Once again, we find ourselves in the thick of National Cybersecurity Awareness Month (NCSAM). This year’s theme of “Own IT. Secure IT. Protect IT.” highlights how it’s impossible for organizations to achieve a sufficient level of digital security with a single initiative and then be done with it. Security is an ongoing process that requires multiple steps.
Let’s look specifically at how this applies to the ‘Secure IT’ sub-theme for NCSAM 2019. Organizations cannot secure their information technology (IT) simply by training everyone in the organization to identify and avoid falling victim to a phishing attack. There is much more to security than just phishing attacks. To fulfill the ‘Secure IT’ element, organizations also need to create strong password policies, implement multi-factor authentication and protect all sensitive data to foster safe online digital experiences as well as to comply with regulatory requirements.
So, how can organizations secure IT?
It’s not that hard. Every ‘Secure IT’ action item traces back to a fundamental security control that strengthens an organization’s security posture. Phishing attacks, account takeover (ATO) fraud and data breaches can be mitigated by multi-factor authentication, strong access controls for regular as well as privileged users, and by encrypting all sensitive data for instance. Encryption and tokenization can help organizations secure their customers’ digital transactions. In addition, the entire compute, network and data storage infrastructure must be kept up to date by installing the latest security patches recommended by vendors.
Lastly, the chief information security officer (CISO) must nominate information security champions throughout their organization. Information security champions play an important role in evangelizing good security practices and creating a “security first” culture.
Below are descriptions of each of these security practices:
Access Controls and Authentication
Given the rise of cloud-based infrastructure and the proliferation of Software as a Service (SaaS) applications, organizations now have a large and growing number of IT applications that employees need to access. The key is for organizations to allow such access only within the context of zero-trust and least privilege. That is to say, no one should be able to access an asset, application or device with more than the minimum required privileges.
Organizations can achieve this type of control using Identity and Access Management (IAM) solutions that authenticate and secure access, identities and interactions.
These IAM solutions must offer multi-factor authentication (MFA). This security control overcomes the weaknesses of password-based single-factor authentication (SFA). Most commonly, it does this by requiring users to authenticate themselves using a token, a one-time password and device identification, in addition to a password. That way, MFA protects an employee’s accounts even if a password is compromised.
Data encryption is an essential component of ‘Secure IT’ in that it enables organizations to secure sensitive and confidential data that resides on your file and database servers, both on premise and in the cloud.
The most effective encryption solution is one that offers operational simplicity in the form of centralized encryption key and policy management. The solution should also enable organizations to address the data security requirements of the entire enterprise ecosystem. For instance, it should empower organizations to scale their data encryption deployment to meet their evolving compliance needs and the changing threat and ecosystem landscape.
Data encryption and key management go hand-in-hand. Robust, centralized, integrated key management is necessary for complying with regulations, meeting high-assurance requirements (such as being FIPS 140-2 standard certified), and providing separation of duties between the security administrator and data administrators.
Recognizing these threats, organizations would benefit from investing in a solution that centralizes key management across multiple encryption environments. Such a means of consolidation helps organizations avoid multiple vendor sourcing, eliminate encryption silos and make it easier to maintain visibility over all of their encryption keys. Better visibility equates to better reporting, auditability and compliance to regulatory requirements.
Per SearchSecurity, tokenization refers to the process of “replacing sensitive data with unique identification symbols that retain all the essential information about the data without compromising its security.” These identification symbols are unique tokens that retain all the essential information about the data in the same format as the sensitive data it replaces. It sounds a little bit like encryption. Tokenization prevents applications such as Extract, Test and Load (ETL) from breaking whereas encrypted data breaks such applications.
One of the most common types of data to which organizations apply tokenization is credit card information. To protect these details, organizations need to make sure their deployment of tokenization follows the Payment Card Industry (PCI) Council’s guidelines for Data Security Standard (DSS). This will reduce the scope of compliance audits for servers containing sensitive data. Tokenization of sensitive data is necessary to comply with data privacy regulations such as Global Data Privacy Regulation (GDPR), which impose stiff penalties when there are data breaches that expose sensitive data.
Secure IT with Thales
Encryption, tokenization, key management and access management/MFA will go a long way towards helping organizations secure their IT. Most organizations don’t have the internal knowledge to implement these foundational security measures on their own, however. That is why they should consider looking to a trusted vendor to help them secure their information assets across the entire enterprise.
*** This is a Security Bloggers Network syndicated blog from Data Security Blog | Thales eSecurity authored by Ashvin Kamaraju. Read the original post at: https://blog.thalesesecurity.com/2019/10/17/using-foundational-controls-to-secure-it/