Hardly a day goes by that you don’t hear about a major data breach or a new cyberattack that’s making headlines. J.P. Morgan, Community Health Systems and SuperValu have most recently been in the news for massive breaches. Enterprises are spending billions of dollars each year on network and endpoint security defenses, but it seems like the bad guys have the upper hand. According to the Verizon Data Breach Investigations Report, 71% of analyzed data breaches pointed to compromised endpoint devices. Hiring forensics firms after a breach to piece together what went wrong seems like investigating the lock on the barn door after the horses are long gone. Far too late and too costly to be considered an effective strategy.
In reality, organizations must begin to assume that their perimeter defenses will be breached – largely because threats are highly customized and the perimeter is, at best, fuzzy. This is an important point that bears repeating: if the bad guys decide to target you, they will get in. Even VMware stepped up to the plate to recognize this with the launch of their NSX 6.1 offering last week. They used words like “deperimeterizing security” and “pushing security controls away from the perimeter.”
It’s not to say that you shouldn’t be concerned with your infrastructure – an insecure network puts your data at risk. And in any sizeable enterprise, it’s just not possible to know where all of your sensitive information is located – and cloud environments amplify the problem.
But your data stores can be one of the highest risk areas in your organization. It’s what the bad guys are after. And it’s what will put you on the front page of the national news. Shouldn’t you adopt a data-first security approach and do all you can to defend your data so that you can prevent, or minimize, a breach once your external defenses are penetrated?
Ask your security vendors if they can stop your organization from being breached. If they’re honest, they’ll all tell you the cold hard truth: no, they can’t. Many industries must address compliance mandates and government regulations, but in our experience there are companies who are citing the use of compensating controls but not protecting data because they haven’t been called on the carpet by regulators. When that day comes, the massive fines will be an abrupt wake-up call and spur lax organizations to get serious about data-centric security.
Encryption and access controls are your front-line defenses for defending data-at-rest. Given today’s threat environment, encrypt everything possible, everywhere possible. Then limit access to only those whose work requires it. An intelligent implementation will allow system and application maintenance and operations without exposing data to the privileged users who carry out these tasks. It also meets myriad compliance requirements and stops the threat of legal or physical compromise of the cloud environment. Even if someone walks away with the drive that has your data from the cloud provider, they won’t see a thing. And if you control your own keys, legal challenges in the cloud provider’s jurisdiction aren’t possible without your knowledge and cooperation.
Overall, CISOs should be focusing more on best securing company data from within. With encryption becoming increasingly easier to implement, there’s really no excuse for not protecting your data, regardless of where it is.
So as you start to look at your security budgets for 2015, are you still planning to spend ever more dollars protecting your endpoints because external data shows that’s your weakest link? Or are you ready to turn that thinking on its head and start putting data-first security in place?