Going Beyond Traditional Perimeter Security
Solutions Review’s Contributed Content Series is a collection of contributed articles written by thought leaders in enterprise technology. In this feature, Privacera CEO Balaji Ganesan offers commentary on going beyond traditional perimeter security.
It’s a fact that these days, enterprise organizations are more concerned with protecting their data than ever before – and rightly so. Every data breach, such as the recent Forever 21 breach that saw 500,000 individuals’ private data hacked, or the Tesla breach that leaked more than 75,000 individuals’ personal information, reverberates throughout the business world as a stark reminder to shore up security measures to protect privacy, prevent reputational damage, and avoid regulatory penalties.
The recent MGM cyberattack, including the iconic Caesars, also illuminates the importance of robust data protection, as it potentially exposed tens of millions of individuals’ personal information as a result of an attack that was perpetrated by a hacking group. It reinforces the need for fine-grained data access controls and entitlements; perimeter-based safeguards are no longer sufficient.
Perimeter Security Governance
Perils of Neglecting Security
According to a report published by the Identity Theft Resource Center (ITRC), 1,802 data compromises occurred in 2022, which was only 60 shy of the all-time high that was set in 2021. Global security spending is projected to reach $219 billion this year and is expected to grow to nearly $300 billion by 2026, according to the International Data Corporation’s (IDC) forecast. Investments in cybersecurity software, hardware, and services are anticipated to increase by 12 percent compared to 2022, surpassing the growth rate of overall IT spending.
According to the IDC forecast, the largest security spenders in 2023 will be organizations in banking, manufacturing, professional services, and federal governments, collectively accounting for over one-third of total security spending. Even with this level of investment, it’s apparent that there is still plenty of room for improvement. This starts with an added layer of security to establish more fine-grained access controls to mitigate potential breaches of the perimeter. Unfortunately, when sensitive data is compromised, it underscores the critical importance of robust IT security and data protection policies, and highlights the need to fortify security posture.
Impact of this Incident
Recent events underscore the vital need for organizations to proactively address security vulnerabilities. In the MGM cyberattack on September 7th, a group of hackers who call themselves “Scattered Spider” breached MGM’s data security framework, which MGM attempted to remedy with a shutdown of their computer systems. The hackers potentially accessed tens of millions of individuals’ sensitive personal data and asked for a ransom of $30 million. MGM allegedly paid half of the ransom, but experts suggest that the shutdown of their computer systems may cost MGM upwards of $8 million per day. On top of that, MGM customers had a degraded experience with long waiting lines and numerous other inconveniences as a result of the attack.
The MGM attack was orchestrated through social engineering, through which the attackers ultimately managed to obtain credentials. This incident highlights the imperative for organizations, like MGM Resorts, to enhance their security protocols to secure access to sensitive data effectively. Even when credentials are compromised, the impact of these security incidents can be mitigated by preventing every user from seeing and accessing all of the data. With different roles and data access controls in place, organizations can implement the least privilege model, giving any user’s account only those privileges that are vital to perform its intended functions.
How to Avoid a Similar Incident
Data security is necessary to strike the right balance between transforming each organization to be data-driven and ensuring the right safeguards and proper data policies are in place. Active enforcement of these data policies and controls is paramount to ensure continuous protection of an organization’s data.
Below are key considerations to build toward a unified, enterprise-grade, proven data security framework with comprehensive security and audit capabilities:
- Modernize data security governance technology towards active and continuous security: Data security and governance must exist across every part of the data journey and lifecycle. Implement a comprehensive data security platform which includes the ability:
  - to easily scan, classify, and tag sensitive data across all of an organization’s data,
  - to consistently and continuously secure access to data by applying and enforcing data access policies at scale, through masking or encryption,
  - to monitor, alert, and audit trails with ease across all of an organization’s data assets for compliance and security purposes, and
  - to apply the same consistent and continuous security and governance strategies to both data and emerging AI technologies, such as Large Language Models (LLMs).
- Modernize the roles of your data stakeholders: Data security is becoming well within the purview of the CISO. But a successful strategy will also require inclusion of other key stakeholders, such as data engineers, data scientists, and BI analysts.
  - Formalize security and data governance objectives early on and empower the business data stakeholders to achieve objectives in a scalable and automated manner.
- Modernize your data governance processes: To achieve the above goal of including all key data stakeholders, end-to-end security and governance workflows are required that are easy to implement while providing the right level of protection. The underlying security governance technology must allow the implementation of a self-serve model. It should allow the flexibility to implement either a decentralized responsibility model, or a fully centralized one, or a mix of both.
The urgency for active and continuous data security controls holistically across an organization’s entire data estate has never been more pressing. By implementing these key considerations, a data-driven organization will be able to unlock the value of data to a much wider user audience, leading to better, safer products and experiences.