Securing the breach trumps breach prevention

Data breaches aren’t going away, and the costs of a breach are becoming more tangible. By implementing a three-step approach, organizations can prepare for a data breach.

In previous posts, I discussed both the changing face of data breaches and the reality distortion field surrounding today’s IT security professionals when they talk about effective ways to combat data breaches. Three things we know for certain, though, are that data breaches are not going away, our adversaries are continuing to innovate and attack, and the costs of a breach are becoming more tangible.

A couple of months ago, Verizon claimed the massive hack on Yahoo caused irreparable harm to the tech company in terms of customer trust, possibly allowing the wireless provider to withdraw from or renegotiate the terms of its $4.83 billion acquisition agreement. Also, in October, the U.K. Information Commissioner’s Office hit TalkTalk with more than $400,000 in fines for its 2015 cyber attack.

Breaches are going to happen. Not only is there a need to move from a breach prevention to a breach acceptance mindset, but we need to invest security dollars into the technologies that help us prepare for these occurrences and protect our most sensitive information. To do this, each organization needs to address a number of key questions and issues, including the following:

  1. How do you define sensitive data?

More focus needs to be placed on understanding what constitutes sensitive data and setting parameters for defining it. For example, a company’s customer service and IT departments may have very different ideas on sensitive data. Every organization should have an enterprise-wide security policy that clearly lays out information classification guidelines (public, confidential, regulatory, etc.), what happens at each classification (public information can be shared by anyone, confidential information must be encrypted), as well as measures to ensure compliance with external regulations such as PCI-DSS and HIPAA, among others.

  2. Who accesses your data?

Enterprise data lives in more places than ever before. Companies need to protect themselves not only from external threats, but from the misuse of data and malicious attacks by insiders as well. After sensitive data has been defined, organizations need to regulate who has access to it and on which devices. Multi-factor authentication (MFA), also known as two-factor or strong authentication, can help by ensuring that users, no matter where they are, are who they claim to be and are authorized to gain access. MFA also can enable role-based access, ensuring users have the appropriate level of entry for their position and function, and that the organization has a way to provision, manage and report on each group.

  3. Where is your data?

Whether it’s within physical networks, virtualized environments, the cloud or in motion, data is in more places than ever and enemies are not always obvious. In fact, a recent global study conducted by Gemalto and the Ponemon Institute found that half of all cloud services and data stored in the cloud are not controlled by the IT department.

  • Companies need to first locate where sensitive data resides within their organizations. Is it stored in databases, file servers, endpoint devices, storage networks? Is it located on premise, virtually or in the cloud? This is important to determine because encryption can be employed in multiple locations and cover both structured and unstructured data.
  • Companies must understand what happens to data while it is being transmitted to another location. From the moment data is in transit, the company is no longer in control of it, and it can be easily and cheaply “tapped” by cyber-criminals for a variety of unauthorized reasons. In addition, human error and technical equipment failings are real risks that can manifest more often than you would think. However, these risks can be eliminated by automatically encrypting the data while it’s in motion.

  4. How do you manage encryption and where are your keys?

Identifying and encrypting all of the sensitive data within an organization is just the first step to securing the breach. This requires encryption keys, and many times the management of these is imprudently overlooked. Without an enterprise-wide key manager, maintaining these disparate encryption systems becomes time consuming and unmanageable.

Since keys are being stored in a variety of places, often on the very systems containing sensitive data, they are vulnerable to theft and misuse. Backed-up keys are also not being secured while in transit, leaving another area of exposure. Restricting access to these cryptographic keys is also a best practice. It’s also critical to ensure no single user has rights to everything.

3-step approach to data breach protection

By implementing a three-step approach—1) encrypting all sensitive data at rest and in motion, 2) securely managing and storing all keys, and 3) controlling access and authentication of users—organizations can effectively prepare for a data breach. This allows us to see through cybersecurity’s reality distortion field and transition from an approach optimized for “reality as it was”—breach prevention—to a strategy optimized for “reality as it is”—the secure breach strategy.

This post first appeared in Network World.