Headlines and industry publications are full of dire warnings about the latest phishing scam or malevolent machinations by cybercriminals. So naturally CISOs focus on their network perimeter in an effort to prevent such exploits. And often they fail.
Why? Because no one can control criminal exploits. And with the advent of enterprise mobility and the widespread adoption of cloud, the enterprise has lost control of endpoints, networks and even applications.
But all is not lost. It’s time to let go of what we can’t control and start focusing on what we can: identities.
Are security professionals trying to solve the wrong problem?
We’ve lost control
Imagine the scenario: an employee uses their personal iPhone to access a work file from Dropbox over their provider’s network while they’re on their commute.
It’s a pretty common picture. And it’s one where you have no control over the application, hosted in someone else’s data centre; no control over the third-party network the employee is using to access the data; and no control over the endpoint the data ends up on.
The combination of enterprise mobility, the always-on culture and the increasingly easy access to the cloud means that the old idea of an organisation’s security perimeter surrounding the office walls no longer applies.
Whereas once the hardware was the criminals’ target – the servers, the laptops, the office blocks – the intended target has shifted to the users. The humans who use the hardware are fallible. They are susceptible to the scams and the cons. It’s their actions, purposefully or not, which often pose the security threat.
The traditional security paradigm has disappeared, and this is why.
Mobility means that people are accessing sensitive data, from inside and outside the corporate network, on a range of devices, some provided by the company, others owned by the individual.
This is a problem. This year, 28% of respondents to PwC’s Global State of Information Security Survey reported security compromises of mobile devices. And as such, securing smartphones and tablets is now a priority.
Always-on culture means that employees expect instant, easy access to whatever they need to do their job, whenever and wherever they are. This leads to two problems:
- Employees circumnavigate the IT department and set up accounts with cloud providers to make their lives easier. This can range from a marketing bod signing up to a SaaS app (for example, a file-sharing service) through to R&D teams setting up Hadoop on an AWS account to rapidly test new analytics. Considering legitimate user credentials were used in most data breaches last year, with some 63% of them using weak, default, or stolen passwords, this unchecked proliferation puts the enterprise at real risk.
- Authentication has therefore become increasingly important at the same time that employee and customer expectations of a seamless experience with technology have grown. As PwC’s Global State of Information Security Survey 2017 says: “Above all, authentication must be frictionless and intuitive for end users. You need only consider the IAM and authentication techniques employed by ‘sharing economy’ services to understand the potential impact of frictionless access on business growth.” This leaves security teams stuck between a rock and a hard place.
Finally, the adoption of cloud services not only means that data no longer flows through the corporate network, it also creates new administrators who have access to your data but who aren’t part of your organisation. As Forrester says:
“Adoption of infrastructure-as-a-service (IaaS) (from providers like AWS, Azure, and Rackspace) and software-as-a-service (SaaS) (like Salesforce and Office 365), public cloud applications, private cloud, and outsourcing creates a new kind of administrator (or privileged user): one who is an employee of the public or private cloud provider (AWS, Azure, SoftLayer, etc.) and interacts with your workloads on their behalf.”
All of this would sound pretty dire if there wasn’t an alternative to the old security perimeter. Thankfully security professionals can do something to keep the enterprise safe: focus on the robust management of data and user identity.
After all, it’s data that’s of value to cybercriminals and it’s data you ultimately want to protect. If you embed security controls in the data itself, then if criminals do get hold of it or if there is a non-malicious breach, the data offers no value and poses no risk to your organisation.
The problem is, thanks to the distribution of data that secular megatrends have sparked, it’s now hard to track down where all your data is and what kind of data you have.
Only 16% of companies know the location of sensitive structured data and, even worse, only 7% know the location of sensitive unstructured data according to research by Ponemon Institute.
So before you can embed security in your data you have to ask a few questions that will not only help you in your security efforts but will also help you make a case to the business for investment in data security:
- Where is it going? How is it flowing or being used?
- Who has access to it?
- What regulations apply to it?
- Is it protected? Where are the gaps?
- What’s the value of the data? What is the cost if it’s stolen?
- Where’s its residency (the jurisdiction governing it)?
The new perimeter applies to every piece of data
Once you have a clear picture of what data you have, its value and where it travels, you can begin to implement your new security perimeter.
The tools you use will vary depending on the data you are protecting, but will likely include at least one of the three most common:
Encryption
This should be a minimum for enterprise data, whether it’s at rest or being downloaded to an employee device. You can also create automatic rules based on that encryption. For example, you can prevent encrypted files being synced to a non-approved app to reduce the risk of sensitive data leaking into a shadow IT infrastructure.
Tokenization
This can be ideal for data sets that fall under regulation; for example, PCI DSS regulations for sensitive payment data. Once you substitute a sensitive data element with a non-sensitive equivalent, referred to as a token, that data no longer has extrinsic or exploitable meaning or value. This often means the data set is no longer in scope of regulation, making compliance much easier to achieve.
Transformation (or masking)
This method is particularly good for big data sets or data used in software testing because it creates a functional substitute of the data but doesn’t leave sensitive or identifiable information exposed.
Identity is the key
Of course, as you apply these measures you also have to think very carefully about identity and access management. There is no point opening data up to unnecessary risk: with encryption, for example, the data is only safe if the encryption keys remain secure.
Considering that Forrester estimates that 80% of security breaches involve privileged credentials, it’s important to define and implement role-specific access controls as part of your wider data security practice.
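The tokenization control described above, combined with the role-specific access control this section calls for, as an added example (not code from the original post or from Informatica): a small token vault that issues format-preserving random tokens for card numbers, refuses to issue a token that could pass as a live card number, and only reverses a token for the payment-processing role. The role name, the vault design and the sample card number are assumptions for illustration.

```python
import re
import secrets

# Constructed sample card number (a well-known test PAN), not real customer data.
SAMPLE_PAN = "4111111111111111"

def luhn_valid(digits: str) -> bool:
    """Luhn check: a real card number passes; tokens that pass are rejected."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

class TokenVault:
    """Holds the only copy of each PAN; every system outside the vault sees tokens."""
    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        if not re.fullmatch(r"\d{13,19}", pan):
            raise ValueError("input is not a card number")
        if pan in self._pan_to_token:          # stable token keeps joins working
            return self._pan_to_token[pan]
        while True:
            # Format-preserving: same length, last four digits kept for receipts.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject collisions and anything that could pass as a live card number.
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Role-specific access: only the (assumed) payment-processor role may reverse a token."""
        if role != "payment-processor":
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._token_to_pan[token]

def mask_pan(pan: str) -> str:
    """Display masking for support screens and test data: keeps only the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]
```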
Protection is possible
“Data centric controls are the hot commodity,” says Bill Burns, CISO, Informatica.
If you are holding up department requests for new cloud services apps and trying to rein everyone back inside the old network perimeter, then you are effectively closing the stable door after the horse has bolted.
There’s no doubt that re-drawing the security perimeter and shifting the focus to data itself is a challenge. But it’s a challenge CISOs can and must meet. And it’s a challenge worth meeting because, unlike the old, breached perimeter, it actually has a good chance of keeping your enterprise safe.