In today’s world, sensitive information is scattered throughout the enterprise. Given this reality, firewall-only solutions are hopelessly outdated and IT organizations need to re-think their approach to enterprise security. Given the scope of the problem, this is a daunting task, but success is possible.
To get started, companies should focus their energy on five areas of concern:
Discovery and classification. Enterprise data that was once sequestered in legacy systems can now reside in the cloud, in data lakes and even on employees’ mobile devices. The attack surface—the number of “doors” through which hackers can gain access to corporate data—has also grown exponentially. With the rise of software-as-a-service (SaaS) solutions, for example, data that was once inside the firewall is now in the cloud, and employees may be accessing that data with their smartphones via risky Wi-Fi connections in airport cafés. Internet of things (IoT) devices that are often easy targets for hackers may be linked to mission-critical applications.
Companies can’t protect their data if they don’t know where it is, and that fact makes discovery and classification the crucial first steps in forming a post-firewall enterprise security strategy. These aspects of data governance, and governance in general, have rarely been a high priority for IT because of their complexity, the strain they put on resources and the lack of demonstrable ROI. But if companies are to be safe in the post-firewall era, that point of view must change.
The human factor. More sensitive data resides in endpoints not under the control of IT than ever before. Disgruntled, untrained or merely careless employees can be a huge source of problems given their degree of access. There are two fundamental trade-offs in dealing with this situation.
The first is security versus business demands. Here’s an example: Salespeople may be able to close more deals or “top off” an existing sale if they have direct access to inventory levels or shipping data via their smartphones. But granting that access to a production application from a device IT does not control increases the risk of attack. The second trade-off is security versus friction. Access control measures for remote devices such as two-factor authentication and mandatory password changes help protect data, but they also make users less efficient (and scheduled password rotation in particular is now discouraged by NIST guidance in favor of screening passwords against known-breached lists). The same is true of on-device encryption that slows performance.
Whatever decisions are made in these areas, employees should continue to receive training about password discipline, suspicious email messages with links and attack modes that involve social engineering.
Remediation strategies. We live in a “not-if-but-when” world when it comes to data breaches. Today’s attackers are rarely lone individuals. Many operate as organized groups with capable staff and a division of labor much like a business, they can launch coordinated attacks from botnets of thousands of compromised computers, and they are relentless.
A strong security information and event management (SIEM) system is essential for enterprise security. Combating today’s well-organized adversaries requires real-time alerting and the systematic collection of logs and forensic data from which a baseline of “normal” activity can be derived, so that deviations from it stand out. A well-trained incident response team should be established, with the means to quickly isolate compromised portions of the network. Equally important are backup and disaster recovery plans that are tested regularly, not merely written down.
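To make the “derive normal patterns, then flag anomalies” idea concrete, here is a small added example (not code from the original article or any SIEM product) that parses constructed sshd-style authentication log lines, builds a baseline of which source addresses each user normally logs in from and how many failed logins per source are typical, and then flags two kinds of deviation in a new batch of lines: a source exceeding the failure baseline and a successful login from an address never seen for that user. The log lines, the z-score multiplier and the five-failure floor are all assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev

# sshd-style auth lines; "invalid user" is optional so both real-user and
# unknown-user failures parse. Non-matching lines are ignored, not errors.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

# Constructed sample data (made up for this example): a quiet baseline period...
BASELINE_LOGS = [
    "2024-03-01T08:02:11 bastion sshd[4101]: Accepted password for alice from 10.0.0.5 port 51234 ssh2",
    "2024-03-01T08:02:40 bastion sshd[4102]: Failed password for alice from 10.0.0.5 port 51240 ssh2",
    "2024-03-01T08:03:02 bastion sshd[4103]: Accepted password for alice from 10.0.0.5 port 51241 ssh2",
    "2024-03-02T09:15:00 bastion sshd[4311]: Failed password for alice from 10.0.0.5 port 52001 ssh2",
    "2024-03-02T09:16:12 bastion sshd[4312]: Accepted password for bob from 10.0.0.7 port 40112 ssh2",
    "2024-03-02T09:16:30 bastion sshd[4313]: Failed password for bob from 10.0.0.7 port 40113 ssh2",
    "2024-03-03T10:01:00 bastion sshd[4500]: Failed password for carol from 10.0.0.9 port 60001 ssh2",
    "2024-03-03T10:01:05 bastion sshd[4501]: Failed password for carol from 10.0.0.9 port 60002 ssh2",
    "2024-03-03T10:01:09 bastion sshd[4502]: Failed password for carol from 10.0.0.9 port 60003 ssh2",
    "2024-03-03T10:01:20 bastion sshd[4503]: Accepted password for carol from 10.0.0.9 port 60004 ssh2",
    "2024-03-03T10:02:00 bastion systemd[1]: Started session 12 of user carol.",
]

# ...and a later window containing a password-guessing burst and an unusual login.
NEW_LOGS = [
    "2024-03-04T02:10:00 bastion sshd[5001]: Failed password for root from 203.0.113.9 port 33001 ssh2",
    "2024-03-04T02:10:01 bastion sshd[5002]: Failed password for root from 203.0.113.9 port 33002 ssh2",
    "2024-03-04T02:10:02 bastion sshd[5003]: Failed password for root from 203.0.113.9 port 33003 ssh2",
    "2024-03-04T02:10:03 bastion sshd[5004]: Failed password for invalid user admin from 203.0.113.9 port 33004 ssh2",
    "2024-03-04T02:10:04 bastion sshd[5005]: Failed password for invalid user admin from 203.0.113.9 port 33005 ssh2",
    "2024-03-04T02:10:05 bastion sshd[5006]: Failed password for root from 203.0.113.9 port 33006 ssh2",
    "2024-03-04T08:30:00 bastion sshd[5010]: Accepted password for bob from 198.51.100.4 port 44100 ssh2",
    "2024-03-04T08:45:00 bastion sshd[5011]: Failed password for alice from 10.0.0.5 port 51300 ssh2",
    "2024-03-04T08:45:20 bastion sshd[5012]: Accepted password for alice from 10.0.0.5 port 51301 ssh2",
]


def parse(lines):
    """Return a dict per recognised auth event; unrelated lines are dropped."""
    return [m.groupdict() for m in map(LOG_RE.match, lines) if m]


def build_baseline(events):
    """Derive 'normal': per-user known source IPs and typical failures per source."""
    known_sources = defaultdict(set)
    failures_per_source = Counter()
    for e in events:
        if e["result"] == "Accepted":
            known_sources[e["user"]].add(e["ip"])
        else:
            failures_per_source[e["ip"]] += 1
    counts = list(failures_per_source.values()) or [0]
    return {"known_sources": known_sources,
            "fail_mean": mean(counts),
            "fail_stdev": pstdev(counts)}


def detect_anomalies(baseline, events, z=3.0, min_failures=5):
    """Flag sources whose failure count is far above baseline and logins from new places."""
    # If the baseline is flat (stdev 0) the z threshold collapses to the mean,
    # so a fixed floor keeps a single extra failure from paging anyone (assumed value).
    threshold = max(baseline["fail_mean"] + z * baseline["fail_stdev"], min_failures)
    alerts = []
    failures = Counter(e["ip"] for e in events if e["result"] == "Failed")
    for ip, n in failures.items():
        if n > threshold:
            alerts.append(("brute_force", ip, n))
    for e in events:
        if e["result"] == "Accepted" and e["ip"] not in baseline["known_sources"].get(e["user"], set()):
            alerts.append(("new_source", e["user"], e["ip"]))
    return alerts


def run_example():
    return detect_anomalies(build_baseline(parse(BASELINE_LOGS)), parse(NEW_LOGS))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

In practice the baseline would be built from weeks of history and keyed by time of day as well as by source, and the alerts would be routed to the SIEM rather than printed; the point of the example is the shape of the logic, not the thresholds.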
Automation. The importance of artificial intelligence (AI) and automation in security efforts can’t be over-emphasized. In the past, the discovery and classification of sensitive data was an arduous manual task. Now, with the help of AI and automation, sensitive data can often be discovered and classified by matching field names and other metadata against a taxonomy, or by recognizing the patterns of the stored values themselves (payment card numbers, national ID numbers, e-mail addresses). Once sensitive data is identified, data protection controls can be applied automatically based on its classification.
The transmission of sensitive data via email can be automatically blocked, as can suspicious incoming traffic (although the latter is harder, because today’s attackers work to make their traffic look legitimate). AI and automation play a big role in intrusion detection as well.
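The two paragraphs above describe one pipeline: classify data by metadata and by value patterns, then apply a control chosen by the resulting label. The following added example (written for this page; not code from the article or from any data-loss-prevention product) does exactly that over a few constructed records and outbound e-mail bodies. The taxonomy, sensitivity levels, regular expressions and block/encrypt/allow policy are all illustrative assumptions; the one piece of real-world logic is the Luhn check, which keeps a 16-digit tracking number from being mistaken for a payment card number.

```python
import re

# Sensitivity levels in ascending order; a record takes the highest level found.
LEVELS = ["PUBLIC", "INTERNAL", "CONFIDENTIAL", "RESTRICTED"]

# Metadata route: field names that a data catalogue already labels (assumed taxonomy).
METADATA_TAXONOMY = {"ssn": "RESTRICTED", "card_number": "RESTRICTED", "email": "CONFIDENTIAL"}

# Pattern route: what the stored values look like, regardless of field name.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")        # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")            # US SSN layout
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")

# Control applied per classification (assumed policy for the example).
EGRESS_POLICY = {"RESTRICTED": "block", "CONFIDENTIAL": "encrypt",
                 "INTERNAL": "allow", "PUBLIC": "allow"}


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; filters out look-alike digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_text(text):
    """Return the set of sensitivity labels implied by the value patterns in text."""
    labels = set()
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            labels.add("RESTRICTED")
    if SSN_RE.search(text):
        labels.add("RESTRICTED")
    if EMAIL_RE.search(text):
        labels.add("CONFIDENTIAL")
    return labels


def classify_record(record):
    """Combine the metadata route and the pattern route; unlabeled data is INTERNAL (assumption)."""
    labels = {"INTERNAL"}
    for field, value in record.items():
        if field.lower() in METADATA_TAXONOMY:
            labels.add(METADATA_TAXONOMY[field.lower()])
        labels |= classify_text(str(value))
    return max(labels, key=LEVELS.index)


def check_outbound_email(body):
    """Classify an outgoing message body and return (level, action) from the policy."""
    level = max(classify_text(body) | {"INTERNAL"}, key=LEVELS.index)
    return level, EGRESS_POLICY[level]


# Constructed sample records (made up for this example).
RECORDS = [
    {"name": "order-42", "tracking": "1234 5678 9012 3456", "note": "ship to dock 4"},  # fails Luhn
    {"customer": "Ann", "card_number": "4111 1111 1111 1111"},   # caught by metadata and by pattern
    {"contact": "ann@example.com"},                               # pattern only
    {"employee": "Bob", "tax_id": "123-45-6789"},                 # field name unknown, pattern catches it
    {"memo": "quarterly all-hands on Friday"},
]

if __name__ == "__main__":
    for r in RECORDS:
        print(classify_record(r), r)
    print(check_outbound_email("Please charge 4111 1111 1111 1111 for the renewal"))
    print(check_outbound_email("Send the slides to ann@example.com"))
```

Note what the two routes buy you: the catalogue label on `card_number` would have fired even if the value were masked, while the pattern match on `tax_id` catches sensitive data in a field the catalogue never described. Real deployments add many more detectors and tune them against false positives, but the classify-then-enforce structure stays the same.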
All in all, security tasks that would have been prohibitively expensive, if not impossible, are now within reach, even when budgets are limited. IT organizations need to be sure they’re aware of the latest capabilities.
Board-level involvement. CIOs and CISOs need to bridge the gap between the business thinking that prevails in the boardroom and the technical thinking that dominates IT organizations. These days, most boards’ priority is avoiding a high-profile incident that could severely damage the company’s reputation, and its bottom line as well.
Beyond preventing a catastrophe, however, companies face a host of security decisions that need to be addressed in such a way that they support business goals. The consequences of a successful attack can often be estimated in financial terms, and the cost of establishing an effective defense against such an attack can be known. IT needs to develop business cases that enable the company’s leadership to evaluate defenses beyond the firewall on a cost/benefit basis.
The conventional thinking of the past is no longer adequate to meet today’s threats. Fortunately, new approaches—and the technology to support them—are now available to defend against inevitable attacks.