Building and executing a cybersecurity strategy rooted in identity and data access governance, argues Harry Wang, Senior Manager, PricewaterhouseCoopers Consulting, will help companies devise effective means to protect data, detect threats and ultimately reduce the risk of data breaches.
Whether it’s intellectual property, client lists, personal information or behavioural analytics, data is oftentimes a company’s most valuable asset. However, it’s not just the companies who find it valuable; 'threat actors', both from outside and within, may also be looking to gain at the company’s expense. The latest PricewaterhouseCoopers (PwC) 21st CEO Survey finds that the most common concern for respondents (comprising 1,293 CEOs from around the world) is the cyber threat to their businesses. Despite increasing cyber awareness and the investments companies are making in their security programmes, threat actors are continuing to find ways into networks and extracting sensitive data. Also, changes in how we use data, the adoption of cloud-based services and the increased sophistication of threat actors all contribute to the rising number of attacks.
Behind nearly every data breach is an identity that commits it, whether an insider already within the network, an external party who has gained unauthorised access, or a negligent employee. Companies are now finding the need to shift from a perimeter or 'endpoint' defence approach to 'data-centric' security with a focus on identity – this means not only monitoring and securing data directly, but also understanding which users are interacting with data and how.
The rise of massive data breaches
According to PwC’s Global State of Information Security Survey (GSISS) 2018, an annual report which draws on the responses of 9,500 executives in 122 countries and more than 75 industries, 75% of respondents from China and Hong Kong experienced cyber attacks in 2017.
Last year (2017) saw some of the most significant data breaches in history. Nearly 145 million records were compromised in a single incident, where personally identifiable information, such as social security numbers, birth dates, addresses and driver’s licenses of nearly every American adult were compromised. Movies, TV shows and scripts at a major entertainment company were breached prior to release and held ransom by hackers. Millions of healthcare records were breached at a major insurance company. Even security firms have been breached. The list goes on.
Regulators are weighing in
Regulators from around the globe are recognising the changing security landscape by enforcing new industry-sweeping cybersecurity and privacy regulations and fining companies along the way. A large US-based insurance company was ordered to pay US$115 million for a data breach that occurred in 2015, in which nearly 80 million personal records were compromised, including birthdays, medical IDs/social security numbers, street addresses, email addresses, employment information and income data. Regulations such as Europe’s General Data Protection Regulation carry fines of up to 4% of global annual turnover, while China’s Cybersecurity Law and the Philippines’ Personal Data Protection Act include not only hefty fines but also hold operators personally liable, which could result in jail time.
Data breaches have real consequences
Data breaches are impacting organisations in a big way, including loss of trust, brand degradation and damage to the company’s bottom line. Of the GSISS 2018 respondents from Hong Kong and China who experienced cyber attacks, 35% reported brand reputation compromise and 38% experienced financial losses.
Customer records were the most compromised according to the survey. Compromised data such as government-issued identification numbers, physical and email addresses, health records, and personal analytical data is especially damaging as it is unlikely to change over time. Victims of these types of breaches are continually at risk of identity theft or fraud due to the nature of data.
The relationship between user and data has changed
In the past, IT security programmes focused primarily on the perimeter – network firewalls, intrusion detection systems and antivirus software designed to keep attackers out of the network. When the typical IT infrastructure consisted of laptops, desktops, central critical applications, and the network traffic in between them, this was a manageable approach. Within the enterprise and purview of IT teams, enterprise applications, such as enterprise resource planning and customer relationship management systems, stored most of a company’s most sensitive information in databases. Data stored in databases is often referred to as structured data, as it is formatted in a relational and predictable model.
Today, endpoints extend to mobile devices, Internet of Things (IoT) and other interconnected devices and services, including third-party vendors. The enterprise has struggled to keep up, as mobile device exploits were the most common causes of security incidents. Furthermore, now more than ever, information is being extracted from critical systems and stored across the enterprise as unstructured data. Unstructured data includes any form of data that does not fit a structured model; it can exist as documents, spreadsheets, presentations and reports, and is typically stored in individual files.
Research and advisory firm Gartner estimates that unstructured data accounts for over 80% of all data within an enterprise and that this proportion is growing. Users are storing the data where it can be accessed most conveniently and, oftentimes, this may not be the most secure location. Monthly financial reports, strategic roadmaps and client lists can be extracted from critical systems and shared with users through cloud-shared drives, SharePoint team sites and emails. With threat actors increasingly targeting unstructured data as low-hanging fruit, this introduces a new set of challenges and questions, including:
- Where is my data, especially my sensitive data? Many companies don’t have control over their unstructured data. They do not know where data is stored or what data is sensitive.
- Who owns the data and what are they doing with the data? Companies do not have visibility into who the data owners are, who is accessing the data or what are they doing with the data.
- Who is responsible for unstructured data? Sensitive data is stored within and beyond the enterprise and users are now the ones who own unstructured data.
Given so many file storage options and data owners, securing data can become an unmanageable task.
A changing of the IT guard
With an increasingly complex web of endpoints, the proliferation of unstructured data and the growth in attack vectors, acknowledging that a cyber attack will likely occur is perhaps the first step to becoming more cyber resilient. Just because an attack occurs doesn’t mean it will result in a data breach, and companies are deploying security enforcement tools to better protect their data.
Encryption. Encryption, the process of encoding information in such a way as to keep unauthorised users out, is a highly effective security mechanism. Data owners are able to identify how and where sensitive data are stored within databases, and encryption can be applied to sensitive fields and databases where only authorised users are able to view the data. Although encryption has been around for decades, the headlining of data breaches has spurred companies to action. Also, real-time encryption across formats was impractical given the processing power required at the time was not readily available. Today, power is less of an issue and encryption is becoming more prevalent, extending to applications, hard drives and file shares to include unstructured data.
Access management. Requiring authentication methods such as username/password and multi-factor authentication (one-time passwords, biometrics, etc) helps control and limit access to encrypted data. Rights are granted through a series of access requests and approvals.
Data loss prevention (DLP). These technologies typically monitor the network and prevent sensitive data from leaving the premises. They have been around for years and are effective in establishing rules to prevent certain file types and files containing key words from leaving the network.
Privileged access management (PAM) tools. Managing privileged user access is a critical part of keeping data secure. With elevated rights, attackers can more quickly gain access to critical systems, compromise additional accounts and also hide their tracks more easily. PAM tools include capabilities such as the ability to enforce segregation of duties, track and monitor each command executed by the user, and a check-in/check-out password management system where the password can be changed with each login.
The insider threat
While security enforcement tools lessen the risk of unauthorised access, these mechanisms alone are not enough. Applications are still susceptible to other attacks, such as insider and insider-related threats. Insiders are difficult to detect and can go unnoticed for months because these attacks typically use legitimate accounts to access data, and can cause some of the most harm to a company. For example, current or former employees have legitimate access to sensitive data and can abuse this privilege by downloading terabytes of structured and unstructured data before their termination date.
Insider-related incidents in China and Hong Kong are the highest in the world, where 42% of respondents reported former employees as a source of incidents.
Insider-related threats also include external threat actors who have compromised legitimate accounts. External attackers can use accounts to gain access to critical applications. Despite securing the database, once authenticated, attackers can view data through the application unencrypted, rendering encryption useless. A global travel technology company experienced such a breach when attackers compromised an account, which ultimately compromised thousands of records containing payment card information, reservation details and personal customer information.
Establishing a governance-based approach to securing data
At its core, there are only two actors to every data breach: (1) the sensitive data and (2) the identity used to access it. Establishing governance for both identities and data access just makes sense. Identity governance adds insight to security risks through the constant monitoring and management of users and their activities and helps companies answer the following questions.
- Who currently has access?
- Who should have access?
- How are people getting access?
Understanding who has access to applications and files, whether they should have access, and how individuals obtain access greatly reduces the attack vectors and the time attackers have at their disposal. These solutions, when properly deployed, can accomplish this via the following routes.
- Automating provisioning/deprovisioning. Without identity solutions, creation, updates and removal of accounts can be highly manual, error prone and delayed. Attackers can compromise old or unused accounts, or even create new accounts undetected within the network. These accounts are often not linked to any active user and are regarded as ‘orphaned’ accounts. Identity governance solutions constantly monitor active accounts and can automatically remove accounts when an employee leaves, or flag accounts without ultimate owners.
- Managing access rights. During employees' tenure, they accrue access rights over time as they change job functions, which can lay the foundation for an effective insider exfiltration of data. Also, a common tactic for hackers who have already infiltrated the network is to escalate their privileges. Deploying identity governance solutions gives visibility into whether these rights make sense, simplifies the recertification process and automates remediation.
- Managing privileged users. PAM tools manage user activity, but do not manage the users themselves. Leaving a company’s most powerful user accounts unmanaged greatly increases the risk of a compromise going undetected. Identity governance complements PAM in this regard.
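The three routes above (removing orphaned and leaver accounts, catching access accrued across job changes, and keeping an eye on accounts nobody uses) are checks that an identity governance solution runs continuously. The following Python script is an added example, not code from the article or from any vendor's product; it assumes a constructed HR roster, a per-role entitlement baseline and a list of accounts, and reconciles them into the actions a provisioning workflow would automate.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Constructed sample data (assumed, not from the article): an HR roster keyed by
# employee id, the baseline entitlements each job role should carry, and the
# accounts that actually exist in the target systems.
ROSTER: Dict[str, Dict[str, str]] = {
    "E100": {"status": "active", "role": "accounts-payable"},
    "E101": {"status": "active", "role": "sales"},        # moved here from finance
    "E102": {"status": "terminated", "role": "finance"},  # leaver, not yet deprovisioned
}

ROLE_BASELINE: Dict[str, Set[str]] = {
    "accounts-payable": {"erp-ap-read", "erp-ap-post"},
    "sales": {"crm-read", "crm-write"},
    "finance": {"erp-ap-read", "erp-gl-read", "erp-gl-post"},
}

AS_OF = date(2018, 5, 15)  # the date the reconciliation is run (constructed)


@dataclass
class Account:
    account_id: str
    owner: Optional[str]        # employee id from the roster, or None if unknown
    entitlements: Set[str]
    last_login: date


ACCOUNTS: List[Account] = [
    Account("jdoe", "E100", {"erp-ap-read", "erp-ap-post"}, date(2018, 5, 1)),
    # kept a finance posting right after moving to sales: accrued access
    Account("asmith", "E101", {"crm-read", "crm-write", "erp-gl-post"}, date(2018, 5, 2)),
    # owner has left the company but the account still exists
    Account("bjones", "E102", {"erp-gl-read", "erp-gl-post"}, date(2018, 4, 30)),
    # no owner recorded anywhere: an orphaned account
    Account("svc_old", None, {"erp-gl-read"}, date(2017, 11, 3)),
]


def orphaned_accounts(accounts: List[Account], roster: Dict[str, Dict[str, str]]) -> List[str]:
    """Accounts with no recorded owner, or whose owner is no longer active in HR."""
    return sorted(
        a.account_id for a in accounts
        if a.owner is None or roster.get(a.owner, {}).get("status") != "active"
    )


def accrued_entitlements(accounts, roster, baseline) -> Dict[str, List[str]]:
    """Entitlements an active owner holds beyond the baseline for their current role.
    These are the candidates a recertification should put in front of a manager."""
    findings = {}
    for a in accounts:
        emp = roster.get(a.owner or "")
        if not emp or emp["status"] != "active":
            continue  # leavers and unknown owners are handled by orphaned_accounts
        extra = a.entitlements - baseline.get(emp["role"], set())
        if extra:
            findings[a.account_id] = sorted(extra)
    return findings


def dormant_accounts(accounts, today: date, max_idle_days: int = 90) -> List[str]:
    """Accounts unused for longer than max_idle_days; nobody notices when an
    account like this starts being used again, which is why attackers favour them."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(a.account_id for a in accounts if a.last_login < cutoff)


def governance_report(accounts, roster, baseline, today: date) -> Dict[str, object]:
    """One pass producing the three actions a provisioning workflow would automate."""
    return {
        "disable": orphaned_accounts(accounts, roster),
        "recertify": accrued_entitlements(accounts, roster, baseline),
        "dormant": dormant_accounts(accounts, today),
    }


if __name__ == "__main__":
    for action, items in governance_report(ACCOUNTS, ROSTER, ROLE_BASELINE, AS_OF).items():
        print(f"{action}: {items}")
```

The reconciliation is deliberately driven by the HR roster rather than by the accounts themselves: an account is only as legitimate as the active identity behind it, which is the point the article makes about orphaned accounts. In a real deployment the roster and account lists would come from the HR system and the connected applications, and the "disable" list would feed the deprovisioning workflow rather than a print statement.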
Similar to managing identities, data access governance solutions are designed to extend identity governance tactics to govern unstructured data through a number of different mechanisms.
- Finding your data. Discovery of unstructured data is vital to minimising security risk and to regulatory compliance. It helps companies identify where unstructured data is stored on file stores and team sites across the enterprise, both on-premises and in the cloud.
- Taking action on sensitive data. Once sensitive data is found, companies can immediately perform remediating activities, moving these files to secure locations or removing them from the network.
- Identifying data owners. One of the biggest challenges for unstructured data is identifying who the owners are. Empowering data owners to self-govern access to files encourages a security-aware work culture.
- Using identity context to manage data access. Combining identity governance and identity governance for files under a single pane of glass provides a holistic picture of how the identity and the data relate and whether data abuse is occurring.
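The four mechanisms above are a pipeline: discover where sensitive content sits, work out who owns it, and then read the file's access list in the light of identity context. The Python script below is an added example, not code from the article or from any vendor's data access governance product; it assumes a constructed in-memory file share (path, recorded owner, readers and text content), a small identity directory, and regular-expression classifiers for a few sensitive data types, with a Luhn check so that an arbitrary digit run is not reported as a payment card.

```python
import re
from typing import Dict, List, Set

# Constructed sample file share (assumed, not from the article): path -> metadata
# with the recorded owner (employee id or None), the identities holding read
# access, and the file's text content as a discovery scanner would extract it.
FILES: Dict[str, dict] = {
    "/finance/q2-report.xlsx": {
        "owner": "E100", "readers": {"E100", "E101"},
        "text": "Q2 revenue by region, no personal data here",
    },
    "/shared/client-list.csv": {
        "owner": "E102", "readers": {"E100", "E101", "E103"},
        "text": "Acme Ltd, contact jane@example.com, tax ref SSN 123-45-6789",
    },
    "/shared/scratch/notes.txt": {
        "owner": None, "readers": {"E103"},
        "text": "customer card on file 4111 1111 1111 1111 exp 12/20",
    },
}

# Identity context (constructed): who each reader is and which department they sit in.
IDENTITIES: Dict[str, Dict[str, str]] = {
    "E100": {"status": "active", "dept": "finance"},
    "E101": {"status": "active", "dept": "sales"},
    "E102": {"status": "terminated", "dept": "finance"},
    "E103": {"status": "active", "dept": "marketing"},
}

# Classifiers. The card pattern is deliberately loose; candidates are confirmed
# with a Luhn check before the file is labelled.
PATTERNS = {
    "us-ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "payment-card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> Set[str]:
    """Labels of the sensitive data types found in a piece of text."""
    labels = set()
    for label, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            if label == "payment-card":
                digits = re.sub(r"\D", "", match.group(0))
                if len(digits) < 13 or not luhn_ok(digits):
                    continue
            labels.add(label)
    return labels


def discover_sensitive(files) -> Dict[str, List[str]]:
    """Step 1: where does sensitive data sit in the share?"""
    return {p: sorted(lbls) for p, m in files.items() if (lbls := classify(m["text"]))}


def ownership_findings(files, identities) -> Dict[str, str]:
    """Step 2: sensitive files that have nobody able to govern access to them."""
    findings = {}
    for path in discover_sensitive(files):
        owner = files[path]["owner"]
        if owner is None:
            findings[path] = "no owner recorded"
        elif identities.get(owner, {}).get("status") != "active":
            findings[path] = f"owner {owner} is not an active identity"
    return findings


def exposure_findings(files, identities) -> Dict[str, List[str]]:
    """Step 3: readers of sensitive files who sit outside the owner's department,
    i.e. access that the identity context says is unlikely to be intended."""
    findings = {}
    for path in discover_sensitive(files):
        owner = files[path]["owner"]
        if owner is None:
            continue  # reported by ownership_findings; no department to compare against
        dept = identities[owner]["dept"]
        outside = sorted(r for r in files[path]["readers"]
                         if identities.get(r, {}).get("dept") != dept)
        if outside:
            findings[path] = outside
    return findings


if __name__ == "__main__":
    print("sensitive:", discover_sensitive(FILES))
    print("ownership:", ownership_findings(FILES, IDENTITIES))
    print("exposure:", exposure_findings(FILES, IDENTITIES))
```

Note how the exposure finding only becomes meaningful once ownership is known: a file with no owner cannot be judged against any department, which is why the article lists identifying data owners before using identity context. Against a real share the text extraction, the classifier set and the department rule would all be richer, but the join between file access lists and the identity directory is the core of what the "single pane of glass" provides.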
By supplementing governance across identities and data with the likes of DLP and access management, companies will find these security tools to be more effective in the long run. In fact, Gartner has stated that 'by 2021, organisations with complementary/integrated identity governance and data access governance capabilities will suffer 60% fewer data breaches'.
Concluding thoughts
As we continue the shift into a more interconnected world, companies have a duty to protect their client, stakeholder, and business data and should view security as a business transformation enabler if they are to build and maintain consumer trust. In this new reality, where companies must assume a constant state of compromise from external and internal forces, visibility into where data is and the ability to identify relationships between users and data will be critical to creating a more cyber-resilient organisation. While there is no single technology or suite of technology solutions that can guarantee the prevention of a cyber attack, building and executing a cybersecurity strategy rooted in identity and data access governance will help companies devise effective means to protect data, detect threats and ultimately reduce the risk of data breaches.
Harry Wang, Senior Manager
PricewaterhouseCoopers Consulting
SIDEBAR: Meet the author
Harry Wang is a Cybersecurity professional at PwC and has over 10 years of experience helping large corporations and government agencies manage cybersecurity risks, addressing issues around enterprise identity governance, access control, privileged management, and insider threat. Working in both public and private sectors, he has developed and led enterprise security strategy and security-focused technology implementations to over a dozen Global 500, Fortune 100, and US federal agencies across banking, insurance, manufacturing, entertainment, hospitality, information technology, military, health and intelligence sectors.