This blog was originally published in May 2022 on ThreatPost.com
Compromised credentials and identities, third-party breaches, API attacks, and application exploits are all common initial-access paths for today’s attackers.
Recent months have brought high-profile breaches, from Samsung and Nvidia to Okta, alongside the continued aftermath of Log4j. Ultimately, though, these incidents are symptoms of the same problem: organizations lack visibility into how their data objects are protected and used.
Until security teams can answer in real time what data they have, who has access to it, and how it is being used, organizations will continue to struggle to communicate the extent of a cloud breach quickly.
When Samsung confirmed that the Lapsus$ group had obtained and leaked almost 200 gigabytes of confidential data, the first question for customers was whether their own data was part of that total, and whether Samsung had safeguards in place to protect it.
Fortunately, Samsung said that no customer personal information was compromised. However, when Okta was breached by the same group just a few weeks later, its security team had difficulty communicating the blast radius because it could not readily pinpoint the location and privileges of all the data within its ecosystem. Delays of this kind erode trust across the broader enterprise community while security teams scramble to establish the full scope of a breach.
With so much at stake, an increasing number of organizations are adopting the Zero Trust security model, which assumes that untrusted actors exist on both sides of the organization’s computing perimeter.
Zero Trust principles, whether applied to identities, networks, or data objects, help organizations systematically reduce risk across visibility, detection, response, and protection. In the modern enterprise, however, implementing Zero Trust for data without breaking business logic is a newer discipline that requires a careful progression from posture management to detection and response to protection, so that the controls themselves do not create business risk or outages.
As the concept of Zero Trust continues to evolve, there are a few practical ways organizations can begin eliminating risk once they have improved visibility and found a solution that works within their cloud or on-prem environment. The United States National Institute of Standards and Technology (NIST), which has released a number of cloud security standards that account for overlapping federal regulations such as HIPAA and the Federal Information Security Management Act (FISMA), is also a useful reference point. It provides supplemental materials that explain how its controls map to and complement other widely accepted standards and frameworks. The NIST model incorporates the following framework:
Visibility into Security Posture:
When companies have visibility into their data security posture, they can set policies for stronger data protection across their cloud environments and decide how each class of data object should be treated. Data Security Posture Management (DSPM) tools are a good starting point for a Zero Trust journey.
Many critical identities and service roles necessarily need permissions to large swaths of data to do their job: privileged identities, applications that front databases or data lakes, and software-supply-chain components such as CI/CD pipelines are all examples. Placing detection and response seat belts around crown-jewel data objects protects them when such identities are misused through phishing or application vulnerabilities.
Organizations should review permissions and entitlements, run cleanup campaigns, and set up governance models so they are prepared to respond to detected incidents. These are longer-term campaigns with major strategic value, and they depend on fine-grained visibility into how data objects are used across different business functions.
Simply put, data is valuable and is an organization’s most persistent asset. Organizations must fully understand where their secrets and intellectual property reside across their entire cloud and on-prem estate. Where is your data? Who has access to it, and is that access monitored? Does your organization retain enough authority over this data that excessive or dormant privileges can be revoked when necessary?
Answering these questions is foundational to a modern cloud data security strategy, especially given the challenge of operationalizing access control or data security without breaking business logic. Left unanswered, organizations will continue to invest time and resources in tangential protections around networks and applications that leave significant gaps through which data can be exploited or taken for ransom.
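To make those questions concrete, here is an added example (not code from the original post or from any vendor’s product) of a least-privilege review run over constructed entitlement and access-log data. It flags grants that are dormant, lists which identities can reach crown-jewel objects so that detection and response can be focused there, and, going one step beyond the text, also surfaces accesses that have no recorded grant, which indicates either a stale inventory or an abuse path. The identities, object names, timestamps and the 90-day dormancy threshold are all assumptions made for the example.

```python
"""Least-privilege review over constructed entitlement and access data.

Added example, not from the original post. It assumes three inputs an
organization would export from IAM and data-access logging: grants
(identity -> data object), access events, and a set of objects tagged as
crown jewels. All names, records and thresholds below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fixed "now" so the run is reproducible; a real job would use datetime.now(timezone.utc).
NOW = datetime(2022, 5, 1, tzinfo=timezone.utc)
DORMANT_AFTER = timedelta(days=90)  # assumed policy threshold


@dataclass(frozen=True)
class Grant:
    identity: str
    data_object: str


@dataclass(frozen=True)
class AccessEvent:
    identity: str
    data_object: str
    ts: datetime


# Constructed inventory tag: which data objects hold crown-jewel data.
CROWN_JEWELS = {"s3://corp-source/", "db://customers.pii"}

# Constructed IAM export.
GRANTS = [
    Grant("svc-build", "s3://corp-source/"),
    Grant("svc-build", "s3://build-cache/"),
    Grant("svc-web", "db://customers.pii"),
    Grant("alice", "db://customers.pii"),
    Grant("bob", "db://customers.pii"),
    Grant("bob", "s3://build-cache/"),
]

# Constructed data-plane audit log.
EVENTS = [
    AccessEvent("svc-build", "s3://corp-source/", NOW - timedelta(days=1)),
    AccessEvent("svc-build", "s3://build-cache/", NOW - timedelta(days=1)),
    AccessEvent("svc-web", "db://customers.pii", NOW - timedelta(hours=2)),
    AccessEvent("alice", "db://customers.pii", NOW - timedelta(days=120)),
    AccessEvent("bob", "s3://build-cache/", NOW - timedelta(days=3)),
    # No grant covers this access: the IAM export and the data plane disagree.
    AccessEvent("carol", "s3://corp-source/", NOW - timedelta(days=2)),
]


def last_access(events):
    """Map (identity, data_object) -> most recent access timestamp."""
    seen = {}
    for e in events:
        key = (e.identity, e.data_object)
        if key not in seen or e.ts > seen[key]:
            seen[key] = e.ts
    return seen


def dormant_grants(grants, events, now=NOW, dormant_after=DORMANT_AFTER):
    """Grants never exercised, or not exercised within dormant_after: revocation candidates."""
    seen = last_access(events)
    out = []
    for g in grants:
        ts = seen.get((g.identity, g.data_object))
        if ts is None or now - ts > dormant_after:
            out.append(g)
    return out


def crown_jewel_exposure(grants, crown_jewels=CROWN_JEWELS):
    """Identity -> crown-jewel objects it is entitled to reach; where detection belongs."""
    exposure = defaultdict(set)
    for g in grants:
        if g.data_object in crown_jewels:
            exposure[g.identity].add(g.data_object)
    return dict(exposure)


def ungranted_access(grants, events):
    """Accesses with no matching grant: stale inventory or an abuse path to investigate."""
    granted = {(g.identity, g.data_object) for g in grants}
    return [e for e in events if (e.identity, e.data_object) not in granted]


if __name__ == "__main__":
    for g in dormant_grants(GRANTS, EVENTS):
        print(f"revoke candidate: {g.identity} -> {g.data_object}")
    for ident, objs in sorted(crown_jewel_exposure(GRANTS).items()):
        print(f"watch: {ident} can reach {sorted(objs)}")
    for e in ungranted_access(GRANTS, EVENTS):
        print(f"investigate: {e.identity} accessed {e.data_object} with no recorded grant")
```

On the constructed data this flags alice’s grant to db://customers.pii as dormant (last used 120 days ago) and bob’s as never used, shows four identities entitled to crown-jewel objects, and surfaces carol’s access to s3://corp-source/ as one the grant inventory does not explain. The point is the join between entitlements and observed use: neither source alone answers who can reach the data and whether they actually do.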