Tag: zero-trust

Extend your DLP with zero-trust data protection

The term data loss prevention (DLP) is used throughout the information security industry to mean any technology that can stop users from sending sensitive information outside the corporate network. It can take many forms, including locking down USB ports on PCs, stopping emails from leaving the company, and preventing documents from moving outside your firewall. DLP can mean many things to different people.

While DLP can enhance your information security by changing employee behavior, it does so by limiting activities, and it depends on creating adequate policies. It acts to restrict data use, not to enable it. Business users have a legitimate need to share and use information, and preventing that can cause problems.

DLP has two main functions: monitoring and blocking. Many organizations only monitor activity to understand usage patterns. Once they start blocking the movement of information, there are typically many exceptions because people need to get their jobs done. If you only monitor data access and movement, you are not protecting the data: you become aware of a problem only after the data has left your organization and is already in the wrong hands. If you throttle blocking back to the point where it is primarily monitoring, you are in the same situation.

What are some of DLP’s challenges?

DLP’s ability to scan, detect data patterns, and enforce appropriate actions using contextual awareness reduces the risk of losing sensitive data.  It depends on policies to govern the movement of information, and those policies can become complex to manage.  A lot of companies will monitor and potentially block personally identifiable information (PII), personal health information (PHI), social security numbers, PCI data, and any data that is governed by regulations.  You can easily write policies to block this information, but what about all the trade secrets and intellectual property (IP) that really drive your business?

The problem is that most businesses need to share sensitive data with outside people.  DLP does not provide any protection in case users have to send confidential information legitimately to a business partner or customer.  It cannot protect information once it is outside the organization’s perimeter.  This has become more of an issue with remote work becoming the norm for many businesses.

Considering that most data leaks originate from trusted insiders who have or had access to sensitive documents, organizations must complement and empower the existing security infrastructure with a zero-trust data security solution that protects data in use persistently.

Add zero-trust data security

By adding context-aware data protection to DLP, you ensure that only authorized people can access sensitive information no matter where it is.  The three key areas to consider are:

    • Encryption – by encrypting the data under centralized security policies, you extend the monitoring capabilities of DLP. If the information does leave your network, it is always protected and under your control. If an unauthorized person tries to access that information, the protected data appears as useless bits. The same policy can apply to authorized people who are on the wrong device or in the wrong place.
    • Control use of the data – apply a persistent security policy that travels with the data and controls what a user can do with it when they open a file. By limiting editing, copy & paste, or printing, you prevent the data from being shared with the wrong people. This can extend to immediately revoking access to files that have already been shared, regardless of location or device.
    • Monitor and validate use – continuously validating user access to sensitive data is critical, since people's roles change and the data may no longer be relevant if a person changes jobs or leaves your organization. This ensures you grant access to sensitive data only if and when a user needs it.
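The three areas above fit together as one control loop: the file carries no key of its own, a central policy service decides at every open whether to release the key and which permissions apply, and revocation is just a policy change that the next open picks up. The following is an added example written for this page, not Fasoo's product code. The `PolicyService` class, the policy layout, the user and device names and the document content are all constructed for illustration, and the keystream cipher is a placeholder so the script runs on the standard library alone; a real product would use an authenticated cipher such as AES-GCM.

```python
# Added example (not Fasoo's code): the content key of a protected file lives only
# in a central policy service; every open is re-validated against the current
# policy (user, role, device, location), and revocation reaches files already shared.
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Placeholder SHA-256 counter-mode keystream standing in for a real AEAD (e.g. AES-GCM).
    out, counter = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def protect(plaintext: bytes, key: bytes) -> dict:
    # Encrypt and authenticate; the file carries no key, so a holder without a grant sees useless bits.
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return {"nonce": nonce.hex(), "ct": ct.hex(),
            "tag": hmac.new(key, nonce + ct, "sha256").hexdigest()}


def unprotect(blob: dict, key: bytes) -> bytes:
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").hexdigest(), blob["tag"]):
        raise ValueError("integrity check failed: file was modified")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class PolicyService:
    """Hypothetical central authority: holds content keys and policies, logs every decision."""

    def __init__(self):
        self._keys, self._policies, self.audit = {}, {}, []

    def register(self, doc_id: str, policy: dict) -> bytes:
        self._keys[doc_id] = key = secrets.token_bytes(32)
        self._policies[doc_id] = policy
        return key

    def revoke(self, doc_id: str, user: str) -> None:
        # Drop a grant; it takes effect at the user's next open, wherever the file now lives.
        self._policies[doc_id]["users"].pop(user, None)

    def request_access(self, doc_id, user, role, device, country):
        # Evaluate the policy as it stands now; return (key, permissions) or None.
        policy = self._policies.get(doc_id)
        grant = policy["users"].get(user) if policy else None
        if grant is None:
            reason = "user not authorized"
        elif role not in grant["roles"]:
            reason = "role no longer matches grant"
        elif device not in policy["managed_devices"]:
            reason = "unmanaged device"
        elif country not in policy["allowed_countries"]:
            reason = "location not allowed"
        else:
            reason = "ok"
        self.audit.append({"doc": doc_id, "user": user, "device": device,
                           "decision": "allow" if reason == "ok" else "deny", "reason": reason})
        return None if reason != "ok" else (self._keys[doc_id], set(grant["permissions"]))


def open_document(service, doc_id, blob, user, role, device, country):
    # Client side: decrypt only after a grant; the permission set is what the viewer may offer.
    result = service.request_access(doc_id, user, role, device, country)
    if result is None:
        return None, service.audit[-1]["reason"]
    key, permissions = result
    return unprotect(blob, key), permissions


def demo() -> dict:
    # Scenarios from the text, on constructed sample data.
    svc = PolicyService()
    key = svc.register("q3-forecast", {
        "users": {"alice": {"roles": {"finance"}, "permissions": {"view", "edit", "print"}},
                  "bob@partner.example": {"roles": {"partner"}, "permissions": {"view"}}},
        "managed_devices": {"laptop-001", "partner-vm-7"},
        "allowed_countries": {"US", "DE"},
    })
    blob = protect(b"Q3 forecast: revenue +12%", key)   # constructed document
    open_ = lambda *who: open_document(svc, "q3-forecast", blob, *who)
    out = {"alice_ok": open_("alice", "finance", "laptop-001", "US"),
           "bob_view_only": open_("bob@partner.example", "partner", "partner-vm-7", "DE"),
           "alice_wrong_device": open_("alice", "finance", "personal-phone", "US"),
           "alice_role_changed": open_("alice", "sales", "laptop-001", "US")}
    svc.revoke("q3-forecast", "bob@partner.example")   # access pulled after sharing
    out["bob_after_revoke"] = open_("bob@partner.example", "partner", "partner-vm-7", "DE")
    tampered = dict(blob, ct=blob["ct"][:-2] + format(int(blob["ct"][-2:], 16) ^ 1, "02x"))
    try:
        unprotect(tampered, key)
        out["tamper_detected"] = False
    except ValueError:
        out["tamper_detected"] = True
    out["denials_logged"] = sum(e["decision"] == "deny" for e in svc.audit)
    return out
```

Running `demo()` shows the partner opening the file with view-only permissions, the same employee denied on an unmanaged device or after a role change, and the partner's copy going dark after revocation even though the encrypted bytes never changed hands again; the audit list is what the "monitor and validate" step reviews.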


Today data is everywhere and continues to grow.  I could access a file on my mobile device, move it to the cloud, copy it onto my PC, and then move it into a document repository.  Keeping up by managing and monitoring every location and every device is almost impossible.  It’s like playing whack-a-mole.  You plug one hole and another appears.

You need to expand your thinking on how you protect your data, by locking it at the moment you create it and continuously validating user access.  This gives you visibility and control through its entire lifecycle.


US House Recommends 'Zero-Trust' Model for Insider Data Access

Data from our Ponemon study, "Risky Business: How Company Insiders Put High Value Information at Risk," was recently cited in Tara Seal's Infosecurity Magazine article, "US House Recommends 'Zero-Trust' Model for Insider Data Access." The article referenced the statistic that 72 percent of surveyed organizations are not confident in their ability to manage or control employee access to confidential documents and files. As a result, the actions of careless employees, rather than malicious attackers, are the primary cause of data breaches.

The US House has recommended that federal agencies adopt a "zero-trust" system to keep personal, confidential data out of the hands of foreign attackers. The House views government employees as just as big a risk to their organizations as malicious attackers — a consideration that all organizations would benefit from adopting. While "zero-trust" sounds a bit harsh, there are multiple ways that these federal agencies can implement security measures to reduce the employee risk they fear so much.

Bill Blake, president of Fasoo, Inc., was quoted in the article saying “What should be concerning to C-level executives and corporate boards is that most organizations have no idea where mission-critical information is located on the corporate network, who has access and what they are doing with that information.  Deploying DRM solutions is a first step. Beyond that, organizations must be vigilant in applying and enforcing security policies as well as knowing where the organization’s most valuable information is located at all times.”

The first step to reducing the risk is to take control over all employee access and permissions. The second step is to consistently monitor and follow up on these protocols. How many employees really need access to sensitive data? For the employees who do access it, what are they doing with it? Who are they sharing it with? An organization that places security as a top priority should be able to easily answer these questions.

Deploying technology to help discover, protect and control confidential data at all times would be the next logical step once the organization can answer these questions. Limiting access to select groups is important, but having a way to dynamically change that access, and even revoke it on information already shared, provides a more robust approach to protection. Auditing and monitoring are key to understanding changing business requirements, since roles and responsibilities are always changing. Coupling policy changes with technology that can enforce those policies provides the best way to implement a "zero-trust" system.

Think of sensitive data as a toddler at the park…you must always keep an eye on it, even if from afar.
