[BreachExchange] Three questions to make security vendors sweat

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jun 10 14:12:56 EDT 2016


http://www.itproportal.com/2016/06/10/three-questions-to-make-security-vendors-sweat/

As the frequency of cyberattacks and high profile data breaches continues
to increase and make headlines, businesses are starting to realise that
it’s no longer a case of ‘if’ they will be a victim, but ‘when’.
Consequently, companies are adopting new cybersecurity measures and
technology in the hope that it will minimise the impact a cyberattack or
data breach can have on ongoing operations. The issue is that, as with any
booming industry, there is a plethora of organisations contesting for their
piece of the pie, each using the security ‘buzzwords’ and claiming to offer
the utmost defence.

With so many layers of security and tactics for securing company data, it’s
easy for companies to feel overwhelmed and pile on the security technology
with little thought about how these work together and what’s actually being
protected. This leaves both them and their data at risk as the technology
may not provide as comprehensive protection as first thought. As such,
there are three questions businesses must ask security vendors to really
scrutinise the capabilities of their solutions.

Is encryption tied to identity and policy?

Encryption is almost useless if you can’t control who should access
data, when they should access it and under which circumstances. For
example, some vendors will claim that their offerings provide true
‘end-to-end’ encryption, but sometimes this simply means basic HTTPS. A
simple technology, it only provides encryption in transit, meaning data
remains readable on both the sender’s and recipient’s devices: a major flaw
that leaves sensitive data accessible should either device become lost or
stolen.

Businesses require more robust encryption to secure their sensitive data.
For example, advanced data-centric encryption not only encrypts individual
packets of data prior to it leaving the sender’s device and being sent to
the server, but it also requires the recipient to prove their identity and
meet specific policy requirements every time they wish to access the
information. Without passing the checks the data remains unreadable,
meaning should it fall into unintended hands, the new possessor won’t have
sensitive information presented on a silver platter.

How granular are the access controls?

And where do audit trail capabilities truly stop? Businesses must have the
ability to set specific access policy controls to individual packets of
data, enabling them to set the requirements that must be met in order for
encrypted data to become readable. They should also be able to amend the
access controls at any time, with all subsequent access requests subjected
to the new requirements.

However, businesses can’t ignore the fact that some files will be
downloaded and they can then be shared and forwarded on to anyone without
the company ever knowing – therefore bringing the audit trail to an end. To
mitigate some of the risk, companies require the capability to set rules
regarding downloading, or in the case of highly sensitive data – such as
classified government documents – prevent it completely. This ensures that
data remains within the secure walls of the network, where it is more easily
secured and businesses can monitor exactly who is accessing it, for how
long and what they are doing, ensuring a true, full audit trail.

While controlling access to data can go a long way to ensure data
integrity, organisations must also have the ability to block access
completely if they believe it to be at a truly high risk of being
compromised. For example, in cases where information is being misused by
employees or accessed by unauthorised individuals, companies can close the
data off and give themselves time to investigate and respond accordingly.

There is also the risk of employees taking photos of classified documents
and sharing them with outsiders which, other than through physical
measures, can be difficult to mitigate. Companies should adopt technology
that watermarks all documents meaning that, at the very least, any photo
will be distorted and not easy to view.

And finally: the most important security question…

Finally, businesses must discover the level of visibility into data
sovereignty provided and whether data location can change without their
knowledge or approval. Many organisations find it difficult to identify
where information is residing at any given time, and the challenge becomes
even more complex when vendors entrust data to cloud service providers (CSPs)
which often bounce it around their global data centres. This means that
firms are unsure what regulations their data is governed by and, more
worryingly, whether the data is potentially at risk of exposure to
external parties.

While the incoming EU GDPR will result in many security vendors and CSPs
relocating their data centres to within the EU – meaning all data will be
governed by the one regulation – organisations still need to be able to
identify the exact location of their data. For example, an employee who is
travelling and can meet the specific requirements needed to unlock data
may be in a country with a reputation for ‘monitoring’, such as China.
This means that, should access be granted, it’s highly possible that the
information could be viewed by external entities. This insight can be
achieved through advanced geolocation. It provides organisations with
complete visibility of their data’s whereabouts and, should it be within a
country that is considered risky, enables them to lock down access to it
altogether.
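The three capabilities the article asks vendors about (encryption gated by identity and policy, access rules that can be amended or revoked at any time with an audit trail, and a geolocation lockdown) can be sketched in one piece of code. This is an added example, not code from the article or from any vendor: a packet is encrypted before it leaves the sender, and the key is released only after a policy check on every access. The `Policy`, `KeyServer` and user/country values are assumptions constructed for the illustration; the cipher is a PRF-based keystream with an HMAC tag built from the standard library so the example runs anywhere, and a production system would use a vetted AEAD such as AES-GCM instead.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# --- data-centric encryption of a single packet (constructed example) ---
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # CTR-style keystream from HMAC-SHA256 used as a PRF
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def encrypt_packet(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + body + tag

def decrypt_packet(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")  # tampered or wrong key
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

# --- policy that gates every key release; can be amended or revoked later ---
@dataclass
class Policy:
    allowed_users: set          # identity the recipient must prove
    allowed_countries: set      # geolocation lockdown: risky countries are absent
    not_after: float            # access window (epoch seconds)
    revoked: bool = False       # "close the data off" while investigating

@dataclass
class KeyServer:
    key: bytes
    policy: Policy
    audit: list = field(default_factory=list)   # every request, granted or not

    def request_key(self, user: str, country: str, now: float) -> bytes:
        # The current policy is evaluated on each access, so later amendments
        # apply to all subsequent requests.
        ok = (not self.policy.revoked
              and user in self.policy.allowed_users
              and country in self.policy.allowed_countries
              and now <= self.policy.not_after)
        self.audit.append((now, user, country, "granted" if ok else "denied"))
        if not ok:
            raise PermissionError(f"policy denied {user} from {country}")
        return self.key
```

Because the key never leaves the server unless the check passes, a lost device or a forwarded file holds only ciphertext plus an integrity tag.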

Ultimately, as companies continue to collect more data on their own
customers and wider consumer base, data stores are growing and containing
more sensitive information. The potentially costly, ongoing ramifications of a
cyberattack or data breach are forcing businesses to invest heavily in
cybersecurity, but not all solutions are created equal, and consideration
must be given to how each one integrates. As part of a comprehensive security
strategy, firms must place vendors under increased scrutiny, asking the
questions which reveal the true capabilities of the technology. Only then
can organisations ensure that they aren’t being lulled into a false sense
of security over the protection of data.