Companies that need to protect their data must take a hard line, and there is no way around it.
“With an increase in encrypted communications and an onslaught of enterprise file-sharing solutions available, it is becoming increasingly more complex to manage and control the integrity and confidentiality of business data,” said David Rudduck, managing director of Insane Technologies, an Australian-based IT Consultancy that focuses on cyber-security awareness training, managed IT & security services, and disaster recovery solutions.
This is certainly true. When you add the requirements for data privacy and security compliance specified in many standards and regulations, not to mention protecting against possible litigation under e-discovery, data management becomes a necessity for business survival in some cases.
“Where previously it was easier to control access to files and folders using rudimentary access controls and policies, the introduction of services like Let’s Encrypt and a push for all communications to be secured with SSL/TLS, the Bring-Your-Own-Device culture, and millennials introducing their own favoured solutions (aka Shadow IT), even measures like Data Loss Prevention (DLP) tools are becoming increasingly complex and sometimes even futile,” said Rudduck.
What security controls are necessary to control data in the modern business when BYOD policy, Wi-Fi and broadband make the task even more futile?
Just Because You’re Paranoid Doesn’t Mean They Aren’t Out To Get You
It’s all well and good to say that you should trust your employees, but insider threats are common, whether intentional or otherwise.
“To be truly secure, we need to lock down all exit and entry avenues that the data can take; and as a result of a cloud and mobile-first mentality that is shaping the modern business, control measures are becoming less and less effective,” said Rudduck.
Citing his experience with several film production studios, Rudduck is well versed in the measures and guidelines they employ to protect their intellectual property.
“Whilst some are more advanced than others, the challenges they are trying to overcome are no different than those that any other organization trying to protect its IP is facing,” he said.
Some of his clients require all mobile phones to have stickers over the camera lens to stop staff from taking photos of confidential assets. Others enforce a policy that requires mobile phones to be left far away from the confidential information, along with the requirement to use AES 256-bit encrypted storage devices when data does need to be transferred from one device to another manually.
Many of these are easily circumvented, added Rudduck.
Enhanced Data Security
“The most effective solutions took into consideration the human elements, realizing that no one is perfect. These implementations either leveraged DRM [digital rights management] protection on the content, some form of password/encryption on the content, or at least encrypted the content before it left the corporate storage and made its way to another party,” said Rudduck.
Rudduck argues that in order to combat insider threats, the protection of confidential information is key.
“The organization needs to own the workflow – from endpoint to endpoint. This means ensuring the location the data is stored at is secure, the devices connecting to it are secure (and controlled by the organization), the method used to transfer the files to another party (external or otherwise) are secure, and that the end party has been vetted to meet their security standards,” he added.
In terms of technology, yes, it’s very much necessary to protect your data.
“In many instances, blocking access to unauthorized USB storage devices, file sharing solutions at the endpoint and firewall, in combination with a secure file transfer solution are usually the key factors in a corporate copyright protection workflow,” said Rudduck.
Can access and permission management solutions ensure safety and compliance with regulations such as PCI-DSS and others?
“The protection of the solution is only as good as the people using it, managing it and developing it. People are, ironically, only human – and as a result we make mistakes,” said Rudduck.
Rudduck had several examples of such mistakes. Some of his solutions include:
- Small bugs in code can be leveraged to exploit access to systems that shouldn’t be accessed, so it’s imperative that solutions aiming to deliver secure file transfer should have regular penetration testing by different organizations.
- Data should remain encrypted at rest, using a passphrase or key that the client (or sending user) has specified; there should be no “break glass” option for administrators of the vendor to access the data.
- The client should have the option to specify where the data resides – either geographically in the vendor’s “cloud”, or in their own data center. This is an important consideration, as some regulations, especially in the healthcare industry (in Australia, for example), prevent data storage in another jurisdiction.
Defending Against A Deliberate Leak Is Difficult
Assuming that all data is locked down with user permissions, access control and even device management solutions to prevent unauthorized access with memory sticks, there are many other ways to acquire information.
Basic social engineering could occur. For example, a user peeks over the shoulder of an authorized user and takes a photo using a smartphone or spy camera. The photo can be viewed later, sent to any number of cloud services (such as Dropbox) or transferred using their chosen social media or chat solution.
For visitors to several printed circuit assembly (PCA) contract manufacturing facilities in China and Japan, one thing holds true. All employees go through an airport-style scanner (or at the very least a handheld scanner) to prevent IP theft. With no exceptions, all detected electronics must be stored in assigned lockers until they leave the premises. Even car keys are included. This rule also applies to visitors. They must give up their cellphones, cameras and any other devices, including memory sticks, all of which are returned later. BYOD is not an issue here (as it doesn’t exist) and only those who require internet access for their role are allowed it.
In this industry, considering that they deal with IP from global companies, it makes sense to implement such a strategy. Even a bill of materials (BOM) or packaging specs are valuable information to competitors if leaked. In my opinion, companies that work in design or production, where IP is crucial, could learn from this example. After all, we can survive without a cellphone or personal electronics while working. It’s certainly worth thinking about.
Shadow IT Is A Possibility
The impact of a data breach or loss of IP is sometimes so devastating that drastic steps are necessary.
“Regular discussion with the user base is essential to get their understanding and buy-in on the importance of protecting an organization’s proprietary information. The impact of an accidental or purposeful leak could result in a loss of income for the organization, and therein a loss of ability to employ staff in the future,” said Rudduck.
“Solutions that provide end-to-end, encrypted, authorized and controlled transfer are a key piece in the puzzle of controlling access when data needs to be transmitted out of the ‘safe’ confines of an organization,” he added.
If I ruled the world, or was asked to recommend a way to prevent shadow IT, the first thing I would do is ensure all sensitive data is encrypted and secure. Network users would only be given access to the specific folders related to their department. Then, I would ban all electronics in the workplace, supplying employees with encrypted company-owned devices (smartphones and laptops) as needed. I’m undecided about Spandex uniforms for all with colors depicting seniority or department, not unlike Star Trek. Want to come work for me in my new company? Didn’t think so.