If there’s one perennial priority for security teams, it has always been preventing the theft and destruction of data. Thanks to policymakers, keeping data under control just became even more important: new regulations are imposing stricter rules than ever. Take the EU’s General Data Protection Regulation (GDPR). This EU regulation, which took effect in May 2018, applies to any company in the US that processes the personal data of people in the EU. It joins a complex patchwork of existing regulations that already bind many US companies, from HIPAA in healthcare to Gramm-Leach-Bliley in finance.
It’s time for US companies to up the ante in protecting files from intruders, going beyond basic cybersecurity hygiene such as patching software and running properly configured firewalls. Here are some things to think about:
Zero trust on the network
Data security was easier when networks were walled cities. Before mobile and cloud computing, IT administrators focused on protecting the perimeter of the network. Mobile devices, third-party system access and hybrid cloud have since blown networks apart like popcorn: what was once inside is now exposed. So, now what?
Today, being on the network does not make someone friendly. Proper data protection begins close to the data, on the virtual machine and network segment where it lives. ‘Never trust, always verify’ is the order of the day.
Admins can use secure infrastructure techniques such as network segmentation and traffic inspection to spot and stop suspicious traffic. By checking a user’s privileges and context (device, location, authentication strength) on every access request rather than once at login, administrators can block compromises before they happen and zero in on intruders who are already inside.
Encryption at rest
If you want to protect data, scramble it. Encryption in transit has long been a staple of data protection, preventing snooping on the wire; encryption at rest protects stored data, so that a stolen disk, a copied backup or an exposed storage bucket yields only ciphertext.
Data encryption is especially important for enterprise cloud customers. In a January 2018 cloud security report, the Ponemon Institute and Gemalto found that 77% of the 3,285 executives surveyed globally considered encryption important, and 91% expected it to become more important over the next two years.
This enthusiasm isn’t translating into action: only 47% actually encrypted their data in the cloud. Part of the reason is that it is harder to encrypt data on a system controlled by a service provider than on one controlled directly by the data’s owner. One option is a cloud access security broker (CASB) service that encrypts data as it flows to and from the cloud, so the provider only ever holds ciphertext.
Admins must also treat key management as a critical part of data encryption. The keys unlock the encrypted data, and companies must control them exclusively. If a cloud service provider holds the keys, then the provider, and anyone who compromises it or steals the keys, can read the data, and the encryption buys nothing. Hardware security modules (HSMs) kept on premises are the most appropriate way to secure encryption keys, and they have been gaining popularity: 35% of the Ponemon Institute respondents used them in 2017, up from 27% in 2015.
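As an added example (not code from the original article or from CenturyLink), the following Go program shows envelope encryption, the pattern behind customer-managed keys: each stored object is encrypted under its own data encryption key (DEK), and only that DEK is wrapped with a key-encryption key (KEK) that stays with the data owner, in practice inside an HSM. The provider stores the ciphertext and the wrapped DEK and can open neither. The object identifier, the key sizes and the plain byte slice standing in for the HSM-held KEK are assumptions for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredObject is everything the cloud provider holds for one object:
// the ciphertext, its nonce, and the per-object data key wrapped under a
// key-encryption key (KEK) the provider never sees.
type StoredObject struct {
	Ciphertext []byte
	Nonce      []byte
	WrappedDEK []byte
	WrapNonce  []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aeadSeal encrypts plaintext under key with a fresh random nonce, binding
// aad (here the object ID) so a record cannot be swapped between objects.
func aeadSeal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, g.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, g.Seal(nil, nonce, plaintext, aad), nil
}

func aeadOpen(key, nonce, ct, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, nonce, ct, aad)
}

// Encrypt generates a 256-bit data encryption key (DEK) for this object,
// encrypts the object under it, then wraps the DEK under the KEK. The
// plaintext DEK is never stored.
func Encrypt(kek, plaintext []byte, objectID string) (*StoredObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	nonce, ct, err := aeadSeal(dek, plaintext, []byte(objectID))
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := aeadSeal(kek, dek, []byte(objectID))
	if err != nil {
		return nil, err
	}
	return &StoredObject{Ciphertext: ct, Nonce: nonce, WrappedDEK: wrapped, WrapNonce: wrapNonce}, nil
}

// Decrypt unwraps the DEK with the KEK, then opens the object. In a real
// deployment the unwrap is the only step that touches the HSM and the KEK
// never leaves it; here the KEK is a plain byte slice (assumption).
func Decrypt(kek []byte, obj *StoredObject, objectID string) ([]byte, error) {
	dek, err := aeadOpen(kek, obj.WrapNonce, obj.WrappedDEK, []byte(objectID))
	if err != nil {
		return nil, errors.New("unwrap failed: wrong KEK, wrong object ID or tampered record")
	}
	return aeadOpen(dek, obj.Nonce, obj.Ciphertext, []byte(objectID))
}

func main() {
	kek := make([]byte, 32) // would be generated and kept inside an HSM
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	id := "crm/customer-42" // assumed object identifier
	obj, err := Encrypt(kek, []byte("customer 42: card ending 1234"), id)
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(kek, obj, id)
	fmt.Printf("owner with KEK: %q, err=%v\n", pt, err)
	// The provider holds obj but not kek; any other key fails to unwrap.
	_, err = Decrypt(make([]byte, 32), obj, id)
	fmt.Println("provider without KEK:", err)
}
```

Binding the object ID as associated data is what stops a wrapped DEK from being re-attached to a different object; rotating the KEK means re-wrapping the small DEKs, not re-encrypting every object.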
Robust identity and access management
Encryption won’t help a company with rogue or careless employees. Enterprise systems decrypt files transparently during everyday access by legitimate users, so if a malicious insider uses their own account to steal files, or an outsider hijacks an employee’s credentials, they get everything in plain text.
Minimize those risks by granting access on a least-privilege basis: users should see only the information they need to do their jobs. A junior accounting clerk should not be able to access the entire customer contact database.
Identity and access management (IAM) systems help by mapping access privileges onto user roles and responsibilities. Some also help prevent account takeover with mechanisms such as multi-factor authentication (MFA), which makes a stolen password insufficient on its own, and behavioral analysis that spots and blocks unusual access patterns.
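An added example, not from the original article, that covers both the per-request context checks described under ‘never trust, always verify’ above and the least-privilege role mapping of this section: a deny-by-default authorizer in Go. The role grants are checked first, then the context that catches a hijacked account (no second factor, an unmanaged device, a write from the wrong network segment). The roles, resource names, sensitivity tiers and segment names are assumed for illustration.

```go
package main

import "fmt"

// Sensitivity tiers decide which extra checks a request must pass.
type Sensitivity int

const (
	Internal     Sensitivity = iota // routine business data
	Confidential                    // e.g. invoices: needs MFA
	Restricted                      // e.g. the full customer contact database
)

type Resource struct {
	Name        string
	Sensitivity Sensitivity
}

// Request carries identity and context; zero trust means the context is
// re-checked on every call, not once at login.
type Request struct {
	User, Role, Action string
	Resource           Resource
	MFA, ManagedDevice bool
	SourceSegment      string // network segment the request arrived from
}

// rolePermissions is the least-privilege map: each role lists only the
// resource/action pairs its job needs; anything absent is denied.
// Roles and resources are assumed for this example.
var rolePermissions = map[string]map[string][]string{
	"accounting-clerk": {"invoices": {"read", "write"}},
	"sales-rep":        {"customer-contacts": {"read"}},
	"dba":              {"customer-contacts": {"read", "write"}, "invoices": {"read"}},
}

type Decision struct {
	Allow  bool
	Reason string
}

func permitted(role, resource, action string) bool {
	for _, a := range rolePermissions[role][resource] {
		if a == action {
			return true
		}
	}
	return false
}

// Authorize denies by default. A stolen password alone fails the MFA
// check, a hijacked session on a personal laptop fails the device check,
// and a write to restricted data from outside the admin segment is refused.
func Authorize(r Request) Decision {
	if !permitted(r.Role, r.Resource.Name, r.Action) {
		return Decision{false, "role " + r.Role + " has no " + r.Action + " on " + r.Resource.Name}
	}
	if r.Resource.Sensitivity >= Confidential && !r.MFA {
		return Decision{false, "MFA required for confidential data"}
	}
	if r.Resource.Sensitivity == Restricted && !r.ManagedDevice {
		return Decision{false, "restricted data only from managed devices"}
	}
	if r.Action == "write" && r.Resource.Sensitivity == Restricted && r.SourceSegment != "admin-vlan" {
		return Decision{false, "writes to restricted data only from the admin segment"}
	}
	return Decision{true, "allowed"}
}

func main() {
	contacts := Resource{Name: "customer-contacts", Sensitivity: Restricted}
	invoices := Resource{Name: "invoices", Sensitivity: Confidential}
	for _, r := range []Request{
		{User: "alice", Role: "accounting-clerk", Action: "read", Resource: invoices, MFA: true, ManagedDevice: true, SourceSegment: "office"},
		{User: "alice", Role: "accounting-clerk", Action: "read", Resource: contacts, MFA: true, ManagedDevice: true, SourceSegment: "office"},
		{User: "bob", Role: "dba", Action: "read", Resource: contacts, MFA: false, ManagedDevice: true, SourceSegment: "office"},
		{User: "bob", Role: "dba", Action: "write", Resource: contacts, MFA: true, ManagedDevice: true, SourceSegment: "guest-wifi"},
	} {
		d := Authorize(r)
		fmt.Printf("%s %s %s from %s: allow=%v (%s)\n", r.User, r.Action, r.Resource.Name, r.SourceSegment, d.Allow, d.Reason)
	}
}
```

The order of the checks matters for the audit trail: a denial reason of "role has no permission" points at a privilege-mapping gap, while "MFA required" on a valid role is the signal that a credential may have been stolen.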
Data classification
To truly protect something, you have to know its properties. Each data record has its own origin, owner, sensitivity and legal status. Some records contain personal information; others are generic. Some have a single use and should be deleted as soon as that use is over, while regulations may force companies to retain others for years.
By classifying data when it is created or collected, companies can govern its journey through the organization and automate decisions about how the data is handled and who may access it.
Data classification tools embed metadata directly into documents, so that a document describes its own properties. Applications can then decide what to do with a file based on its owner, sensitivity level and compliance requirements. If a customer asks you to delete all their records, as they can under GDPR, those records are far easier to find when they are tagged with the right descriptors.
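The following Go program is an added illustration, not part of the original article, of records that carry their classification with them. Each record is tagged once at collection time with its owner, data subject, sensitivity class, legal hold and retention period; the tags then drive two automated decisions, a scheduled retention purge and a GDPR erasure request. The erasure path also shows the caveat that an erasure request cannot override a statutory retention obligation, so records under legal hold are reported back rather than silently kept. The field names, the email-based personal-data heuristic and the sample records are assumptions for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// Record carries its own classification metadata, so downstream systems
// can make handling decisions without re-inspecting the content.
type Record struct {
	ID        string
	Owner     string        // accountable team or system
	Subject   string        // data-subject identifier for personal data, "" otherwise
	Class     string        // "public", "internal" or "personal"
	LegalHold bool          // retention required by law; overrides erasure requests
	Created   time.Time
	Retention time.Duration // 0 keeps the record until it is erased
	Body      string
}

var emailRe = regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`)

// Classify runs once, at collection time. A record is personal if it is
// linked to a data subject or its body contains an email address. This
// heuristic is an assumption for the example, not a complete PII detector.
func Classify(r Record) Record {
	switch {
	case r.Subject != "" || emailRe.MatchString(r.Body):
		r.Class = "personal"
	case r.Class == "":
		r.Class = "internal"
	}
	return r
}

type Store struct{ Records []Record }

// Add tags the record before it is stored, never afterwards.
func (s *Store) Add(r Record) { s.Records = append(s.Records, Classify(r)) }

// EraseSubject handles a GDPR erasure request: records tagged with the
// subject are removed unless a legal hold (e.g. a tax-retention rule)
// applies, in which case their IDs are returned so the refusal can be justified.
func (s *Store) EraseSubject(subject string) (erased int, withheld []string) {
	kept := s.Records[:0]
	for _, r := range s.Records {
		switch {
		case r.Subject != subject:
			kept = append(kept, r)
		case r.LegalHold:
			withheld = append(withheld, r.ID)
			kept = append(kept, r)
		default:
			erased++
		}
	}
	s.Records = kept
	return erased, withheld
}

// Expired lists records whose retention period has elapsed at now; a
// scheduled job deletes them so data is not kept longer than needed.
func (s *Store) Expired(now time.Time) []string {
	var ids []string
	for _, r := range s.Records {
		if r.Retention > 0 && !now.Before(r.Created.Add(r.Retention)) {
			ids = append(ids, r.ID)
		}
	}
	return ids
}

func main() {
	// Constructed sample records; "cust-42" and jane@example.com are made up.
	now := time.Date(2018, 7, 1, 0, 0, 0, 0, time.UTC)
	day := 24 * time.Hour
	s := &Store{}
	s.Add(Record{ID: "crm-1", Owner: "sales", Subject: "cust-42", Created: now, Retention: 365 * day, Body: "called about renewal"})
	s.Add(Record{ID: "inv-1", Owner: "finance", Subject: "cust-42", LegalHold: true, Created: now, Retention: 7 * 365 * day, Body: "invoice 1001"})
	s.Add(Record{ID: "lead-7", Owner: "marketing", Created: now.Add(-2 * day), Retention: day, Body: "contact jane@example.com"})
	for _, r := range s.Records {
		fmt.Printf("%-7s class=%s\n", r.ID, r.Class)
	}
	fmt.Println("expired:", s.Expired(now))
	erased, withheld := s.EraseSubject("cust-42")
	fmt.Printf("erasure for cust-42: erased %d, withheld under legal hold %v\n", erased, withheld)
}
```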
Ransomware-resistant backups
Effective backups have always been part of any data protection methodology, and that is especially true in the age of the nastiest software irritant yet: ransomware. This malware has evolved over the years to lock up not just data on endpoint devices, but data on servers and network attached storage (NAS) devices too, including any backup share the infected machine can write to.
Companies can protect themselves by using backup tools that keep multiple restore points, so that a clean copy from before the infection is still available. Isolate the backups so that maliciously encrypted files cannot overwrite good copies and render them useless: keep at least one copy offline, or on write-once-read-many (WORM) storage that even an administrator account cannot modify or delete before its retention period ends.
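As an added example (not from the original article), the Go program below models a WORM backup store with multiple restore points. Snapshots are only ever appended, deletion is refused inside the retention window regardless of who asks, and each new snapshot is screened before it is trusted: if half or more of the files that changed since the previous snapshot have ciphertext-like entropy, the snapshot is flagged as suspect so a later restore picks the newest clean point instead. The entropy threshold, the retention period, the sample files and the xorshift generator standing in for ransomware output are assumptions for this example.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// Snapshot is one restore point: path-to-content, taken at Taken.
type Snapshot struct {
	Taken   time.Time
	Files   map[string][]byte
	Suspect bool // set when the changed files look like ransomware output
}

// WORMStore never rewrites a snapshot and refuses to delete one inside its
// retention window, whoever asks, so malware holding the backup agent's
// credentials cannot wipe the history a restore depends on.
type WORMStore struct {
	Snapshots []Snapshot
	Retention time.Duration
}

// fakeEncrypted: deterministic xorshift32 bytes standing in for ransomware output.
func fakeEncrypted(n int) []byte {
	out, x := make([]byte, n), uint32(2463534242)
	for i := range out {
		x ^= x << 13
		x ^= x >> 17
		x ^= x << 5
		out[i] = byte(x)
	}
	return out
}

// shannonEntropy gives bits per byte (0..8): ciphertext sits near 8, text
// and logs far lower. Caveat: zip, jpeg and PGP files also score high,
// which is why Put judges the share of changed files, not any single file.
func shannonEntropy(b []byte) float64 {
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	h := 0.0
	for _, n := range counts {
		if n > 0 {
			p := float64(n) / float64(len(b))
			h -= p * math.Log2(p)
		}
	}
	return h
}

// Put appends a snapshot, flagged Suspect when at least half of the files
// changed since the previous one have encryption-like entropy. The first
// snapshot has no baseline and is never flagged.
func (w *WORMStore) Put(files map[string][]byte, now time.Time) bool {
	changed, high := 0, 0
	if n := len(w.Snapshots); n > 0 {
		prev := w.Snapshots[n-1].Files
		for path, data := range files {
			if old, ok := prev[path]; ok && string(old) == string(data) {
				continue
			}
			changed++
			if shannonEntropy(data) > 7.0 {
				high++
			}
		}
	}
	suspect := changed > 0 && 2*high >= changed
	w.Snapshots = append(w.Snapshots, Snapshot{Taken: now, Files: files, Suspect: suspect})
	return suspect
}

// Delete is refused inside the retention window: the write-once-read-many rule.
func (w *WORMStore) Delete(i int, now time.Time) error {
	if until := w.Snapshots[i].Taken.Add(w.Retention); now.Before(until) {
		return fmt.Errorf("snapshot %d is retained until %s", i, until.Format("2006-01-02"))
	}
	w.Snapshots = append(w.Snapshots[:i], w.Snapshots[i+1:]...)
	return nil
}

// LatestClean returns the newest unflagged snapshot: the restore point after an incident.
func (w *WORMStore) LatestClean() (Snapshot, bool) {
	for i := len(w.Snapshots) - 1; i >= 0; i-- {
		if !w.Snapshots[i].Suspect {
			return w.Snapshots[i], true
		}
	}
	return Snapshot{}, false
}

func main() {
	w := &WORMStore{Retention: 30 * 24 * time.Hour}
	t0 := time.Date(2018, 6, 1, 0, 0, 0, 0, time.UTC)
	w.Put(map[string][]byte{"ledger.csv": []byte("id,amount\n1,100\n2,250\n")}, t0) // constructed sample file
	// Next run: the ledger has been replaced by a ransomware-encrypted copy.
	fmt.Println("suspect:", w.Put(map[string][]byte{"ledger.csv.locked": fakeEncrypted(4096)}, t0.Add(24*time.Hour)))
	fmt.Println("early delete:", w.Delete(0, t0.Add(48*time.Hour)))
	s, _ := w.LatestClean()
	fmt.Println("restore from", s.Taken.Format("2006-01-02"))
}
```

The entropy screen is a heuristic, so it is used to choose which restore point to trust rather than to refuse the backup; a run that stores mostly compressed media would trip it, which is the caveat noted in the code.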
Which of these measures is right for you? All of them. Data protection is like a bullet-proof vest: the vest does not rely on a single layer, but on many layers densely woven into a fabric that is hard to penetrate. Similarly, a layered combination of tools and techniques complements each other and minimizes the risk of data falling into others’ hands. It will also go a long way toward keeping your company’s name out of the headlines.
Looking for proactive security solutions? See how CenturyLink can help protect your data.