Visibility is, and has always been, the key to protecting sensitive data. If you don’t know exactly who, what, where and when your sensitive data is accessed, modified, moved or deleted, there is simply no way to keep it out of the wrong hands.
Of course, gaining such visibility is easier said than done, and requires the right tools, policies and procedures. Below is a summary of the 5 most important steps you can take to gain the visibility required to protect your “crown jewels”.
1. Locate Your Sensitive Data
Before you can audit changes made to your sensitive data, you must first know where it is located. If you run Windows Server, you can use the File Server Resource Manager (FSRM) to discover and classify data based on pre-defined conditions. FSRM can scan your files and folders for sensitive data containing PII, such as credit card details, protected health information and login credentials, and tag or score that data based on its importance.
Knowing where your sensitive data is located makes it much easier to apply the appropriate access controls and to locate and retrieve the data in a timely manner. FSRM can also classify data automatically as it is created.
If you are not using Windows Server, there are a number of third-party data discovery tools that can automatically locate and classify a wide range of data types. Once you have discovered and classified your data, it is good practice to delete any data that is no longer needed and then take a secure backup of everything that remains. Make sure that any unused data you dispose of is destroyed securely.
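The discovery-and-classification step above in working code, as an added example that is not part of the original post and is not FSRM or any vendor tool: it walks a directory tree, matches broad patterns for card numbers, US SSNs and email addresses, validates card candidates with the Luhn checksum to cut false positives, and assigns a Restricted/Internal/Public label from weights and thresholds. The sample files, the weights and the thresholds are assumptions for the demo.

```python
"""Locate and classify sensitive data in a directory tree (added example, not FSRM or a vendor tool)."""
import os
import re
import tempfile

# Broad detection patterns; every hit goes through an optional validator to cut false positives.
PATTERNS = {
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}
# Sensitivity weights are an assumption for this demo; tune them to your own classification scheme.
WEIGHTS = {"credit_card": 10, "us_ssn": 10, "email": 1}


def luhn_ok(candidate: str) -> bool:
    """Return True if the digits in candidate pass the Luhn checksum used by payment card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 16:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


VALIDATORS = {"credit_card": luhn_ok}


def scan_text(text: str) -> dict:
    """Count validated matches per data type in a block of text."""
    counts = {}
    for name, pattern in PATTERNS.items():
        validator = VALIDATORS.get(name, lambda _m: True)
        hits = [m.group(0) for m in pattern.finditer(text) if validator(m.group(0))]
        if hits:
            counts[name] = len(hits)
    return counts


def classify(counts: dict):
    """Map finding counts to a label and score (thresholds are an assumption of this example)."""
    score = sum(WEIGHTS[name] * n for name, n in counts.items())
    if score >= 10:
        return "Restricted", score
    if score > 0:
        return "Internal", score
    return "Public", score


def scan_tree(root: str) -> dict:
    """Walk root and return {relative_path: {label, score, findings}} for every readable text file."""
    results = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skipped here; in production, log it as unscanned
            findings = scan_text(text)
            label, score = classify(findings)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            results[rel] = {"label": label, "score": score, "findings": findings}
    return results


def build_demo_tree() -> str:
    """Create a constructed sample share with three files and return its path."""
    root = tempfile.mkdtemp(prefix="discovery_demo_")
    samples = {
        "hr/payroll.txt": "Card on file: 4111 1111 1111 1111\nSSN 123-45-6789\n",
        "public/readme.txt": "Welcome. Ticket 4111111111111112 is a reference, not a card.\n",
        "sales/contacts.txt": "alice@example.com, bob@example.org\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def demo() -> dict:
    """Scan the constructed tree; the readme's 16-digit ticket fails Luhn and is not reported."""
    return scan_tree(build_demo_tree())


if __name__ == "__main__":
    for rel, info in sorted(demo().items()):
        print(f"{info['label']:<10} score={info['score']:<3} {rel} {info['findings']}")
```

The validator step is the part worth copying: a bare 16-digit regex will flag ticket numbers, order IDs and timestamps, and the Luhn check removes most of that noise before anyone has to review the results.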
2. Implement an Access Control Policy
Now that you have a clear view of what data you hold and where it resides, you need to start assigning access controls to it. Identity and Access Management (IAM) is essentially about setting up policies that control how users interact with the data and applications on a network. IAM uses authentication and authorization to grant access to a given dataset or application: authentication verifies that someone is who they claim to be, and authorization determines whether that user should be allowed to access the data.
Enforcing access controls has become increasingly complicated in recent years because of the growing number of devices and platforms on which companies store their data. For example, more companies are adopting BYOD, a trend that lets staff use their own devices in the workplace, and more companies are taking advantage of cloud-based services, which means they have less control over, and visibility into, their data.
The two most popular approaches to IAM are Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC). With RBAC you simply set up roles (groups), which are logical groupings of users who share an affiliation; for example, users can be grouped by department, physical location, user type, length of service, and so on. ABAC lets you assign access rights more precisely: for example, an employee can be granted access to certain types of data only if they are in department X, at location Y and have Z years’ experience with the company.
The downside of ABAC is that queries will take longer and require more processing power, which can be especially problematic in companies with a large number of users. It is generally a good idea to start with RBAC, and then use ABAC for the specific exceptions where you need fine-grained control.
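Added example (not from the original post) of the “RBAC first, ABAC for exceptions” approach described above: role permissions are checked first, and attribute predicates run only for requests that no role grants, so the more expensive evaluation is reserved for the exceptions. The roles, resources, user attributes and the single exception rule are constructed for the demo.

```python
"""RBAC baseline with ABAC exceptions (added example; the policy data is constructed)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class User:
    name: str
    roles: Set[str]
    attributes: Dict[str, object] = field(default_factory=dict)


# RBAC: each role maps to the (resource, action) pairs it permits. Constructed demo policy.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "staff": {("handbook", "read")},
    "finance": {("payroll", "read")},
    "hr": {("payroll", "read"), ("payroll", "write")},
}

# ABAC exceptions: consulted only when no role grants the request. A predicate sees the
# user's attributes and the request context (here, which network the request came from).
Predicate = Callable[[User, Dict[str, object]], bool]


def senior_us_auditor_on_corp_network(user: User, ctx: Dict[str, object]) -> bool:
    """Department X, location Y, Z years of service, plus an environment attribute."""
    a = user.attributes
    return (
        a.get("department") == "audit"
        and a.get("location") == "US"
        and int(a.get("tenure_years", 0)) >= 5
        and ctx.get("network") == "corporate"
    )


ABAC_EXCEPTIONS: List[Tuple[str, str, Predicate]] = [
    ("payroll", "read", senior_us_auditor_on_corp_network),
]


def rbac_allows(user: User, resource: str, action: str) -> bool:
    """Cheap check: does any of the user's roles carry the permission?"""
    return any((resource, action) in ROLE_PERMISSIONS.get(role, set()) for role in user.roles)


def authorize(user: User, resource: str, action: str,
              ctx: Optional[Dict[str, object]] = None) -> Tuple[str, str]:
    """Return (decision, reason). RBAC first; ABAC predicates run only for requests RBAC denies."""
    ctx = ctx or {}
    if rbac_allows(user, resource, action):
        return "allow", "rbac"
    for res, act, predicate in ABAC_EXCEPTIONS:
        if (res, act) == (resource, action) and predicate(user, ctx):
            return "allow", "abac:" + predicate.__name__
    return "deny", "no role or exception matched"


if __name__ == "__main__":
    hr_user = User("hanna", {"hr", "staff"})
    auditor = User("ari", {"staff"}, {"department": "audit", "location": "US", "tenure_years": 7})
    print(authorize(hr_user, "payroll", "write"))
    print(authorize(auditor, "payroll", "read", {"network": "corporate"}))
    print(authorize(auditor, "payroll", "read", {"network": "public"}))
```

Because the reason string records which path granted access, the decision log itself tells you whether a user reached data through a role or through an exception, which is exactly the detail an auditor asks for later.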
In addition to setting up policies that control access privileges, you need a way to keep track of those privileges and to be alerted when they change. There are many commercial auditing tools that provide an intuitive dashboard where you can review permissions and receive real-time alerts when those permissions are modified.
3. Enhance Perimeter and Endpoint Security
The chances are that you are already using a firewall to prevent unauthorised access to your network and anti-virus software as a basic layer of defence against malware.
It is obviously important to keep these solutions up to date, but these tools alone will not be sufficient to protect your perimeter and endpoints. You will need to look into more advanced solutions such as Intrusion Detection and Prevention Systems (IDPS), which use advanced threat intelligence to identify potential security threats.
Additionally, Data Loss Prevention (DLP) hardware and software can be used to stop sensitive data from leaving your network. Firewalls, anti-virus, IDPS and DLP solutions all generate event logs, which can be collected and correlated by a SIEM solution to give you much greater visibility into the events that take place on your network.
Bring Your Own Device (BYOD) is a growing trend that allows employees to use their own devices in the workplace. While there are many good reasons to adopt BYOD, it also raises a number of security concerns. To address them, you will need to keep an inventory of all devices that connect to your network and apply restrictions that prevent unauthorised devices from gaining access. Employees should have two-factor authentication (2FA) enabled on their devices, and if they connect to the network from a public Wi-Fi hotspot they must use a virtual private network (VPN) to secure the connection. Employees must also be educated about the security risks of using their own devices.
They should also use a password-protected screen lock on their device and keep all software up to date. They must also install mobile device management (MDM) software so that the company can reset the device or wipe its storage if it is lost or stolen.
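Step 3 mentions feeding firewall, anti-virus, IDPS and DLP logs into a SIEM so they can be correlated. The following added example (not the original post’s code, and not any SIEM product’s rule syntax) shows the kind of correlation that makes those logs useful: events from different sources are grouped by host, and an endpoint alert followed within a short window by a large allowed outbound transfer from the same host is escalated. The log lines, the host-to-IP map, the time window and the byte threshold are all constructed assumptions.

```python
"""Correlate firewall, anti-virus and DLP events per host (added example; logs are constructed)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample events in a simple "<timestamp> <source> key=value ..." format.
LOG_LINES = [
    "2024-03-01T09:00:05Z av host=ws-17 action=quarantined threat=Trojan.Generic",
    "2024-03-01T09:03:12Z firewall src=10.0.5.17 dst=203.0.113.9 dport=443 action=allow bytes=52428800",
    "2024-03-01T09:04:00Z dlp host=ws-17 action=blocked policy=CardholderData dest=usb",
    "2024-03-01T11:30:00Z firewall src=10.0.5.22 dst=198.51.100.4 dport=443 action=allow bytes=1024",
]
# Host-to-IP mapping as an asset inventory or DHCP log would supply it (constructed).
HOST_IP = {"ws-17": "10.0.5.17", "ws-22": "10.0.5.22"}

LINE_RE = re.compile(r"^(\S+) (\w+) (.*)$")


def parse_line(line: str) -> Optional[dict]:
    """Parse one line into {'ts', 'source', <key>: <value>...}; return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
    return {"ts": ts, "source": m.group(2), **fields}


def correlate(lines, host_ip, window=timedelta(minutes=15),
              byte_threshold=10 * 1024 * 1024) -> List[dict]:
    """One incident per host that has an endpoint (av/dlp) alert; severity is 'high' when a large
    allowed outbound transfer from that host's IP occurs within `window` after the first alert."""
    ip_host = {ip: host for host, ip in host_ip.items()}
    per_host: Dict[str, List[dict]] = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        # Endpoint logs name the host; firewall logs only carry the source IP, so map it back.
        host = event.get("host") or ip_host.get(event.get("src", ""))
        if host:
            per_host[host].append(event)
    incidents = []
    for host, events in per_host.items():
        events.sort(key=lambda e: e["ts"])
        alerts = [e for e in events if e["source"] in ("av", "dlp")]
        if not alerts:
            continue
        first = alerts[0]["ts"]
        outbound = [
            e for e in events
            if e["source"] == "firewall" and e.get("action") == "allow"
            and int(e.get("bytes", 0)) >= byte_threshold
            and first <= e["ts"] <= first + window
        ]
        incidents.append({
            "host": host,
            "severity": "high" if outbound else "medium",
            "evidence": alerts + outbound,
        })
    return incidents


if __name__ == "__main__":
    for inc in correlate(LOG_LINES, HOST_IP):
        print(inc["severity"], inc["host"], [e["source"] for e in inc["evidence"]])
```

Taken alone, each of the three ws-17 lines is routine (a quarantine that succeeded, an allowed HTTPS connection, a blocked USB copy); only when they are joined on the host and ordered in time does the sequence stand out, which is the visibility the post attributes to a SIEM.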
4. Put Data at the Heart of Cyber Security
Perhaps the most important change you need to make to your cyber security strategy is to start with your data. Enhancing perimeter and endpoint security is also a must, but every other foundation in this document will fail if you don’t have this mindset.
It is imperative that you can detect, alert on, report and respond to suspicious file and folder activity. You must also be able to detect and manage inactive user accounts, monitor privileged mailbox access, and automate the process of reminding users to reset their passwords.
Auditing sensitive data is not only necessary for identifying security threats; it is also necessary for regulatory compliance. For example, under the GDPR, organizations are required to know exactly who, what, where and when changes are made to any personally identifiable information (PII) they store, and in the event of a data breach they must be able to demonstrate this to the supervisory authorities. A failure to do so could result in very costly fines.
Data-Centric Auditing solutions such as LepideAuditor are able to generate over 300 pre-set reports, which provide a detailed summary of historical changes made to permissions and PII, thus making it a lot easier for organizations to satisfy compliance requirements. LepideAuditor will also allow you to locate your sensitive data, run reports on changes being made to the data, the permissions to it and the platforms surrounding it.
5. Education! Education! Education!
Since the majority of security incidents are caused by insiders, educating staff about cyber-security is crucial. They must have a clear understanding of the risks and ramifications of a data breach and be able to recognise social engineering attacks in a timely manner, which includes verifying a sender’s email address and checking for suspicious web links.
Staff should be encouraged to report anything suspicious, including performance problems with their device or network connection. Employees must be well versed in all applicable regulatory compliance requirements and understand the ramifications of failing to comply. Training should be an ongoing process that includes periodic meetings as well as the occasional unannounced test.