Data, like any other business operation, scales. As your company grows, so does the volume of data it holds, and that data has to be protected wisely. Out of this growth comes a breed of cyber threat that is particularly worrisome: attacks aimed at the data itself.
Most enterprises place a premium on cyber-security and believe their systems, networks, and other assets responsible for data storage have ironclad defenses. However, data breaches from cyber-attacks continue to climb. Organizations are spending billions on security solutions but more IP/data is stolen than ever before.
Why is this happening? The prime reason is gaps in the way defenses are deployed: companies pay little attention to data visibility, which is essential to defending against modern threats. That is why it is important to think about data first, before planning your layered defense.
What Is The Issue With Conventional Security Approaches?
Conventional approaches to enterprise security are still valid, but they have weaknesses. Attackers once breached networks for bragging rights or to damage enterprise hardware; today they attack primarily to steal data. Their attack chain moves through successive layers of security controls, targeting different types of data at each stage.
As a result, organizations that still follow the castle-and-moat approach to security continue to suffer. They post guards at the gate, such as web application firewalls and intrusion-detection systems, but most breach analyses show that attackers who get past the gate find the data stores themselves poorly defended, and steal from them directly by exploiting weaknesses in the storage layer.
Cyber-criminals will certainly keep testing your perimeter, but controls like intrusion-detection systems no longer protect against data theft as well as they once did. Security policies should therefore be aligned with business requirements by focusing on who needs what level of access to data, and IT controls should be aligned with quantified risk.
Apart from intrusion-detection systems, the following implementations adopted by organizations are also ineffective:
Locking down hardware only: Many companies try to protect data by making corporate information reachable only remotely, through servers inside a data center, while hardening the other endpoints. Employees, however, may simply email sensitive information to their personal devices so they can keep working outside the protected endpoints. Securing hardware or limiting access paths alone is therefore not a sufficient data-protection strategy.
Blocking protocols and ports: With network filtering components and APT blockers, organizations have geared security toward blocking network protocols and ports to shrink their exposed footprint. Enterprise data has become far more mobile in recent years, however, with BYOD and social networking, so blocking ports and protocols is not enough to protect an organization's critical data.
Compliance-focused programs: With the growth of data-protection regulation, many organizations invest in meeting program requirements rather than in securing the data itself. Their approach becomes compliance-driven: the networks, systems and servers that fall within the compliance program get attention, while the rest are neglected, which makes it easy for intruders to reach them and extract sensitive data. Network segmentation alone is not enough either; a foothold on one side of the divide is often all an attacker needs to reach the other.
While taking these measures, many CISOs and IT professionals lose sight of what matters most: the business processes flowing through the enterprise and how the data in them affects the company. The value of data changes in each process; data that looks unimportant one day can be classified as sensitive the next day, or even within hours.
Cyber-criminals also evolve, while conventional security technologies fail to evolve at the same pace as the attacks. A few tweaks are often all the bad guys need to evade detection. If learning systems and security models do not adapt in real time, organizations cannot address adversaries' new approaches and are left with loopholes that never see a viable patch.
To better protect data against adversaries, many CISOs are now being tasked with knowing exactly what data left the organization and where it went. Yet even with granular visibility into data flows, security teams cannot be the sole protectors of sensitive data. They need to involve IT managers, employees, departments and business unit leaders; otherwise adversaries who get past the guardrails above will have free rein over any sensitive data they can reach.
The case for data-aware security
Because a data-aware security approach lets you see how data actually flows, it offers the best architectural hope of protecting data across all infrastructure and endpoints.
However, organizations wanting to adopt data-aware security first need to evaluate where they stand with data by going through the following steps:
- Identify and classify data before segmenting the network and infrastructure.
- Understand the flow of data across each business process, and then optimize those flows.
- Define the transaction paths that constitute proper use of data, and flag activity that misuses it. For this purpose, microperimeters can be placed around the most critical data.
- Create rules and inspection policies for sensitive data to spot malicious attempts.
- Continuously monitor, log and inspect all external and internal traffic.
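The five steps above, as an added example that is not taken from the original article: a small Go monitor that classifies each record by its content, attaches a label to the data, checks the access against the transaction path permitted for that label, and flags everything else. The labels, patterns, roles, policy values and log lines are all constructed for this example; a real deployment would replace the regex classifier with its own data inventory and feed the monitor from real access logs.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

type Label string // classification attached to the data itself, not to the host or segment holding it
const Public, Internal, Confidential, Restricted Label = "public", "internal", "confidential", "restricted"
// classifiers run strictest first; the patterns are illustrative assumptions, not a real tuned set.
var classifiers = []struct {
	re    *regexp.Regexp
	label Label
}{
	{regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`), Restricted}, // US SSN shape
	{regexp.MustCompile(`(?i)\b(salary|payroll|medical)\b`), Confidential},
	{regexp.MustCompile(`(?i)\binternal\s+only\b`), Internal},
}

// Classify returns the strictest label whose pattern matches the content.
func Classify(content string) Label {
	for _, c := range classifiers {
		if c.re.MatchString(content) {
			return c.label
		}
	}
	return Public
}

// Rule is a label's permitted transaction path: allowed roles (nil = any) and whether it may leave the internal zone.
type Rule struct {
	Roles         map[string]bool
	AllowExternal bool
}

// policy is the microperimeter per class of data (assumed values). A label without an entry gets the zero Rule: any role, internal zone only.
var policy = map[Label]Rule{
	Public:       {AllowExternal: true},
	Confidential: {Roles: map[string]bool{"hr-analyst": true, "finance": true}},
	Restricted:   {Roles: map[string]bool{"hr-analyst": true}},
}

// ParseEvent reads one (constructed) access record of the form
// "<time> role=<r> src=<s> dst=<d> zone=<internal|external> action=<a> content=<text>" into a map.
func ParseEvent(line string) (map[string]string, error) {
	head, content, ok := strings.Cut(line, " content=")
	if !ok {
		return nil, fmt.Errorf("no content field in %q", line)
	}
	ev := map[string]string{"content": content}
	for _, f := range strings.Fields(head) {
		if k, v, ok := strings.Cut(f, "="); ok {
			ev[k] = v
		}
	}
	return ev, nil
}

// Evaluate classifies the content and checks the flow against its label's rule; an empty reason means permitted.
func Evaluate(ev map[string]string) (Label, string) {
	label := Classify(ev["content"])
	rule := policy[label]
	if rule.Roles != nil && !rule.Roles[ev["role"]] {
		return label, fmt.Sprintf("role %q may not %s %s data", ev["role"], ev["action"], label)
	}
	if ev["zone"] == "external" && !rule.AllowExternal {
		return label, fmt.Sprintf("%s data may not flow to external destination %q", label, ev["dst"])
	}
	return label, ""
}

// Inspect returns one "line <n> [<label>]: <reason>" finding per violation; unreadable lines are flagged too.
func Inspect(lines []string) []string {
	var findings []string
	for i, line := range lines {
		ev, err := ParseEvent(line)
		if err != nil {
			findings = append(findings, fmt.Sprintf("line %d [unparsed]: %v", i, err))
			continue
		}
		if label, reason := Evaluate(ev); reason != "" {
			findings = append(findings, fmt.Sprintf("line %d [%s]: %s", i, label, reason))
		}
	}
	return findings
}

var sampleLog = []string{ // constructed for this example; not real traffic
	"2024-03-01T09:12:03Z role=hr-analyst src=hr-db dst=payroll-app zone=internal action=read content=employee 1042 salary review, SSN 123-45-6789",
	"2024-03-01T09:15:41Z role=hr-analyst src=hr-db dst=gmail-smtp zone=external action=send content=employee 1042 salary review, SSN 123-45-6789",
	"2024-03-01T09:20:00Z role=marketing src=wiki dst=cdn zone=external action=publish content=Q2 product launch press kit",
	"2024-03-01T09:22:10Z role=marketing src=wiki dst=hr-share zone=internal action=read content=payroll calendar, internal only",
	"2024-03-01T09:30:55Z role=contractor src=laptop dst=pastebin zone=external action=upload content=internal only: network diagram",
}

func main() {
	fmt.Println(strings.Join(Inspect(sampleLog), "\n"))
}
```

Run with `go run` and three of the five sample flows are flagged: the SSN record sent to an external mail relay, the payroll document read by a marketing role, and the internal-only diagram uploaded from a laptop to a paste site. The point to take from it is that each decision rests on the label carried by the data, not on which host or segment the request came from, so the same rule applies whether the record is read from the HR database, a file share or a laptop.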
After these steps, security efforts should revolve around automated solutions that enforce strict administrative and encryption controls through policy management. This is essential to enforce standards on data stored on different devices and at scattered endpoints. Security administrators should also provide contingency keys so that encrypted data stays recoverable when the employees who hold the keys leave the organization.
Why is such an approach better? Because by addressing the exposure of the data itself, not just the security of the endpoints and devices where it is stored, organizations can protect data wherever it flows. Encrypting data, applying access controls and monitoring access attempts together dramatically reduce the loopholes available to cyber criminals and malicious insiders.
A robust data-aware security policy also requires enterprises to perform the following functions:
- Sensitive data inside corporate files should be encrypted, with the encryption keys managed through a PKI
- Contingency key support should be provided so that files can still be accessed in an emergency
- Federal-level organizations should comply with FIPS 197 (the AES specification) and FIPS 140-2 (validated cryptographic modules)
- Command-line and API access to the data should be protected by the same controls as interactive access, regardless of the data format
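The encryption and contingency-key requirements above (and the contingency-key point at the end of the previous section), as an added example that is not the article's own code: envelope encryption in Go, where each file gets a random AES-256-GCM data key that is then wrapped once under the owner's key and once under an organizational contingency key, so that revoking the owner's slot leaves the file recoverable. Two assumptions for brevity: the wrapping uses AES-GCM with the slot name as associated data rather than a PKI or the RFC 3394 key-wrap algorithm, and the keys are generated in memory, whereas in a FIPS 140-2 deployment they would live in a validated module or HSM (the default Go crypto library is not by itself a FIPS 140-2 validated module).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is stored with the protected file: the ciphertext plus the data key wrapped once per key holder.
type Envelope struct {
	Ciphertext []byte            // nonce || AES-256-GCM(dataKey, plaintext)
	Wrapped    map[string][]byte // slot id -> nonce || AES-GCM(kek, dataKey), bound to the slot id via AAD
}

// newGCM builds an AES-GCM AEAD; AES itself is the block cipher specified in FIPS 197.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts under a fresh random 96-bit nonce and prepends it (random nonces are fine at this message volume).
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// open is the inverse of seal; a wrong key or any tampering fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// Protect encrypts plaintext under a random 256-bit data key, then wraps that key under every
// key-encryption key in keks (e.g. the owner's key and the contingency key). Losing one KEK loses nothing.
func Protect(plaintext []byte, keks map[string][]byte) (*Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	ct, err := seal(dataKey, plaintext, nil)
	if err != nil {
		return nil, err
	}
	env := &Envelope{Ciphertext: ct, Wrapped: map[string][]byte{}}
	for id, kek := range keks {
		w, err := seal(kek, dataKey, []byte(id)) // slot id as AAD: a wrapped key cannot be moved between slots
		if err != nil {
			return nil, err
		}
		env.Wrapped[id] = w
	}
	return env, nil
}

// Unprotect recovers the plaintext with whichever KEK the caller holds.
func Unprotect(env *Envelope, id string, kek []byte) ([]byte, error) {
	w, ok := env.Wrapped[id]
	if !ok {
		return nil, fmt.Errorf("no key slot %q", id)
	}
	dataKey, err := open(kek, w, []byte(id))
	if err != nil {
		return nil, fmt.Errorf("slot %q: cannot unwrap data key: %w", id, err)
	}
	return open(dataKey, env.Ciphertext, nil)
}

// Revoke removes a departed employee's slot; the contingency slot still opens the file.
func Revoke(env *Envelope, id string) { delete(env.Wrapped, id) }

// randomKey stands in for keys that in production live in an HSM or other validated module.
func randomKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

func main() {
	alice, contingency := randomKey(), randomKey()
	env, err := Protect([]byte("payroll export, Q2 (constructed sample)"), map[string][]byte{"alice": alice, "contingency": contingency})
	if err != nil {
		panic(err)
	}
	Revoke(env, "alice") // alice leaves the company; her slot goes with her
	pt, err := Unprotect(env, "contingency", contingency)
	fmt.Printf("recovered via contingency key: %q (err=%v)\n", pt, err)
}
```

The design point is that a contingency key can open every file it was wrapped into, so it is a high-value target: keep it offline or in an HSM under dual control, and audit every use of it. Binding each wrapped key to its slot name as associated data also stops an attacker from copying the contingency slot's blob into a revoked user's slot to bring that slot back to life.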
Not only do these approaches reduce the risk of data theft and breaches, they also let data move freely across the organization, even through untrusted environments. For instance, in a data-aware security model, on-premise data (structured and unstructured) that is encrypted and tagged before it leaves stays protected even if the path to the cloud is untrusted. That does not remove the need for TLS (formerly SSL) on the transport: data-level protection covers the payload, while the transport protocol still authenticates the endpoints and protects the metadata and the rest of the exchange.
Further, the data-aware model in cloud and similar infrastructure also guards against rogue applications that try to bypass the security gates defined by the hypervisor. And if security audits turn up a series of events pointing to unusual activity, the enterprise can tighten the controls around its sensitive data.
As a result, attaching security policies directly to data gives you far greater control over its protection than any approach that builds walls around the thing that needs protecting. A data-aware security model lets you specify rules in a borderless environment, regardless of whether data sits on enterprise servers, in the cloud, or on local devices. The key components of data-aware security are policy and authorization management, granular monitoring and reporting, and a highly scalable, secure infrastructure.
At the end of the day, the real value of adopting a data-aware security approach for an organization is to improve visibility, keep threats at bay, and provide more value to its clients as trustees of sensitive data.
Dan Virgillito is a Security Researcher for the InfoSec Institute and has a particular interest in enterprise security.