Digital Security in a Zero Trust World

Digital Security in a Zero Trust World

When it comes to enterprise security, the times have radically changed, leaving companies vulnerable in ways that they never were before.

We’re hearing about security breaches every day in the news. From retailers like Target and TJ Maxx, to financial services firms like Equifax and J P Morgan Chase, and government agencies like the Securities & Exchange Commission (SEC), it seems like no organization is safe. There are also generalized attacks that affect everyone like WannaCry, Notpetya and ransomware. Unfortunately, there are no signs of this letting up. A recent survey conducted by Enterprise Strategy Group (ESG) found that more than two-thirds of respondents were subjected to ransomware last year, and 22 percent of them were attacked on a daily or weekly basis.

Besides data hacks, enterprises are dealing with more compliance regulations, which impose additional security requirements across sectors, covering financial institutions, public companies, government partners, healthcare, consumer privacy, credit card transactions and more. Examples include: Sarbanes-Oxley Act, Basel II (International Standards for Banking), COBIT (Control Objectives for Information and related Technology), FISMA (Federal Information Security Management Act of 2002), GAAP (Generally Accepted Accounting Principles), HIPAA (Health Insurance Portability and Accounting Act), IFRS (International Financial Reporting Standards), ITIL (Information Technology Infrastructure Library), PCI DSS (Payment Card Industry Data Security Standard), and TQM (Total Quality Management).

In the past, companies could count on isolating confidential and sensitive files and protecting them through firewalls and access control technology. In a time when they had one point of egress, they could create a perimeter that could be secured around their enterprise. But now, in today’s cloud-first environment where there are multiple paths for data to flow in and out of the organization, all bets are off. The data is accessible, anywhere, anytime and from any device. Today, employees are collaborating and sharing data in a free-flowing manner inside and outside the organization, bringing multiple BYOD devices into their companies and using mobile apps in unsecure locations–all creating greater vulnerabilities for the data and making the security professional’s job seem near impossible. The reality is that we are living in a “zero trust” world, as coined by Forrester Research. It’s a world where we can’t count on the security of our internal or external networks and instead need to change our mindset about how we think about safeguarding data. We need to come up with very new, innovative ways to keep it safe.

Unstructured Data Presents Added Problems

One of the most problematic data types to secure is unstructured data, which does not have a defined data format, such as a database. While the most common type of unstructured data is text, it can also include pictures, audio, video, website, network and application logs, social media, medical records, financial transactions, and sensor data from Internet-of-Things (IoT) devices, among other data types.

Unstructured data comprises about 80 percent of an organization’s data. It is the fastest growing, least controlled type of data–and it’s a highly valued asset within the enterprise. The dilemma for security professionals is how they can effectively manage the huge volumes of unstructured data that are shared across all types of documents and formats and spread internally and externally.

Six Strategies for Securing Your Data

Security professionals need to take a radically different security approach to safeguard unstructured data and address the realities of data sharing in today’s enterprise. Following are six key strategies:

Expand your coverage protection. To prevent security breaches before sensitive information becomes exposed, you have to make sure that you’re covering what’s important. But that is often easier said than done in today’s cloud-first environment. The best way to tackle that challenge is to take the zero trust approach and protect all data by default, instead of relying on users to accurately identify what’s important. Zero trust is also a much easier approach, allowing security professionals to simply release specific files that don’t need protection.

Consider the context. You can use contextual information, such as the requestor’s location, device or content of the data to determine the level of security that is needed. For example, it is more likely that confidential information will be created by an organization’s executives rather than those on the front lines. By using context-based security, the most sensitive and timely data, such as financial reports from an ERP system, can be classified and protected automatically.

Don’t overlook internal threats. It was easier when security professionals knew that breaches were only coming from external sources. Now, that’s no longer the case. Up to 43 percent of data breaches are caused by insiders. Disgruntled employees, collaboration, and inadvertent sharing can lead to security breaches and the spread of confidential information. Internal threats also include events such as phishing, malware on devices, using devices in unsecured public networks, downloading unauthorized applications, and more. To be effective, today’s security procedures must treat internal threats with the same level of importance as external threats.

Don’t depend on people. Given the realities of human behavior, security measures that depend on people to do things typically fail. This is especially true for security since it’s usually not in the best interest of the user to make data harder to access. Whether people forget, are too busy, make a mistake, or it’s just an oversight, it’s too easy for confidential information to go unprotected. Automate security in a way that is seamless to end-users, so they don’t try to circumvent it. Look for solutions that automatically protect data regardless of how it moves from place to place. Agnostic solutions should not care if the data is sent or stored in email, a messaging app, a public cloud, or a file server.

Use encryption. Security solutions encrypt data so users without permission cannot access it. Today’s encryption standards are very effective. AES256, for example, meets the requirements for “Top Secret” classified information. Encryption should be automatic and the process invisible to users. Don’t force them to enter passwords or to manually apply encryption before sharing files because it becomes too difficult and often fails. Make sure the encryption protects the data at all phases: at rest, in transit, and in use.

Follow the content – derivative works. Because enterprise users typically re-use and share information, security professionals need to make sure that they are protecting derivative works no matter what form the data takes throughout its lifecycle. For example, if a user copies sensitive information exported from a financial ERP system from a spreadsheet into a presentation, it should still be protected. This requires that data be tracked and followed throughout its lifecycle because it’s content that is really the important asset, not a particular file.

When it comes to security, we’ve entered a brave new world. The old rules of depending on the perimeter and focusing on external breaches no longer apply. Those companies that take a zero trust data-centric approach and adopt the cloud-first mindset of securing their data everywhere and at all times, will be in compliance, be more productive and effectively protect one of their most valuable assets–the proprietary data that lies at the heart of their competitive advantage.

This article originally appeared in the April 2018 issue of Security Today.

Featured

Featured Cybersecurity

Webinars

New Products

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings. 3

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area. 3

  • Compact IP Video Intercom

    Viking’s X-205 Series of intercoms provide HD IP video and two-way voice communication - all wrapped up in an attractive compact chassis. 3