How the pandemic has influenced CISO thinking
Enterprises across the globe are disrupting the way we work in their own small ways, effecting a bigger shift in the traditional work set-up. Microsoft recently spoke about digital empathy, an ideology that acknowledges that a huge workforce is working in unprecedented times from wherever they are and needs the best user experience to take the edge off connecting remotely. Security has emerged as possibly the single biggest factor that influences how well enterprises digitally empathize with their workforce.
With employees no longer working in an office set-up and instead working on whatever devices they can reach fastest, organizations have no control over the networks the employees access or the devices they use. Digital transformation has left traditional perimeter security models in the dust as it leaps into people’s homes. VPN systems are being challenged to take on the burden of virtual meeting rooms as they strain to handle traffic loads they were never designed for. The loss of control has left many IT managers in the lurch as they grapple with the fear of malware entering the organization’s network through employees’ unauthorized networks and devices.
A savior seems to have emerged in the form of the Zero Trust model, and organizations have been quick to take notice and are starting to adopt it. Zero Trust isn’t new, but it has certainly gained visibility in the current climate. As the name suggests, the zero-trust model is an approach that relies on confirming identity at all times for every transaction. Any attempt at access is, by default, viewed as a breach, and no network, device or user is trusted unless correctly authenticated.
In the context of secure data backup, this means securing your backed-up data wherever it resides, be it on your server, on your SaaS platform or on-premises. The zero-trust model has three principles that ensure your data stays secure:
- Verify explicitly
Identity is the key for every user. Verifying users wherever they are, inside the perimeter or coming in from Timbuktu, is the core value of this principle. The model expects that you have one single centralized source of truth when it comes to admitting users into your network. Azure Active Directory is a great example of how to implement elements of identity verification such as a single namespace and a single authentication scheme.
- Principle of least privilege
The principle simply means that every user gets access to only what they need and only for the time they need it to get the work done. Some ways to ensure this are to track and secure every privileged account, implement access controls, record privileged activity, and automate privileged tasks to reduce the load on IT admins.
- Assume breach
The shift from prevent breach to assume breach couldn’t have had a better brand ambassador than remote work. It works on the principle that if someone has malicious content they want to spread, they will do it through any channel, even your trusted users. Hence, you validate access no matter who it is. How do you implement this validation? Azure Active Directory, as mentioned earlier, Okta, Google MFA; there are several options.
Zero Trust is great in that it ensures the right behavior for users and devices. But what happens to data? Ensuring that data is safe and protected is important for businesses for several reasons, not least of which is regulatory compliance. Data backup solutions, which are designed to make redundant copies of all user data, are also an important defense against ransomware and against malicious deletion by insiders. Protecting data becomes especially critical when users are working from home.
A recent survey that Microsoft undertook showed CISOs’ changing priorities as the pandemic took over the world. Endpoint data protection is now the top priority in CISOs’ minds, tied for first place with multi-factor authentication solutions.
But data being backed up needs to be safe both during transfer and at rest. Using secure transfer protocols such as HTTPS with TLS 1.2 and strong cipher suites is critical. Data at rest in the backup vault should be protected with strong encryption.
I am sure many of you have followed the recent developments in the EU with considerable interest. The EU courts threw out the US-EU Privacy Shield, which is actually a re-worked version of the Safe Harbor agreement from earlier years, which basically defines how US firms will safeguard EU data. Essentially, the EU courts have decided that the privacy laws in the United States are not sufficiently strong to protect the rights of individual EU citizens. Clearly, this is not the last we’ll hear of this topic, and the struggle between the primacy of citizen rights versus the rights of governments to access citizen data for the larger good of society will continue for some time.
But while these tussles get sorted out by regulators and governments in courts of law, businesses need to ensure that their choices are not constrained. Businesses should still be able to pick the most cost-effective data center for their needs, no matter which geography, without worrying about regulators and laws.
And that’s where Segregation of Duties comes in. Strong encryption, combined with strict enforcement of Segregation (or Separation) of Duties (SoD), is an effective way for businesses to ensure privacy for their data, no matter which geography they choose for their data center. Basically, SoD puts control over encryption, and over the encryption keys, in the hands of the business instead of in the hands of the SaaS vendor or the cloud infrastructure provider.
So, when implementing a data protection strategy, don’t forget to think about strong encryption for data at rest and, even more importantly, SoD.
According to Gartner, “by 2022, 90% of organizations will recognize that mitigation of privileged access management risk is a fundamental security control.”
At Parablu, we have been helping customers protect their user data no matter where those users are. And we’ve continued to do so during the pandemic even as employees started to work from home in increasing numbers. In fact, we’ve seen a surge of interest in secure, remote data backup due to the current situation – which is one of the reasons we decided to put out this blog post.
To summarize, here are a few things to keep in mind:
- Identity management is a key component of Zero Trust. Think of integration with Azure Active Directory, with the added ability to implement multi-factor authentication. Parablu’s products work with Azure AD, Okta, Google, etc.
- Encrypt your data so that nobody except those you intend to have access can read it. AES-256 encryption with strong keys and a strict segregation of duties: that’s the recipe for success here.
- Ensure that your data is vaulted in secure and compliant data centers. All data transfers should be over HTTPS on port 443, using TLS 1.2 with strong cipher suites, so that your data isn’t sniffed in transit.
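One way to put the segregation-of-duties point above (and the earlier SoD paragraph) into practice in a backup client, written here as an added example and not Parablu’s own code or any product’s API: the business generates and keeps the 256-bit key, every object is sealed with AES-256-GCM before it leaves the endpoint, and the vault or SaaS vendor stores only ciphertext it cannot open. The function names, the sample payload and the fixed key are constructed for illustration; where the business stores the key (HSM, KMS, vault) is outside this snippet.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// gcmFor builds AES-256-GCM around a key the business generated and holds
// (segregation of duties). Any key that is not 256 bits is rejected rather
// than silently downgraded to AES-128 or AES-192.
func gcmFor(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one backup object on the endpoint before upload. A fresh
// random nonce is prepended to the ciphertext so Open can recover it; the
// GCM tag lets Open detect any change made to the stored blob.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a blob on restore. A wrong key (the vendor or vault operator
// never holds the right one) or a modified blob fails the tag check instead
// of returning garbage.
func Open(key, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob shorter than nonce")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], nil)
}
```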
Don’t be overwhelmed by the weight of it all. All this may seem like a ton of additional things to do on top of the challenges the pandemic already poses. We are here to help.
We talk about data protection and privacy issues on our blogs, in our webinars, and in our case studies. We try to let our readers in on how we tackle day-to-day challenges in these areas with our customers. Access them all here, and if you need help with your data protection strategy now that your users are working from home and want an expert opinion, contact our experts for an unbiased view.