This post first appeared on Risk Management Magazine.
Data is the lifeblood of the modern enterprise and underpins most strategic business decisions a company makes. As such, organizations constantly work to maintain high levels of data security and protect valuable data assets. While most defensive efforts are applied to outside-the-firewall threats, inside-the-firewall data access can create equal risk—making database access authorization one of the most critical components of information security and risk management.
This source of corporate vulnerability is quickly rising to a top security concern. As such, C-level business executives and CISOs need to strongly consider supporting the adoption of new data access management tools and methods that will help them understand and measure exactly where their data is, how it is accessed and by whom, how much data is downloaded, and when and from where. This is not fundamentally a technical issue: it impacts business liability, compliance and productivity as well. And it is no longer optional.
Who Is Accessing Your Business Data?
Virtually all organizations are struggling to keep up with controls around their data. But a three-part challenge is creating major complexities and risks at levels that we have not experienced before:
- In a fully connected digital world, adversaries are becoming more sophisticated in their vulnerability exploits. In addition, state-sponsored attacks are becoming the norm.
- Several business functions have found new value in large stores of enterprise data, and are demanding it at an extremely fast pace. Marketing teams are aggressively trying to find ways to produce more leads, while operations teams use data to provide a better customer experience or innovate cost reduction practices, and financial teams use data to prepare better budgeting. Shadow IT is being used aggressively because IT functions cannot keep up with these teams’ needs while also maintaining proper compliance. Further, customer data has actual and often significant value. Companies like Facebook and Google have created a market to sell access to or use of that data, and companies are collaborating in new ways to combine data and identify digital synergies.
- Many new regulatory efforts are enforcing the application of basic data security principles. More than ever, government entities are imposing responsibilities on data owners. In addition, frequent data breaches are raising the bar on what can be defined as “standard of care” principles that regulators and courts expect organizations to institute and maintain. So when breaches happen, not only will regulators ask questions about the breached data, but you will also have to prove that your organization made all reasonable efforts to avoid being breached in the first place. That requires demonstrating how you are meeting these standard of care expectations.
As time-deprived teams hustle to execute business objectives, instant access to data has become a default expectation. But there is a careful balance needed between pursuing enterprise objectives set at executive levels and correctly managing data access in highly complex environments with users moving at a business pace.
That needs to be reconciled with the additional balancing act of senior leadership continually weighing the costs of a potential breach with the costs of compliance. It is well known that cybersecurity budgets have skyrocketed in recent years, and will only continue to increase. Yet with the bulk of resources being directed toward outside-the-firewall protection, IT teams are generally just maintaining basic internal data controls.
It remains technically challenging to translate the risks and appropriate protections associated with all of an enterprise’s data to the bottom line concerns of the C-level. It is incredibly complex to manage who needs and has access to data beyond the application level. Typical security tools like firewalls, load balancers and other network protections simply do not prevent inside threats.
There Are Gaps in Your Security Framework
If you get breached and the Federal Trade Commission asks about stolen data, are you ready to answer simple questions like “What data was stolen?” and “How much data was stolen?” If you cannot, their follow-up question will certainly be “How many records did you have?” If you do not know that or other vital information—like who has touched your data and when—it is clear you do not have visibility into your IT infrastructure.
Although network security has been around since the 1990s, this technology typically does not include the tools needed to answer such data-centric questions. Where are the gaps?
In current security formats, there are three levels of protection around data: Network/Perimeter, Endpoint and Application. Unfortunately, determined attackers have often been able to bypass these layered security safeguards. Recall the infamous breaches of Yahoo, Equifax, eBay, Target, Uber, Home Depot and numerous others. How is this happening?
Network/Perimeter controls get bypassed by jumping the perimeter either through exploiting weak vendor controls or by finding ways to physically or logically get inside your network. And cloud-based applications have expanded and blurred the perimeter, making it much harder to defend.
Endpoint protection is very useful and important, but successful social engineering attacks demonstrate how easy it is to bypass. Realistically, the internal user threat complicates endpoint protection’s ability to operate as designed. Further, the adoption of bring your own device (BYOD) policies and the myriad device types and versions that employees and partners use to connect to your data make it hard to stay up to date with endpoint threat protection.
Finally, attackers can exploit application controls via techniques like code injection attacks. Additionally, there is the complexity of the data and how you interact with it. At this point, data access requests seemingly come from everywhere: Robotic Process Automation, internet of things devices, BYOD and numerous other sources. Many artificial intelligence applications can demand almost unrestricted data access to make appropriate decisions and show a return on investment. The connected world is no longer confined to a human interacting with data through a workstation. But the dramatic variety of methods through which we interact with data makes it challenging to keep up with appropriate application controls.
Adjusting the Focus
How then should companies address the often-overlooked internal threat? First, C-level business leaders and CISOs need to bolster resources like skilled personnel and database monitoring applications that will enable continual insight into where their data is, how it is being accessed, how much of it is accessed (500 records or 5 million?), who is accessing it and when (during the normal work day or the middle of the night?), and from where and how often it is accessed. In addition, leaders must challenge their IT staff to provide constant metrics on all of these factors, so they can proactively understand their environment and not only protect it from attacks, but also be more efficient in business processes and security controls.
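The metrics described above (who accessed which data, how many records, at what hour, from where) are the kind of thing a database audit log can answer once it is summarized. The following is an added example, not code from the article or from Risk Management Magazine: it parses a constructed audit log in an assumed whitespace-separated format and flags the two conditions the text singles out, bulk reads (500 records versus 5 million) and access in the middle of the night, plus access from outside an assumed corporate address range. The log format, thresholds and address range are all assumptions to be adapted to a real environment.

```python
"""
Added example: summarizing database access audit records into the
"who, how much, when, from where" metrics the text asks for.
The log format, the thresholds and the corporate address range are
assumptions, not a real product's format; the log lines are constructed.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample audit lines: timestamp user source_ip table rows_returned
SAMPLE_LOG = """\
2024-03-04T09:12:05 alice 10.1.20.15 customers 480
2024-03-04T10:03:41 bob 10.1.20.77 orders 2300
2024-03-04T02:47:19 svc_report 10.1.30.5 customers 5000000
2024-03-04T14:20:00 alice 203.0.113.9 customers 120
2024-03-04T23:15:33 carol 10.1.20.42 customers 75000
"""

# Assumed policy values; tune these to the environment being monitored
BULK_ROWS = 50_000                                     # one query above this is a bulk read
WORK_HOURS = range(7, 20)                              # 07:00-19:59 counts as the normal work day
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corporate address space


def parse_line(line):
    """Split one audit line into a record with typed fields."""
    ts, user, src, table, rows = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "src": ipaddress.ip_address(src), "table": table, "rows": int(rows)}


def is_internal(addr):
    """True when the source address falls inside the assumed corporate ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def summarize(log_text):
    """Per-user totals: rows read, distinct tables touched, distinct source addresses."""
    totals = defaultdict(lambda: {"rows": 0, "tables": set(), "sources": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        entry = totals[rec["user"]]
        entry["rows"] += rec["rows"]
        entry["tables"].add(rec["table"])
        entry["sources"].add(str(rec["src"]))
    return dict(totals)


def flag_events(log_text):
    """Return (user, reason) pairs for records that breach the assumed policy."""
    flags = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["rows"] > BULK_ROWS:
            flags.append((rec["user"], f"bulk read of {rec['rows']} rows from {rec['table']}"))
        if rec["ts"].hour not in WORK_HOURS:
            flags.append((rec["user"], f"access at {rec['ts'].strftime('%H:%M')} outside work hours"))
        if not is_internal(rec["src"]):
            flags.append((rec["user"], f"access from external address {rec['src']}"))
    return flags


if __name__ == "__main__":
    for user, entry in summarize(SAMPLE_LOG).items():
        print(f"{user}: {entry['rows']} rows, tables={sorted(entry['tables'])}, "
              f"sources={sorted(entry['sources'])}")
    for user, reason in flag_events(SAMPLE_LOG):
        print(f"FLAG {user}: {reason}")
```

Run as a script it prints one summary line per user and one FLAG line per policy breach; on the constructed data the service account's 5-million-row read at 02:47 produces two flags, the 75,000-row read at 23:15 produces two, and the read from 203.0.113.9 produces one. The point of keeping `summarize` and `flag_events` separate is that the totals answer the "how many records did you have access to" question on their own, while the flags are only as good as the thresholds chosen for the environment.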
While the overwhelming majority of insiders are well-intentioned, trustworthy and hard-working, far too many of us are susceptible to highly sophisticated threats deployed from an endless stream of attackers. It is more important than ever to focus on resources that will help overcome internal data management gaps to keep your workforce and your business on track.