At present, information security systems for an enterprise can be classified into two types: data security systems that defend against external breaches and data security systems that prevent internal data from being leaked out. The data security products discussed in this article focus on “prevention against leakage of internal data”.
Is buying a data security product equivalent to buying insurance? To answer, start with the purpose of buying insurance. Take personal insurance: we buy commercial personal insurance because we cannot predict whether we will have an accident or suffer a major disease in the future. The sum paid for the insurance may never be refunded, because a claim is paid only when the accident happens to the insured or the insured suffers the major disease; if neither occurs, nothing is paid out. None of us hopes that such an accident or disease happens to us. We are simply not gods, and we buy insurance as a precaution against an accident. Buying insurance does not mean that the accident will not occur or that we will not suffer a major disease, nor that we can ignore traffic safety or eat junk food every day and make ourselves ill. Normally, insurance may even lead us to pay closer attention to safety and diet, so that the insured events do not happen to us.
Does the same reasoning apply to a data security product for enterprises? An enterprise always has confidential data, such as trade secrets and customers' personal data, that needs to be protected. Moreover, most of this data is digital. Even when customers are asked to fill in their personal data, that data is entered into the CRM information system. The original sources of trade secret data such as design drawings and technical data are electronic files. To keep such secrets from being leaked arbitrarily, the operator needs to purchase a data security product for “preventing internal data from being leaked out” to put an end to such events. Therefore, I believe that an enterprise’s buying a data security product is not completely equivalent to buying insurance, because the operator does not want secret data to be leaked at all and the purchase is a preventive measure.
In addition to preventing trade secrets from being leaked, some industries, such as banking, general merchandise and online platforms, must also protect massive amounts of their customers' personal data in order to comply with the Personal Data Protection Law of Taiwan. More strictly still, the EU implemented the GDPR on May 25, 2018. If a company does business with a European enterprise and holds personal data of people from EU member states, it had better take appropriate preventive measures, because a leak of customers' personal data damages the rights and interests of the people concerned and greatly affects the company both reputationally and economically.
Therefore, I believe that a data security product plays the role of a “guard”. Taking FineArt’s X-FORT data security product as an example, a background protection program is installed on the user end and the administrator defines the relevant policies. For example, X-FORT can apply several control functions to portable disks, such as “use prohibited”, “write encryption”, “write review” and “read only”. This makes it difficult for a user to carry files out using a portable disk as the channel. The files cannot be written to the portable disk until they have been reviewed by the supervisor. X-FORT treats each individual differently, and different users have different rights:
- Some individuals can write files to the portable disk at any time.
- Some individuals are completely prohibited from writing files to the portable disk.
- Some individuals can use the portable disk, but can only copy files from the portable disk to the computer; computer files cannot be written to the portable disk.
This is like a guard, who controls which persons may exit and which may not; those who are not supposed to exit are blocked by the guard. The recording of file writes can be regarded as a monitor. If a data security event occurs in the future, the recorded write data for all files can be investigated to obtain the relevant records of the leak.
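The guard-and-monitor behaviour described above can be modelled as a small policy check with an audit trail. This is an added example, not X-FORT code or configuration: the `Guard` class, the user names, the default-deny rule for unknown users, the one-write-per-approval rule and the meaning given to “write encryption” are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum

class Mode(Enum):
    ALLOW = "allow"                      # may write at any time (first bullet)
    USE_PROHIBITED = "use prohibited"
    READ_ONLY = "read only"              # disk -> computer only
    WRITE_REVIEW = "write review"
    WRITE_ENCRYPTION = "write encryption"

@dataclass
class Guard:
    policy: dict                                   # user -> Mode, set by the administrator
    approved: set = field(default_factory=set)     # (user, filename) approved by a supervisor
    audit: list = field(default_factory=list)      # the "monitor": every request is recorded

    def approve(self, supervisor, user, filename):
        self.approved.add((user, filename))
        self.audit.append((supervisor, "approve", filename, user))

    def request(self, user, op, filename):
        """op: 'read' copies disk -> computer, 'write' copies computer -> disk."""
        mode = self.policy.get(user, Mode.USE_PROHIBITED)   # assumption: unknown users are denied
        if mode is Mode.USE_PROHIBITED:
            decision = "deny"
        elif op == "read" or mode is Mode.ALLOW:
            decision = "allow"
        elif mode is Mode.READ_ONLY:
            decision = "deny"
        elif mode is Mode.WRITE_ENCRYPTION:
            decision = "allow-encrypted"    # assumption: the copy on the disk is encrypted
        else:                               # WRITE_REVIEW
            key = (user, filename)
            decision = "allow" if key in self.approved else "pending-review"
            self.approved.discard(key)      # assumption: one approval covers one write
        self.audit.append((user, op, filename, decision))
        return decision

    def write_history(self, filename):
        """Investigation query: every write attempt on a file, in order."""
        return [e for e in self.audit if e[1] == "write" and e[2] == filename]

# Constructed sample policy and users.
guard = Guard({"alice": Mode.ALLOW, "bob": Mode.USE_PROHIBITED, "carol": Mode.READ_ONLY,
               "dave": Mode.WRITE_REVIEW, "erin": Mode.WRITE_ENCRYPTION})
```

Denied and pending requests are logged as well as allowed ones, so `write_history` shows attempts to move a file out, not only the writes that succeeded.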
If the guard and monitoring system described above are considered insufficient protection for important assets (trade secrets), the usual approach is to buy a safe and put the important assets in it. In the same way, the SVS module of X-FORT can place important data on the computer onto the SVS disk, allow only trusted software to execute files on the SVS disk, and prevent files on the SVS disk from being retrieved until authorization is given. Files are thus prevented from being carried out arbitrarily, and secret files are prevented from being stolen by hackers.
An enterprise can introduce a data security product by following the concept of installing a security system for a house. Posting a guard at the entrance to be protected, fitting a window with an iron frame, installing a monitor where monitoring is needed and placing valuables in a safe are the same as installing a data security system on a computer. Each channel that may cause data leakage is controlled and monitored, and important confidential files are stored on the SVS disk, so that prevention before the event and routine auditing are both achieved, and the person who leaked data can be identified from the relevant records if a data security event occurs in the future. Therefore, buying a data security product is not buying insurance. It truly establishes the company's leakage prevention measures, because the enterprise has already identified the channels that could cause leakage and protects them to minimize events in which insiders leak secrets.