This is part of Solutions Review’s Premium Content Series, a collection of contributed columns written by industry experts in maturing software categories. In this submission, Kurt Mueffelmann of archTIS explores why enterprises need a new approach to data protection.
This past June, an employee at Tesla was discovered to have exfiltrated large amounts of highly sensitive data to unknown third parties. For a global enterprise like Tesla, whose intellectual property constitutes one of their most prized and valued assets, the ramifications of such a leak can have material consequences — both to their brand and their bottom line. It’s clear that businesses need a new approach to data protection.
Of course, Tesla is hardly alone. Microsoft, General Electric, and Marriott are just a few of the notable global brands that have had sensitive data intentionally or accidentally leaked by trusted inside users who had legitimate access to protected network resources.
One of the main reasons these threats have been so challenging to protect against is the prevailing security philosophy embraced by most security teams today: an expansive ‘telescope’ approach that prioritizes a holistic view of the network in order to bolster it against an array of external threat actors. But as the examples above demonstrate, this broad top-down approach falls woefully short when it comes to keeping an organization’s most critical asset – its sensitive data and files – fully secured. This is why we need to re-think our current approach to data protection by embracing a more granular, data-centric ‘microscope’ approach that embeds modern security and access controls at the file level.
The Silent Threat of Insiders
The fact of the matter is that sensitive information is compromised every day by so-called ‘trusted users.’ But what exactly does ‘trusted’ mean in this context? It often merely implies that the user possesses the proper credentials or privileges to access certain network resources – however, it offers little insight into their intentions or aptitude. This leaves us with a number of challenging questions regarding a wide range of potential insider threat types.
How do you secure sensitive data when an unidentified third party compromises a trusted user’s credentials? What can you do to ensure a sensitive file isn’t inadvertently shared with someone who shouldn’t have access? And how do you strike the right balance of providing contractors and other trusted third parties with the access they need to do their work without impacting productivity?
While most media headlines are focused on data breaches caused by hackers and other external bad actors, the threat represented by insiders – whether malicious or unintentional – needs to be taken just as, if not more, seriously. That’s due in part to the fact they are much more difficult to detect. Dwell times for insiders are double that of other security incidents and still can average over 77 days to contain. In fact, only 13 percent of insider incidents were contained in less than 30 days.
Broadly speaking, insider threats can be grouped into three buckets:
- Negligent insiders who inadvertently compromise data. For example, an employee misplaces a laptop, misaddresses an email, or clicks on a phishing email, compromising their system.
- Malicious insiders who commit acts such as data/IP theft, fraud, sabotage, and espionage.
- Compromised insiders whose credentials are stolen by a bad actor.
A survey conducted by Cybersecurity Insiders found that more than two-thirds (68%) of the security leaders confirmed that insider attacks were growing in frequency and acknowledged that they were vulnerable to these attacks. The high-profile cases of Edward Snowden and Chelsea Manning also provide an enduring yet often overlooked lesson about these types of attacks: by the time sensitive data has been exfiltrated, it’s already too late.
The Microscope: Extending Zero Trust to the File Level
The increasing volume of insider threats has compelled cybersecurity professionals to take a more proactive stance towards insider threats and data protection. This is why we are seeing a sharp uptick in the adoption of new technologies such as User and Entity Behavior Analytics (UEBA) tools that help security teams detect, classify and alert them to abnormal behavior, as well as Security Information and Event Management (SIEM) which gathers and unifies data from a variety of network security systems to help continuously monitor employee actions within the network. While these tools serve an important purpose, they remain largely reactive and do little in the way of preventing sensitive data from being exfiltrated.
Furthermore, these types of tools require a great deal of specialized attention to operate and manage. SIEM tools, for instance, must be regularly tuned and maintained, which means security analysts and engineers spend precious cycles triaging the constant influx of data and less time on what they should be doing: analyzing and mitigating potential threats. This complexity is compounded by an increasing volume of false-positive alerts that keep security teams in a reactive mode of always having to put out fires.
Then there is a fundamental flaw inherent in many of these common tools that undermines data protection: weak authentication does little to ensure that the logged-in user is who they say they are. So, if someone logs in with stolen credentials, they can leverage the access and escalate the privileges of the compromised account to navigate systems and data, stealing as they go. At that point, security rests entirely on the permissions attached to the account.
That’s why a data-centric, policy-based approach based on the principles of ‘Zero Trust’ is a far more effective methodology to ensure data remains secure. This modern ‘least-privilege’ approach does not automatically trust any user inside or outside your perimeters. Instead, you must verify anyone trying to connect to any systems, applications, or individual data files before granting access to them.
Attribute-Based Access Control
Attribute-based access control (ABAC) is a Zero Trust security model that continuously evaluates attributes (characteristics of the data and/or the user), rather than roles, to determine a given file’s access rights. An ABAC model represents a data-centric security approach in which access policy is embedded in the file itself, so each file’s attributes can be evaluated and validated on every access. These attributes include security classification and permissions as well as other ancillary user-defined attributes such as security clearance, time of day, location, and device, which together determine who can access, edit, download, or share a particular file.
A data-centric approach enables granular control over the access of information by adjusting security in real-time to determine whether the user should be given access to the requested information based on all of these parameters at any given point in time. If the user scenario does not match or appears suspicious, then access is denied, or a restricted view of the data is provided. For example, if an authenticated user is trying to access a sensitive file they own, but it is outside of business hours, and they are using a BYOD device in another country, file access will be denied – effectively thwarting the efforts of a hacker using stolen credentials.
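To make the evaluation described above concrete, here is an added example (not archTIS’s product or the author’s code) of a minimal ABAC decision function that re-evaluates file and user attributes on every request. The clearance ladder, the business-hours window, the risk threshold and the attribute names are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import time
from typing import Literal

# Assumed clearance/classification ladder; higher number dominates lower.
CLEARANCE = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

@dataclass(frozen=True)
class FileAttrs:
    classification: str   # label that travels with the file itself
    owner: str            # ownership does NOT override context checks below
    home_country: str     # where the file is expected to be accessed from

@dataclass(frozen=True)
class UserContext:
    user: str
    clearance: str
    country: str
    device_managed: bool  # False means BYOD / unmanaged device
    local_time: time

Decision = Literal["allow", "restricted", "deny"]

def evaluate(f: FileAttrs, u: UserContext) -> Decision:
    """Decide per request from attributes only; no role or prior session is trusted."""
    # Hard rule: the user's clearance must dominate the file's classification.
    if CLEARANCE[u.clearance] < CLEARANCE[f.classification]:
        return "deny"
    # Contextual signals: each anomaly raises the risk score (assumed scoring).
    risk = 0
    if not (time(8, 0) <= u.local_time <= time(18, 0)):
        risk += 1                      # outside business hours
    if not u.device_managed:
        risk += 1                      # BYOD device
    if u.country != f.home_country:
        risk += 1                      # request from another country
    sensitive = CLEARANCE[f.classification] >= CLEARANCE["confidential"]
    if sensitive:
        # Two or more anomalies on a sensitive file look like stolen credentials:
        # deny even for the file's owner. One anomaly degrades to a restricted view.
        if risk >= 2:
            return "deny"
        return "restricted" if risk == 1 else "allow"
    # Lower-sensitivity files degrade to a restricted (view-only) mode instead.
    return "restricted" if risk >= 2 else "allow"
```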
In the coming decade, security leaders must be able to adapt their techniques and methodologies to meet threats from wherever they might come. While we have focused much of our attention on keeping threat actors from penetrating the network perimeter, we need to expand our methodologies and our thinking to ensure we can provide that same level of security to our most valuable asset – our data.
- Why Enterprises Need a New Approach to Data Protection - June 24, 2021