3 control elements that make up modern data security protection
- Posted on January 16, 2017
In the midst of designing programs that implement modern data security protection, security and IT leaders are continuously searching for the controls that will make the biggest impact in reducing the risk of a breach. It could be said that many of the recently published breaches were of companies and programs that had a fairly good handle on the traditional IT security controls and processes we have come to expect over the last 15 years. These traditional controls include tools such as firewalls, intrusion prevention systems, timely system patching, antivirus, and the like.
The traditional controls make sense and are required as best practice. These are the controls by which audit teams measure the success of a data security program. Still, the question remains: which control or controls would be the most effective in reducing the risk of a breach?
To answer this question, we must deconstruct how most data breaches occur. If you look at some of the most common indicators of compromise, you will see almost immediately that identity is the control plane for access to almost any system. Both the legitimate user and the threat actor rely on identity to gain access to structured and unstructured data, whether inside the perimeter, in a hybrid environment, or in the cloud.
So what do we do with that information? Traditionally, strong, hard-to-guess passwords have been difficult, if not impossible, to enforce throughout the enterprise. Reused and easy-to-guess passwords are subject to password guessing, dictionary attacks, and, most famously, phishing attacks. Also, some of the most popular authentication systems have been vulnerable to simple hash- and Kerberos-based authentication tricks for many years.
Below are the top three controls that help to decrease risk and increase data security for the modern enterprise.
Control #1 - Authentication
If we get to the heart of the matter, newer authentication implementations, such as multifactor authentication, biometric authentication, and adaptive authentication that relies heavily on probability and machine learning over patterns of behavior, may go a long way toward reducing the risk of credential compromise. These types of authentication fundamentally challenge the user for something the user has or ‘is’, which cannot be ‘known’ to a threat actor attempting to impersonate them.
Control #2 - Advanced Threat Prevention
The next line of defense needs to be technology that can detect and blacklist potential zero-day behavior on any system with the aid of machine learning. Again, we will not be able to eliminate risk entirely, merely reduce the risk of bad things happening, while simultaneously increasing the risk that legitimate business will be impeded by an advanced anti-malware system that is still prone to false positives.
If you envision the amount of change we must introduce into our organizations for the two controls above, you may quickly realize that any control, and especially these two, is going to require a certain amount of change enablement within the organization. For example, we have worked with company officers who have flat out refused to use multifactor authentication, or who insist on using the same password for all of their accounts, company, personal, or otherwise.
Inherently, one of the controls we need to find a way to implement is organizational change. Although a cliché, it remains true that everyone is responsible for security. As I once told a company officer, additional authentication hassle is part of your pay grade. These are table stakes, and until the technology catches up with our behavior, which by the way is happening very quickly, be prepared to be inconvenienced from time to time. Take comfort in the thought that those outside the organization are also inconvenienced in getting at our company’s most sensitive data.
Authentication complexity should be table stakes for those in your organization who have access to, or create, highly sensitive information on a daily basis.
Much has been said about the chief information security officer’s ability to reach across the aisle to the business and socialize the concepts of security in day-to-day business activities, in addition to security as it relates to keeping employee and customer information private. As an example, all Avanade personnel are required to pass a series of information security training courses, including safe information security practices, Client Data Protection (CDP) training, understanding data classification, and applying Avanade’s Code of Business Ethics. (You can learn more at the Avanade Trust Center.)
Control #3 - Engage the User in Data Protection Efforts
Don’t stop at showing users how to be good at security; tell them why. Explain to them that today’s companies are under the threat of having their most sensitive data exposed, and that such exposure leads not only to fines and legal fees but to reputational damage that is difficult to quantify, with trust that is even more difficult to regain.
Identify which users are responsible for creating and maintaining the most sensitive data in your organization. Identify sensitive data and its level of sensitivity in accordance with your data classification policy. Do so throughout your organization, so that if and when you move to the cloud you know precisely what kind of data you are moving.
Surely not all the data in the organization is sensitive. Lower cost and effort by differentiating the degree of protection according to data sensitivity. Keep in mind that there will be situations where some data cannot move to the cloud. Once the sensitive data in your organization is identified, find ways to label it. This means retroactively stamping existing data, and making sure new data is appropriately classified as it is created or shortly afterward. Leverage advanced rights management technologies to ensure that access to sensitive data is applied appropriately.
Make data protection and privacy a core value, and even a market differentiator, for your organization. If you can equate data protection and privacy with consumer trust, that may be the component that gives you a competitive advantage. Another competitive advantage is reduced risk, which in the long term reduces cost. A culture of data security and privacy can be shown to go a long way in reducing risk.
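The "identify, label, then apply protection by label" sequence in the two paragraphs above, as an added example that is not part of the original post and not Avanade's tooling: a small classifier stamps each document with the highest sensitivity level any rule triggers, the label then decides whether the document may move to the cloud and what clearance a principal needs to open it. The four levels, the detection rules, the cloud ceiling and the sample documents are all constructed stand-ins for an organization's real data classification policy.

```python
import re
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Tuple

# Added example, not code from the original post. Rules and policy below are
# hypothetical; a real deployment takes them from the classification policy.


class Sensitivity(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Hypothetical detection rules: (level assigned on match, pattern, description).
RULES = [
    (Sensitivity.RESTRICTED, re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "US SSN-like number"),
    (Sensitivity.RESTRICTED, re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"), "16-digit card-like number"),
    (Sensitivity.CONFIDENTIAL, re.compile(r"\bconfidential\b", re.IGNORECASE), "confidential marking"),
    (Sensitivity.INTERNAL, re.compile(r"\binternal use only\b", re.IGNORECASE), "internal marking"),
]

# Hypothetical policy: the highest level that may be moved to the cloud.
CLOUD_CEILING = Sensitivity.CONFIDENTIAL


@dataclass
class Document:
    name: str
    body: str
    label: Sensitivity = Sensitivity.PUBLIC        # the "stamp" applied to the data
    reasons: List[str] = field(default_factory=list)


def classify(doc: Document) -> Document:
    """Stamp the document with the highest sensitivity any rule triggers."""
    level = Sensitivity.PUBLIC
    reasons = []
    for rule_level, pattern, description in RULES:
        if pattern.search(doc.body):
            reasons.append(description)
            level = max(level, rule_level)
    doc.label, doc.reasons = level, reasons
    return doc


def may_move_to_cloud(doc: Document) -> bool:
    """Migration gate driven purely by the label, not by who asks."""
    return doc.label <= CLOUD_CEILING


def may_access(doc: Document, clearance: Sensitivity) -> bool:
    """Rights-management style check: clearance must be at or above the label."""
    return clearance >= doc.label


def inventory(docs: List[Document]) -> Tuple[Dict[Sensitivity, int], List[str]]:
    """Classify a corpus; report counts per level and which documents must stay
    on-premises under the cloud ceiling."""
    counts = {level: 0 for level in Sensitivity}
    blocked = []
    for doc in docs:
        classify(doc)
        counts[doc.label] += 1
        if not may_move_to_cloud(doc):
            blocked.append(doc.name)
    return counts, blocked


# Constructed sample corpus (not real data).
SAMPLE_DOCS = [
    Document("press-release.txt", "We are pleased to announce our new office opening."),
    Document("hr-memo.txt", "INTERNAL USE ONLY: holiday schedule for Q3."),
    Document("deal-terms.txt", "This proposal is CONFIDENTIAL and not for distribution."),
    Document("payroll.csv", "employee,ssn\nJ. Doe,123-45-6789"),
]

if __name__ == "__main__":
    counts, blocked = inventory(SAMPLE_DOCS)
    for doc in SAMPLE_DOCS:
        print(f"{doc.name}: {doc.label.name} ({', '.join(doc.reasons) or 'no rule matched'})")
    print("must stay on-premises:", blocked)
    print("payroll readable with CONFIDENTIAL clearance:",
          may_access(SAMPLE_DOCS[3], Sensitivity.CONFIDENTIAL))
```

Because the label is stored on the document rather than recomputed at each access, the same stamp drives both the migration decision and the access decision, which is what keeps the two consistent as data moves between on-premises and cloud storage. Retroactive labeling of existing data is just `inventory()` run over the current corpus.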