Secure Locations Alone Don’t Protect Sensitive Data
Another day and yet another example of a company failing to provide any protection to sensitive data beyond passwords to access it. In this case it was, ironically, Citrix – a technology company whose own marketing talks about the merits of providing security and protection for sensitive data.
Hackers were able to infiltrate Citrix’s corporate network for a period of 6 months and remove an unknown number of documents. Initially the reporting claimed that only business documents were removed, but later it was discovered that content containing PII of their employees was also leaked. Too often we’re seeing headlines telling similar stories where organizations are ill-advisedly relying on location-based security rather than a modern data-centric approach to protecting sensitive data.
Failures – Too Many to Mention
Just yesterday, job hunting website Ladders exposed almost 14 million user records thanks to a lack of even password protection on the data store. In March, terabytes of sensitive data from dozens of organizations were exposed to the public via their Box collaboration shares. In January, millions of mortgage and loan related documents were leaked. The list of data breaches continues to grow despite heightened awareness of the problem and risk, including new, more stringent regulations like GDPR.
Where are the Failures Occurring?
First, let’s be clear that this isn’t a failure of cloud-based collaboration and data systems. These data leaks happened across a variety of environments and under a variety of circumstances, from external hackers exploiting compromised credentials to users making configuration mistakes. There isn’t a common attack vector, and in truth the examples here are difficult to fully mitigate.
Yes, detection technologies are improving and it’s easier to sniff out when it isn’t really “john.smith@” who is logging in to download content. But they are not foolproof. Regardless of how much vendors improve the administration and configuration interfaces for systems, the reality is that people will always make mistakes. And when the mistake is made on the container holding your data, the results, as described earlier, are disastrous.
There is, however, a common denominator in the failure to protect the sensitive content: the aforementioned reliance on a single point of failure, solely protecting the data container and not the content within it.
Time for a Belt and Suspenders Approach – Multi-factor Data Protection
Just as I was not pinning the blame on deficiencies of cloud-based solutions for these leaks, the same goes for all the cybersecurity approaches being employed. The solutions themselves are not failing as such; they are just not adequately meeting the requirements for fully protecting sensitive content. Just as companies have moved to strengthen identity and access security with multi-factor authentication instead of just usernames and passwords, the same approach should be taken for securing sensitive content.
By applying data-centric protection to the content itself you can greatly mitigate the impact of a location-based security breach. How? This approach leverages metadata and other facets of the content itself in combination with various user attributes to determine if the sensitive data can be accessed. And if it can, what can be done with it. This greatly reduces the impact in the event of a breach of your first line of defense.
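The decision described above, as an added example (not code from the original post or from any product): content metadata and user attributes are evaluated together, and the result is the set of actions allowed on the content. The classification labels, attribute names and rules are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed labels, attributes and rules for illustration only.
RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

@dataclass(frozen=True)
class Document:
    classification: str    # metadata that travels with the content
    contains_pii: bool
    owner_department: str

@dataclass(frozen=True)
class UserContext:
    department: str
    clearance: str
    mfa_passed: bool
    managed_device: bool

def allowed_actions(doc: Document, ctx: UserContext) -> set:
    """Return the actions permitted for this request; an empty set means deny."""
    if doc.classification not in RANK or ctx.clearance not in RANK:
        return set()                      # unknown labels fail closed
    if doc.classification == "public":
        return {"view", "download", "share"}
    if not ctx.mfa_passed:
        return set()                      # a password alone is not enough
    if RANK[ctx.clearance] < RANK[doc.classification]:
        return set()
    if doc.contains_pii and ctx.department != doc.owner_department:
        return set()                      # PII stays with the owning department
    actions = {"view"}
    if ctx.managed_device:                # copies leave only on managed devices
        actions.add("download")
        if not doc.contains_pii and RANK[doc.classification] <= RANK["internal"]:
            actions.add("share")
    return actions

# Constructed sample: an HR file with employee PII, requested in three contexts.
hr_file = Document("confidential", True, "hr")
hr_staff = UserContext("hr", "confidential", mfa_passed=True, managed_device=True)
hr_on_personal_laptop = UserContext("hr", "confidential", True, False)
stolen_password = UserContext("hr", "confidential", False, False)

if __name__ == "__main__":
    for name, ctx in [("hr_staff", hr_staff),
                      ("hr_on_personal_laptop", hr_on_personal_laptop),
                      ("stolen_password", stolen_password)]:
        print(name, sorted(allowed_actions(hr_file, ctx)))
```

The `stolen_password` context receives no actions even though the same credentials would open the container holding the file.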
When Will Organizations Act?
Until organizations recognize the need for a data-centric security strategy and implement technologies that can enforce those strategies, we will continue to read about breaches like those I referenced earlier. It’s encouraging to see a rise in interest in modern DLP, Rights Management, CASB and solutions that enable conditional access to sensitive content. However, if you’re not currently looking at these types of solutions then I cannot state strongly enough that you must start to.
When considering these categories of solutions be aware that not all of them have been created equal. Several still apply protection based on the location or container with only a partial acknowledgement of the nature of the content and very little consideration of the user context. Be wary of the marketing messages that make them sound like they are applying data-centric principles but still predominantly rely on, or have merely altered, location-based security practices.