When beginning a data protection initiative, most companies start with local controls: identifying sensitive information and limiting access to it. This is a logical approach, and it addresses the areas over which the company has direct control of its own employees (“insider control”).
It is important to remember, however, the “other insiders”: business partners, vendors, customers, and contractors. They are subject to their own companies’ security policies, not yours, yet they still have access to your systems and networks. Beyond monitoring network activity, we need to ensure that these users are not accessing data they do not require, and are not introducing malicious software, whether deliberately or inadvertently.
For an example of this, we can look to Edward Snowden. He was a security contractor for Booz Allen Hamilton, working at the NSA. As with many long-term contractors, he was treated essentially as an employee. His role, like that of his peers, required elevated user privileges. By all accounts, credentials were shared among them as a normal course of business, and he used those privileges to copy and remove sensitive documents.
We also cannot assume that only malicious users put us at risk. The Target breach demonstrated this. An employee of an HVAC vendor logged into Target’s network using a device that had previously been infected through a phishing attack. The attack then moved into Target’s systems, reported back to a command-and-control server, and eventually exfiltrated millions of customer records.
Securing your data supply chain simply means extending your data protection policies to users outside of your control. The simplest way to do that is to apply security to the data itself. Here are a few examples:
Privileged user management – This is more than a matter of trust. Privileged users, including contractors and system administrators, hold the elevated privileges necessary to administer systems, and by default those privileges also grant access to the information on those systems. By uncoupling device privileges from data privileges, you can let those users do their jobs without exposing sensitive data.
Control how data is shared – Partners, customers, and vendors may require your confidential information in the form of design documents, parts lists, and other data. Once it is on their devices and systems, you lose control. Automatically encrypting that information, based on its data type or classification, gives you downstream control over who can access or modify it.
External networks – Third parties on your network should not be simultaneously connected to other networks. Understanding the context of what a user is doing (e.g., the class of data, the action, and the user) can prevent accidental or deliberate information sharing.
Unapproved applications – In the Target breach, malicious software was installed from the HVAC contractor’s device. In a data-centric model, organizations control which users and applications have the privileges not only to access applications but to add or remove them. In this case, an unknown or external device should not have had the rights to install new, unknown software.
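The following is an added example, not code from the original post, showing what “applying security to the data itself” looks like in practice for the sharing and context cases above: a document is encrypted automatically when its classification requires it, the data key is wrapped separately for each authorized recipient, and the key is released only when the requesting context (the principal and whether the device is managed) allows it. All names, labels and sample data are constructed for illustration. The cipher is an HMAC-SHA256 keystream with encrypt-then-MAC, used only to keep the example dependency-free; a real deployment would use AES-GCM from a vetted library and keep the recipients’ wrapping keys in a KMS or HSM.

```python
"""Classification-driven envelope encryption: protection travels with the
document, and access is decided by key release rather than by which network
the copy happens to sit on.

Added example; not code from the original post. All names and sample data
are constructed. The cipher (HMAC-SHA256 keystream, encrypt-then-MAC) is a
stand-in to keep the example dependency-free; use AES-GCM from a vetted
library and keep wrapping keys in a KMS/HSM in real deployments.
"""
import hashlib
import hmac
import secrets

# Classifications that trigger automatic encryption (assumed labels).
ENCRYPT_ON = {"confidential", "restricted"}


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive a purpose-specific subkey so encryption and MAC keys differ."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with HMAC(enc_key, nonce || counter) blocks (a CTR-style PRF stream)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hmac.new(enc_key, nonce + counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag, with the tag over nonce and ciphertext."""
    nonce = secrets.token_bytes(16)  # fresh per message; never reuse with the same key
    ct = _keystream_xor(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; wrong key or tampering raises."""
    if len(blob) < 48:
        raise ValueError("blob too short to hold nonce and tag")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified data")
    return _keystream_xor(_subkey(key, b"enc"), nonce, ct)


def protect(plaintext: bytes, classification: str, recipient_keys: dict) -> dict:
    """Protect a document according to its classification.

    Data below the encryption threshold is stored as is. Confidential data is
    encrypted once under a fresh data key, and that data key is wrapped
    separately for each authorized recipient (partner, vendor, internal team),
    so a recipient can be added or removed without re-encrypting the body.
    """
    if classification not in ENCRYPT_ON:
        return {"classification": classification, "body": plaintext, "wrapped_keys": {}}
    data_key = secrets.token_bytes(32)
    return {
        "classification": classification,
        "body": encrypt(data_key, plaintext),
        "wrapped_keys": {name: encrypt(rkey, data_key) for name, rkey in recipient_keys.items()},
    }


def open_document(envelope: dict, principal: str, principal_key: bytes, device_managed: bool) -> bytes:
    """Release the data key only if the context allows it, then decrypt.

    Context here is the requesting principal and whether the device is one the
    organization manages; an unknown or external device gets no key even if
    the principal is an authorized recipient.
    """
    if not envelope["wrapped_keys"]:          # unclassified: nothing to unwrap
        return envelope["body"]
    if not device_managed:
        raise PermissionError("key not released to an unmanaged or unknown device")
    wrapped = envelope["wrapped_keys"].get(principal)
    if wrapped is None:
        raise PermissionError(f"{principal} is not an authorized recipient")
    data_key = decrypt(principal_key, wrapped)
    return decrypt(data_key, envelope["body"])


def revoke(envelope: dict, principal: str) -> None:
    """Stop releasing the data key to a principal (e.g. a partner whose contract ended)."""
    envelope["wrapped_keys"].pop(principal, None)


if __name__ == "__main__":
    keys = {"acme-engineering": secrets.token_bytes(32), "hvac-vendor": secrets.token_bytes(32)}
    spec = protect(b"Design spec rev 3 (constructed sample)", "confidential", keys)
    print(open_document(spec, "hvac-vendor", keys["hvac-vendor"], device_managed=True))
    revoke(spec, "hvac-vendor")
    try:
        open_document(spec, "hvac-vendor", keys["hvac-vendor"], device_managed=True)
    except PermissionError as exc:
        print("denied:", exc)
```

Two points worth noting. First, the encrypted body is the same bytes whether it sits on your file server or on a vendor’s laptop; what changes is whether a data key is released, which is why the context check lives in open_document (in a real system, behind an online policy service that evaluates user, action, data class and device state at request time rather than in the client). Second, revoke only stops future key release: a copy the partner already decrypted is beyond your reach, which is exactly the “once it is on their devices, you lose control” problem the classification-driven encryption is meant to narrow.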
Sharing sensitive data is a necessary part of business. Protecting that data, inside and outside your network, can be challenging. Looking at the problem from a data-centric viewpoint makes the challenge easier to solve.