Cloud | Commentary
8/8/2016 08:00 AM
Dan Frank

Data Protection From The Inside Out

Organizations must make fundamental changes in the way they approach data protection.

Despite many organizations’ significant cybersecurity investments, sensitive data breaches continue to occur at an alarming rate and have a devastating impact. There are many reasons why these breaches and their effects continue to occur: the rapidly rising rate of data collection and storage, business and technology innovation (e.g., the Internet of Things and cloud computing), the extended enterprise, inherently flawed technology, and reliance on outdated security standards and corresponding controls that can’t keep up with attack vectors. Cyber attackers are extremely skilled, well funded, and organized. If an organization has something desirable (such as personal information or intellectual property), attackers will stop at nothing to get inside.

Organizations need to fundamentally change their approach to data protection. For decades, many organizations have spent their time, money, and resources on traditional approaches to data protection and corresponding controls (including identity and access management, vulnerability management, and application security) with the intent of keeping cyber adversaries out of their network and applications and off of their infrastructure. However, breach trends show that although these fundamentals are necessary, relying solely on them isn’t enough and doesn’t work. Organizations need to acknowledge that their cyber adversaries can reach their most sensitive data, and focus more of their time, money, and resources on solutions at the data layer itself.

Data protection from the inside out doesn’t mean that traditional data protection capabilities aren’t necessary or that we should throw our hands in the air and quit. Organizations must continue to implement and maintain these basic capabilities. However, these traditional data protection measures need to be viewed as more of a deterrent to cyber threats than a complete fix. As an organization, view and treat your cyber adversaries the same way you would treat a common criminal targeting your own home.

For example, common criminals are less likely to break into a house with basic security measures (locks, fence, alarm system, camera/surveillance system, dog). However, if you have something they really want (say, jewelry), are these measures really going to stop them from getting in? No, a determined and sophisticated criminal is going to spend the time and money, and work with the right team, to get into the house and find your valuables. However, as an additional measure, you could store your valuables in a secure safe within the house. That would help protect your valuables “from the inside out.”

Inventorying and classifying sensitive data and assets, as well as maintaining the inventory, is the foundation of your efforts, and incredibly important to data protection. However, many organizations either don’t have an inventory; think they have one, but in reality don’t; or create an inventory without a means to keep it up to date and accurate. Not to oversimplify, but you can’t protect what you don’t know you have. You can’t universally apply data protection capabilities and technologies (e.g., encryption) to “all” of your data because of the cost, and the effectiveness of some data protection solutions (e.g., data loss prevention) is limited without data classification.

Implementing data protection capabilities at the data layer can help to both prevent and detect data breaches at an organization’s last line of defense. These capabilities include preventative solutions such as information rights management, as well as detective solutions such as data loss prevention, data access governance, and database activity monitoring. The adoption rate of these solutions seems to be relatively slow, and even when they’re implemented, their full capabilities often aren’t utilized.

Reducing the value of sensitive data is perhaps the most important principle, and it’s based on the premise that it’s not “if” but “when” a data breach will occur at your organization. One way to reduce the value of sensitive data is to encrypt, tokenize, or obfuscate the data to render it difficult to use when compromised. A second way to reduce the value of sensitive data is to securely destroy it when it’s no longer necessary for legitimate legal or business purposes.
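The two ways of reducing the value of sensitive data named above, tokenization and retention-based destruction, shown in code. This is an added example, not code from the article or its author; the in-memory vault, the sample records, the 180-day retention period and the reference date are assumptions made for illustration.

```python
import secrets
from datetime import date, timedelta

# Constructed sample records; the card numbers (PANs) are made up.
RECORDS = [
    {"id": 1, "pan": "4111222233334444", "last_used": date(2016, 1, 5)},
    {"id": 2, "pan": "5500111122223333", "last_used": date(2016, 7, 20)},
]
RETENTION = timedelta(days=180)  # assumed retention period
TODAY = date(2016, 8, 8)         # assumed reference date for the retention check


class TokenVault:
    """Token -> real value. In practice this store is a separately secured
    system; an in-memory dict stands in for it here."""

    def __init__(self):
        self._vault = {}

    def tokenize(self, value):
        # A random token reveals nothing about the value. A hash would not do:
        # 16-digit card numbers are cheap to brute-force. The last four digits
        # stay in the clear for display, which does not identify the card alone.
        token = "tok_%s_%s" % (secrets.token_hex(8), value[-4:])
        self._vault[token] = value
        return token

    def detokenize(self, token):
        return self._vault[token]  # KeyError once the value has been destroyed

    def destroy(self, token):
        self._vault.pop(token, None)


def tokenize_records(records, vault):
    """Return copies of the records with the PAN replaced by a vault token."""
    return [dict(rec, pan=vault.tokenize(rec["pan"])) for rec in records]


def purge_expired(records, vault, today=TODAY):
    """Destroy the vault entry of every record unused longer than RETENTION and
    drop the record; what no longer exists cannot be breached. Returns the rest."""
    kept = []
    for rec in records:
        if today - rec["last_used"] > RETENTION:
            vault.destroy(rec["pan"])
        else:
            kept.append(rec)
    return kept
```

A copy of the tokenized records alone is worthless without the vault, and once a record passes its retention period neither the record nor the vault entry remains to be stolen.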

Protecting sensitive data is a complex challenge that requires a holistic and comprehensive data protection strategy, executive support, and investment of time, talent, and funding. Implementing individual data-centric solutions in a siloed manner, and without integration, can lead to critical gaps in an organization’s security. Traditional measures alone are no longer sufficient, so it’s time to change the game.

Dan Frank currently leads Deloitte & Touche LLP's Privacy and Data Protection service offering in North America. His professional experience includes 19 years in privacy, data protection and cyber risk management. He has helped numerous organizations with various aspects of ...
Comments
MACY_TORREY, 8/17/2016 | 2:45:24 PM
Consolidation is Key!
One positive strategy to address this moving forward might be to consolidate security products with vendors that provide the ability to secure data from the inside out - starting at the source as data is created. It's much harder than just securing the perimeter and will likely take time to increase security budgets globally to truly address this. Enjoyed the article.