[BreachExchange] Data security matters more than ever in the new normal

[Destry Winant]

https://www.helpnetsecurity.com/2020/06/30/approaches-to-data-security/

Even before lockdowns, there was a steady migration toward more
flexible workforce arrangements. Given the new normal of so many more
people working from home—on top of a pile of evidence showing that
productivity and quality of life typically go up with remote work—it
is inevitable that many more companies will continue to offer those
arrangements even as stay-at-home orders are lifted.

Unfortunately, a boom in remote access goes hand-in-hand with an
increased risk to sensitive information. Verizon reports that 30
percent of recent data breaches were a direct result of the move to
web applications and services.

Data is much harder to track, govern, and protect when it lives inside
a cloud. In large part, these threats are associated with
internet-exposed storage.

Emerging threat matrix

Traditionally, system administrators rely on perimeter security to
stop outside intruders, yet even the most conscientious are exposed
after a single missed or delayed update. Beyond that, insiders are
widely considered the biggest threat to data security.

Misconfiguration accounts for the vast majority of insider errors. It
is usually the result of failure to properly secure cloud storage or
firewall settings, and largely relates to unsecured databases or file
storage that are directly exposed on a cloud service.

In many cases, employees mislabel private documents by setting storage
privileges to public. According to the Verizon report, among financial
services and insurance firms, this is now the second most common type
of misconfiguration error.

Addressing this usually means getting open sharing under control,
figuring out where sensitive data resides and who owns it, and running
a certificate program to align data access with organizational needs.

Optimistically, companies hope that a combination of technological
safeguards and diligence on the part of users—whether employees,
partners, or customers—will eliminate, or at least minimize, costly
mistakes.

Other internal threats come as a part of a cloud migration or backup
process, where a system admin or DBA will often stand up an instance
of data on a cloud platform but fail to put inconvenient but necessary
access controls in place.

Consider the example of cloud data warehouses. Providers such as
Amazon, Google, and Snowflake now make it simple to store vast
quantities of data cheaply, to migrate data easily, and to scale up or
down at will. Little wonder that these services are growing so
quickly.

Yet even the best services need some help when it comes to tracking
data access. Some tools makes it easy to authenticate remote users
before letting them inside the gate of the cloud data warehouse. After
that, though, things often get murky. Who is accessing which data, how
much of it, when, and from where?

These are issues that every company must confront. That data is ripe
for exploitation by dishonest insiders, or by careless employees, with
serious consequences. In more fortunate circumstances, it is
discovered by security teams, or by management who make an irate call
to the CISO.

Born in the cloud

More approaches to data security that are born in the cloud are now
appearing, and the new normal means the enterprise is motivated to
adapt. As most organizations turn to the cloud for what used to be
on-premises IT deployments, the responsibility and techniques to
secure the infrastructure and applications that hold data are also
being moved to the cloud.

For instance, infrastructure-as-a-service (IaaS) provides virtualized
computing resources like virtual firewalls and network security
hardware, and virtual intrusion detection and prevention, but these
are an intermediate step at best.

The idea is that IaaS can offer a set of defenses at scale for all of
a cloud provider’s customers, built into the platform itself, which
will relieve an individual cloud customer from having to do many of
the things that used to be on-premises data-protection requirements.

But what has really changed? A top certification may be enough to be
called “above average” data security, but in reality that security
still remains totally contingent on perimeter defenses, hardware
appliances, and proper configurations by system administrators and
DBMs. And it’s still only as good as the data hygiene of end users.
There are a lot of “ifs” and “buts,” which is nothing new.

Data Security-as-a-Service (DSaaS) complements IaaS as it integrates
data protection at the application layer. This places data access
services in the path between users who want data and the data itself.
It is also portable because it goes where the application goes.

Developers can embed data access governance and protection into
applications through a thin layer of technology wrapped around
database drivers or APIs, which all applications use to connect to
their databases. An obvious advantage is that this is more easily
maintained over time.

Shared responsibility

Data security is a shared responsibility among security pros, end
users, and cloud providers. As the new normal becomes reality, shared
responsibility means that a cloud provider handles the underlying
network security such that the cloud infrastructure ensures basic,
customer-level network isolation and secure physical routers and
switches.

>From here, under the DSaaS model the cloud service provider offers
DSaaS—or else the customer provisions it through a third party—as a
set of automated data security components that complete a secure cloud
environment.

This makes it possible to govern each user at a granular level so that
they access only the types of data they should, and perform only those
actions with the data for which they are authorized. CISOs can
implement and adapt rulesets to govern the flow of data by type and
role. In terms of data protection, application-layer data security
makes it possible to isolate and block bad traffic, including
excessive data volumes, down to an individual user.

>From this perspective, DSaaS can act as both an intrusion detection
system (IDS) and intrusion prevention system (IPS). It can inspect
data access and analyze it for intrusion attempts or vulnerabilities
in workload components that could potentially exploit a cloud
environment, and then automatically stop data access in progress until
system admins can look into the situation.

At this level it is also feasible to log data activity such as what
each user does with the data they access, satisfying both security and
compliance—a notable accomplishment, considering that the two
functions are often at odds with one another.

Incorporating security at the application layer also offers data
protection capabilities that are similar to network intrusion
appliances, or security agents that reside at the OS level on a
virtual machine or at the hypervisor level.

Moreover, DSaaS governance and protection is so fine-grained that it
does not inhibit traffic flow, data availability, and uptime even in
the face of multiple sustained attacks.

Everyone is talking about how the “new normal” is impacting data
security, but the enterprise was well on this path before the
pandemic. It is tempting for vigilance to give rise to pessimism since
data security has too often been a laggard, and an inventory of the
cloud data-security bona fides of most companies is not encouraging.

However, data protection and governance can be assured should we adopt
shared models for responsibility and finely tuned, application-level
controls. It’s a new world and we can be ready for it.