One thing about us IT folk is that we have a tendency to over-complicate everything. However, when it comes to data security, there isn’t much we can do about it.
IT environments are not only growing in size, but they are becoming increasingly more complex, distributed and dynamic. Most modern IT environments consist of a large number of different users, applications and devices, with data spread across multiple platforms – both on-premises and in the cloud.
Now, with more people working from home, users are accessing critical assets with any device they choose, from potentially anywhere in the world. In some ways it’s a catch-22 situation.
If we don’t keep up-to-speed with the latest trends and technologies, we will get left behind, which will leave us vulnerable to attack. If, on the other hand, our systems are constantly changing and expanding, we could easily find ourselves losing both visibility and control over where our data resides, and how our data is being accessed and used.
Perhaps the best place to start when it comes to simplifying our cyber-security strategy is to figure out which technologies and practices are the least relevant and move forward from there.
Many moons ago, when data was mostly collected, processed and stored in-house, the focus was mainly on perimeter-based security, where the core objective was to build a wall around our network to keep the bad guys out.
Prior to the advent of cloud-based services and the use of VPNs to access company networks remotely, this was a reasonably effective model. Even though a lot of security incidents are caused by insiders, organizations could at least carry out background checks on their employees and keep a lookout for any suspicious behaviour.
These days, since our data is typically spread across multiple platforms, some of which we have little to no control over, the perimeter-based security model is being replaced by a more data-centric approach.
The Blockchain is often touted as a “next-generation” technology, which could potentially solve our data protection woes. In my opinion, this is a misunderstanding of what the Blockchain is, and what makes it special.
The Blockchain was specifically designed to achieve distributed consensus without the need for a centralized authority. This is great for digital currencies or situations where we don’t want to trust a centralized authority to create, read, update or delete our sensitive data. However, for most organizations, this is simply not relevant.
It should be noted that even seasoned security professionals struggle to understand how the Blockchain works, and how it can be used to protect our sensitive data.
Unless you really know what you’re doing, and why you’re doing it, I would argue that it’s better to avoid using the Blockchain. Whichever way you look at it, you need to trust someone with the data you process and store, which means carefully managing access permissions and monitoring how your data is being handled.
Artificial Intelligence (AI) and Machine Learning (ML)
You will often hear security experts talk about how technologies that leverage Artificial Intelligence (AI) and Machine Learning (ML) will be the future of data security.
While technologies that use AI and ML will (and already do) play an important role in protecting our critical assets, the implementation of these technologies will usually be left to the vendors, and so it’s not worth attempting to design policies around them, as that will only add to the confusion.
To be clear, I’m not implying that the techniques and technologies mentioned above are irrelevant, more that trying to implement them, or even understand them, is not a top priority.
So, the question remains: how should we prioritize and streamline our security strategy to achieve the best results with the least amount of complexity? Well, as mentioned previously, we need to focus on the data itself.
Data Discovery & Classification
Data-centric security is, as you might expect, a security model that focuses on restricting and monitoring access to sensitive data. Typically, the first stage of any data-centric security strategy is to find out exactly what data you have, where it is located, and how sensitive it is.
Naturally, any unused/redundant data should be removed or archived, to help simplify the process of assigning permissions and monitoring access to the data. There are plenty of solutions available which can automatically discover and classify sensitive data, and even classify the data at the point of creation.
Authentication & Access Control
Data-centric security heavily depends on having robust authentication and authorization protocols in place. Implementing Multi-Factor Authentication (MFA) would be highly recommended; however, if that’s not possible, a strong password policy is a must. Additionally, users should be granted the least privileges they need to be able to carry out their role.
An approach that is often adopted to help simplify the process of assigning access controls is Role-Based Access Control (RBAC). As opposed to assigning access rights to each specific user, which is time-consuming and prone to error, users and access rights are assigned to roles.
Detecting & Responding to Anomalous Events
One of the most important areas of data-centric security is User Behaviour Analytics (UBA). UBA, as you may have already guessed, is about monitoring user behaviour. This includes monitoring changes to user accounts and their privileges, monitoring access to files and folders containing sensitive data, and so on.
Most UBA solutions use machine learning algorithms to learn patterns of behaviour, which can be tested against in order to identify anomalies. An anomaly can be either a single event involving a critical asset, or a series of events that match or exceed a pre-defined threshold condition.
As to what constitutes a “threshold condition”, this could be when a certain number of files have been accessed, modified, moved or deleted within a specified time-frame, or when multiple login attempts have failed within a specified time-frame. One of the main benefits of using a UBA solution is that they provide the end-user with a list of all relevant changes via a single pane, which can be easily filtered based on flexible criteria. Additionally, the end-user can be alerted in real-time when potentially critical changes take place. This will enable the security team to respond to events in a fast and efficient manner.
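The two threshold conditions described above (bulk file activity and repeated failed logins within a time-frame), as an added example that is not part of the original post: a small sliding-window rule evaluator run over constructed audit log lines. The log format, rule names, thresholds and window sizes are assumptions made for the example, not settings of any particular UBA product.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log, one "timestamp user action target" per line.
SAMPLE_LOG = """\
2024-03-01T09:00:01 alice FILE_READ /finance/q1.xlsx
2024-03-01T09:00:05 alice FILE_READ /finance/q2.xlsx
2024-03-01T09:00:09 alice FILE_DELETE /finance/q3.xlsx
2024-03-01T09:00:12 alice FILE_MODIFY /finance/q4.xlsx
2024-03-01T09:10:00 bob LOGIN_FAIL workstation-7
2024-03-01T09:10:04 bob LOGIN_FAIL workstation-7
2024-03-01T09:10:09 bob LOGIN_FAIL workstation-7
2024-03-01T09:10:15 bob LOGIN_FAIL workstation-7
2024-03-01T10:30:00 carol FILE_READ /hr/policy.docx
2024-03-01T10:30:10 carol FILE_READ /hr/handbook.docx
2024-03-01T10:30:20 carol FILE_READ /hr/leave.xlsx
2024-03-01T10:35:00 carol FILE_READ /hr/payroll.xlsx
"""

# Rule name -> (matching actions, count threshold, sliding window); assumed values.
RULES = {
    "bulk_file_activity": ({"FILE_READ", "FILE_MODIFY", "FILE_MOVE", "FILE_DELETE"},
                           4, timedelta(minutes=1)),
    "repeated_login_failure": ({"LOGIN_FAIL"}, 4, timedelta(minutes=5)),
}


def parse_events(text):
    """Parse log lines into (timestamp, user, action, target), oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, target = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), user, action, target))
    return sorted(events, key=lambda e: e[0])


def evaluate_rules(events, rules=RULES):
    """Return (rule, user, ts) alerts; a user's window resets after each alert."""
    windows = defaultdict(deque)  # (rule, user) -> timestamps inside the window
    alerts = []
    for ts, user, action, _target in events:
        for name, (actions, threshold, window) in rules.items():
            if action not in actions:
                continue
            q = windows[(name, user)]
            q.append(ts)
            while ts - q[0] > window:  # drop events older than the window
                q.popleft()
            if len(q) >= threshold:
                alerts.append((name, user, ts))
                q.clear()  # one alert per burst, not one per extra event
    return alerts
```

Carol's four reads are spread over five minutes, so the first three fall out of the one-minute window before the fourth arrives and no alert is raised; alice and bob each trigger exactly one alert.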
In a nutshell, the best way to reduce the complexity of our IT environment, and thus ensure that we have clear visibility and control over how our sensitive data is being accessed, is to ensure that we know exactly what data we have, where the data is located, who has (and should have) access to what data, and when our data is being accessed. This information must be presented to us in real-time, to enable us to take action before a potentially serious security incident unfolds.