Lock Down Your Sensitive Enterprise Content to Prevent a Data Leak
Your enterprise content is everywhere. Literally everywhere. On laptops, phones, on-premises servers, and in the cloud. Employees can access content – much of it sensitive – from any location, allowing them to work from anywhere at any time. But content that’s easily available is also easily susceptible to a data leak. Without comprehensive data encryption and secure data access at every layer, from physical data storage to network communications, a data breach is practically a foregone conclusion.
The modern enterprise spends millions of dollars on cybersecurity, yet the modern CISO can’t say in any specific detail what information is entering and leaving the firm. If you can’t see it, you can’t defend it. Everyday workflows in which employees exchange sensitive information with external parties expose the firm to constant threats, including leaks, phishing, malicious files, and compliance violations. These external workflow threats share a common theme: a user is the actor, and a file is the agent. Complete protection requires a defense that spans the full breadth of the associated threat surface: the collective paths of all files entering and leaving your organization.
In my last blog post, I discussed shrinking the threat surface by constructing secure external and internal perimeters. Today, I’ll discuss hardening the threat surface to prevent unauthorized access to sensitive data.
Harden the Threat Surface
Every point along the external workflow threat surface should be hardened to protect against a data breach. The first order of business is to lock down the entrances and exits that let files in and out of your organization. External file sharing should be allowed only through approved end-user applications and content repositories secured by enterprise content access controls. Access should be tightly controlled through security integrations with standard SSO and LDAP implementations, with multi-factor authentication required for the most sensitive content. All enterprise content repositories should be encrypted at rest, and all file transfers should be encrypted from origin to destination. The systems that manage external file transfers should be hardened as well, with severely restricted access.
Figure: CISOs protect their organizations against a data breach when they restrict access to sensitive content. Now, every point along the external workflow threat surface is hardened. (Source: Accellion secure file sharing and governance platform)
Choose Wisely When Storing Data in the Cloud
Public cloud storage presents a significant risk for storing truly sensitive content, such as legal documents, health records and proprietary IP. It not only exposes data to unauthorized access by unknown third parties; the consolidation of data also creates a honeypot for attackers and increases the risk of a large-scale breach.
Depending on jurisdiction, that honeypot can even attract the government. For example, the US CLOUD Act of 2018 allows US law enforcement to compel technology companies via subpoena to provide data stored on their servers, regardless of whether the data is stored in the U.S. or on foreign soil. In plain English, your sensitive data can be collected in bulk without your knowledge or approval. As a result, an on-premises, private cloud, or hybrid cloud deployment for content repositories should be the standard for truly sensitive information and IP.
In the next post, I’ll discuss defending the threat surface against internal threats by applying tight governance over file transfers to prevent data breaches. Unless you ensure that all sensitive files are stored in the appropriate content repository, where access can be tightly managed and monitored, sensitive files can leak out undetected. Future posts will cover concepts like blocking malicious attacks and building a holistic, proactive defense that spans the entire threat surface.