It's your data: how to protect it now
It seems as if every week there’s another breaking story about an exploited network vulnerability that resulted in a security breach. The penetrations vary: Some are wide-scale orchestrated attacks, a la the Home Depot hack. Some hack events are less sensational, accompanied merely by the announcement that vast amounts of personal information were exposed -- or compromised -- because trusted technology providers offered lax security measures.
In some cases, we learn that passwords to accounts (that often hold vital personal information) have been leaking for some time before the security flaw was discovered and patched.
A Public Numbed to Poor Security
Thus in various ways do major companies join the "Data Breach of the Week Club". With the sheer abundance of these types of stories, it’s easy to become numb to how serious they are -- even to feel as if the breaches were inevitable. Certainly, when any data reside in a provider’s solution or data center, it is the duty of that provider to secure the information at every step. That’s how it works in an ideal Web-based world, at least.
But realistically, we, the information technology professionals, must now also arm ourselves. We must always be prepared to combat future security threats to protect our colleagues, and the public we serve. This stance applies especially while we use consumer-grade data sharing software, which is quickly becoming an attractive target for hackers.
IT Professionals Hit Security Roadblocks
But even corporate security experts need to bring their game up. We recently conducted (with the Ponemon Institute) a survey of 1,000 IT professionals, and learned about half of the respondents felt they couldn’t see how file sharing applications were used in their networks.
They also felt unable to control user access to sensitive information. More sobering, more than 60 percent of respondents confessed they’ve "often" forwarded documents to the wrong people -- and even used their personal file sharing apps at work.
Weapons for the IT Security Arsenal
This calls for a response. To harden our networks, I suggest, for starters, we consider the following technologies (and their related procedures). Some measures may seem obvious, others esoteric. None should be ignored.
It’s hard to be over-cautious, so here are our recommendations:
Two-factor authentication: Businesses should always use two-factor authentication (2FA) for an extra layer of security protection. Two-factor authentication uses two of three security vectors:
- Something you know (password or PIN)
- Something you have (work ID badge or bank card)
- Something you are (fingerprints or biometrics)
This approach erects a barrier to protect personal data from a wide-scale attack or breach. It’s possible that someone could break into a database and steal your password, possibly without your knowledge. But such a hacker can’t get too far with those passwords without a corresponding factor -- one that you keep safely on your person -- or that is your person.
I’ll cite the recent high-profile iCloud hack (which compromised personal celebrity photos) as an example of the need for two-factor authentication. That hack was probably achieved by a simple method: The perpetrators just kept guessing at the passwords until they gained access to these accounts.
Apple immediately responded by putting up a 2FA wall on iCloud accounts. Regrettably, this was just a little too late to help the victims of the hack -- but at least Apple knows 2FA will go a long ways to prevent such a breach from reoccurring.
Unique, complex passwords: While we’re on the topic of hardened security, let’s discuss passwords. Strange to say, but the password is one of the biggest security threats ever. Why? Because, for a malicious actor, it’s the easiest method to walk into an enterprise and, unhindered, take anything of value. So when a password must be used, length and complexity are absolute requirements. Short (and weak) passwords can be cracked via brute force in a matter of hours, perhaps even minutes.
Additionally, the reuse of passwords across different accounts is a common and rather dangerous practice. Nothing makes a hacker’s life easier. Let’s say vendor A does its part to securely protect a password. If the customer reuses that password for, say, a consumer file sharing service that doesn’t preserve user confidentiality, then vendor A’s precautions are for naught. (Single-sign on tools help reduce this risk -- combine them with identity and access management tools, and you reduce the risk still further.)
Risk-based authentication: This takes 2FA to the next level, by classifying each individual login attempt according to a specific risk score. This allows malicious activity to be detected early -- without placing any burden or inconvenience on the rightful owner of an account.
The scoring is done based on the characteristics of the attempt. For example, an organization’s employee who logs into a Salesforce.com account, using the same laptop, at roughly the same time each day, from the same IP address, is likely to have a low risk score. But an attempt to access a finance system from an individual’s tablet, from an unknown IP address (in the middle of the night from Beijing) is likely to earn a higher risk score.
Risk-based authentication is a proven set of technologies and practices. It replicates the tools now used by banks to detect the fraudulent use of stolen credit cards. Other companies looking to boost security can also leverage risk-based authentication.
Information rights management (IRM): This allows document-level security to remain with a document wherever that document resides. That applies inside or outside the corporate boundary, on mobile or desktop devices, as well as with on-premise apps or in the cloud. IRM has evolved document security to new levels of usability through plug-in-free technology.
Customer managed keys (CMKs): Putting the keys used to encrypt content in the user’s hands protects this content, wherever it resides. Not even a cloud provider hosting the customer’s content can decrypt that content without the CMK. While CMK is still in its early stages of adoption, as time goes on, I believe it will be a key factor (no pun intended) to enable us to adhere to evolving data sovereignty regulations.
At the end of the day, the burden to protect our data falls on us and our colleagues. Combine ironclad security with best practices and training and make the hackers earn their money -- or better yet, let’s put them out of business completely.
Image Credit: Maksim Kabakou / Shutterstock
Daren Glenister is the field chief technology officer for Intralinks, a global provider of secure collaboration tools for highly-regulated industries. Glenister interacts with the company’s enterprise customers across the Americas, gathering valuable feedback that helps steer the direction of the company’s award-winning secure collaboration solution, Intralinks VIA. Glenister has 20 years of experience in security, software and customer relationships. Prior to joining the Intralinks team, he was vice president of technical sales of the security division at CA Technologies.