Security Models Should be Simple to Make Them Easier to Implement
Brian Chappell, Director – Product Management, BeyondTrust, speaks about best-practice standards for data security and compliance
How has the need for data security and compliance changed over the past year?
The move to remote working has radically expanded the arena in which organisations need to address and maintain data security and with that comes greater complexity in satisfying compliance requirements. The number of devices needing securing has grown exponentially while the attack surface has grown geometrically.
Also, more remote workers, often in environments that are far beyond any control of the organisation — i.e., not just home but, as lockdowns ease, coffee shops, etc. — leads to the need to increase controls on the endpoint without, as far as possible, impacting productivity and flexibility. We are looking at unprecedented increases in the challenges to maintaining an effective and appropriate data security practice. Too stringent a control suite and we’ll see a resurgence of shadow IT. Too open, and we risk easy dissemination of sensitive company information and/or easy entry into the environment.
What are the best-practice standards and frameworks that can help companies achieve and maintain data security and compliance?
Frameworks tend to be collections of best practices that commonly address specific industry regulatory requirements — we see many of those best practices repeated across the various frameworks such as NIST Cybersecurity Framework, HIPAA, FISMA, etc.
For me, the most important activity is to focus initially on the basics. I visualise the attack surface like desert sands — constantly shifting with dunes rising up and sinking away. Trying to build anything complex on top of that risks the structure tipping and toppling to the ground at, what might be, the slightest change.
We need to harden our cybersecurity strategy with foundational piles that hold steady and give us a platform on which to build. Those foundational elements include Privileged Password Management, Privileged Elevation and Delegation Management, Privileged Session Management, Vulnerability Management and Identity Management. These are the basics that organisations continue to not get right and, as a result, provide the most common areas of exploit.
Getting these right means focusing on them, working to ensure the security models are simple, which makes them easier to design, implement, manage, maintain and respond to when something bad is happening. By simple, I don’t mean basic, I mean avoiding unnecessary complexity — something that’s very difficult for many in cybersecurity.
As Steve Jobs put it: “Simple can be harder than complex. You have to work hard to get your thinking clean to make it simple. But it’s worth it in the end because once you get there, you can move mountains.” Get the basics right and the rest gets easier and that’s vital with the additional complexity in today’s data security world.
What, according to you, are the five tips that companies need to follow to comply with data security regulations?
Tip #1: You cannot abdicate or pass on responsibility for your data to another organisation. Even if you empower them to manage access, implement controls, or provide the infrastructure in which it’s stored and/or processed, it’s your data and you are ultimately responsible for it. That’s a guiding principle that any data security specialist should have pinned to their wall.
Tip #2: Get control over privileged access. This doesn’t mean just lock the environment down but rather implement controls that move you from a restricting approach — i.e., trying to control what someone can do with privilege — and onto an enabling approach where you can explicitly and granularly allow an unprivileged user to do more. It’s so much easier to understand and manage.
Tip #3: With #1 in place, you can know who has access to sensitive data. Next is to control that access through password and session management. This gives you visibility into when they accessed it and what they did with it.
Tip #4: Don’t ignore the external accesses into your environment by vendors supporting their systems in your infrastructure. Bring those accesses under the same controls as your own teams. Avoid VPN access. It doesn’t matter how well you think you have that entry point controlled, it’s likely to provide access to systems that are necessary for that access but that the engineer shouldn’t have visibility of. Find an access technology that doesn’t provide a direct TCP/IP path to the target system(s).
Tip #5: Know the regulations. This seems obvious, but everyone involved in data security should read and understand the regulations they need to comply with. Many rely on what others tell them, and that’s subject to interpretation. The number of times I hear requirements quoted that I know come from other, often unrelated, regulations, only because that’s what the person has been told or assumed. This is often the result of being asked a question about an area that the regulations applying to the organisation don’t cover, so people co-opt requirements from other regulations because they ‘make sense’. This complicates the compliance and often results in multiple solutions for the same problem and friction from each and every one. Be compliant, be a little more than compliant, but make sure you understand where compliance is and knowingly step over the line — don’t try and ‘control’ your way out of that situation. Sometimes the answer is to remove controls.
Many countries have passed their own version of data protection laws recently. How does your company help its clients with securing their data and staying compliant?
BeyondTrust is focused on the most pivotal, foundational aspect of cybersecurity — Privileged Access Management. It’s impossible to secure data and stay compliant without good controls around privileged access, as access to sensitive data is privileged and compliance is very much focused on ensuring you know who has access to what and when and where and how they exercised those accesses.
Helping customers put together the foundations for their cybersecurity/data security solutions not only addresses the most common mechanisms for data loss but also reduces the noise in the system. There are no longer events that need monitoring around what someone is doing with their privileged account — they don’t have one and we know exactly what they are doing with the accesses they’ve been given, and they cannot do any more than that. So now, those other tools in the system have cleaner signals for when bad things do happen, and the organisation gets more value from them as well.
Do you believe the line between data security and data privacy has started blurring?
I don’t believe there is a line between data security and data privacy. You cannot have data privacy without good, effective, appropriate data security. While the concerns may be different conceptually, data privacy compliance relies on good controls to ensure that only appropriate people have access to data, that we know when they accessed the data and how they used that data. Data privacy also defines controls around how data is processed and for what purposes along with how long it can be retained. But in all aspects of that, the data must be secured to ensure that controls are effective.
Data Security teams may not be concerned with the larger data privacy requirements and regulations, but it would benefit them and their organisations if they became familiar with these, so that they can help ensure the controls stay simple yet appropriate. That will yield better data security as complexity really is a real and present danger in any system.