Enable Employee Workflows While Preventing Costly Data Breaches
User apps, such as email and file sharing, define an external perimeter where content enters and exits your organization. Enterprise apps and storage repositories define an internal perimeter around your most sensitive and valuable content. Access through these perimeters should be both simple and secure to ensure seamless workflows across your extended enterprise. Given the variety of applications and user workflows, however, providing simple access is actually a very complex challenge. Users can range from internal senior executives to trusted suppliers to external consumers and workflows can range from distributing a board of directors’ presentation to signing customer contracts. Preventing breaches while enabling workflows requires the implementation of strong data privacy controls: very complex access rights and privileges across many user roles. Therefore, consolidating access management through single sign-on and a directory service should be high on the list of requirements for building out a secure content sharing channel.
CISOs must enable secure online collaboration that balances the protection of sensitive content with the overwhelming need to share it, easing access while preventing breaches, ensuring privacy alongside transparency, and adhering to complex regulations without getting in the way of efficient communication. Each trade-off entails risks. This blog series explores these trade-offs and offers six guiding principles for creating a secure content sharing channel that enables work across the extended enterprise and protects your most sensitive digital assets.
In my last blog post, I shared how CISOs can protect their most prized digital assets by controlling and monitoring every file that enters or leaves their firm. Today, I’ll explore the pitfalls associated with providing simple, seamless access to content.
Securing IP Must Go Beyond Granular Policy Controls for Authorized Insiders
Securing authorized access, however, is just the first step. Just as much attention must be given to preventing unauthorized access, especially to your most sensitive content. All content sharing should be encrypted from origin to destination. Sensitive enterprise content should also be encrypted in storage and access should be further restricted with multi-factor authentication. In addition to comprehensive data encryption, your most sensitive content, such as legal documents, health records and proprietary IP should only be stored on premise. Public cloud storage not only exposes data to unauthorized access by unknown third parties, but the consolidation of data creates a honey pot for attackers and increases the risk of a large-scale breach. In addition, the US Federal Cloud Act of 2018 allows US law enforcement to compel technology companies via subpoena to provide data stored on their servers, regardless of whether the data is stored in the U.S. or on foreign soil. In plain English, your sensitive data can be collected in bulk without our knowledge or approval. On-premise or a hybrid cloud deployment should be the standard for truly sensitive information and IP. If on-premise storage is not possible and cloud storage must be used, then encryption keys should be unique to your organization and stored in a separate, secure location.
Securing authorized access is only the first step. Just as much attention should be given to preventing unauthorized access from malicious outsiders. [source: Accellion secure file sharing and governance platform]
Analyze Every Inbound and Outbound File for Added Security
Access controls can lock out unauthorized users, but they can’t protect you against unauthorized content, such as incoming malicious email attachments or outgoing leaks of proprietary IP. Therefore, your security architecture must extend beyond securing users to securing content. At a minimum, every inbound file should be cleared by anti-virus software prior to storage in an enterprise content repository. Outbound files should be scanned using data loss prevention (DLP) software to block leaks of sensitive content. Both inbound and outbound content scans can be accelerated to ease access by taking a stratified approach. More suspicious files can be queued for advanced threat protection (ATP) processing to isolate and execute them in a secure environment. By implementing a data classification standard, DLP scans can be performed offline while sharing requests can be processed in real-time.
In the next post, I’ll discuss the challenge in balancing privacy with transparency. While users across your extended enterprise expect easy access to sensitive content, they also expect complete confidentiality.
Don’t want to wait? Download the eBook now!
The Risky Business of Online Collaboration