Achieve Data Security with Strong Internal and External Perimeters
Securing your organization’s most sensitive content is analogous to securing a busy office building. If you’re in charge of security in an office building, you must protect your tenants amid a constant flux of employees and visitors. You must keep the building, its employees, and their physical assets safe, but you can’t lock everyone out. You also can’t monitor every person, every moment.
You can, however, protect the entrances and exits to establish a secure external perimeter. And, you can lock the doors to your valuables to establish a secure internal perimeter. You can also shrink the overall threat surface by reducing the number of doors.
User apps, such as email, are the entrances and exits for files entering and leaving your organization. Enterprise apps and file stores, especially those where you keep sensitive content, are the doorways to your valuables. To protect your intellectual property, you must consolidate and secure these checkpoints: reduce the number of ways users can exchange files externally and secure the ones that remain, and likewise reduce the number of content repositories where valuable files are stored internally and secure those that remain.
The modern enterprise spends millions of dollars on cyber security, yet the modern CISO can’t say in any specific detail what information is entering and leaving the firm. If you can’t see it, you can’t defend it. Everyday workflows where employees exchange sensitive information with external parties expose the firm to constant threats, including leaks, phishing, malicious files, and compliance violations. These external workflow threats have a common theme: a user is the actor, and a file is the agent. Complete protection requires a defense that spans the full breadth of the associated threat surface: the collective paths of all files entering and leaving your organization.
In my last blog post, I explored the importance of a CISO Dashboard for visualizing the threat surface and monitoring all sensitive content and IP that enters or leaves your organization. Today, I’ll discuss shrinking the threat surface by constructing secure external and internal perimeters.
Shrink the Threat Surface
Users share files from a wide array of applications on their endpoints: email, Web browsers, office apps, mobile apps, and enterprise apps. To shrink the threat surface, you must restrict these applications by controlling software installation on endpoints, so that only approved apps run, and by deploying a cloud access security broker (CASB) to block unauthorized cloud services.
After reducing the number of entrances and exits, you need to funnel file traffic through security checkpoints, so each file can be efficiently inspected and secured. This can be achieved with enterprise app plugins for each approved endpoint application. Plugins should make sending, receiving, saving and retrieving files very simple; otherwise users will look for easier routes to complete their daily workflows, such as insecure consumer file sharing services. Unless you shine a light on shadow IT with strong cloud storage compliance, you can’t cover all your exits.
To further reduce the threat surface, you must establish a secure internal perimeter around your confidential documents with enterprise content integration, namely unifying access to all enterprise content stores. Otherwise, sensitive files can leak out undetected and malicious files can worm their way into your core content repositories.
Consolidate Content Access
Most organizations face many obstacles and trade-offs that limit their ability to unify content access. For example, legacy content stores may be too expensive to migrate to a consolidated repository. Highly sensitive content might need to be segregated from less sensitive content. Regulatory requirements, such as data sovereignty rules, may prohibit the consolidation of content across international boundaries.
It is less important that you consolidate the actual content, than it is that you consolidate access to the content—the doors. The fewer doors and security checkpoints, the smaller the threat surface.
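The two ideas above, funneling file traffic through a small number of checkpoints and consolidating access to content stores rather than the content itself, can be shown as one piece of code. The following Python is an added example, not code from the original post or from any vendor product; the repository names, the sensitivity levels, the approved-channel list and the data-sovereignty rule are all hypothetical policy choices made for illustration. It puts a single broker in front of two stores that cannot be merged (one region-bound and restricted, one not), so that every read and every outbound share passes one policy check and lands in one audit log, whichever store the file lives in.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Repository:
    name: str
    region: str        # jurisdiction the content must stay in (hypothetical sovereignty rule)
    sensitivity: int   # 1 = internal, 2 = confidential, 3 = restricted (hypothetical scale)
    files: Dict[str, bytes]


@dataclass
class User:
    name: str
    clearance: int     # highest sensitivity level the user may read


@dataclass
class AuditEvent:
    user: str
    action: str
    repo: str
    path: str
    allowed: bool
    reason: str


class ContentBroker:
    """One door in front of every content store (illustrative, not a product API).

    The stores stay where they are; only the access path is shared, so one
    policy and one audit trail cover every way a file can move in or out.
    """

    # Outbound channels that carry an inspecting plugin; anything else is shadow IT.
    APPROVED_CHANNELS = {"secure_share", "email_plugin"}

    def __init__(self, repos: List[Repository]) -> None:
        self.repos = {r.name: r for r in repos}
        self.audit: List[AuditEvent] = []

    def _decide(self, user: User, action: str, repo: str, path: str,
                allowed: bool, reason: str) -> bool:
        # Every decision, allowed or denied, is recorded in the single audit log.
        self.audit.append(AuditEvent(user.name, action, repo, path, allowed, reason))
        return allowed

    def _read_denial(self, user: User, repo_name: str, path: str) -> Optional[str]:
        """Return a denial reason, or None if the user may read the file."""
        repo = self.repos.get(repo_name)
        if repo is None:
            return "unknown repository"
        if path not in repo.files:
            return "no such file"
        if user.clearance < repo.sensitivity:
            return "clearance below repository sensitivity"
        return None

    def fetch(self, user: User, repo_name: str, path: str) -> Optional[bytes]:
        """Internal perimeter: read a file from whichever store holds it."""
        reason = self._read_denial(user, repo_name, path)
        if reason is not None:
            self._decide(user, "fetch", repo_name, path, False, reason)
            return None
        self._decide(user, "fetch", repo_name, path, True, "ok")
        return self.repos[repo_name].files[path]

    def share(self, user: User, repo_name: str, path: str,
              recipient: str, recipient_region: str, channel: str) -> bool:
        """External perimeter: send a file to an outside party."""
        if channel not in self.APPROVED_CHANNELS:
            return self._decide(user, "share", repo_name, path, False,
                                f"unapproved channel {channel}")
        reason = self._read_denial(user, repo_name, path)
        if reason is not None:
            return self._decide(user, "share", repo_name, path, False, reason)
        repo = self.repos[repo_name]
        if repo.sensitivity >= 3:
            return self._decide(user, "share", repo_name, path, False,
                                "restricted content never leaves")
        if recipient_region != repo.region:
            return self._decide(user, "share", repo_name, path, False,
                                f"data sovereignty: {repo.region} content to {recipient_region}")
        return self._decide(user, "share", repo_name, path, True, f"to {recipient}")

    def denied_events(self) -> List[AuditEvent]:
        return [e for e in self.audit if not e.allowed]


def demo() -> ContentBroker:
    """Constructed sample data: two stores that cannot be merged, one broker."""
    broker = ContentBroker([
        Repository("hr-eu", "EU", 3, {"payroll.xlsx": b"salaries"}),
        Repository("marketing-us", "US", 1, {"brochure.pdf": b"brochure"}),
    ])
    alice, bob = User("alice", clearance=3), User("bob", clearance=1)
    broker.fetch(alice, "hr-eu", "payroll.xlsx")                                         # allowed
    broker.fetch(bob, "hr-eu", "payroll.xlsx")                                           # denied: clearance
    broker.share(bob, "marketing-us", "brochure.pdf", "p@example.com", "US", "consumer_sync")  # denied: channel
    broker.share(bob, "marketing-us", "brochure.pdf", "p@example.com", "EU", "email_plugin")   # denied: region
    broker.share(alice, "hr-eu", "payroll.xlsx", "a@example.com", "EU", "secure_share")        # denied: restricted
    broker.share(bob, "marketing-us", "brochure.pdf", "p@example.com", "US", "email_plugin")   # allowed
    return broker


if __name__ == "__main__":
    for e in demo().audit:
        print(f"{'ALLOW' if e.allowed else 'DENY ':5} {e.user} {e.action} {e.repo}/{e.path}: {e.reason}")
```

The point of the design is the single `_decide` path: because both stores are reached only through the broker, the CISO dashboard question from earlier in this post (what is leaving, through which door, and who sent it) is answered by one log rather than by reconciling each repository's own records, and the sensitivity and sovereignty rules are enforced once rather than once per store.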
This post has covered shrinking the threat surface by constructing a secure external perimeter around file sharing applications and a secure internal perimeter around your sensitive data repositories; without both, sensitive files can leak out undetected and malicious files can worm their way into your most sensitive content. Future posts will cover hardening the threat surface with encryption of data in transit and at rest, and advanced security tools such as advanced threat protection (ATP) and data loss prevention (DLP).
Protecting Sensitive Content in a Dangerously Connected World