The “M & M” model of data security (hard shell, soft inside) has been the standard for most enterprises for decades, based on a number of assumptions:
- All our mission-critical and Tier 1 applications are maintained inside our secure network.
- The bad guys are outside the firewall.
- We train our IT organization well, so they minimize mistakes.
Just a quick glance at the recent headlines and analyst reports illustrates how drastically the world has changed.
1) Organizations no longer have a clearly defined perimeter.
Company assets can no longer be fully defended by a firewall, designed to protect discrete physical servers nestled in locked rooms. The growth of virtualization makes servers, applications and data both fluid and mobile. Organizations are running applications and servers the public cloud, taking data completely outside the scope of traditional security methods and putting it out of your immediate control. Even if you don’t have an official cloud strategy, it’s highly likely that employees are using cloud-based tools for collaboration, file sharing and testing and development, often in direct conflict with corporate security policies.
The reality is that the cloud is here to stay. Consequently, the methods we use to secure data in this complex and dynamic environment must adapt.
2) The Bad Guys are already inside: The poster child for insider-threats, Edward Snowden, made it patently clear that organizations need to have better controls around privileged users. Successful spear-phishing schemes regularly grant malicious outsiders access to trusted networks, resulting in breaches that can take months to uncover and millions of dollars to remediate. According to the Verizon Data Breach Investigations Report, 62% of breaches go undetected for months, significantly increasing the possibility for damage.
Virtualization worsens this problem, because it concentrates risk. Applications and data become co-mingled and administrators have access to virtually everything. Damage or theft can be done in an instant, just by copying or deleting virtual machine files.
Employee training – or lack of it - is also a factor. In a recent Forrester report ‘Understand the State of Data Security and Privacy: 2013 To 2014,” Heidi Shey noted,
“In Forrester’s recent study of information workers in North America and Europe across SMBs and enterprises, only 42% of the workforce indicated that they had received training on how to stay secure at work, and only 57% say they are aware of their organization’s current security policies.
At a bare minimum, make sure a) you have a security policy and b) you communicate it to your employees. Go a step further than just sending including these policies in your new employee handbook (they are overwhelmed at that point and even if they sign it, it’s unlikely they actually read it). If you don’t have the expertise in house, there are numerous companies that can provide training to teach employees how to avoid phishing and other advanced persistent threats.
3) Simple mistakes create more security breaches than malicious attacks. Even the most well-trained IT staff are human. While most organizations rightly worry about assaults on their data from hackers stealing data for profit, there is also the reality that a simple misconfiguration can also expose sensitive or regulated data. The breach notification laws don’t care about who is at fault: if it’s your unencrypted data that was exposed, you bear the cost and responsibility for notifying your customers or clients.
Again – the potential for bigger breaches or catastrophic datacenter disasters is much higher in virtualized environments. The cloud is built for agility, which means entire applications can be spun up, cloned, paused, or deleted in a matter of seconds. It is crucial that you implement controls and policies to ensure that privileged users – or those who gain their credentials – are prevented from doing damage.
The cost of breaches is increasing
Research by the Ponemon Institute about the cost and volume of data breaches noted that the 56 companies they surveyed experienced 102 successful attacks per week, with a median annualized cost of $8.9 million. Both the number of attacks, and the cost, continue to trend upward each year.
The definition of a breach is also changing. Judges who determine the cause for class action lawsuits have also broadened their definition of how damages are defined. InfoSecurity Magazine commented on about the skyrocketing costs of legal damages and attorney’s fees associated with data breaches, and the impact this is having on companies.
So, as you look forward to next year, what does your 2014 ‘perimeter’ look like? If it looks more like lacey Swiss cheese than a concrete fortress, then it's time to evolve your organization’s approach to security.