Devalue the Data and Secure Your Agency through Encryption
This blog is part of a series for Cybersecurity Awareness Month 2022. You can find the other blog posts here:
- What DOD Agencies Can Learn from Baseball…for Talent Management
- The Three Phases of Keeping Burglars and Cybercriminals Away
- Best Practices for Passwords and Multi-Factor Authentication within the DOD
If you have read or watched the news recently, you may have been shocked and concerned to read of security breaches at companies like Twitter, T-Mobile, Cisco, Microsoft, and LastPass, just to name a few. Each of these data breaches has exposed users' personal data to hackers and potential criminals on the internet. This data has high value and is sold and exchanged on the dark web for many different purposes.
Why does this continue to happen? Is it because of a lack of effort from these companies? I don’t believe so. These companies have highly trained security professionals and invest heavily to protect their enterprise. Not unlike the Secret Service in protecting the President of the United States, enterprise security organizations have to secure everything and be right 100% of the time, while the attackers only have to be right once by finding a vulnerable entry point.
One of the main challenges for enterprises is securing software access points through credential management systems. The difficulty here is that those credentials are maintained and used by users – humans – who have the potential to fall victim to social engineering schemes designed to collect their credentials. It’s something even the savviest users can fall prey to, making access control in every enterprise a challenge. While the NetIQ solution from MFGS, Inc. offers a strong solution when it comes to account and privileged access management, it’s only one means of defense. What if there is an intruder? What if you relied on a tool like LastPass that had a data breach? The objective of most breaches is to get to the data, so the real solution is to devalue it.
Devaluing the Data
Imagine a jewelry store and all the jewelry it contains, but what’s in the display cases are merely worthless duplicates of the real items. The real jewelry is located in a vault in a different part of the store or even a different building altogether. Once a customer is interested in an item, they are taken to a secure room and the real item is brought in for them to see. Once done, the piece is returned to the vault. If a robbery were to occur, only fake jewelry would be lost.
How do we apply this example to make the data of an enterprise have no value? Enterprises must make a commitment and give priority to protecting the data. Unlike Europe, which imposes huge fines on companies that compromise user data, no such penalties are imposed here in the United States. The responsibility for all data then falls on the companies to secure their customers’ and employees’ data.
There are three requirements that need to be identified in order to protect the data:
- Which data needs protecting? Identify which data needs to be protected and prioritize by level of risk.
- Identify where the data is located. Eliminate duplication of data that is of high value to minimize exposure and control who has access to that data.
- Have strong monitoring procedures in order to be alerted when data is potentially being accessed by non-authorized entities.
Once valuable data has been identified, the next step is to make it worthless to a hacker. The easy solution is encryption. Seems easy enough, right? Well, with that comes a frequent problem of many data encryption solutions: retrofitting the enterprise to accommodate encrypted information. We at MFGS, Inc. have a simple and elegant solution that addresses these concerns and more. Our Voltage solutions allow your enterprise to encrypt and secure your data – almost overnight – using our format-preserving technologies with encryption and tokenization. This will help devalue your data and reduce data breach risk.
Now that the data has been devalued, it can safely transit your enterprise even when part of your enterprise is using cloud services. Access to the data (mainly personally identifiable information (PII)) is restricted to those with the proper credentials, and even then, only a portion of the data may be available based on strict access rules. You may be familiar with this in your financial institution relationships when you’re asked to provide the last four digits of your Social Security Number to a customer service agent, who only sees the minimal information required for validation.
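The vault from the jewelry-store analogy and the last-four-digits rule above can be sketched in a few lines. This is an added example, not MFGS or Voltage code, and it uses a random-token lookup table rather than format-preserving encryption; the role names, policy table and sample SSN are constructed for illustration.

```python
import secrets

class TokenVault:
    """Vault-based tokenization: systems hold tokens, only the vault holds real SSNs."""

    # Constructed access rules: role -> how much of the real value is released.
    POLICY = {"fraud_analyst": "full", "service_agent": "last4"}

    def __init__(self):
        self._by_token = {}   # token -> real SSN (the "vault")
        self._by_value = {}   # real SSN -> token, so one SSN always maps to one token
        self.audit = []       # every reveal attempt, kept for monitoring

    def tokenize(self, ssn: str) -> str:
        if ssn in self._by_value:
            return self._by_value[ssn]
        while True:
            # Swap each digit for a random digit and keep the dashes, so the token
            # still fits a column or form field validated as NNN-NN-NNNN.
            token = "".join(
                secrets.choice("0123456789") if c.isdigit() else c for c in ssn
            )
            if token != ssn and token not in self._by_token:
                break
        self._by_token[token] = ssn
        self._by_value[ssn] = token
        return token

    def reveal(self, token: str, role: str) -> str:
        level = self.POLICY.get(role, "none")    # unknown roles get nothing
        self.audit.append((role, token, level))  # log before deciding
        if level == "none":
            raise PermissionError(f"role {role!r} may not detokenize")
        ssn = self._by_token[token]              # KeyError for an unknown token
        if level == "full":
            return ssn
        # last4: mask every digit except the final four
        head, tail = ssn[:-4], ssn[-4:]
        return "".join("*" if c.isdigit() else c for c in head) + tail
```

A database or cloud service that stores only the token loses nothing of value if it is breached; the audit list is the hook for the monitoring requirement listed earlier.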
The key to protecting enterprise data from attackers is to devalue the data in its three states:
- At Rest: The stored on-premise or cloud PII.
- In Use: When the PII is entered and accessed.
- In Transit: When the PII goes from the stored database and is moving across your enterprise.
Any weakness in this chain can be exploited and result in customer data potentially being obtained by attackers, which can result in a tarnished company reputation and erosion of trust.
It’s time to start asking, “Is my agency protecting our sensitive data and the companies and agencies we do business with? What’s their past history and current security posture?”
Don’t let your company or agency be the next one in the headlines. Learn more about how our solutions help secure and manage data by reading our whitepaper.
Eric Irizarry
Security Solutions Architect