No network to defend: A data-centric approach to infosec, Part 3 – Technologies

Protecting sensitive information from cyberattacks requires a multi-pronged defense strategy, one that incorporates people-centric practices – such as security awareness training – alongside comprehensive data governance that ensures secure access and regulatory compliance. These measures require support from proven technologies, which we will focus on in this third and final entry in our infosec series. Let’s look at some of the best technical approaches to defending your information outside the disappearing network perimeter.

Segmentation and atomization of cloud computing instances

Cloud computing now reaches into almost every corner of consumer and business tech. Everything from Spotify and Instagram, to many of the most popular ERP, CRM and transportation management solutions, is cloud-based. Plus cloud’s proliferation is far from finished: Gartner estimated a $31 billion year-over-year increase in worldwide public cloud spending just in 2018.

Protecting all of this cloud-stored data requires careful segmentation, so that sensitive information is not intermingled within architectures hosting multiple customers’ assets. This is a fundamental security principle, with a similar logic to washing your hands or wearing a mask to prevent infections – you want to deny intruders any chance to land and expand and thereby amplify their damage. With cloud implementations, a secure setup might have the following features:

  • A dedicated (i.e., only for use by your organization) instance in a cloud like Amazon Web Services (AWS).
  • Access restricted to a virtual private network (VPN) connecting the end-user organization to AWS.
  • No intersections with any infrastructure belonging to third-parties, including that of project implementers.

A further step is atomization, which is basically what it sounds like: Shrinking network connections down so much that any threat afflicting a given app or device simply has nowhere else to go. There are no local, wide or metropolitan area networks connecting remote endpoints. This atomization prevents trojans, ransomware and other malware from spreading, leaving email phishing (which can be trained for) as one of the few viable attack vectors.

 

MDM containers for safer device use

Mobile and remote work is more popular than ever, especially in knowledge industries like IT. A Gallup report found that more than 40 percent of Americans reported working remotely at least some of the time in 2016. Mobile device management (MDM) solutions go beyond the byzantine measures once required to support employees on the go.

“Mobile and remote work is more popular than ever, especially in knowledge industries like IT.”

For example, critical apps such as email can be run in MDM containers. These sandboxes isolate specific programs in order to shield them from threats. Moreover, they may enable advanced features such as the toggling of risky functions and the ability to remotely wipe data in case of emergencies. That said, MDM by itself is only one piece of the security puzzle. Not all apps may work well within containers, which can sometimes cause compatibility and usability issues. Other protections are also necessary for securing data beyond the device level.

Data encryption and retention policies

Encryption has always been a staple of infosec, but it has gained particular prominence in recent years as concerns about data privacy have skyrocketed. In a post-perimeter world, with many locations and devices in the mix, it’s usually best to encrypt data both in transit and at rest, so that it is never at risk of being intercepted and read by untrusted parties.

Another practice that could greatly reduce the risks to important information, yet is currently underutilized, is the formulation of a data retention policy. Many breaches affect data that technically is no longer needed by the victimized organization. Still, retention policies are tough to develop and often intersect with various regulations.

Inspirage adheres to the infosec best practices discussed throughout this series, and we prepare our teams to help customers pursue the same protections in their implementations. Visit our Services page for more information on our offerings.

HybridCloudeBookCTA

Norm Messenger | Key Contributor

Norm is the Chief Security Officer For Inspirage. He is also an experienced aerospace and defense professional with more than 30 years of experience in federal and commercial program management, integrated logistics support, IT systems development, financial management, and operations research. He has been a Solution Director for Oracle and Inspirage focusing on service lifecycle management and supply chain management solutions for large enterprise customers. Norm blogs on a variety of topics across these domains.