For this eleventh National Cybersecurity Awareness Month – a time when we’ve most often focused on making people aware of the need for awareness and personal best practices for being safe online – it’s important not to lose sight of how to best implement enhanced cybersecurity for organizations. This should be done in a way that doesn’t negatively impact operations, customers and business performance.
People’s behavior is important; time and time again, data losses start with an email that should not have been opened, a link that should not have been clicked and an insecure password that should not have been used. But it isn’t the only area of concern.
In a world rattled by continuous breaches, it’s easy to say that enterprise cybersecurity must be a higher priority. For example, the second report on the OPM breach noted there were a total of 5.6 million fingerprints lost – a development that stands to affect almost anyone working on classified projects or in intelligence. On the heels of major breaches like this one, we find ourselves going down a familiar path: we assign blame and call out how it could have been avoided. Enterprises also feel the weight of increasing data breach consequences, escalating compliance requirements and tougher data residency regulations – all byproducts of situations that involve insecure data.
Unfortunately, and despite all the breaches and all the headlines, far too many organization still view cybersecurity as a barrier to getting work done. However, we believe there is a middle ground.
The first step for organizations concerned about an impact on workflow, but still wanting to improve their security, is to take a hard look at their IT security stance, business needs and risk tolerance. Then, they must re-balance this against their cybersecurity portfolio. In doing so, they are likely to find that “risky” technologies like cloud computing, Big Data, and the Internet of Things (IoT) are now within reach – provided the right security controls and solutions are in place.
It’s time to get real. If security portfolios and controls are properly balanced, the implementation and deployment of security technology doesn’t need to break the bank or disrupt business processes. In fact, it might even make it possible to support business expansion or growth.
Recognizing Pain Points
There will always be inherent tension between security technology and the consumer of that technology (in Vormetric’s case, enterprise-grade customers). Some security controls impact performance, add to business costs, require extensive solution re-architecting and changes in how users work. Security solutions that impose these “taxes” are consistent failures. In many cases, the businesses that initially select them do not even complete implementation. When they do, it’s not uncommon to find that their employees are ignoring or working around these controls.
New technologies are another pain point. If IT is too slow to implement or broker solutions for the organization, business or operational units will find ways to do it themselves. Typically, this not with the oversight and risk mitigation required to keep information secure. This is one of the most prevalent causes of “shadow IT”.
Solutions that work best preserve existing workflows, have light or non-existent impacts on existing system and application performance, and enable the rapid adoption of new technology solutions that people need to get work done.
Going in the Right Direction
When it comes to incorporating new technologies, IT departments even have the opportunity to step up and be the hero. They can do this by acting as the internal “broker” that brings in both service providers and security tools that make use of these environments a reality without increasing organizational risk.
How can IT do this, you ask? After first identifying their organization’s “risk tolerance”, they then select service providers, and security solution sets that support their preferred level of risk. These teams should also look for providers who are transparent and upfront about their existing security partnerships.
Today, many service providers (SaaS, IaaS, PaaS, Big Data, Hosting, Colocation, and MSP) are extending their solutions with standard and optional security features that enable organizations to tailor security controls to their needs. Many Vormetric Cloud Partners such as Armor, Rackspace and Centurylink offer Infrastructure as a Service (IaaS) offerings designed for those who need to secure their data within their cloud environments. Among other security enhancements, their offerings include encryption and access controls. Similarly, many Software as a Service (SaaS) offerings are using Vormetric for SaaS Providers to offer data-at-rest security that extends their service offerings with encryption, access control, detailed access logging, and end-customer-controlled key management.
This trend was most recently showcased by the world’s largest SaaS provider, SalesForce. The company now enables enterprise customers to control their data with encryption and access controls.
Getting Enterprise Security Right
Nowadays, networks are consistently penetrated by attackers. This reality, coupled with the threat of insider-based attacks and an enormous growth in information, strongly points to the need for a “vault” around sensitive internal data. In some organizations, the lack of visibility into where and when sensitive data is used leads to a policy requiring data security wherever data stores exist.
To get this right, existing applications and systems need to protect data from inappropriate access, as well as “watch” data access patterns to identify suspicious activity. Encryption solutions that shield data with access controls and have minimal performance impacts (usually by using the hardware-based encryption capabilities in today’s CPUs) are the answer. They generally meet the need to support legacy systems, databases and unstructured data. Concurrently, they are capable of protecting data within applications using technologies like tokenization, data masking, and internal encryption libraries.
These solutions can be both “performant” and have a fairly light touch on existing applications. System level tools, for instance, typically have no impact on usage, while application level tools require minor re-architecting. This allows users to “keep doing what works” without large changes to infrastructure, workflow and implementations.
It’s a Two-Way Street
The IT team’s responsibilities don’t end with the selection of a respected service provider and security solution. Ultimately, it’s up to that team to do things like protect data flow from vulnerable accounts (e.g. privileged users) and determine when usage patterns are changing in a way that indicates a threat. This should be done at both the OS level and application level…and all in a way that doesn’t fundamentally change the way people work.
This isn’t impossible, and it shouldn’t be a surprising or outrageous concept. Cybersecurity needs to work for the people it protects. If it starts to stymie their productivity, their passion and their drive, IT teams have a problem on their hands. Some questions IT teams should consider when evaluating exactly what might stand in the way of meeting these goals include:
- Does the implementation include support for effective central management of data security policies and implementations?
- Does it involve new, complex hardware or increasing operational burdens?
- Is there a performance impact on transactions?
- Can you transform data to a protected state without long shut down times, and undue demand on infrastructure?
- Will employees experience major changes in how they work?
- Will it allow for flexibility in changing architecture and implementation without putting data at risk?
- Can the solution support both internal needs, as well as enable use of new technologies like SaaS solutions, IaaS/PaaS, Big Data and others?
If the answer to too many of these questions is “no”, then it’s time to go back to the drawing board. It’s time to consider what needs to be done differently.
Here at Vormetric, we believe we help enterprise IT teams bridge the tension between security and productivity every day. These teams not only get the chance to be heroes by using the latest technology (safely, I might add), and make their internal data more secure, but they do it in ways that don’t compel people to go “over to the dark side” of Shadow IT.
Now that’s something we can all get behind.