Dark Reading
Cloud
8/8/2016 08:00 AM
Dan Frank
Commentary
Data Protection From The Inside Out

Organizations must make fundamental changes in the way they approach data protection.

Despite many organizations’ significant cybersecurity investments, sensitive data breaches continue to occur at an alarming rate and have a devastating impact. There are many reasons why these breaches and corresponding effects continue to occur, such as the quickly rising rate of data collection and increasing storage, business and technology innovation (e.g., the Internet of Things and cloud computing), the extended enterprise, inherently flawed technology, and the reliance on outdated security standards and corresponding controls that can’t keep up with attack vectors. Cyber attackers are extremely skilled, well funded, and organized. If an organization has something desirable (such as personal information and intellectual property), attackers will stop at nothing to get inside.

Organizations need to fundamentally change their approach to data protection. For decades, many organizations have spent their time, money, and resources on traditional approaches to data protection and corresponding controls (including identity and access management, vulnerability management, and application security) with the intent of keeping cyber adversaries out of their network and applications and off of their infrastructure. However, breach trends show that although these fundamentals are necessary, relying solely on them isn’t enough and doesn’t work. Organizations need to acknowledge that their cyber adversaries can reach their most sensitive data, and focus more of their time, money, and resources on solutions at the data layer itself.

Data protection from the inside out doesn’t mean that traditional data protection capabilities aren’t necessary or that we should throw our hands in the air and quit. Organizations must continue to implement and maintain these basic capabilities. However, these traditional data protection measures need to be viewed as more of a deterrent to cyber threats than a complete fix. As an organization, view and treat your cyber adversaries the same way you would treat a common criminal targeting your own home.

For example, common criminals are less likely to break into a house with basic security measures (locks, fence, alarm system, camera/surveillance system, dog). However, if you have something they really want (say, jewelry), are these measures really going to stop them from getting in? No, a determined and sophisticated criminal is going to spend the time and money, and work with the right team, to get into the house and find your valuables. However, as an additional measure, you could store your valuables in a secure safe within the house. That would help protect your valuables “from the inside out.”

Inventorying and classifying sensitive data and assets, as well as maintaining the inventory, is the foundation of your efforts, and incredibly important to data protection. However, many organizations either don’t have an inventory; think they have one, but in reality don’t; or create an inventory without a means to keep it up to date and accurate. Not to oversimplify, but you can’t protect what you don’t know you have. You can’t universally apply data protection capabilities and technologies (e.g., encryption) to “all” of your data because of the cost, and the effectiveness of some data protection solutions (e.g., data loss prevention) is limited without data classification.
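The inventory-and-classification step above is the kind of thing that is easy to describe and easy to let rot. The following is an added example, not code from the article or from Deloitte: it scans a small constructed set of data stores, labels each column by the kind of sensitive data found in it (email, SSN-like identifiers, payment card numbers validated with the Luhn check), fingerprints the result, and diffs a later scan against the earlier one so the inventory can be kept current rather than built once. The store names, record contents, and label names are all assumptions made for the illustration.

```python
import hashlib
import re

# Constructed sample data standing in for two tables in an organization's data stores.
SAMPLE_STORES = {
    "crm.customers": [
        {"id": 1, "email": "alice@example.com", "phone": "555-0100", "notes": "prefers email"},
        {"id": 2, "email": "bob@example.com", "phone": "555-0101", "notes": "card 4111111111111111 on file"},
    ],
    "hr.payroll": [
        {"emp": "E-17", "ssn": "123-45-6789", "salary": 82000},
    ],
}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; used to cut down false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_value(value) -> set:
    """Return the set of sensitivity labels (assumed taxonomy) that apply to one value."""
    labels = set()
    text = str(value)
    if EMAIL_RE.match(text):
        labels.add("PII:email")
    if SSN_RE.search(text):
        labels.add("PII:ssn")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            labels.add("PCI:pan")
    return labels


def build_inventory(stores: dict) -> dict:
    """Per store: labels seen in each column plus a fingerprint of schema and labels."""
    inventory = {}
    for store, rows in stores.items():
        columns = {}
        for row in rows:
            for col, val in row.items():
                columns.setdefault(col, set()).update(classify_value(val))
        summary = sorted((c, sorted(l)) for c, l in columns.items())
        fingerprint = hashlib.sha256(repr(summary).encode()).hexdigest()
        inventory[store] = {"columns": dict(summary), "fingerprint": fingerprint}
    return inventory


def sensitive_stores(inventory: dict) -> list:
    """Stores that hold at least one labelled column; the protection budget goes here first."""
    return sorted(s for s, info in inventory.items() if any(info["columns"].values()))


def diff_inventory(old: dict, new: dict) -> dict:
    """What changed between two scans, so the inventory is maintained rather than built once."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(s for s in set(old) & set(new)
                          if old[s]["fingerprint"] != new[s]["fingerprint"]),
    }


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_STORES)
    for store, info in inv.items():
        print(store, info["columns"])
    print("sensitive:", sensitive_stores(inv))
```

Running the scan on a schedule and alerting on a non-empty `diff_inventory` result is what turns a one-off inventory into one that stays accurate; the free-text `notes` column picking up a card number is the typical case an annual spreadsheet exercise misses.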

Implementing data protection capabilities at the data layer can help to both prevent and detect data breaches at an organization’s last line of defense. These capabilities include preventative solutions such as information rights management, as well as detective solutions such as data loss prevention, data access governance, and database activity monitoring. The adoption rate of these solutions seems to be relatively slow, and even when they’re implemented, their full capabilities often aren’t utilized.
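Of the detective controls listed above, database activity monitoring is the one that most directly watches the last line of defense. The block below is an added example, not the article's or any vendor's code: it runs a few simple rules over constructed database audit log lines (the `timestamp|user|client|rows|statement` format is assumed) and flags reads of tables that the data inventory marked sensitive when they come from an unexpected client, exceed a principal's normal row volume, or happen outside business hours. The table list, per-principal baseline, and thresholds are all assumptions for the illustration.

```python
import re
from datetime import datetime

# Constructed audit log lines (assumed format: ts|user|client|rows_returned|statement).
AUDIT_LOG = """\
2016-08-08T09:12:01|app_svc|10.0.1.20|1|SELECT name FROM customers WHERE id = 42
2016-08-08T09:12:05|app_svc|10.0.1.20|1|UPDATE customers SET last_login = now() WHERE id = 42
2016-08-08T02:40:11|dba_jo|10.0.9.7|250000|SELECT * FROM payroll
2016-08-08T14:03:44|report_svc|10.0.1.31|1200|SELECT id, email FROM customers WHERE region = 'EU'
2016-08-08T14:05:10|app_svc|10.0.1.20|1|SELECT balance FROM accounts WHERE id = 7
2016-08-08T23:58:02|app_svc|10.0.3.99|90000|SELECT ssn, salary FROM payroll
"""

# Tables the (assumed) data inventory classified as sensitive; only these are in scope.
SENSITIVE_TABLES = {"customers", "payroll"}

# Assumed access baseline per principal: normal source subnets and a row-count ceiling.
BASELINE = {
    "app_svc": {"clients": {"10.0.1."}, "max_rows": 100},
    "report_svc": {"clients": {"10.0.1."}, "max_rows": 5000},
    "dba_jo": {"clients": {"10.0.9."}, "max_rows": 1000},
}
BUSINESS_HOURS = range(7, 20)  # 07:00 to 19:59, assumed
TABLE_RE = re.compile(r"\b(?:FROM|INTO|UPDATE|JOIN)\s+([A-Za-z_][A-Za-z0-9_]*)", re.I)


def parse_line(line: str) -> dict:
    ts, user, client, rows, stmt = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "client": client, "rows": int(rows), "stmt": stmt}


def tables_in(stmt: str) -> set:
    """Table names referenced by a statement (simple regex, enough for these rules)."""
    return {m.lower() for m in TABLE_RE.findall(stmt)}


def evaluate(event: dict) -> list:
    """Names of the rules an event violates; an empty list means the access looks normal."""
    findings = []
    if not tables_in(event["stmt"]) & SENSITIVE_TABLES:
        return findings  # non-sensitive tables are not in scope for these rules
    profile = BASELINE.get(event["user"])
    if profile is None:
        findings.append("unknown_principal")
    else:
        if not any(event["client"].startswith(p) for p in profile["clients"]):
            findings.append("unexpected_client")
        if event["rows"] > profile["max_rows"]:
            findings.append("bulk_read")
    if event["ts"].hour not in BUSINESS_HOURS:
        findings.append("off_hours")
    return findings


def scan(log_text: str) -> list:
    """Return (timestamp, user, sorted rule names) for every event that trips a rule."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        hits = evaluate(ev)
        if hits:
            alerts.append((ev["ts"].isoformat(), ev["user"], sorted(hits)))
    return alerts


if __name__ == "__main__":
    for alert in scan(AUDIT_LOG):
        print(alert)
```

The point of gating on `SENSITIVE_TABLES` is the link back to the inventory: without classification, the same rules fire on every table and the monitoring becomes noise that gets switched off, which is one way a deployed control ends up with its capabilities unused.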

Reducing the value of sensitive data is perhaps the most important principle, and it’s based on the premise that it’s not “if” but “when” a data breach will occur at your organization. One way to reduce the value of sensitive data is to encrypt, tokenize, or obfuscate the data to render it difficult to use when compromised. A second way to reduce the value of sensitive data is to securely destroy it when it’s no longer necessary for legitimate legal or business purposes.
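Both ways of reducing the value of data described above can be shown in one small model. The following is an added example, not code from the article: application records have their card and SSN fields replaced by random tokens, the only mapping back lives in a separate vault object, and the vault destroys mappings once a retention period has passed. The `exposure` helper counts how many real values a copy of the application dataset would hand to someone who stole it. The record contents, retention period, and the in-memory vault are assumptions; a real tokenization vault is a separately controlled system.

```python
import secrets
from datetime import datetime, timedelta, timezone

# Constructed application records containing two kinds of sensitive fields.
RECORDS = [
    {"order": "A100", "pan": "4111111111111111", "ssn": "123-45-6789"},
    {"order": "A101", "pan": "5500000000000004", "ssn": "987-65-4321"},
]


class TokenVault:
    """Holds the only mapping from tokens back to values. In-memory here (assumption);
    in practice this is a separate, tightly access-controlled system."""

    def __init__(self, retention: timedelta):
        self._store = {}  # token -> (value, stored_at)
        self._retention = retention

    def tokenize(self, value: str, now: datetime) -> str:
        # Random token: carries no information about the value it replaces.
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = (value, now)
        return token

    def detokenize(self, token: str) -> str:
        if token not in self._store:
            raise KeyError("unknown or destroyed token")
        return self._store[token][0]

    def purge_expired(self, now: datetime) -> int:
        """Secure destruction step: drop mappings older than the retention period."""
        expired = [t for t, (_, stored_at) in self._store.items()
                   if now - stored_at > self._retention]
        for t in expired:
            del self._store[t]
        return len(expired)

    def __len__(self) -> int:
        return len(self._store)


def tokenize_records(records: list, fields: list, vault: TokenVault, now: datetime) -> list:
    """Copy of the records with the named fields replaced by vault tokens."""
    out = []
    for rec in records:
        copy = dict(rec)
        for f in fields:
            if f in copy:
                copy[f] = vault.tokenize(copy[f], now)
        out.append(copy)
    return out


def exposure(records: list, sensitive_values: list) -> int:
    """How many of the known sensitive values appear verbatim in a dataset."""
    blob = " ".join(str(v) for r in records for v in r.values())
    return sum(1 for s in sensitive_values if s in blob)


def run_demo() -> dict:
    t0 = datetime(2016, 8, 8, tzinfo=timezone.utc)
    vault = TokenVault(retention=timedelta(days=90))
    sensitive = [r["pan"] for r in RECORDS] + [r["ssn"] for r in RECORDS]
    app_data = tokenize_records(RECORDS, ["pan", "ssn"], vault, t0)
    recovered = vault.detokenize(app_data[0]["pan"])       # works while the mapping exists
    purged = vault.purge_expired(t0 + timedelta(days=91))   # retention elapsed: destroy
    try:
        vault.detokenize(app_data[0]["pan"])
        recoverable_after_purge = True
    except KeyError:
        recoverable_after_purge = False
    return {
        "exposure_before": exposure(RECORDS, sensitive),
        "exposure_after": exposure(app_data, sensitive),
        "recovered": recovered,
        "purged": purged,
        "remaining": len(vault),
        "recoverable_after_purge": recoverable_after_purge,
    }


if __name__ == "__main__":
    print(run_demo())
```

The thing to notice is where the risk moves: a stolen copy of `app_data` is worthless on its own, so protection effort concentrates on the vault, and once `purge_expired` has run the data is gone from there too, which is the "when, not if" premise applied in practice.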

Protecting sensitive data is a complex challenge that requires a holistic and comprehensive data protection strategy, executive support, and investment of time, talent, and funding. Implementing individual data-centric solutions in a siloed manner, and without integration, can lead to critical gaps in an organization’s security. Traditional measures alone are no longer sufficient, so it’s time to change the game.

Dan Frank currently leads Deloitte & Touche LLP's Privacy and Data Protection service offering in North America. His professional experience includes 19 years in privacy, data protection and cyber risk management. He has helped numerous organizations with various aspects of ...

Comments
MACY_TORREY,
User Rank: Apprentice
8/17/2016 | 2:45:24 PM
Consolidation is Key!
One positive strategy to address this moving forward might be to consolidate security products with vendors that provide the ability to secure data from the inside out - starting at the source as data is created.   It's much harder than just securing the perimeter and will likely take time to increase security budgets globally to truly address this.  Enjoyed the article.