LexisNexis in the Security Hot Seat
By CIOinsight | Posted 06-01-2006
Nevertheless, for LexisNexis, a $2.7 billion subsidiary of publishing company Reed Elsevier that provides specialized legal and business data to customers, the compromise was a potentially serious blow. Cronin, 47, says the company has taken specific steps to minimize the risk of the company's data being pilfered again.
And like other security professionals, Cronin says that what's needed is a "defense-in-depth" strategy, an industry term that refers to applying security measures ubiquitously across the computing infrastructure.
One key layer for LexisNexis: Its $2 million project to deploy intrusion prevention system (IPS) appliances, which not only detect network attacks but are designed to automatically neutralize them.
What lessons did you learn from having data on 310,000 individuals stolen?
The big message we took away is that we absolutely have to be concerned about our customers' environments when it comes to accessing our services. Providing a fortress around LexisNexis and making sure nobody can spearhead an attack against our data center, that's one thing. But the fact that someone could go in and manipulate a customer's environment to steal [a password and user ID] ... to get access to our service is an issue we need to absolutely worry about.
And we are doing a lot of things within Lexis to lock that down, for example, by restricting where certain customer user IDs can be used from on the Internet. We are looking very hard at two-factor authentication systems [which require both a password and a specialized hardware device to log on to a network], very much like what banks are doing.
What's a typical misconception businesspeople have about data security?
The assumption that it's there, that when I go out and hook my computer up to the Internet, somehow someone was thinking about safety. When in reality, where we've come from, is that nobody was thinking of safety. Microsoft was thinking about selling more Windows operating systems. The [telecommunications] carriers were interested in getting people on the Internet. And at the end of the day, I don't think anyone was really thinking about the safety aspect of it.
Read the full story on eWEEK.com: LexisNexis in the Security Hot Seat