Make a Data-centric Security Strategy Your New Year’s Resolution
Data breaches will happen in 2019. That’s a prediction for this year that I’m very comfortable making. Another unfortunate prediction that I’ll make for 2019 is that some of you reading this post will suffer some form of breach. Since it is customary to craft New Year’s Resolutions allow me to suggest one for you to consider: Stop focusing on only securing collaboration platforms and their repositories and adopt a data-centric mindset to your information security.
It is now regrettably a case of when, not if, an organization will be breached. Whether it’s a headline grabbing breach like Marriott Hotels or NASA, or a less public, but often equally damaging, leak caused by someone within your organization accidentally, or intentionally, sharing information with someone that they should not be.
So why will a data-centric approach make a difference?
Organizations have spent billions on trying to secure their IT perimeter, the databases and other repositories that hold their data. While it is still essential to allocate budget to efforts like this, at a minimum they will at least delay or slow down a determined hacker. There needs to be more focus and resources spent on a data-centric protection to limit the damage when a breach occurs. Location-based access controls and permissions on the information repositories are typically the second level of defense that is applied. However, McKinsey showed that 50% of breaches involve some aspect of an insider element. 22% of data breaches were as a result of accidental leaks. Defenses at the perimeter and location-based access controls will provide little if any protection once someone is within your walls and has the keys to unlock your collaboration and information repositories.
A data-centric approach looks beyond the information at rest scenarios in the collaboration tools and associated repositories that traditional access controls and permissions provide. When you consider the data itself rather than the container in which it resides and how it will be created, how it will change, be used and shared across its lifetime you quickly realize that security and protection must be extended to more than just the collaboration repository. It also greatly mitigates against breaches caused by insider threats, whether that is due to compromised credentials, a deliberate leak by a disgruntled employee or a user accidentally exposing information.
A data-centric mindset also fits better with how people within and between organizations collaborate by using a variety of different tools. An approach of this type will apply regardless of where the data moves and the tools and platforms that it moves through.
The nature of collaboration means your data’s risk profile is constantly changing
To help you to get into a data-centric mindset for information security let’s consider a file that contains a sensitive piece of information for your organization. If you are the person typing the keys on your IT provided laptop while sitting in your corporate office that first brings this information into the electronic world then the risk associated with it leaking out is relatively low. As you save it to either your on-premises or cloud-based collaboration system this risk profile increases a little. Later, you access it on your own device from home to make some edits. Then once again the following day from your local coffee shop. You then share it with other members of your team. A colleague adds some additional information to make this file one of the most critical pieces of information for your entire organization. At each stage the risk profile has changed.
Is it enough to try to mitigate the risk solely based on whether you allow or do not allow access to the file? Would restricting access to only IT provided machines or from office locations be any better? In the modern workplace this would not work for several reasons. Location-based access permissions rely on the sensitive information being placed in the correct place. Even if something is initially placed in the correct location in the above scenario the level of sensitivity changed over time, yet the file very likely remained in the same place within the collaboration system.
How would location-based control mitigate the risk for the above case? It would have to rely on the users to recognize the increased risk profile of the file and to move it to the correctly secured location. Is that going to happen 100% of the time? And is it realistic to expect users to only require access from the office or from an IT provided machine? Even using a VPN when working from a remote location has its security limitations. Regardless of whether this was kind of access control limitations was acceptable, all that has been achieved at this point is controlling initial access. How do we protect the information while it is in transit as people use and share the files? What about controlling the other things that a user can do once they access the file?
How a data-centric approach works
The data-centric approach goes beyond the initial access to information. It considers what you wish a user to be able to do once they have access. Let’s go back to our scenario from before. The file is now highly sensitive and has been shared with colleagues. What do you want them to be able to do with the file? Do you want them to be able to invite other people to access the file? Do you want them to be able to edit the file? Save a copy that could then be sent to someone else? How do you keep a level of control when the file is shared with someone who is external to your organization?
Location based access controls fail miserably at this point. Even if you do secure the location and prevent users from inviting others to the collaboration space what happens then? Simple, the users that do have access will find another way to share the information. In most cases, they are not doing this maliciously but instead feel that this needs to be done in order to get their work done. It’s why 70% of organizations suffer from having data in rogue clouds. Shadow IT is very much still with us and our tech-savvy user base will continue to find ways around IT tools if they feel that they are preventing them from achieving their business goals. Information security must provide the protection necessary to mitigate risk from data loss but at the same time be flexible enough to allow users to work and collaborate how they wish.
Security that adjusts as the data and user risk profile changes
A data-centric approach respects the boundaries and capabilities of the data repository. But it also recognizes that protection must also be applied when a file is in transit during the collaboration and sharing process as the data leak risk profile changes. Furthermore, this must be achieved without negatively impacting a user’s ability to get their job done. The key to the approach is recognizing that the content within the file and the context of the user accessing the file must both be used to determine the type of access and protection that is needed.
When the sensitivity of the content changes over time the protection must identify when this occurs and dynamically adapt the access or usage rights accordingly. The same is true for users. The policies and systems must recognize that users need access across a variety of devices and locations. The protection mechanisms must once again be dynamic enough to recognize the context of the user and make the appropriate adjustments on the fly. Different users will be allowed different usage rights, some will be allowed full control to edit the file and share it as they see fit while others may only be allowed to view the file. The same file being accessed by the same user can also have different protection based on the device or location. In the office, allow the file to be fully opened on the local machine in Word etc. but while in the local coffee shop or from a mobile device only allow the file to be viewed within a secure browser.
Make a data-centric security strategy your New Year’s Resolution
The traditional location-based access controls that only provide a binary allow or do not allow access to information does not fit with how users need to work and collaborate in the modern workplace. Equally, securing your sensitive information by beefing up perimeter security alone in 2019 will unfortunately not be enough to guarantee protection from external hackers and does little to protect from accidental or malicious insider threats. Only adopting a data-centric approach that utilizes both file content and user context to provide dynamic access and in-transit protection will provide the level of information security that you need in 2019 and beyond.
Read our latest white paper 5 Data Security Challenges to Modern Collaboration on how data security needs have changed as collaboration has moved data beyond fixed office locations and corporate firewalls, cybersecurity threats have increased and new regulations have come into effect. Learn about the 5 biggest data security challenges to modern collaboration and how to mitigate them using a data-centric security strategy.