If you’re like us, you might have been tempted to roll your eyes when you read the Office of Personnel Management’s post-mortem on its enormous breach last summer, which said that it had so much trouble controlling its data because employees simply couldn’t keep track of it all. It turns out that an incomplete inventory of all of OPM’s servers, databases, and network devices—let alone the files stored there—led to the drastically diminished effectiveness of the organization’s security measures. It also led to the breach of 22 million people’s records. It’s unacceptable.
But let’s face it: This problem isn’t unique to OPM, and the cloud is only exacerbating these visibility problems. Organizations are migrating their businesses to the cloud, but there seems to be an increasing level of panic over the current state of affairs.
There are some things savvy security professionals must keep in mind to prevent this problem from getting out of control. Here are a few of these security tips.
Don’t fool yourself: Data is everywhere.
Today’s companies and their employees store an enormous amount of information in the cloud. So given the rampant proliferation of files being stored—never mind just those that need to be secured—keeping data organized is a genuine challenge.
Could you really locate with certainty every file that contains information like your Social Security number or tax returns? And if you’re responsible for protecting the information of an entire organization, it’s a nearly impossible task—particularly given the fact that very few cloud services offer enterprise-ready security controls out of the box. Or, if they do, they’re confusing or only work for specific services.
It’s an embarrassing thing to admit, but if you don’t even know where all your business-critical information is stored, you’re not alone. The OPM’s situation perfectly illustrates how visibility has become one of the biggest problems facing businesses today.
TIP: Regain control of your information by implementing a data loss prevention solution that will let you customize search terms based on your company’s own sensitive data. Then, locate with certainty all documents across your organization that contain, for example, a Social Security number or the name of a high-profile client.
More panes = more pain.
When you have a couple dozen cloud services being used by various departments across your organization, the visibility problem only becomes greater.
You might think the way to fix it is with a bunch of specialty tools. After all, what’s better than the solution that was tailor-made to the software your sales team loves? On the other hand, can you realistically expect to manage permissions, prevent data loss, and stay organized across dozens of services, all with their own UX paradigms and logins?
If we’ve learned anything, it’s that complexity is the enemy of security. Using too many tools can hurt you and can make things too clunky to be worth it. Instead, figure out what your company really needs—whether it’s flagging risks, identifying sharing activity, or providing an easy way to take action in real time—and compare tools before deploying one. Increasingly, tech companies are developing all-in-one solutions that can be tailored to companies’ needs.
TIP: Adopt a cloud access security broker (CASB) solution, which gives you a single view of all your accounts and data—and won’t let anything slip through the cracks.
Leave complex data classification out of it.
Many IT leaders are moving their businesses to the cloud but face a crossroads. They’re not in a position to classify the sensitivity of specific corporate data and apply appropriate controls. But they don’t want employees to have to make that judgment call, either. That’s how mistakes get made.
Technology can help a lot with that, by detecting sensitive keywords or patterns to identify data that really shouldn’t be unencrypted on the cloud. But education can help, too. One of the best approaches we’ve heard placed data into four categories: Corporate public information, company private information, intellectual property, and customer data. If it’s customer data? Easy. It’s got to be encrypted, and access to it heavily restricted.
TIP: Find a data classification tool that will help you categorize the information that’s important to your company. Use it to create simple classification levels and set simple policies for each data category. For example, anything that contains customer data gets labeled as “top secret,” anything that contains business data as “secret,” and anything that can be released publicly as neither. Employees would know that top secret data cannot be shared externally and cannot be downloaded unencrypted.
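
The pattern-and-keyword detection and the simple labeling levels described in the tips above, as an added Python example (not from the original article or from any DLP product). The search terms, the sample documents, the "unlabeled" name and the policy rows other than "top secret" are assumptions made for illustration.

```python
import re

# SSN-shaped token (AAA-GG-SSSS) not embedded in a longer digit run
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")

# Hypothetical company-specific search terms (assumptions for illustration)
CUSTOMER_TERMS = ["acme holdings"]            # a high-profile client name
BUSINESS_TERMS = ["pricing model", "board minutes"]

# "top secret" rules follow the article; the other rows are assumed
POLICY = {
    "top secret": {"share_externally": False, "download_unencrypted": False},
    "secret":     {"share_externally": False, "download_unencrypted": True},
    "unlabeled":  {"share_externally": True,  "download_unencrypted": True},
}

def find_ssns(text):
    """Return SSN candidates, dropping ranges that are never issued."""
    hits = []
    for area, group, serial in SSN_RE.findall(text):
        if area in ("000", "666") or area >= "900":
            continue                          # invalid area numbers
        if group == "00" or serial == "0000":
            continue                          # invalid group / serial
        hits.append(f"{area}-{group}-{serial}")
    return hits

def classify(text):
    """Customer data -> top secret, business data -> secret, else unlabeled."""
    lowered = text.lower()
    if find_ssns(text) or any(t in lowered for t in CUSTOMER_TERMS):
        return "top secret"
    if any(t in lowered for t in BUSINESS_TERMS):
        return "secret"
    return "unlabeled"

def is_allowed(label, action):
    """Look up whether the policy for this label permits the action."""
    return POLICY[label][action]

# Constructed sample documents (not real data)
DOCS = {
    "hr/onboarding.txt": "New hire SSN: 123-45-6789, start date Monday.",
    "sales/q3.txt": "Draft pricing model for the renewal.",
    "ops/ticket.txt": "Order 4123-45-67890 shipped; ref 000-12-3456.",
    "web/press.txt": "We are opening a new office next spring.",
}

if __name__ == "__main__":
    for path, body in DOCS.items():
        label = classify(body)
        print(f"{path}: {label}, external sharing allowed: "
              f"{is_allowed(label, 'share_externally')}")
```

The range checks and digit-boundary guards are what keep order numbers and placeholder values from being labeled as customer data, which matters once a label blocks sharing or downloads.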
Throwing money at problems won’t do the trick.
Often, business leaders think that the risks of a data breach are remote—and the costs of security are too high. And no wonder. Enterprises collectively spend around $830 million each year on data loss prevention (DLP) tools, and big enterprises have traditionally spent upwards of $350,000 for a DLP deal.
Still, as we saw with Anthem, Target, Home Depot, and other corporate behemoths, having a lot of money to spend on IT doesn’t make you immune from a data breach. It’s allocating resources smartly and securely that does.
You don’t need to bankrupt your business simply in the name of protecting it. It requires some strategic planning, but as long as you’re aware of the risks and know exactly what you’re protecting, you’re already miles ahead, and won’t waste your money or your time.
TIP: Do your research. Technology changes in the blink of an eye, so a solution that may have seemed out of reach two years ago may no longer be. Additionally, adopt SaaS security tools, which tend to be easier to deploy and allow you to pay for functionalities as you use them, rather than making a multi-year budget commitment.