Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

8/8/2016
08:00 AM
Dan Frank
Dan Frank
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Data Protection From The Inside Out

Organizations must make fundamental changes in the way they approach data protection.

Despite many organizations’ significant cybersecurity investments, sensitive data breaches continue to occur at an alarming rate and have a devastating impact. There are many reasons why these breaches and corresponding effects continue to occur, such as the quickly rising rate of data collection and increasing storage, business and technology innovation (e.g., the Internet of Things and cloud computing), the extended enterprise, inherently flawed technology, and the reliance on outdated security standards and corresponding controls that can’t keep up with attack vectors. Cyber attackers are extremely skilled, well funded, and organized. If an organization has something desirable (such as personal information and intellectual property), attackers will stop at nothing to get inside.

Organizations need to fundamentally change their approach to data protection. For decades, many organizations have spent their time, money, and resources on traditional approaches to data protection and corresponding controls (including identity and access management, vulnerability management, and application security) with the intent of keeping cyber adversaries out of their network and applications and off of their infrastructure. However, breach trends show that although these fundamentals are necessary, relying solely on them isn’t enough and doesn’t work. Organizations need to acknowledge that their cyber adversaries can reach their most sensitive data, and focus more of their time, money, and resources on solutions at the data layer itself.

Data protection from the inside out doesn’t mean that traditional data protection capabilities aren’t necessary or that we should throw our hands in the air and quit. Organizations must continue to implement and maintain these basic capabilities. However, these traditional data protection measures need to be viewed as more of a deterrent to cyber threats than a complete fix. As an organization, view and treat your cyber adversaries in the same way you would treat a common criminal on your own.

For example, common criminals are less likely to break into a house with basic security measures (locks, fence, alarm system, camera/surveillance system, dog). However, if you have something they really want (say, jewelry), are these measures really going to stop them from getting in? No, a determined and sophisticated criminal is going to spend the time and money, and work with the right team, to get into the house and find your valuables. However, as an additional measure, you could store your valuables in a secure safe within the house. That would help protect your valuables “from the inside out.”

Inventorying and classifying sensitive data and assets, as well as maintaining the inventory, is the foundation of your efforts, and incredibly important to data protection. However, many organizations either don’t have an inventory; think they have one, but in reality don’t; or create an inventory without a means to keep it up to date and accurate. Not to oversimplify, but you can’t protect what you don’t know you have. You can’t universally apply data protection capabilities and technologies (e.g., encryption) to “all” of your data because of the cost, and the effectiveness of some data protection solutions (e.g., data loss prevention) is limited without data classification.

Implementing data protection capabilities at the data layer can help to both prevent and detect data breaches at an organization’s last line of defense. These capabilities include preventative solutions such as information rights management, as well as detective solutions such as data loss prevention, data access governance, and database activity monitoring. The adoption rate of these solutions seems to be relatively slow, and even when they’re implemented, their full capabilities often aren’t utilized.

Reducing the value of sensitive data is perhaps the most important principle, and it’s based on the premise that it’s not “if” but “when” a data breach will occur at your organization. One way to reduce the value of sensitive data is to encrypt, tokenize, or obfuscate the data to render it difficult to use when compromised. A second way to reduce the value of sensitive data is to securely destroy it when it’s no longer necessary for legitimate legal or business purposes.

Protecting sensitive data is a complex challenge that requires a holistic and comprehensive data protection strategy, executive support, and investment of time, talent, and funding. Implementing individual data-centric solutions in a siloed manner, and without integration, can lead to critical gaps in an organization’s security. Traditional measures alone are no longer sufficient, so it’s time to change the game.

Related Content:

 

 

Dan Frank currently leads Deloitte & Touche LLP's Privacy and Data Protection service offering in North America. His professional experience includes 19 years in privacy, data protection and cyber risk management. He has helped numerous organizations with various aspects of ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MACY_TORREY
50%
50%
MACY_TORREY,
User Rank: Apprentice
8/17/2016 | 2:45:24 PM
Consildation is Key!
One positive strategy to address this moving forward might be to consolidate security products with vendors that provide the ability to secure data from the inside out - starting at the source as data is created.   It's much harder than just securing the perimeter and will likely take time to increase security budgets globally to truly address this.  Enjoyed the article.
Can Your Patching Strategy Keep Up with the Demands of Open Source?
Tim Mackey, Principal Security Strategist, CyRC, at Synopsys,  6/18/2019
Florida Town Pays $600K to Ransomware Operators
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12928
PUBLISHED: 2019-06-24
The QMP migrate command in QEMU version 4.0.0 and earlier is vulnerable to OS command injection, which allows the remote attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server.
CVE-2019-12929
PUBLISHED: 2019-06-24
The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command injection, which allows the attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server.
CVE-2019-12936
PUBLISHED: 2019-06-23
BlueStacks App Player 2, 3, and 4 before 4.90 allows DNS Rebinding for attacks on exposed IPC functions.
CVE-2019-12937
PUBLISHED: 2019-06-23
apps/gsudo.c in gsudo in ToaruOS through 1.10.9 has a buffer overflow allowing local privilege escalation to the root user via the DISPLAY environment variable.
CVE-2019-12935
PUBLISHED: 2019-06-23
Shopware before 5.5.8 has XSS via the Query String to the backend/Login or backend/Login/load/ URI.