Jonathan Fischbein, CISO, Check Point Software Technologies, speaks about how data security and compliance has changed over the past year
How has the need for data security and compliance changed over the past year?
Over the past year, the “new norm” workspace expanded the organization’s perimeter. Going forward into 2021, remote work and distributed workspaces are a new reality. The need for data security and compliance was predominant as organizations had to recalibrate their cybersecurity approach around securing their corporate networks and data centers, cloud environments, and employees wherever they are. With remote work as the new standard and organisations working on multi-cloud environments, we had to make sure that all the developers and teams accessing very confidential assets such as source codes for customer PII (Personally Identifiable Information), ERP systems or financial information, etc. did not go out of the organization.
Technologies such as VDI (virtual desktop Infrastructure) together with several other security solutions are adopted to make sure that the exchange of data and information from home is secured. The use of collaboration tools has also escalated rapidly. Organizations have switched to using collaboration tools such as Zoom, Teams, and Slack more than ever before. These collaboration platforms which are an extension of an organisation on-premise infrastructure, are completely in the public cloud.
To make sure that the confidential information is secured and protected from being exposed in these environments, we had to implement SASE security or extend the CASB solutions to make sure that only the relevant people with Multi-Factor Authentication are logging in and are able to access the information.
What are the best practice standards and frameworks that can help companies achieve and maintain data security and compliance?
There are plenty of best practices, but the question is first of all how can we implement a best practice that is going to scale and be unified across the entire organization. It is not feasible to implement best practice standards and frameworks separately for each different sector within an organisation. It has to be simple. If a security policy or a solution framework is not easy to follow, it will become a major obstacle. Cyber attackers will find ways to elude and bypass it which is a very big problem.
Adopting the Data loss protection (DLP) best practice is extremely important in making sure that all information going out is filtered. Secondly, making sure that all files by default are encrypted in ways such that any member of the organization can access it, but if unwittingly that information is sent to an external 3rd party, they should not be able to access it. There are many different ways by which important data can fall into the wrong hands.
For instance, what about USB keys, are we blocking or encrypting USB keys by default? This is something very necessary that many people are improvident about. All of this together will add compliance and if someone is not compliant, they need to be held responsible. The security policy within an organisation should be respected and followed by everyone. To ensure this, there should be regular monitoring and audits conducted, and if something is not right, a root cause analysis should be conducted to find out the cause and prevent it from happening in the future.
Are there any regional data compliance regulations and frameworks, which companies that handle large amounts of public data need to follow?
Every country has its own legislation and set of regulations which are dynamic and are reformed through continuous efforts to improve it. There are many data protection laws and legislations that are put in place to secure and safeguard the protection of data and privacy within the country. Besides the regional regulations and compliance, there are also several other well-known certifications and frameworks that cybersecurity vendors or organizations operating in the cloud or other security-specific areas have to comply with.
For instance, for delivering SaaS services, we have to comply with SOC 2 framework which is a specific certification for organizations to ensure that such services are as secure as they should be. There are other standards and frameworks such as NIST, ISO 27001 or 27015, etc. which help organisation to increase the reliability of their security systems and make sure that they comply with the best practices. Talking about the public cloud, we use it as an extension of our data center.
We need to have compliance checks on this process of digitalization and adoption of the cloud. As we move the information and important data into the public cloud, we need to also add to the security to ensure that this environment is secured. There is also a necessity to maintain compliance checks and monitor it on a regular basis. This is an important part of our daily operations at Check Point Software Technologies which requires us to focus on compliance checks on GRC and infosec best practices internally as well.
What according to you are the five tips that companies need to follow to comply with data security regulations.
First of all, I would say map the challenge right. If the mapping is done in the right way then you will know exactly what is where and will be able to tackle the problem. This is very significant on the public cloud when it is not sure how dynamic or extending it is, in that case, the battle will be lost before it even starts. The second one is to make sure to understand the security controls that are already in place. As cyber-attacks become increasingly evasive, more controls are added, making security more complicated and tedious.
The next important thing is to implement the security policies that are relevant and can be met. For example, it is not possible to implement security controls of military-grade to a regular organisation, it has to be relevant and there should be a balance. Other than this, there is also a need to make sure that the security policy does not become an obstacle and allows people to work successfully, knowing that security is present on the side but does not cause an obstruction.
And lastly, it is very important to make sure that all of the regulations such as SOC 2 and PCI, etc., and many other such certifications and regulations are updated. We know that in every country legislation and regulations are changing so it is necessary to make sure that the security teams are up to date with this.
Many countries have passed their own version of data protection laws recently. How does your company help its clients with securing the data and staying compliant?
In every country or every region, there are different data protection acts and laws which are evolving and improving with time. For securing the data and staying compliant, we need to go back and see how the platforms are built. Almost every organization has adopted cloud computing to varying degrees within their business. However, with this adoption of the cloud comes the need to ensure that the organization’s cloud security strategy is capable of protecting against the top threats to cloud security.
The most challenging thing that we are dealing with in the public cloud. We have to make sure that all the important information and confidential customer data are secured and protected. The customer also has the right to be forgotten after a certain period of time, for example after a given duration of time the customer data is no longer used and is omitted or deleted. For things like opt-out or opt-in, for instance, a customer does not want anyone on the SaaS service to be able to access their data, they can opt-out. These are things that are the key drivers for making sure that the services are compliant and they also dictate its security.
At Check Point Software, a major part of our focus is around securing this environment and making sure that we comply with all the standards and frameworks and also the regional regulations with respect to the different countries.
Do you believe the line between data security and data privacy has started to blur?
The security teams within an organisation are eligible for accessing certain information and data when there is a need for a necessary investigation to be carried out or if there is something really suspicious, only when such information is accessed after the permission of the legal team. In the last six months or since covid there is a huge awakening of ransomware attacks. Besides backup as mitigation, there are also certain security solutions such as the Check Point Endpoint Detection and Response (EDR), which is an endpoint detection and remediation tool and especially an anti-ransomware solution that detects if there is a ransomware attack going on.
Such technology checks everything that is happening on the endpoint and the security teams can see the logs and processes on the endpoint device. So there is a certain area that it’s getting into privacy but on the other hand, we also need to be able to ensure security against ransomware attacks, so there is a huge challenge here. We need to be very gentle and very transparent about what we do and how we do it and keep the trust of our users, customers, partners, and employees, by taking special care about their privacy and communicating with the teams and customers, because trust is something that can be lost very easily in the data privacy and security world. Therefore the answer is yes, the area is very grey and the security practitioners work towards preserving the user’s privacy as much as possible.