[BreachExchange] Five Tips for Minimizing Data Loss Risk in a Hybrid IT Environment

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jul 12 19:37:34 EDT 2018


http://virtual-strategy.com/2018/07/12/five-tips-for-minimizing-data-loss-risk-in-a-hybrid-it-environment/

Once upon a time, IT environments were standardized. Policies and controls
to mitigate risk could be consistently applied without much concern for
crossing multiple platforms. Then came a cascading series of technology
changes over the last decade that eliminated those standards –
virtualization, private and public cloud infrastructure, and software as a
service (SaaS), consumed on BYOD laptops and mobile devices, and running a
variety of operating systems.

The resulting hybrid IT environment means that you can have the best
policies and controls in one part of your environment, but inconsistency in
another part of the environment can open the door to data loss. For
example, you might have an automated means of removing employee access to
applications or data when an employee leaves your company, through
integrations between your HR and Identity Management systems. But if it
only works for apps running in your data center, then cloud-based apps or
file management systems might be vulnerable to abuse by a disgruntled
former employee or hackers who acquire credentials to orphan accounts.

Here are five common data loss risks found in hybrid environments and tips
for what can be done to mitigate them.

1. Uncontrolled privileged users

Data loss stemming from inappropriate use of privileged access can be
devastating. Whether a privileged user intentionally abuses their rights to
steal data, as we saw in the Panama Papers, WikiLeaks or Edward Snowden
cases, or their credentials are stolen and abused, as we saw in the OPM or
Anthem attacks, the end result is costly and can damage careers and destroy
companies.

Policies for managing privileged user access need to be consistent across
cloud and distributed systems. The controls that support those policies
need to be consistent as well, including:

- Two-factor authentication (2FA) for sensitive data
- Privileged application management that limits and records privileged
sessions
- Privileged access governance that discovers orphan accounts and accounts
with excess access compared to their peers – in other words, that identifies
accounts outside of policy

2. Inconsistent access management and governance

Enterprises have invested significantly in access management and governance
systems to provide employees and contractors with simplified access to
resources they need, while demonstrating that least privilege is enforced
to auditors. But much of that investment has been focused on the
distributed environment. The public cloud environment is often a patchwork
of SaaS services acquired by business units, and IaaS or PaaS (primarily
AWS or Azure) used by developers.

The difficulty is that in a hybrid IT environment there is integration
between the cloud and distributed environments, so the policies and controls
actually in effect will be the most permissive ones. A centralized approach
is necessary to consistently enforce policies and provide visibility of all
access privileges and unusual usage, including:

- Identity Governance and Administration that spans all environments and
includes analytics that identify outliers
- Single sign-on that is centrally administered regardless of where the
application runs
- Integration with HR systems, so that access can be consistently assigned
and revoked
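The two governance controls described above, discovering orphan accounts (section 1) and using analytics that identify outliers while reconciling against HR (section 2), can be illustrated with a small script. This is an added example, not code from the article or from any identity governance product; the HR feed, the account exports from an on-prem directory and a SaaS application, the entitlement names and the rarity threshold are all constructed for illustration.

```python
"""Added example: orphan-account detection and peer-group outlier analysis
across a hybrid estate. All data below is constructed, not real."""
from collections import Counter

# Constructed HR feed: who is still employed and in which department.
HR_RECORDS = [
    {"employee_id": "E100", "department": "finance", "status": "active"},
    {"employee_id": "E101", "department": "finance", "status": "active"},
    {"employee_id": "E102", "department": "finance", "status": "active"},
    {"employee_id": "E103", "department": "finance", "status": "terminated"},
    {"employee_id": "E104", "department": "finance", "status": "active"},
    {"employee_id": "E200", "department": "engineering", "status": "active"},
]

# Constructed account exports, one per environment (data center AD and a SaaS ERP).
# "owner" is the HR employee id the account is mapped to; None means no mapping exists.
ACCOUNTS = [
    {"env": "datacenter-ad", "account": "alice", "owner": "E100", "entitlements": {"gl-read", "ap-approve"}},
    {"env": "datacenter-ad", "account": "bob", "owner": "E101", "entitlements": {"gl-read", "ap-approve"}},
    {"env": "saas-erp", "account": "alice@corp", "owner": "E100", "entitlements": {"gl-read"}},
    {"env": "saas-erp", "account": "carol@corp", "owner": "E102", "entitlements": {"gl-read", "domain-admin"}},
    {"env": "saas-erp", "account": "erin@corp", "owner": "E104", "entitlements": {"gl-read"}},
    {"env": "saas-erp", "account": "dave@corp", "owner": "E103", "entitlements": {"gl-read"}},  # owner left
    {"env": "saas-erp", "account": "svc-legacy", "owner": None, "entitlements": {"gl-read"}},   # no owner
]


def find_orphan_accounts(hr_records, accounts):
    """Accounts whose owner is not an active employee in HR, in any environment.
    Returns sorted (env, account) pairs so the output is stable for auditing."""
    active = {r["employee_id"] for r in hr_records if r["status"] == "active"}
    return sorted((a["env"], a["account"]) for a in accounts if a["owner"] not in active)


def find_peer_outliers(hr_records, accounts, rarity_threshold=0.34, min_peers=3):
    """Peer-group analysis: merge each active employee's entitlements across all
    environments, then flag any entitlement held by less than `rarity_threshold`
    of the active employees in the same department. Departments smaller than
    `min_peers` are skipped because a share computed over one or two people
    says nothing. Returns sorted (employee_id, entitlement, share) tuples."""
    dept_of = {r["employee_id"]: r["department"] for r in hr_records if r["status"] == "active"}
    dept_size = Counter(dept_of.values())

    ents_by_emp = {}
    for a in accounts:
        if a["owner"] in dept_of:
            ents_by_emp.setdefault(a["owner"], set()).update(a["entitlements"])

    # How many active employees in each department hold each entitlement.
    holders = {}
    for emp, ents in ents_by_emp.items():
        holders.setdefault(dept_of[emp], Counter()).update(ents)

    findings = []
    for emp, ents in ents_by_emp.items():
        dept = dept_of[emp]
        if dept_size[dept] < min_peers:
            continue
        for ent in ents:
            share = holders[dept][ent] / dept_size[dept]
            if share < rarity_threshold:
                findings.append((emp, ent, round(share, 2)))
    return sorted(findings)


if __name__ == "__main__":
    print("orphan accounts:", find_orphan_accounts(HR_RECORDS, ACCOUNTS))
    print("peer outliers:", find_peer_outliers(HR_RECORDS, ACCOUNTS))
```

Run against the constructed data, the orphan check surfaces the SaaS account still mapped to a terminated employee and the service account with no HR owner at all, both of which an on-prem-only deprovisioning integration would miss; the peer analysis flags the single finance user holding an administrative entitlement that no other finance peer has. The same two functions work unchanged on exports from any number of environments, which is the point of running governance centrally rather than per platform.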

3. Incident response procedures that don’t include service providers

Like access management and governance, most enterprises have invested
heavily in incident monitoring and response processes to minimize damage
when (not if) attackers succeed. The challenge in a hybrid environment is
that service providers need to be factored into both the monitoring and the
response processes.

Many organizations don’t adequately plan for how to engage with cloud
service providers during breaches, which can cause delays in responding.
Even though many cloud service providers have security controls that exceed
those of their customers, no security is impossible to breach. Your incident
management needs to include:

- Knowing where the service provider’s security responsibility ends and the
enterprise’s security begins
- Drills that include contacting service providers and interacting with
their staff
- Monitoring access to cloud services and any other relevant data that the
cloud provider offers

4. Irregular encryption application

Data security has been a major focus of both enterprises and cloud
providers, and encryption of data at rest is an option for either Amazon S3
buckets or Azure SQL Database. Sensitive data in transit also can and
should be encrypted, especially between enterprise and external cloud
environments.

The challenge is to apply policies consistently across the hybrid IT
environment, particularly for unstructured data. Most enterprises make
extensive use of file sharing and code repositories both hosted internally
and in the cloud that may or may not be encrypted. If employees aren’t
provided with a convenient way of sharing information, they will
self-source file sharing from companies like Dropbox or Bitbucket, without
enterprise security policies and controls. Your encryption policies should
include:

- Consistent application across the hybrid IT environment and across the
data lifecycle
- Transparency to the end user so they won’t seek ways around the controls
- Support for both structured and unstructured data

5. Poorly-maintained configurations

As new vulnerabilities are identified in existing software, such as via bug
bounty programs or revealed on “patch Tuesday”, configuration policies must
be updated and systems and applications must be patched. New server builds,
whether being deployed in the data center, or in containers in the public
cloud, also need to be built in accordance with current policies. And
records must be available to demonstrate to auditors that policies are in
place and being enforced when required by regulations, regardless of where
the infrastructure resides.

The scale of this effort in an enterprise subject to multiple regulations
can be overwhelming. Your configuration management in a hybrid environment
should include:

- Close alliances between the operations teams who maintain the automation
for deploying servers and those responsible for maintaining security
policies
- Education for operations teams on where to look for gaps in coverage
across the hybrid environment
- Configuration management that includes automated scans for configurations
that are outside of policy, and is cloud and data center compatible.
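The automated, environment-neutral policy scan called for above (section 5), covering the consistent encryption-at-rest requirement from section 4, can be sketched as follows. This is an added example, not code from the article or from any configuration management tool; the resource inventory, the attribute names, the "YYYY-MM" patch-level convention and the four policy rules are constructed for illustration, and the reference date is the article's publication date.

```python
"""Added example: scanning data center and cloud resource configurations
against one policy and producing a per-environment record for auditors.
The inventory, attributes and rules below are constructed, not real."""
from datetime import date

# Constructed inventory spanning both halves of a hybrid estate.
RESOURCES = [
    {"id": "vm-dc-01", "env": "datacenter", "kind": "server",
     "os_patch_level": "2018-06", "tls_min": "1.2", "encrypt_at_rest": True},
    {"id": "bucket-reports", "env": "cloud", "kind": "bucket",
     "encrypt_at_rest": False, "public_read": True},
    {"id": "vm-cloud-07", "env": "cloud", "kind": "server",
     "os_patch_level": "2018-03", "tls_min": "1.0", "encrypt_at_rest": True},
    {"id": "bucket-backups", "env": "cloud", "kind": "bucket",
     "encrypt_at_rest": True, "public_read": False},
]


def patch_age_days(patch_level, as_of):
    """Days since the patch baseline; 'YYYY-MM' is a constructed convention
    and the age is counted from the first day of that month."""
    year, month = (int(part) for part in patch_level.split("-"))
    return (as_of - date(year, month, 1)).days


# One policy for every environment: (rule name, kinds it applies to,
# predicate returning True when the resource is compliant).
POLICY = [
    ("encryption-at-rest", {"server", "bucket"}, lambda r, _: r.get("encrypt_at_rest") is True),
    ("no-public-read", {"bucket"}, lambda r, _: r.get("public_read") is False),
    ("tls-1.2-minimum", {"server"}, lambda r, _: r.get("tls_min") in {"1.2", "1.3"}),
    ("patched-within-90-days", {"server"},
     lambda r, as_of: patch_age_days(r["os_patch_level"], as_of) <= 90),
]


def scan(resources, policy, as_of):
    """Apply every applicable rule to every resource regardless of where it
    runs. Returns sorted (resource id, env, rule) findings for non-compliance."""
    findings = []
    for r in resources:
        for name, kinds, is_compliant in policy:
            if r["kind"] in kinds and not is_compliant(r, as_of):
                findings.append((r["id"], r["env"], name))
    return sorted(findings)


def summarize(resources, findings):
    """Per-environment counts of resources checked and findings raised: the
    kind of record an auditor can be shown to demonstrate enforcement."""
    summary = {}
    for r in resources:
        summary.setdefault(r["env"], {"checked": 0, "findings": 0})["checked"] += 1
    for _, env, _ in findings:
        summary[env]["findings"] += 1
    return summary


if __name__ == "__main__":
    results = scan(RESOURCES, POLICY, date(2018, 7, 12))
    for resource_id, env, rule in results:
        print(f"{env:10} {resource_id:16} violates {rule}")
    print(summarize(RESOURCES, results))
```

On the constructed inventory the data center server passes every rule while the cloud side yields an unencrypted, publicly readable bucket and a server behind on both TLS configuration and patching, which is exactly the kind of unevenness that appears when policy is enforced on one platform and assumed on the other. Because rules are plain predicates keyed on resource kind, adding a new environment is a matter of feeding its inventory into the same scan, not writing a second policy.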

As enterprises continue to consume more cloud infrastructure and services,
it will become increasingly critical to have a hybrid approach to
minimizing the risk of data loss. Without the luxury of standardization in
a hybrid IT environment, an intentional effort must be made to become more
consistent with policies and controls.