In the first part of our information security series, we examined the importance of educating and training your teams so they can reliably spot attacks such as email phishing and social engineering. These practices help strengthen your protection against some of the most common dangers to today’s organizations, but they’re not enough on their own – which is why we’re looking at necessary improvements in governance in this entry.
More specifically, by implementing single sign-on (SSO), password management and multi-factor authentication (MFA), you become safer from external and internal threats. IBM has estimated 60 percent of all cyberattacks originate on the inside, with password leaks and stolen identities among the biggest particular problems. Superior governance directly addresses these issues, providing effective defense at a time when the traditional network perimeter is disappearing.
Setting limits with security groups and the principle of least privilege
The old adage “A little knowledge is a dangerous thing. So is a lot,” applies well to information security:
- Granting any access to untrusted accounts can result in privilege escalation attacks, which have recently been prominent in discussions of serverless apps (i.e., programs without their own dedicated servers). An audit by PureSec found one-fifth of such applications had critical security flaws, like publicly viewable secrets in their code.
- Permitting too much access, even to nominally trusted users, can also result in data leakage. For example, in 2017 a contractor working with a major health plan sent a file containing thousands of health records to a personal email account. The breach wasn’t discovered for months.
With security groups (via a platform such as Active Directory) and adherence to a least privilege model, similar incidents can be minimized. Groups allow user rights to be efficiently managed, with anyone added to or removed from a group automatically inheriting or losing specific privileges. Meanwhile, the least privilege model mandates that each program and system have access to only the minimum set of capabilities necessary for its task.
Protecting accounts with SSO, password management and MFA
SSO and password management are like the drawbridge to a castle: They offer a convenient way in for trusted users while keeping everyone else out. SSO reduces the number of credentials users have to remember, streamlines account recovery and lets administrators enable or disable access from one place. Password management simplifies the process of creating and keeping track of multiple logins.
MFA is akin to a moat, providing an extra layer of protection. There are many viable options for additional factors, including hardware tokens, smart cards, SMS codes and apps such as Google Authenticator. All of them are better than allowing access via passwords alone because they reduce the likelihood of breaches via dictionary attacks (which guess common passwords) and lost/leaked credentials.
GDPR and regulatory compliance
The General Data Protection Regulation (GDPR) of the European Union goes into effect on May 25, 2018. It creates a vast new scope for how data is processed and exported out of the EU and will require significant adjustments by many firms.
A 2018 survey of 531 IT professionals by Crowd Research Partners found that a majority of them (60 percent) thought they would miss the compliance deadline, even though 80 percent regarded GDPR as a top priority. Most were also struggling with countering insider threats. However, 56 percent expected increases in their data governance budgets, which would help.
Research firm IDC has discovered similar issues among SMBs. Twenty percent of small organizations in the U.K. and Germany, and half outside Europe, were unaware of GDPR as of April 2018. Moreover, many of these organizations had no time to comply.
These numbers are concerning since the GDPR applies to any data on EU citizens, regardless of the location of the companies that process that information. GDPR creates the possibility of civil as well as criminal liability for violations.
Complying with GDPR is complicated in a post-perimeter world, with data routinely moving between locations and devices. New technologies and workflows may be necessary to ensure proper stewardship. For starters, clear data processing agreements are now essential for spelling out how information on EU citizens is handled. Physical, platform and application security measures are also crucial in protecting GDPR-relevant data both in transit and at rest.
Inspirage is fully prepared for GDPR and our consultants are ready to help any customers who have exposure to GDPR identify and remediate shortfalls in their data management, systems and processes. Inspirage’s Enterprise Data Management consulting and implementation services can help companies identify and manage GDPR data collections, processing, retention, and disposal across the many systems and silos where it exists in the enterprise. You can visit our Enterprise Data Management practice area for more details on our services, and be sure to check out the third part of this series on the key technologies for protecting sensitive information.