Your Weakest Link May Not be Your Employees After All - Securing Your Data Supply Chain



Securing only your employees isn't enough to keep your data safe today - businesses must extend security measures across their entire data supply chain.

When beginning a data protection initiative, most companies begin with local controls; identifying sensitive information and limiting access. This is a logical approach, and addresses areas over which direct control of employees (“insider control”) is possible.

It’s important to remember, however, the “other insiders”: business partners, vendors, customers, and contractors. They are subject to their own companies’ security policies – not yours – but still have access to systems and networks. Aside from monitoring network activity, we need to ensure that these users are not accessing data they don’t require, or introducing malicious software (purposely or inadvertently).

For an example of this, we can look to Edward Snowden. He was a security contractor for Booz Allen Hamilton, working at the NSA. As with many long-term contractors, he was essentially treated as an employee. His role, as well as that of his peers, required elevated user privileges. By all accounts, they shared credentials as a normal course of business, and he used those privileges to copy and steal sensitive documents.

We also can’t assume that we are at only put at risk by malicious users. The effects of this were demonstrated in the Target breach. An employee of an HVAC vendor logged into Target’s network using a device previously infected through a phishing attack. The attack then moved to Target’s systems, reported back to a command and control server, and eventually exfiltrated millions of customer records.

Securing your data supply chain simply means extending data protection policies to those users outside of your control. The simplest method for doing so is to apply security directly to data itself. Here are a couple of examples:

Privileged user management – This is more than a matter of trust. Privileged users, including contractors and system administrators, may possess elevated privileges necessary to administer systems. By default, this provides access to information on those systems. By uncoupling device and data privileges, you can allow those users to perform their jobs without putting sensitive data at risk.

Control how data is shared – Partners, customers, and vendors may require your confidential information in the form of design documents, parts lists, and other data. Once it is on their devices and systems, you lose control. Automatically encrypting that information, based on the data type or classification, provides you with downstream control of who can access or modify that data. External networks – Third parties on your network should not simultaneously be connected to other networks. Understanding the context of what a user is doing (e.g., the class of data, the action, and the user) can prevent accidental or deliberate information sharing.

Unapproved applications – In the Target breach, malicious software was automatically installed from the HVAC contractor’s device. In a data-centric world, organizations can control which users and applications have the privileges necessary to not only access applications, but add or remove applications. In this case, an unknown (or external) device should not have had rights to install new, unknown software.

Sharing sensitive data is a necessary part of business. Protecting that data, inside and outside your network, can be challenging. Looking at the world from a data-centric viewpoint makes solving the challenge easier.

Mike Pittenger

Data Protection Vendor Evaluation Toolkit

The toolkit contains an RFI-RFP criteria template and a corresponding vendor evaluation scorecard.

Download Now

Related Articles
Insider or Outsider - Does it Matter?

Much noise is made about the risks associated with insider threats versus outsider threats, but why?

The Dutch Boy and the Data Leak

Home Depot, Healthcare.gov, and Goodwill all announced data breaches in September. They will all now investigate how these leaks occurred and build defenses to prevent those particular attacks from repeating.

Analysts on Data-Centric Security

The Times They Are a-Changin' – a look back on analysts' evolving views on information security

Mike Pittenger

Mike Pittenger is vice president, security strategy at Black Duck Software. Mike has over 30 years of technology business experience, including over 15 in application security. He was a co-founder of Veracode and led the product divisions of @stake and Cigital. He can be reached at mwpittenger [at] caddisadvisors.com.

Please post your comments here