Why enterprises need a data-centric approach to security [Q&A]
Most cybersecurity focuses on keeping out threats, but there's an increasing view that everyone is going to get breached sooner or later and that protecting data is key to keeping a business safe.
We spoke to Kurt Mueffelmann, global chief operating officer of Nucleus Cyber -- which has recently been acquired by Australian access control company archTIS -- to find out more about how this approach works.
BN: Is focusing on data really just another way of looking at zero trust?
KM: We really want to make sure that at any given time, no matter who you are, where you are, or what you're trying to access, that we can dynamically validate everything in real time. To do that you need attribute-based access controls. Obviously this is easier in your office sitting behind a desktop on a corporate device VPN, but even before COVID people were in transit or they were working at home and they weren't working nine to five. They wanted access in planes, hotels, customer sites, and coffee shops down the street.
So, you analyze what's actually in the document or file itself. You identify, is this document of some value to you, does it contain intellectual property or personally identifiable information? We have an intelligent rules engine that actually can identify that. As an example something that was in the news the other day was the UK Special Forces data breach where information was in a spreadsheet. There's nothing wrong with it being in a spreadsheet provided you know who could have access to this information and in what format. The first thing then is identifying information and determining is this of value or not? And the second thing is actually dynamically controlling who should have access to it and who can share that information in real time.
The third thing is most organizations out there are looking for some sort of control and reporting. What have you done with this document, have you printed it, cut, copied, pasted, have you shared it?
BN: So can this help control shadow IT too?
KM: Yes, the file has to come from someplace, right? Let's use Microsoft Office 365 as an example, anytime a document is created or modified in Office 365 it’s up into the cloud. By grabbing that document before it's actually finalized we can make sure that we don't violate any sovereignty of that information or where that data is being kept.
The customer's data is their data, so we should not have access to that. What our tech does is intercept that data within their 365 environment, we scan it and then we can basically put instructions or policies around what can you do with that information. So, we could put a policy in to say that you can access that information. Maybe you can download it, but only for certain things. Maybe it's encrypted and every time you access this outside of 365 you actually have to wind up the authenticated back end to make sure it hasn't been corrupted from a malware or ransomware perspective.
BN: Isn't this going to introduce an overhead for people accessing data?
KM: We want to make it very easy to use, so our technology doesn't have any agents, doesn't have to enter a training mode, everything's taking place behind the scenes. So the end user doesn't even know what's taken place during the process. We also wanted to make it very rapidly deployable, so we deploy into the customer instance of Azure and, given our tight relationship with Microsoft, that ties directly into your Office 365 environment.
Because there's no agent it doesn't matter if you're accessing information on a corporate device, a personal device, a desktop or a tablet. Today you really shouldn't have to worry about where you're accessing that information from, so that's why you should be protecting the data and not the device itself.
BN: Has the COVID effect meant that companies have left security behind in the rush to remote working?
KM: We saw that people rushed to employ technology like Teams for video and chat, but of course there are other things available around it like exchanging documents. Everyone then said, "Oops, now that we've opened up everything from a collaboration perspective we have to go back and secure it." So I think there's a little bit of a hesitation right now when people are coming back to the office and we're going into a hybrid environment where people are starting to travel again. We need to make it easy for people to access information, we need to make it painless for users. COVID really lit the fuse to what people need from a secure collaboration standpoint, but I think organizations are still playing a little bit of catch up in making sure that things are secure.
BN: Does there need to be a shift in the security issues enterprises focus on?
KM: The breaches you tend to hear about in the press are the ones where consumers have their credit card details or health insurance numbers stolen. But attacks that involve nation state penetration and hacking into government systems for defense and national security, or finding that there's overseas criminal activity or corporate espionage people coming in and taking intellectual property that cost billions of dollars, that's where the true value is, and so that's where the data-centric approach to protection really comes in.
This comes back to the whole aspect around zero trust computing. Anytime someone tries to access a file, or folder, or information, it should be determined at that point in time whether they should have access to it or not, that's something evolving through this process.