[BreachExchange] Data Protection From The Inside Out

Audrey McNeil audrey at riskbasedsecurity.com
Tue Aug 9 19:25:35 EDT 2016


http://www.darkreading.com/cloud/data-protection-from-the-inside-out-/a/d-id/1326527

Despite many organizations’ significant cybersecurity investments, breaches
of sensitive data continue to occur at an alarming rate and with devastating
impact. There are many reasons why: the rapidly rising rate of data collection
and storage; business and technology innovation (e.g., the Internet of Things
and cloud computing); the extended enterprise of partners and suppliers;
technology that ships with flaws; and reliance on outdated security standards
and controls that can’t keep up with current attack vectors. Cyber attackers
are skilled, well funded, and organized. If an organization holds something
desirable (such as personal information or intellectual property), determined
attackers will keep trying until they get inside.

Organizations need to fundamentally change their approach to data
protection. For decades, many have spent their time, money, and resources on
traditional controls (identity and access management, vulnerability
management, and application security) with the intent of keeping adversaries
out of their networks, applications, and infrastructure. Breach trends show
that although these fundamentals are necessary, relying solely on them does
not work. Organizations need to acknowledge that adversaries can reach their
most sensitive data, and shift more of their time, money, and resources to
controls at the data layer itself.

Data protection from the inside out doesn’t mean that traditional data
protection capabilities aren’t necessary or that we should throw our hands
in the air and quit. Organizations must continue to implement and maintain
these basic capabilities. However, these traditional measures need to be
viewed as a deterrent to cyber threats rather than a complete fix. As an
organization, treat your cyber adversaries the same way you would treat a
common criminal targeting your own home.

For example, common criminals are less likely to break into a house with
basic security measures (locks, fence, alarm system, camera/surveillance
system, dog). However, if you have something they really want (say,
jewelry), are these measures really going to stop them from getting in? No,
a determined and sophisticated criminal is going to spend the time and
money, and work with the right team, to get into the house and find your
valuables. However, as an additional measure, you could store your
valuables in a secure safe within the house. That would help protect your
valuables “from the inside out.”

Inventorying and classifying sensitive data and assets, as well as
maintaining the inventory, is the foundation of your efforts, and
incredibly important to data protection. However, many organizations either
don’t have an inventory; think they have one, but in reality don’t; or
create an inventory without a means to keep it up to date and accurate. Not
to oversimplify, but you can’t protect what you don’t know you have. You
can’t apply data protection capabilities and technologies (e.g., encryption)
uniformly to “all” of your data because of the cost, and the effectiveness
of some data protection solutions (e.g., data loss prevention) is limited
without data classification: a DLP rule has to know what a sensitive record
looks like before it can stop one leaving.
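The discovery step the paragraph describes, as an added example that is not code from the Dark Reading article. It assumes two sensitive classes of my choosing (payment card numbers confirmed with the Luhn check digit, and US SSNs matched by format), and the sample records are constructed for illustration; the output is an inventory of which records carry which label, plus masked findings, so that encryption and DLP rules can be scoped to what actually needs them.

```python
"""Data-discovery scan: label records by the sensitive data they contain.

Added example, not code from the article. Assumptions (mine): two sensitive
classes, card numbers (PAN) validated with Luhn to cut false positives, and
US SSNs matched by format. Sample records below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# 13-19 digits, optionally separated by spaces or hyphens, ending on a digit.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# AAA-GG-SSSS, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit counting from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits; the inventory must not become a second copy of the secrets."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class Finding:
    record_id: str
    field: str
    label: str      # "PCI" for card data, "PII" for SSNs
    excerpt: str    # masked match, never the raw value


def scan_value(value: str) -> list[tuple[str, str]]:
    """Return (label, masked excerpt) pairs for one field value."""
    hits = []
    for m in PAN_RE.finditer(value):
        if luhn_ok(re.sub(r"\D", "", m.group(0))):   # digit runs that fail Luhn are not PANs
            hits.append(("PCI", mask(m.group(0))))
    for m in SSN_RE.finditer(value):
        hits.append(("PII", mask(m.group(0))))
    return hits


def inventory(records: list[dict]) -> tuple[dict[str, list[str]], list[Finding]]:
    """Label every record; records with no findings are still listed (empty label list)."""
    labels: dict[str, list[str]] = {}
    findings: list[Finding] = []
    for rec in records:
        found = set()
        for field, value in rec.items():
            if field == "id" or not isinstance(value, str):
                continue
            for label, excerpt in scan_value(value):
                found.add(label)
                findings.append(Finding(rec["id"], field, label, excerpt))
        labels[rec["id"]] = sorted(found)
    return labels, findings


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    {"id": "cust-001", "name": "Alice Example", "notes": "card on file 4111 1111 1111 1111"},
    {"id": "cust-002", "name": "Bob Example", "notes": "SSN 123-45-6789 provided for tax form"},
    {"id": "cust-003", "name": "Carol Example", "notes": "order ref 4111111111111112"},  # fails Luhn
    {"id": "cust-004", "name": "Dan Example", "notes": "call back on 555-123-4567"},      # phone, not SSN
]

if __name__ == "__main__":
    labels, findings = inventory(SAMPLE_RECORDS)
    for rid, tags in labels.items():
        print(rid, tags or ["unclassified"])
    for f in findings:
        print(f"  {f.record_id}.{f.field}: {f.label} {f.excerpt}")
```

The Luhn check is what keeps "order ref 4111111111111112" out of the PCI scope; without it, any 16-digit reference number would be tagged and the encryption or DLP rules keyed to the label would be applied far more widely than the cost argument above allows.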

Implementing data protection capabilities at the data layer can help to
both prevent and detect data breaches at an organization’s last line of
defense. These capabilities include preventative solutions such as
information rights management (which attaches access policy and encryption
to the document itself, wherever it travels), as well as detective solutions
such as data loss prevention, data access governance, and database activity
monitoring. Adoption of these solutions has been relatively slow, and even
where they are implemented, their full capabilities often go unused.

Reducing the value of sensitive data is perhaps the most important
principle, and it’s based on the premise that it’s not “if” but “when” a
data breach will occur at your organization. One way to reduce the value of
sensitive data is to encrypt, tokenize, or obfuscate it so that a copy taken
from a compromised system is useless without the keys or the token vault,
which must therefore be stored and controlled separately from the data they
protect. A second way is to securely destroy data when it’s no longer
necessary for legitimate legal or business purposes: data you no longer hold
cannot be stolen.
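The two value-reduction measures above, tokenization and retention-based destruction, as an added example that is not code from the article. It assumes (my choices, not the author's) format-preserving tokens that keep the card number's length and last four digits, an in-memory vault with an HMAC-keyed index so repeat lookups never scan plaintext, and a constructed test card number and timeline; the application row holds only the token, so a dump of the application database alone yields nothing usable.

```python
"""Tokenization vault with retention purge.

Added example, not code from the article. Assumptions (mine): tokens keep
the PAN's length and last four digits and are otherwise random; the vault
is in-memory here, and the PAN and dates in run_demo() are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone


class TokenVault:
    """Token <-> PAN mapping. In production this store sits in its own service,
    encrypted under a key held outside the application (HSM/KMS), and only the
    payment path is allowed to call detokenize()."""

    def __init__(self, index_key: bytes, retention_days: int):
        self._index_key = index_key
        self._retention = timedelta(days=retention_days)
        self._by_token: dict[str, tuple[str, datetime]] = {}  # token -> (pan, last_used)
        self._by_pan: dict[str, str] = {}                      # HMAC(pan) -> token

    def _pan_index(self, pan: str) -> str:
        # Keyed hash, not a plain hash: an attacker with the index but not the key
        # cannot rebuild it from a list of candidate card numbers.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str, now: datetime | None = None) -> str:
        """Return the token for a PAN, minting one if the PAN is new."""
        if not pan.isdigit() or not 13 <= len(pan) <= 19:
            raise ValueError("not a card number")
        now = now or datetime.now(timezone.utc)
        idx = self._pan_index(pan)
        token = self._by_pan.get(idx)
        if token is None:
            while True:
                body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
                token = body + pan[-4:]   # last four kept for receipts and support lookups
                if token != pan and token not in self._by_token:
                    break
            self._by_pan[idx] = token
        self._by_token[token] = (pan, now)
        return token

    def detokenize(self, token: str, now: datetime | None = None) -> str:
        """Resolve a token to its PAN; raises KeyError for unknown or purged tokens."""
        pan, _ = self._by_token[token]
        self._by_token[token] = (pan, now or datetime.now(timezone.utc))
        return pan

    def has_token(self, token: str) -> bool:
        return token in self._by_token

    def purge_expired(self, now: datetime | None = None) -> int:
        """Drop mappings not used within the retention period; returns the count removed."""
        cutoff = (now or datetime.now(timezone.utc)) - self._retention
        expired = [t for t, (_, last) in self._by_token.items() if last < cutoff]
        for t in expired:
            pan, _ = self._by_token.pop(t)
            self._by_pan.pop(self._pan_index(pan), None)
        return len(expired)


def run_demo() -> dict:
    """Walk one PAN through tokenize, detokenize and a retention purge on a constructed timeline."""
    vault = TokenVault(index_key=secrets.token_bytes(32), retention_days=365)
    t0 = datetime(2016, 8, 9, tzinfo=timezone.utc)   # constructed
    pan = "4111111111111111"                          # constructed test PAN
    token = vault.tokenize(pan, now=t0)
    return {
        "app_row": {"customer": "cust-001", "card": token},   # all the application DB holds
        "same_token_on_repeat": vault.tokenize(pan, now=t0) == token,
        "resolves": vault.detokenize(token, now=t0) == pan,
        "purged_at_30_days": vault.purge_expired(now=t0 + timedelta(days=30)),
        "purged_at_400_days": vault.purge_expired(now=t0 + timedelta(days=400)),
        "resolvable_after_purge": vault.has_token(token),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Two caveats a practitioner will want: the token is random, so nothing in the application row lets an attacker recover the PAN, but the vault is now the crown jewel and needs the separate keys, network path and access control described above; and removing an entry from a persistent store is not secure destruction on its own, so retention purges of an encrypted vault are usually completed by crypto-shredding, that is, destroying the key under which the expired records were encrypted.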

Protecting sensitive data is a complex challenge that requires a holistic
and comprehensive data protection strategy, executive support, and
investment of time, talent, and funding. Implementing individual
data-centric solutions in a siloed manner, and without integration, can
lead to critical gaps in an organization’s security. Traditional measures
alone are no longer sufficient, so it’s time to change the game.