Your Weakest Link May Not be Your Employees After All - Securing Your Data Supply Chain
Securing only your employees isn't enough to keep your data safe today - businesses must extend security measures across their entire data supply chain.
When beginning a data protection initiative, most companies start with local controls: identifying sensitive information and limiting access. This is a logical approach, and addresses areas over which direct control of employees (“insider control”) is possible.
It’s important to remember, however, the “other insiders”: business partners, vendors, customers, and contractors. They are subject to their own companies’ security policies – not yours – but still have access to systems and networks. Aside from monitoring network activity, we need to ensure that these users are not accessing data they don’t require, or introducing malicious software (purposely or inadvertently).
For an example of this, we can look to Edward Snowden. He was a security contractor for Booz Allen Hamilton, working at the NSA. As with many long-term contractors, he was essentially treated as an employee. His role, as well as that of his peers, required elevated user privileges. By all accounts, they shared credentials as a normal course of business, and he used those privileges to copy and steal sensitive documents.
We also can’t assume that we are only put at risk by malicious users. The effects of this were demonstrated in the Target breach. An employee of an HVAC vendor logged into Target’s network using a device previously infected through a phishing attack. The attack then moved to Target’s systems, reported back to a command and control server, and eventually exfiltrated millions of customer records.
Securing your data supply chain simply means extending data protection policies to those users outside of your control. The simplest method for doing so is to apply security directly to data itself. Here are a couple of examples:
Privileged user management – This is more than a matter of trust. Privileged users, including contractors and system administrators, may possess elevated privileges necessary to administer systems. By default, this provides access to information on those systems. By uncoupling device and data privileges, you can allow those users to perform their jobs without putting sensitive data at risk.
Control how data is shared – Partners, customers, and vendors may require your confidential information in the form of design documents, parts lists, and other data. Once it is on their devices and systems, you lose control. Automatically encrypting that information, based on the data type or classification, provides you with downstream control of who can access or modify that data.
External networks – Third parties on your network should not simultaneously be connected to other networks. Understanding the context of what a user is doing (e.g., the class of data, the action, and the user) can prevent accidental or deliberate information sharing.
Unapproved applications – In the Target breach, malicious software was automatically installed from the HVAC contractor’s device. In a data-centric world, organizations can control which users and applications have the privileges necessary to not only access applications, but add or remove applications. In this case, an unknown (or external) device should not have had rights to install new, unknown software.
Sharing sensitive data is a necessary part of business. Protecting that data, inside and outside your network, can be challenging. Looking at the world from a data-centric viewpoint makes solving the challenge easier.