With increasingly more people working from home because of the ongoing coronavirus pandemic, a data-centric approach to cyber security has never been more relevant. However, let’s be clear, it is a shift that was going to happen regardless of the pandemic, and it’s one that we need to embrace.
Allowing employees to work remotely is ultimately beneficial to all parties. However, some employers are understandably skeptical. They tend to picture their employees sitting on the couch in their pajamas watching Netflix or scrolling through Facebook.
Let’s face it, if you’re not required to show your face at 8am each morning, there’s a greater temptation to stay in the pub for “one more” (assuming the pubs are open).
These are valid concerns. However, recent studies have shown that allowing people to work remotely actually increases productivity by 13%, perhaps because employees tend to feel happier when left to their own devices, using their own devices.
The real issue with remote working isn’t to do with a reduction in productivity, but security.
A Loss of Visibility and Control
Many of the internal controls that were put in place to prevent data loss are no longer relevant. IT security teams have much less control over how and where employees use their devices, and over the authentication protocols used to protect them.
They have less control over the websites employees visit, the apps they can install, and the communication channels they use to share company data. IT security staff are not able to see when an employee is transferring data onto a USB drive, or keep track of who is printing what data.
Given the impersonal nature of remote working, employees may be more likely to fall victim to targeted phishing scams. All it takes is for one employee to respond to an email from “technical support” for an attacker to infiltrate the system.
A device that has access to sensitive data may get lost or stolen. Devices get damaged, and data gets corrupted. Employees may choose to take their device to a back-street repair shop, where the service provider has free rein over the data stored on the device.
In some cases, the employee may decide to upgrade their device, and discard the old one, without ensuring that the data stored on the old device has been securely disposed of. And let’s not push aside the fact that some employees may act with malicious intent.
A cash-strapped or disgruntled employee may share sensitive data with an unauthorized party for financial gain, or for some other reason. These are just a few scenarios, but there are no doubt many more.
The End of Perimeter-Based Security?
Not quite. However, traditional perimeter-based security measures are much less effective than they used to be. Trying to keep the bad guys out, whilst letting the good guys in, is a seemingly insurmountable task.
For example, a Virtual Private Network (VPN) can be used to ensure that communications between a remote worker’s device and the company network are encrypted. The problem, however, is that VPNs make it harder for firewalls to differentiate between malicious and non-malicious traffic.
Basically, a more data-centric approach to cyber-security is required.
Data-Centric Audit & Protection (DCAP)
DCAP provides us with the visibility and control we need to keep our data out of the wrong hands and satisfy the relevant compliance requirements. It helps us to determine where our data resides, how it is protected, when it is accessed, and by whom. It also helps us to determine what data we actually need to store.
Below are some of the main areas that are covered by DCAP:
Data Discovery and Classification
Naturally, in order to protect our most sensitive data, we need to know where it resides. Most sophisticated DCAP solutions provide data discovery and classification out-of-the-box. They are able to automatically classify data at the point of creation, as well as scan drives and devices for sensitive data, classifying it as it is found.
They are able to identify a wide range of data types, such as payment card information, protected health information, Social Security numbers, and any other data that is covered by the applicable data protection laws. Data classification can also help to identify data that is redundant and ready for disposal.
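The discovery-and-classification step described above, as an added example rather than any vendor's code: a scan of constructed file contents for payment card numbers and Social Security numbers, with a Luhn check and the published SSN structure rules so that look-alike values (a ticket reference, a placeholder SSN) are not misclassified. The two-tier "Restricted"/"Internal" labelling is a hypothetical policy, not something the text prescribes.

```python
import re

# Constructed sample file contents. Every value is fake: the card number is the
# well-known 4111... test number and the SSNs only follow the published format rules.
SAMPLE_TEXT = """Customer record export (constructed example)
Card on file: 4111 1111 1111 1111
Ticket ref: 1234-5678-9012-3456
SSN: 219-09-9999
Placeholder SSN: 000-12-3456
"""

CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits):
    """Luhn check digit; rejects 16-digit runs (ticket refs, IDs) that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_ok(area, group, serial):
    """Structural rules: area 000, 666 or 900-999, group 00 and serial 0000 are never issued."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def classify(text):
    """Return each sensitive data type found, with only the matches that passed validation."""
    found = {"payment_card": [], "ssn": []}
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found["payment_card"].append(digits)
    for m in SSN_RE.finditer(text):
        if ssn_ok(*m.groups()):
            found["ssn"].append(m.group())
    return {k: v for k, v in found.items() if v}


def label(text):
    """Classification label a DCAP policy could act on (hypothetical two-tier scheme)."""
    return "Restricted" if classify(text) else "Internal"
```

Running `classify(SAMPLE_TEXT)` reports one card and one SSN; the ticket reference fails Luhn and the 000 area code fails the SSN rules, which is the false-positive filtering a production scanner has to get right.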
DCAP relies on Identity and Access Management (IAM) to determine who has access to what data, and what they are allowed to do with it. Organizations are strongly encouraged to adhere to the “principle of least privilege”, to ensure that employees only have access to data if it is crucial for them to do their job.
Many organizations use Role-Based Access Control (RBAC), where users and access controls are assigned to roles. Although less granular than other forms of access control, RBAC is easier to manage, as it doesn’t require assigning access controls to individual users.
Administrators must limit or restrict the use of shared user accounts, to ensure that all individuals are accountable for their actions.
All sensitive data should be encrypted, both at rest and in transit. As more people work from home and rely on cloud storage providers, the use of encryption for storing sensitive data is becoming increasingly relevant.
Real-Time Security Auditing
The ability to identify, in real time, who is accessing sensitive data, what they are accessing, and where and when, is a core principle of DCAP. While it is theoretically possible to obtain this information by manually scrutinizing the native server logs, this approach is not recommended, as it is a process that is slow, painful and prone to errors.
Not only that, but if you are relying on cloud services for storing sensitive data, you would need to scrutinize their logs too. A better approach would be to use a proprietary DCAP solution, of which there are many.
A sophisticated DCAP solution will be able to aggregate event logs from multiple platforms (including the most popular cloud platforms) and display a summary of important changes via an intuitive console. DCAP solutions use machine learning techniques to monitor employees and learn their behavioral patterns.
Should an employee’s behavior deviate from this pattern, an alert will be sent to the administrator, or an automated response will be initiated. A DCAP solution will monitor access permissions and detect suspicious file and folder activity, including privileged mailbox access.
They can detect and manage inactive user accounts, as well as respond to events that match a pre-defined threshold condition, such as multiple failed login attempts or bulk file encryption. It’s also possible for a DCAP solution to identify redundant data, by searching for files which haven’t been accessed for a given period of time.
Used in conjunction with data classification, it could be configured to automatically classify potentially redundant data. The organization may then choose to remove the data or make it inaccessible to regular employees. To summarize, a DCAP solution will provide visibility into all events (or non-events) affecting our critical assets.
Finally, a DCAP solution is able to auto-generate a wide range of pre-defined reports that are customized to meet the demands of the most relevant data protection laws. Generating these reports manually would be a slow and cumbersome process.
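The threshold conditions and stale-file search described in this section, as an added example that is not taken from any DCAP product: a sliding-window rule engine run over a constructed, already-normalized event feed, flagging repeated failed logins and a ransomware-style burst of file renames, plus the "not accessed for a given period" check that feeds redundant-data classification. The thresholds (5 failures or 20 file changes per minute, 365 days) are illustrative assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, already-normalized event feed: (timestamp, user, action, target).
EVENTS = [
    ("2024-03-01T09:00:05", "alice", "login_failed", "vpn"),
    ("2024-03-01T09:00:09", "alice", "login_failed", "vpn"),
    ("2024-03-01T09:00:14", "alice", "login_failed", "vpn"),
    ("2024-03-01T09:00:20", "alice", "login_failed", "vpn"),
    ("2024-03-01T09:00:25", "alice", "login_failed", "vpn"),
    ("2024-03-01T10:15:00", "bob", "login_failed", "vpn"),
    ("2024-03-01T11:00:00", "bob", "file_modify", "q1.xlsx"),
]
# Ransomware-style burst: one user renames 25 files within 25 seconds.
EVENTS += [(f"2024-03-01T11:30:{i:02d}", "carol", "file_rename", f"r{i}.docx.locked")
           for i in range(25)]


def window_alerts(events, actions, threshold, window, kind):
    """Alert once per user whose count of `actions` inside any `window` reaches `threshold`."""
    by_user = defaultdict(list)
    for ts, user, action, _ in events:
        if action in actions:
            by_user[user].append(datetime.fromisoformat(ts))
    alerts = []
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((kind, user))
                break
    return alerts


def detect(events):
    """The two threshold rules named in the text: repeated failed logins and bulk file change."""
    minute = timedelta(minutes=1)
    return (window_alerts(events, {"login_failed"}, 5, minute, "failed_logins")
            + window_alerts(events, {"file_rename", "file_modify"}, 20, minute, "bulk_file_change"))


def stale_files(last_access, now_iso, max_age_days=365):
    """Files not accessed for max_age_days: candidates for a 'redundant' classification."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=max_age_days)
    return sorted(p for p, ts in last_access.items() if datetime.fromisoformat(ts) < cutoff)
```

`detect(EVENTS)` flags alice and carol but not bob, whose single failed login never reaches the threshold; in a real deployment the same rules would run on the aggregated feed the console builds from on-premises and cloud logs.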