Preserve IP and PII With Dynamic Governance Over External Workflows
Internal file threats entail a breach of sensitive information from secure content stores to unauthorized third parties. To prevent them, you must ensure that all sensitive files are saved to the correct repository, and then tightly control who, when and how files can be retrieved. Assuming you have shrunk the threat surface with enterprise content integration, making it safe and easy for users to save and retrieve files, then the next step is to inspect every attempted retrieval and block unauthorized requests.
The modern enterprise spends millions of dollars on cyber security, yet the modern CISO can’t say in any specific detail what information is entering and leaving the firm. If you can’t see it, you can’t defend it. Everyday workflows where employees exchange sensitive information with external parties expose the firm to constant threats, including leaks, phishing, malicious files, and compliance violations. These external workflow threats have a common theme: a user is the actor, and a file is the agent. Complete protection requires a defense that spans the full breadth of the associated threat surface: the collective paths of all files entering and leaving your organization.
In my last blog post, we discussed hardening the threat surface by restricting access to sensitive data. Today, I’ll discuss defending the threat surface against data breaches by employing tight governance over all file transfers.
Limit Content Access and Analyze File Transfer Metadata
Enterprise content access should be tightly governed with highly granular user-level permissions that ensures data privacy. The most sensitive content should be segregated, so that additional security measures can be easily applied, such as multi-factor authentication. This is all standard best practice. However, a CISO dashboard that monitors the entire file transfer path—the end-to-end threat surface—enables real-time application of stronger security measures based on transfer metadata, such as sender, receiver, origin, destination, and time of transfer.
Granular permissions and content scans ensure that only authorized files are retrieved and sent externally. [source: Accellion secure file sharing and governance platform]
Deploy Data Loss Prevention as an Additional Line of Defense
On a file-by-file basis, DLP can be deployed to deny unauthorized requests based on the content. This process can be accelerated by implementing a data classification standard that allows DLP scans to be performed offline and requests for sensitive content to be processed in real-time. This type of context-aware, content aware dynamic security and governance can only be applied along the natural threat surface of external workflows: users, applications and files. It is impossible to apply it at the network and physical layers, because the relevant data is either unavailable or encrypted.
In the next post, I’ll discuss defending the threat surface against external threats by inspecting every file to block malicious attacks. Future posts will cover concepts like building a holistic, proactive defense that spans the entire threat surface.
Protecting Sensitive Content in a Dangerously Connected World