bridge Parkway, Suite 200
Redwood Shores, CA 94065
Tel: +1-650-345-9000
Fax: +1-650-345-9004
Toll Free (U.S. only): +1-866-926-4678
www.imperva.com

© Copyright 2010, Imperva. All rights reserved. Imperva, SecureSphere, and "Protecting the Data That Drives Business" are registered trademarks of Imperva. All other brand or product names are trademarks or registered trademarks of their respective holders. #WP-BC-DATA-SECURITY-1010rev1