Cybersecurity Needs to Shift Focus to Data
If the Equifax breach failed to make the case for moving beyond network-centric security, the European Union (EU) data protection rules that take effect in May 2018 will make it painfully clear.
The General Data Protection Regulation (GDPR) applies directly across all 28 EU member states and to every entity, inside or outside Europe, that holds or processes the personal data of EU residents. That covers most businesses that operate internationally, and it will set the bar for US compliance at the federal and state levels.
A key element of the GDPR is that its increased compliance requirements are backed by heavy financial penalties: up to €20 million or 4% of annual worldwide turnover, whichever is greater.
GDPR represents a paradigm shift in the way data collection and processing is regulated. It is not just a compliance or legal challenge; it will force organizations to adopt entirely new behaviors in the way they collect and use personal information.
It will affect not just businesses like Equifax but also suppliers like Fazio Mechanical Services, the refrigeration and HVAC contractor whose stolen network credentials unwittingly enabled the huge Target breach in late 2013.
Are YOU a supplier?
In addition, the GDPR adopts specific prescriptive rules around how organizations will need to demonstrate that they comply with the GDPR. Businesses will have to genuinely adopt governance and accountability standards and not just pay lip service to data privacy obligations otherwise they could be in for a surprise as the stiff new fines will apply to that requirement too. The U.S. government will not be far behind.
It requires covered entities to map and classify the personal data they hold, perform risk assessments, design privacy protections into business operations and practices, appoint data protection officers where required, monitor and audit compliance, and document everything they do with data and everything they do to achieve legal compliance, all by May 25, 2018, when the two-year transition period that followed the regulation's adoption in 2016 ends.
Companies today collect more data from more sources than ever before. Often, the data is distributed across on-premises and cloud systems and on partner and supplier networks. The traditional network perimeter behind which most enterprise data resided has all but gone, and users now have the ability to access the data from anywhere and at any time via laptops, smartphones and other mobile devices.
Existing (PCI, GLBA, HIPAA) and new (NYDFS, SEC, GDPR) regulations present imposing challenges. The distribution of data and the myriad ways in which it can be accessed have made it extremely difficult to prevent unauthorized access, insider misuse and destruction of data. Bring your own device (BYOD) and increasingly mobile workforces have exacerbated the risk of data leaks from unsecured and malware-infected devices and from incompletely secured cloud storage and sharing services.
Cybersecurity systems must be able to protect data wherever it is used, viewed or saved, which requires far more rigor than deploying conventional endpoint security products. We need to know where data is moving, protect it in transit and at rest, and control user access rights in context. All of this needs to happen in concert with governance and risk management technologies that audit and log every access to data and documents, wherever they are stored.
If you have ever contemplated this effort for your own organization, you understand that this alone is a herculean task. This is data life-cycle management and it requires a data-centric security approach which starts with data discovery and data classification.
It is much more than just data encryption and data masking, which is what many organizations assume end-to-end data protection is all about. Context-aware access control, authentication, user and usage monitoring, and auditing are essential ingredients, along with processes to ensure data is minimized and securely destroyed at the end of its life-cycle.
There are many useful tools available to help companies move toward the goal of a data-centric Cybersecurity plan. Data classification tools help automatically tag individual data elements with sensitivity values so it becomes easier to assign protection levels. You can separate sensitive, confidential, public and internal data, enabling different policies to be applied to each.
But these tools help only if you know what data exists and how to get to it. Data held by shadow IT groups in unsanctioned applications is harder to discover, and the larger that problem is, the larger the unknown data estate becomes.
Data loss prevention (DLP) controls are another essential component of a data-centric security strategy which help prevent data leaks by monitoring network traffic for data elements that match specific patterns — such as a payment card or SSN — and then either blocking or quarantining the traffic. Businesses should implement policies to control not only the types of data users can access but also what privileges they have with that access and the context within which that access can be granted.
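The classification and DLP controls described above come down to pattern matching with a validation step behind it, because a bare regex for "16 digits" or "ddd-dd-dddd" produces a flood of false positives. The following is an added example, not code from the original post or from any product it mentions: it scans a handful of constructed message lines, confirms candidate card numbers with the Luhn checksum and rejects structurally invalid SSNs, then tags each line with a sensitivity level and a policy action. The sample lines, the card number (a well-known synthetic test value) and the SSNs are all constructed; the level and action names are assumptions.

```python
import re

# Constructed sample records (synthetic, not real data): an outbound message
# stream a DLP control might inspect.
SAMPLE_LINES = [
    "Invoice 4477 approved, card on file 4111 1111 1111 1111 exp 09/27",
    "Order confirmation #4111111111111112 shipped",          # fails Luhn check
    "Applicant SSN 123-45-6789 received for background check",
    "Lunch menu for Thursday: 123-00-4567 is not an SSN",    # invalid group "00"
    "Quarterly all-hands slides attached",
]

# 13-19 digits, optionally separated by spaces or hyphens (card candidates).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# US SSN layout: area-group-serial.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cards(text: str) -> list:
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> list:
    """Drop area/group/serial values the SSA never issues (000, 666, 900+, 00, 0000)."""
    hits = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        if area in ("000", "666") or area >= "900" or group == "00" or serial == "0000":
            continue
        hits.append(m.group())
    return hits


def classify(text: str) -> dict:
    """Tag one record with a sensitivity level and the DLP action to apply (assumed names)."""
    findings = {}
    cards = find_cards(text)
    ssns = find_ssns(text)
    if cards:
        findings["PAN"] = cards
    if ssns:
        findings["SSN"] = ssns
    level = "confidential" if findings else "internal"
    action = "quarantine" if findings else "allow"
    return {"level": level, "action": action, "findings": findings}


def scan(lines) -> list:
    return [classify(line) for line in lines]


if __name__ == "__main__":
    for line, result in zip(SAMPLE_LINES, scan(SAMPLE_LINES)):
        print(f"{result['action']:10s} {result['level']:13s} {result['findings']}  <- {line[:40]}")
```

The checksum and structural checks are what separate a usable control from a noisy one: the second line carries sixteen digits that look like a card number but fail Luhn, and the fourth carries an SSN-shaped string with a group of 00, so neither is quarantined.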
Going beyond the least-privileged access model, companies today need to implement context-aware controls.
Context-aware security requires knowledge of who the user is, what the user is requesting, how the user is connected, when the user is requesting information and where the user is located. This approach might allow an end user to browse the network from inside the office, for example, but deny access if the end user is trying to connect with public Wi-Fi.
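The who/what/how/when/where checks above are easiest to reason about when written as policy code rather than a list of firewall exceptions. The following is an added example, not code from the original post: it evaluates a request against a per-classification policy that combines a role-based least-privilege ceiling with network, device posture, MFA, time-of-day and location requirements, and reports every failed check rather than just the first. The role names, network names, country allowlists and hour windows are assumed policy values for illustration.

```python
from dataclasses import dataclass

# Added example: context-aware access decision. Roles, network names and the
# policy values below are assumptions, not from the original post.


@dataclass
class Request:
    user: str
    role: str               # who
    action: str             # what: "view" or "download"
    resource_level: str     # what: classification tag carried by the data
    network: str            # how: "corp_lan", "corp_vpn" or "public_wifi"
    device_managed: bool    # how: corporate-managed endpoint?
    mfa: bool               # how: strong authentication completed?
    hour: int               # when: local hour, 0-23
    country: str            # where: ISO country code of the client


LEVELS = ["public", "internal", "confidential", "restricted"]

# Least-privilege baseline: the highest classification a role may ever touch.
ROLE_CEILING = {"contractor": "internal", "analyst": "confidential", "dpo": "restricted"}

# Context required per classification level (assumed policy).
POLICY = {
    "public":       dict(networks={"corp_lan", "corp_vpn", "public_wifi"}, managed=False,
                         mfa=False, hours=None, countries=None),
    "internal":     dict(networks={"corp_lan", "corp_vpn", "public_wifi"}, managed=True,
                         mfa=False, hours=None, countries=None),
    "confidential": dict(networks={"corp_lan", "corp_vpn"}, managed=True,
                         mfa=True, hours=(6, 22), countries={"DE", "FR", "US"}),
    "restricted":   dict(networks={"corp_lan"}, managed=True,
                         mfa=True, hours=(7, 19), countries={"DE"}),
}


def decide(req: Request):
    """Return ("allow", []) or ("deny", [reasons]); every failed check is reported."""
    reasons = []
    ceiling = ROLE_CEILING.get(req.role, "public")
    if LEVELS.index(req.resource_level) > LEVELS.index(ceiling):
        reasons.append("role not cleared for this classification")
    rule = POLICY[req.resource_level]
    if req.network not in rule["networks"]:
        reasons.append(f"network {req.network} not permitted")
    if rule["managed"] and not req.device_managed:
        reasons.append("unmanaged device")
    if rule["mfa"] and not req.mfa:
        reasons.append("MFA required")
    if rule["hours"] and not (rule["hours"][0] <= req.hour < rule["hours"][1]):
        reasons.append("outside permitted hours")
    if rule["countries"] and req.country not in rule["countries"]:
        reasons.append(f"country {req.country} not permitted")
    # Step-down rule: viewing sensitive data over VPN is fine, bulk export is not.
    if (req.action == "download"
            and LEVELS.index(req.resource_level) >= LEVELS.index("confidential")
            and req.network != "corp_lan"):
        reasons.append("download of sensitive data only from corporate LAN")
    return ("deny", reasons) if reasons else ("allow", [])


def demo() -> dict:
    """Constructed requests: the same analyst and document under different contexts."""
    base = dict(user="alice", role="analyst", action="view", resource_level="confidential",
                network="corp_lan", device_managed=True, mfa=True, hour=10, country="DE")
    cases = {
        "office":     Request(**base),
        "cafe":       Request(**{**base, "network": "public_wifi", "device_managed": False}),
        "export_vpn": Request(**{**base, "network": "corp_vpn", "action": "download"}),
        "contractor": Request(**{**base, "role": "contractor"}),
    }
    return {name: decide(r) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (verdict, why) in demo().items():
        print(f"{name:11s} {verdict:5s} {'; '.join(why)}")
```

Returning every failed check matters operationally: the log entry for the "cafe" request records both the public network and the unmanaged device, which is what an analyst investigating the denial later needs, and the "export_vpn" case shows that the same user, device and network can be allowed to view but denied to download.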
Moving to a model where Cybersecurity protections travel with the data is going to be critical to future compliance and the path to get there is long and hard.
Because it changes the entire perspective of Cybersecurity protection and controls from network-centric to data-centric, achieving that goal probably can’t be completed within a two year period.
But if we don’t start today, we can drop the “probably”.
This is a Security Bloggers Network syndicated blog post authored by Steve King. Read the original post at: News and Views – Netswitch Technology Management