One of the challenges we face when talking to clients about achieving a secure workplace is being able to define the components at a level which makes sense. All the pieces need to connect in a way which is easy to understand and relate to.
To address this and provide some context, we should think about the secure workplace as the following areas:
- People: Identity, user credentials, access control, multifactor authentication
- Devices: Device security, biometrics, encryption, Endpoint Detection and Response
- Cloud Services: Cloud App Security, building the business case for information protection
- Information Protection: Classification and labelling of information to prevent data leakage
- Governance: Policy enforcement, compliance, and the ability to prove who has access to what information and, more importantly, why
Before you can begin to secure the workplace, the people who interact with it must be considered, understood, measured, and secured. The starting point for any individual is their identity, followed naturally by the locations from which they interact with the workplace, how they manage critical credentials such as passwords and tokens, and their access to business information, applications, and collaboration platforms. Once the people are understood, their behaviours can be learnt, and from those behaviours personas can be defined, making it easy to create groups or teams to which security policy can be applied.
It is important to take these learnings and invest the time to educate individuals and groups within the business, to drive security, governance, and risk awareness. Often, individuals understand risk as it applies to their personal life, but do not apply the same care in a business environment. Ask a random group of individuals across the business “What, in your opinion, constitutes a breach?” and you will get a very diverse set of answers. Cyber education is critical to getting commitment and understanding across the business.
With people secured and personas understood, we can now ensure the relevant level of security controls exists for each persona on its assigned devices. For example, for high-risk personas the device type may include biometrics and have enforced encryption and full policy management under centralised control. Information Protection rules would prevent accidental sharing of sensitive information, the use of external devices to move data, or even the use of Software as a Service (SaaS) platforms such as Dropbox, OneDrive or Google Drive. A lower-risk persona might have a different device type with different rules; however, maintaining control over where data can reside is still crucial.
At the base level, ensuring devices are secured against next-generation malware and advanced threats is critical, so each endpoint should leverage Endpoint Detection and Response (EDR) capabilities. EDR allows automatic investigation of alerts and offers remediation options for complex threats in minutes, using industry best practices and intelligent decision-making algorithms to determine whether a threat is active and, more importantly, what action to take.
With people and devices secured, it is now crucial to understand any areas outside of the workplace which present a potential risk. Some of these areas will be in use by people in the business right now, and you will have heard of (and most likely use) most of them. Services like Box, for example, give individuals avenues to share information (sensitive or otherwise), willingly or unwillingly, in order to be efficient or to access it later from another location. This is commonly referred to as Shadow IT or Shadow Data.
Knowing which of these services are being used by which individuals allows validation of the persona groups created earlier. Risk-based policies can then be applied to control which groups can use these services and, more importantly, what types of information can be stored there if the service is sanctioned (allowed). It is astounding how many of these services are being used in businesses right now! Understanding this risk is one of the most important steps in building a business case for information protection and data loss prevention.
Cloud Data Secured!
Once you understand how information is moving outside of the organisation, new behaviours are learnt (good or bad), and the learnings can be applied to the underlying policies behind each persona. For example, suppose that during cloud services discovery individuals were found to be sharing information through an external service, let’s assume Google Drive, in order to collaborate, and that the information being collaborated on is sensitive and introduces potential risk. You are now aware of this and can remove the risk by blocking Google Drive, or marking it as “unsanctioned”.
This stops the external problem immediately; however, the sensitivity of the information that was available to be shared should also be understood, so that data inside the organisation is protected and classifications with labels are put in place to prevent any such breach of policy moving forward. With classification and labelling in place, information protection policies are applied as information flows through the organisation. Once the policy is in place and the same sharing scenario is attempted, access to Google Drive is denied and an alert is sent back to the user letting them know they are in breach of a classification policy. This in itself drives a shift in behaviour from individuals and helps the business achieve and maintain its compliance requirements or standards.
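The discovery-then-enforce loop described in the last two sections, as an added example that is not part of the original post: constructed proxy-style records are parsed to show which personas use which cloud services, and each upload is then checked against a sanctioned/unsanctioned decision plus the classification label on the content. The log format, the persona names, the service list, the labels and the policy table are all assumptions standing in for what a real proxy/CASB feed and labelling tool would provide.

```python
"""Shadow IT discovery plus a sanction/label policy check.

Added example, not code from the original post. The log format, the
persona names, the service list and the classification labels are all
constructed assumptions standing in for whatever a real proxy/CASB feed
and labelling tool would provide.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed proxy-style records: user,persona,destination_host,bytes_out,label
# "label" is the classification an information protection agent attached
# to the content being uploaded.
SAMPLE_LOG = """\
alice,finance-high,drive.google.com,524288,Confidential
bob,sales-low,app.box.com,12000,Public
alice,finance-high,onedrive.live.com,2048,Internal
carol,eng-low,drive.google.com,900000,Confidential
bob,sales-low,drive.google.com,4096,Internal
"""

# Hypothetical hostname-to-service mapping used during discovery.
SERVICE_BY_HOST = {
    "drive.google.com": "Google Drive",
    "app.box.com": "Box",
    "onedrive.live.com": "OneDrive",
}

# Outcome of the discovery review: (service, persona) -> sanctioned/unsanctioned.
# Anything not listed is treated as unsanctioned (default deny).
POLICY = {
    ("Google Drive", "sales-low"): "sanctioned",
    ("Google Drive", "finance-high"): "unsanctioned",
    ("Google Drive", "eng-low"): "unsanctioned",
    ("Box", "sales-low"): "sanctioned",
    ("OneDrive", "finance-high"): "sanctioned",
}

# Labels that must never leave via an unsanctioned service.
SENSITIVE_LABELS = {"Confidential"}


@dataclass(frozen=True)
class Event:
    user: str
    persona: str
    service: str
    bytes_out: int
    label: str


def parse_log(text):
    """Turn the CSV-style records into Event objects, mapping hosts to service names."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, persona, host, bytes_out, label = line.split(",")
        service = SERVICE_BY_HOST.get(host, host)
        events.append(Event(user, persona, service, int(bytes_out), label))
    return events


def discover_usage(events):
    """Discovery step: which services each persona uses, and which users drive that usage.

    Returns {persona: {service: [users...]}}; this is the view used to validate
    the persona groups and decide what to sanction."""
    usage = defaultdict(lambda: defaultdict(set))
    for e in events:
        usage[e.persona][e.service].add(e.user)
    return {p: {s: sorted(u) for s, u in svcs.items()} for p, svcs in usage.items()}


def evaluate(event):
    """Enforcement step: return (decision, reason) for one upload attempt."""
    state = POLICY.get((event.service, event.persona), "unsanctioned")
    if state == "sanctioned":
        return "allow", f"{event.service} is sanctioned for {event.persona}"
    if event.label in SENSITIVE_LABELS:
        # Deny and tell the user which classification policy they breached.
        return "block_and_alert", (f"{event.label} content to unsanctioned "
                                   f"{event.service}; user alerted to classification policy breach")
    return "block", f"{event.service} is unsanctioned for {event.persona}"


def enforce(events):
    """Apply evaluate() to every event; returns [(user, service, decision, reason)]."""
    return [(e.user, e.service, *evaluate(e)) for e in events]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for persona, services in discover_usage(evs).items():
        print(persona, dict(services))
    for row in enforce(evs):
        print(row)
```

Two design points worth noting: unknown services fall through to "unsanctioned" rather than "allow", so a newly discovered service is blocked until someone reviews it, and the alert reason names the label that was breached, which is what gives the user the feedback the post relies on to shift behaviour.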
Achieving an effective information protection policy goes a long way towards meeting compliance standards, and with people, devices, cloud data, and information secured, it is often assumed all bases are covered. Not quite yet: to retain compliance, you must pass an audit, which could be planned or random. One of the biggest challenges with being “Audit Ready” is getting access to the information requested by the auditor in a timely fashion or, in the worst case, not being able to get the requested information at all.
One of the hottest areas for auditors is information governance: who has access to what information, and why. In most cases, file access is granted based on membership of certain security groups, an action performed by individuals in IT. The challenge with this approach is that those individuals are making decisions based on the request from the business and the security groups available to them. IT staff are not across the business functions and processes or, more importantly, the information created within each business unit, its sensitivity, and who “should” have access to it.
To satisfy an auditor, the key is the ability to quickly show who has access to certain information and the reason “why” they have access. Typically, IT attempts to respond to these requests with lists of Active Directory security groups and their memberships, or with metadata tools an auditor must trawl through. Information governance needs to be delivered in a manner where the “reason” and “duration” for access are captured at the time the information is shared. More importantly, the power to manage access needs to be back in the hands of the information owners, who know best the sensitivity required, can apply classifications or labels, and know exactly who has access to what and why.
Now, when an auditor request comes in, it is easy to provide a report showing the data owner, the location, the individuals who have access, the reason why, and the duration for which access has been granted.
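The access ledger described in the two paragraphs above, as an added example that is not part of the original post: every grant records the information owner, the grantee, the reason, the label and the duration at the time of sharing, and the report an auditor asks for is then a straightforward query. It also shows the check that usually matters most in an audit, namely grants whose duration has lapsed but whose entry is still present in the live ACL. The resource paths, people, dates and labels are constructed; a real implementation would sit behind the sharing workflow and reconcile against the actual ACLs of the file system or collaboration platform.

```python
"""Access ledger that captures owner, reason and duration at grant time.

Added example, not code from the original post. The resource paths, people,
dates and labels are constructed; a real implementation would sit behind the
sharing workflow and be reconciled against the actual ACLs of the file system
or collaboration platform.
"""
from dataclasses import dataclass
from datetime import date, timedelta


def _as_date(value):
    """Accept either a date or an ISO string such as '2024-07-01'."""
    return date.fromisoformat(value) if isinstance(value, str) else value


@dataclass(frozen=True)
class Grant:
    resource: str     # where the information lives (constructed share path)
    owner: str        # information owner who approved the grant
    grantee: str      # who received access
    reason: str       # captured when the information was shared
    label: str        # classification the owner applied
    granted_on: date
    days: int         # duration of the grant

    @property
    def expires_on(self):
        return self.granted_on + timedelta(days=self.days)

    def active_on(self, day):
        day = _as_date(day)
        return self.granted_on <= day < self.expires_on


# Constructed ledger entries.
LEDGER = [
    Grant("//fileserver/finance/budget-2024", "fin-owner", "alice",
          "Quarterly forecast preparation", "Confidential", date(2024, 3, 1), 90),
    Grant("//fileserver/finance/budget-2024", "fin-owner", "bob",
          "External audit support", "Confidential", date(2024, 6, 15), 30),
    Grant("//fileserver/hr/policies", "hr-owner", "carol",
          "Policy review committee", "Internal", date(2024, 1, 10), 365),
]


def who_has_access(resource, as_of, ledger=LEDGER):
    """Answer the auditor's first question: who can reach this resource on a given day, and why."""
    return [(g.grantee, g.reason, g.expires_on.isoformat())
            for g in ledger if g.resource == resource and g.active_on(as_of)]


def audit_report(as_of, ledger=LEDGER):
    """One row per grant: owner, location, grantee, reason, label, duration and status."""
    return [{
        "resource": g.resource,
        "owner": g.owner,
        "grantee": g.grantee,
        "reason": g.reason,
        "label": g.label,
        "granted_on": g.granted_on.isoformat(),
        "expires_on": g.expires_on.isoformat(),
        "status": "active" if g.active_on(as_of) else "expired",
    } for g in ledger]


def lapsed_but_still_in_acl(as_of, acl_entries, ledger=LEDGER):
    """Grants whose duration has passed but whose (resource, grantee) pair is still
    present in the live ACL snapshot: exactly the finding an auditor would raise."""
    return [g for g in ledger
            if not g.active_on(as_of) and (g.resource, g.grantee) in acl_entries]


if __name__ == "__main__":
    today = "2024-07-01"  # constructed "as of" date
    for row in audit_report(today):
        print(row)
    # Constructed snapshot of the live ACL: alice's access was never revoked.
    snapshot = {("//fileserver/finance/budget-2024", "alice"),
                ("//fileserver/finance/budget-2024", "bob"),
                ("//fileserver/hr/policies", "carol")}
    for g in lapsed_but_still_in_acl(today, snapshot):
        print("lapsed grant still in ACL:", g.grantee, g.resource)
```

The point of keeping the ledger separate from the ACL is that the ACL only says who can read a path today; the ledger says who approved it, why, and until when, which is the part IT cannot reconstruct after the fact from security group membership alone.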
Secure workplace achieved!
In part two, I explore Why and How to implement a secure workplace.