Digital Security in a Zero Trust World
When it comes to enterprise security, the times have radically changed, leaving companies vulnerable in ways that they never were before.
- By Jeff Capone
- Apr 01, 2018
We’re hearing about security breaches every day in the news. From retailers like Target and TJ Maxx, to financial services firms like Equifax and JPMorgan Chase, and government agencies like the Securities & Exchange Commission (SEC), it seems like no organization is safe. There are also generalized attacks that affect everyone like WannaCry, NotPetya and ransomware. Unfortunately, there are no signs of this letting up. A recent survey conducted by Enterprise Strategy Group (ESG) found that more than two-thirds of respondents were subjected to ransomware last year, and 22 percent of them were attacked on a daily or weekly basis.
Besides data hacks, enterprises are dealing with more compliance regulations, which impose additional security requirements across sectors, covering financial institutions, public companies, government partners, healthcare, consumer privacy, credit card transactions and more. Examples include: Sarbanes-Oxley Act, Basel II (International Standards for Banking), COBIT (Control Objectives for Information and related Technology), FISMA (Federal Information Security Management Act of 2002), GAAP (Generally Accepted Accounting Principles), HIPAA (Health Insurance Portability and Accountability Act), IFRS (International Financial Reporting Standards), ITIL (Information Technology Infrastructure Library), PCI DSS (Payment Card Industry Data Security Standard), and TQM (Total Quality Management).
In the past, companies could count on isolating confidential and sensitive files and protecting them through firewalls and access control technology. In a time when they had one point of egress, they could create a perimeter that could be secured around their enterprise. But now, in today’s cloud-first environment where there are multiple paths for data to flow in and out of the organization, all bets are off. The data is accessible, anywhere, anytime and from any device. Today, employees are collaborating and sharing data in a free-flowing manner inside and outside the organization, bringing multiple BYOD devices into their companies and using mobile apps in unsecure locations–all creating greater vulnerabilities for the data and making the security professional’s job seem near impossible.
The reality is that we are living in a “zero trust” world, as coined by Forrester Research. It’s a world where we can’t count on the security of our internal or external networks and instead need to change our mindset about how we think about safeguarding data. We need to come up with very new, innovative ways to keep it safe.
Unstructured Data Presents Added Problems
One of the most problematic data types to secure is unstructured data, which, unlike the contents of a database, does not have a defined data format. While the most common type of unstructured data is text, it can also include pictures, audio, video, website, network and application logs, social media, medical records, financial transactions, and sensor data from Internet-of-Things (IoT) devices, among other data types.
Unstructured data comprises about 80 percent of an organization’s data. It is the fastest growing, least controlled type of data–and it’s a highly valued asset within the enterprise. The dilemma for security professionals is how they can effectively manage the huge volumes of unstructured data that are shared across all types of documents and formats and spread internally and externally.
Six Strategies for Securing Your Data
Security professionals need to take a radically different security approach to safeguard unstructured data and address the realities of data sharing in today’s enterprise. Following are six key strategies:
Expand your coverage protection. To prevent security breaches before sensitive information becomes exposed, you have to make sure that you’re covering what’s important. But that is often easier said than done in today’s cloud-first environment. The best way to tackle that challenge is to take the zero trust approach and protect all data by default, instead of relying on users to accurately identify what’s important. Zero trust is also a much easier approach, allowing security professionals to simply release specific files that don’t need protection.
Consider the context. You can use contextual information, such as the requestor’s location, device or content of the data to determine the level of security that is needed. For example, it is more likely that confidential information will be created by an organization’s executives rather than those on the front lines. By using context-based security, the most sensitive and timely data, such as financial reports from an ERP system, can be classified and protected automatically.
Don’t overlook internal threats. It was easier when security professionals knew that breaches were only coming from external sources. Now, that’s no longer the case. Up to 43 percent of data breaches are caused by insiders. Disgruntled employees, collaboration, and inadvertent sharing can lead to security breaches and the spread of confidential information. Internal threats also include events such as phishing, malware on devices, using devices in unsecured public networks, downloading unauthorized applications, and more. To be effective, today’s security procedures must treat internal threats with the same level of importance as external threats.
Don’t depend on people. Given the realities of human behavior, security measures that depend on people to do things typically fail. This is especially true for security since it’s usually not in the best interest of the user to make data harder to access. Whether people forget, are too busy, make a mistake, or it’s just an oversight, it’s too easy for confidential information to go unprotected. Automate security in a way that is seamless to end-users, so they don’t try to circumvent it. Look for solutions that automatically protect data regardless of how it moves from place to place. Agnostic solutions should not care if the data is sent or stored in email, a messaging app, a public cloud, or a file server.
Use encryption. Security solutions encrypt data so users without permission cannot access it. Today’s encryption standards are very effective. AES-256, for example, meets the requirements for “Top Secret” classified information. Encryption should be automatic and the process invisible to users. Don’t force them to enter passwords or to manually apply encryption before sharing files because it becomes too difficult and often fails. Make sure the encryption protects the data at all phases: at rest, in transit, and in use.
Follow the content – derivative works. Because enterprise users typically re-use and share information, security professionals need to make sure that they are protecting derivative works no matter what form the data takes throughout its lifecycle. For example, if a user copies sensitive information exported from a financial ERP system from a spreadsheet into a presentation, it should still be protected. This requires that data be tracked and followed throughout its lifecycle because it’s content that is really the important asset, not a particular file.
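One way to follow content rather than files, shown as an added example that is not part of the original article: fingerprint overlapping word windows of protected text so that a passage pasted into another document inherits the source's label. The `ContentTracker` class, the label name, the window size, the hit threshold and the sample strings are all assumptions constructed for illustration.

```python
import hashlib
import re

SHINGLE_WORDS = 4  # assumed window size; smaller catches shorter copies but adds noise


def fingerprints(text, k=SHINGLE_WORDS):
    """Hash every k-word window of the text after stripping case and punctuation."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
        for i in range(max(len(words) - k + 1, 0))
    }


class ContentTracker:
    """Hypothetical index from fingerprints of protected content to its label."""

    def __init__(self):
        self._index = {}  # fingerprint -> label

    def protect(self, text, label):
        """Register content as protected under the given label."""
        for fp in fingerprints(text):
            self._index[fp] = label

    def inherited_labels(self, text, min_hits=2):
        """Return labels whose protected content appears in text at least min_hits times."""
        hits = {}
        for fp in fingerprints(text):
            label = self._index.get(fp)
            if label is not None:
                hits[label] = hits.get(label, 0) + 1
        return {label for label, count in hits.items() if count >= min_hits}


# Constructed sample data: an ERP export, a slide that reuses part of it, an unrelated memo.
ERP_EXPORT = "Q3 revenue 48.2M; operating margin 17.4 percent; forecast Q4 revenue 51.0M"
SLIDE = "Key numbers: operating margin 17.4 percent, forecast Q4 revenue 51.0M. Thanks!"
MEMO = "Reminder: the cafeteria is closed on Friday for maintenance work."

tracker = ContentTracker()
tracker.protect(ERP_EXPORT, "finance-confidential")

if __name__ == "__main__":
    for name, doc in (("slide", SLIDE), ("memo", MEMO)):
        print(name, sorted(tracker.inherited_labels(doc)) or "no inherited protection")
```

Exact-window matching misses paraphrased text and copies shorter than the window, so it complements protecting all data by default rather than replacing it.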
When it comes to security, we’ve entered a brave new world. The old rules of depending on the perimeter and focusing on external breaches no longer apply. Those companies that take a zero trust data-centric approach and adopt the cloud-first mindset of securing their data everywhere and at all times will be in compliance, be more productive and effectively protect one of their most valuable assets–the proprietary data that lies at the heart of their competitive advantage.
This article originally appeared in the April 2018 issue of Security Today.