IT Focus Area: Security
September 13, 2016
10 Keys to Data-Centric Security
2015 saw some of the largest data breaches ever, and 2016 is delivering more of the same as organizations including Verizon, Snapchat, the NSA and numerous hotel chains have stepped forward to report breaches. When you consider the litany of IT security headlines, one thing is clear: no industry or organization is immune from cyber attacks. Even companies with mature security programs can be breached. The threat landscape is increasingly dangerous, while new technologies are distributing sensitive data farther across locations, devices and repositories.
In the past, organizations based their defenses on traditional network and host-based controls like perimeter firewalls and anti-virus software, but IT security practices are in the midst of a major transition.
The Shift to Data-Centric Security
It is no longer enough to focus our efforts on networks and endpoints. As IT changes continue to occur, organizations need to keep pace and advance their security by focusing on the data itself through the development of a data-centric security program.
A comprehensive data-centric security strategy includes the following 10 key elements:
1. Data discovery
2. Data classification
3. Data tagging & watermarking
4. Data loss prevention
5. Data visibility
6. Encryption strategies
7. Enhanced gateway controls
8. Identity management
9. Cloud access
10. Continuous education
Below is a synopsis of each element. As organizations develop a data-centric security program, it is important to assess current maturity levels and determine which areas need to be prioritized and remediated first.
Data Discovery
A 2015 State of Data Security Intelligence report by the Ponemon Institute found that 64 percent of companies don’t know where their sensitive information is. Data discovery tools help organizations gain visibility into the location, volume, context and risk associated with sensitive unstructured data across the enterprise — both on premises and in the cloud. They can enable business users to directly access data, blend data from disparate sources together to develop new insights, and perform a range of tasks that used to require the assistance of an expert, from provisioning dashboards to applying predictive models. According to Gartner, 40 percent of organizations currently have adopted some form of data discovery; this will grow to 55 percent by 2020.*
Data Classification
Data classification policies and tools facilitate the separation of valuable information that may be targeted from less valuable information. Information is divided into predefined groups that share a common risk, and the corresponding security controls required to secure each group type are detailed. Classification tools can be used to improve the treatment and handling of sensitive data, and promote a culture of security that helps to enforce data governance policies and prevent inadvertent disclosure. Classification metadata can be ingested by data loss prevention (DLP), encryption and other security solutions to determine which information is sensitive and how it should be protected.
Data Tagging & Watermarking
Data tagging ensures that data can be found quickly and efficiently. Data is "tagged" to reflect its security classification and other associated information. For example, an account number may be governed by regulations that include privacy laws such as the Payment Card Industry Data Security Standard (PCI DSS) and the Gramm-Leach-Bliley Act (GLBA). If individual data fields are effectively tagged, then the resources that transmit, process or store that data inherit their risk, as well as the associated controls that reduce the risk.
Data watermarking allows organizations to apply classification labels and visual markings on email and documents to clearly identify sensitive information. It also facilitates user education with interactive policy tips to encourage appropriate handling and prevent data from being conveyed to unintended recipients.
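The inheritance rule described above for tagged fields, sketched as an added example that is not part of the original article. The classification ladder, field names, resource names and control names are all constructed for illustration; the example also follows data flows between resources, which goes one step beyond the single-resource case in the text.

```python
from dataclasses import dataclass, field

# Constructed classification ladder, lowest to highest sensitivity.
LEVELS = ["public", "internal", "confidential", "restricted"]

@dataclass(frozen=True)
class FieldTag:
    name: str
    level: str
    regimes: frozenset      # regulations/standards governing the field
    controls: frozenset     # controls required wherever the field lives

@dataclass
class Resource:
    name: str
    fields: list = field(default_factory=list)    # tagged fields stored or processed here
    upstream: list = field(default_factory=list)  # resources this one receives data from

def inherited(resource, _seen=None):
    """Return (level, regimes, controls) inherited from every field that reaches the resource."""
    seen = set() if _seen is None else _seen
    level, regimes, controls = "public", frozenset(), frozenset()
    if resource.name in seen:       # already counted; also guards cyclic data flows
        return level, regimes, controls
    seen.add(resource.name)
    for tag in resource.fields:
        level = max(level, tag.level, key=LEVELS.index)
        regimes, controls = regimes | tag.regimes, controls | tag.controls
    for up in resource.upstream:
        up_level, up_regimes, up_controls = inherited(up, seen)
        level = max(level, up_level, key=LEVELS.index)
        regimes, controls = regimes | up_regimes, controls | up_controls
    return level, regimes, controls

def control_gaps(resource, implemented):
    """Controls the resource inherits but has not implemented."""
    return sorted(inherited(resource)[2] - set(implemented))

# Constructed inventory: field names, levels and control names are illustrative only.
ACCOUNT = FieldTag("account_number", "restricted", frozenset({"PCI DSS", "GLBA"}),
                   frozenset({"encrypt-at-rest", "mask-in-logs"}))
EMAIL = FieldTag("email", "confidential", frozenset({"GLBA"}), frozenset({"access-review"}))
REGION = FieldTag("sales_region", "internal", frozenset(), frozenset())
billing_db = Resource("billing_db", fields=[ACCOUNT, EMAIL])
report_api = Resource("report_api", fields=[REGION], upstream=[billing_db])
wiki = Resource("wiki", fields=[REGION])
```

Here `report_api` stores only an internal field itself, yet it inherits the restricted level and all three controls because it receives data from `billing_db`.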
Data Loss Prevention
DLP identifies, monitors and protects data in use, data in motion on networks, and data at rest in data storage areas or on desktops, laptops, mobile phones or tablets. Through deep content inspection and a contextual security analysis of transactions, DLP systems act as enforcers of data security policies. They provide a centralized management framework designed to detect and prevent the unauthorized use and transmission of sensitive information. When properly deployed, DLP protects against mistakes that lead to data loss and intentional misuse by insiders, as well as external attacks on information infrastructure. With proper integrations, DLP can also analyze data that has been discovered, classified and tagged to apply and enforce appropriate policies.
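A small policy check showing how content inspection, a classification tag and transaction context can combine into one DLP decision. This is an added example, not code from the original article or from any DLP product; the message format, tag names, decision labels and the internal domain `example.com` are assumptions.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits):
    """Luhn checksum; filters out order numbers and other random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text):
    """Content inspection: return masked card numbers found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits

def dlp_decision(msg, internal_domains=frozenset({"example.com"})):
    """Combine content inspection, the classification tag and transaction context."""
    external = msg["to"].rsplit("@", 1)[-1].lower() not in internal_domains
    pans = find_pans(msg["body"])
    tag = msg.get("tag", "untagged")
    if external and (pans or tag == "restricted"):
        return "block", pans
    if external and tag == "confidential":
        return "encrypt", pans
    if pans and tag != "restricted":
        return "flag-for-reclassification", pans   # content disagrees with its tag
    return "allow", pans

# Constructed sample messages (4111 1111 1111 1111 is a well-known test number).
SAMPLES = [
    {"to": "partner@vendor.example", "tag": "internal", "body": "Refund card 4111 1111 1111 1111, thanks."},
    {"to": "ops@example.com", "tag": "internal", "body": "Order ref 4111-1111-1111-1112 shipped."},
    {"to": "audit@example.com", "tag": "internal", "body": "Card 4111111111111111 on file."},
    {"to": "counsel@lawfirm.example", "tag": "confidential", "body": "Draft contract attached."},
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s["to"], dlp_decision(s))
```

The second sample passes because its 16-digit order reference fails the Luhn check, and the third is flagged because card data was found in a document tagged only "internal".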
Data Visibility
Data visibility allows organizations to monitor how their structured and unstructured data is being accessed, provides a point of validation for company and regulatory compliance, and facilitates the identification of policy violations. Data security policies and standards that specify the processes needed to ensure access is restricted to authorized individuals, groups and third parties should be in place to provide a proper foundation. Security controls can then be implemented to help protect the data by monitoring activity and providing visibility into which data is being accessed, when it is being accessed and by whom. These controls can include data access governance, database activity monitoring and/or data audit and protection tools.
Additionally, data retention policies and tools are needed to properly handle data over time and validate that it is properly disposed of. Current backup, archiving and business continuity/disaster recovery processes and procedures should be evaluated.
Encryption Strategies
Encryption helps to protect data by rendering it useless in the event of a breach. It can be invaluable in the effort to combat targeted attacks and maintain regulatory compliance. But the wide variety of options for enterprise deployment can be intimidating; encryption can be applied in many different ways to protect disparate data types. It is often applied in layers, with each layer playing an important role. Failure to build a successful end-to-end encryption strategy increases costs, complexity, and business risk.
In addition to careful consideration of data states and encryption techniques, key elements of a successful approach include collaboration between key data stakeholders, data classification, key management, product testing, access control, policies and SSL decryption at gateway points of access.
Enhanced Gateway Controls
Organizations need to reinforce traditional perimeter defenses and create additional layers of continuous data protection to limit unauthorized data exfiltration. Several solutions can facilitate this effort. Next-generation firewalls (NGFW) offer application-level inspection and intrusion prevention, and incorporate intelligence from outside the firewall to restrict available attack vectors. Secure web gateways provide additional web security measures including dynamic URL filtering, advanced threat defense, malware protection and application control technologies to address external-facing threats, and help to enforce policy compliance. SSL decryption facilitates the decryption of SSL/TLS encrypted traffic for analysis by firewalls, secure web gateways, IPS, DLP, sandboxing and other security controls to protect against potential malware and data exfiltration.
Advanced email security solutions help not only to encrypt emails containing sensitive information and data, but also to defend against targeted phishing campaigns with URL link protection and attachment sandboxing. And secure file transfer solutions can protect sensitive data that is transferred daily across your workforce, systems, customers, suppliers and partners.
Identity Management
Identity and access management (IAM) helps to protect data by ensuring that only the right people have access to the right information at the right time and for the right reasons. Corporate networks have become globally connected webs of users and devices that are accessing IT environments wherever, whenever and however they choose, and users and their identities are the most vulnerable link. IAM solutions including access management, governance and recertification, federated identities/single sign-on, and privileged user management help to fill gaps left by the disappearance of the traditional perimeter. They help organizations ensure that people have access to what they need in order to do their job and nothing more, securely connecting users to distributed business services using identity as the new perimeter.
Cloud Access
Organizations are increasingly re-evaluating their application portfolios and "cloudifying" traditionally internal applications. Policies and security controls aimed at securing cloud access and data will vary based on the type of cloud providers used — SaaS, IaaS, and/or PaaS.
Cloud access security brokers (CASBs) help to protect data by providing better access control, authentication and analysis of data and user activity moving in and out of SaaS cloud services. CASBs protect key SaaS-based applications, and they can orchestrate security across solutions including IAM, DLP, NGFW, secure web gateway, malware and threat emulation, and security information and event management. By correlating threat intelligence and automating response actions across a number of disparate solutions, CASBs can increase the effectiveness of security programs.
Gartner predicts that by 2020, 85 percent of large enterprises will use a cloud access security broker product for their cloud services, which is up from fewer than 5 percent today.**
Each type of IaaS/PaaS cloud provider introduces a different set of capabilities and architectures that need to be evaluated to determine the security policies, architecture and controls needed to access and secure data that is stored with the provider, and transmitted to and from the organization. Even though current policies and controls can potentially extend to these providers from what is being used on premises, they will need to be assessed for viability and effectiveness.
Continuous Education
Humans are the weakest link in any data protection strategy; even the most advanced security controls can be accidentally or intentionally circumvented by human interaction. The importance of user security awareness at all levels of the organization cannot be overstated.
Many targeted attacks take the form of emails that leverage social engineering tactics to entice users to click on a malicious link or open an attached file, thereby triggering the attackers’ code and installing a back door for outbound communications to command and control servers. In its 2015 Data Breach Investigations Report, Verizon found that it takes an average of just 82 seconds before a phishing campaign gets its first click.
You can reduce successful phishing attacks and malware infections by continually educating employees — especially those with access to critical intellectual property — about the threat to their company, their personal information and their livelihood. Continuous security awareness training programs help organizations in all industries inform users about the latest security best practices, deliver targeted training when and where it’s most needed, and effectively change lax behaviors over time.
Protecting Your “Crown Jewels”
In today’s threat landscape, traditional approaches to securing data fall short. In order to protect data from evolving IT changes and targeted attacks, we need to shift our focus from securing networks, applications and endpoints to identifying and securing our “crown jewel” data. The development of a comprehensive data-centric security program — including data discovery, classification, tagging/watermarking, DLP, data visibility, encryption, enhanced gateway controls, IAM, cloud access controls and continuous education — can uniquely position your organization to protect what matters most, and make security move with your data.
*Gartner, Forecast Snapshot: Data Discovery, Worldwide, 2016, February 25, 2016 http://www.gartner.com/document/3226417?ref=solrAll&refval=170993281&qid=a40cb0fa5022b08b93feca61693c6fc7
**Gartner, Market Guide for Cloud Access Security Brokers, October 22, 2015 http://www.gartner.com/document/3155127?ref=solrAll&refval=171324213&qid=75ff56a851825575792ee311c0afe0c6