With the novel coronavirus known as Covid-19 ushering in orders to work from home, it’s not just the workforce that has been hastily distributed. Sensitive data now exists outside of the corporate office – in worker’s homes, traversing untrusted networks, on personal devices, and in unsanctioned cloud services. Enterprise policies designed to protect security and privacy were designed for the physical, social, and technical safeguards that exist within the enterprise – not the minimum-security environment of worker’s homes.
It’s time to address what for many will be the “new normal” of work-from-home and the sensitive data exposure that goes with it. Among the security perils of remote work:
- Upon providing valid credentials, savvy workers can cut, copy, paste, save, print, and otherwise exfiltrate sensitive data in most environments. Often, this is done to facilitate working outside of overly-restrictive corporate boundaries.
- Poor-quality and slow networks lead to local copies. Sensitive data may be hoarded by workers preparing to leave their jobs.
- Malicious actors, bots, and malware leverage overly-permissive access by spying, phishing, recording, copying -- and, with ransomware, encrypting and extorting!
Here are the areas where current policies, practices and operational controls desperately need review, update and coordination:
Left unchecked, the spread of sensitive enterprise data and the increasing exposure to loss vectors threaten the enterprise in meaningful ways, from financial to personal to regulatory to reputational risk.
To address the problem, organisations must evolve their capabilities beyond the current model of controlling sensitive data distribution that’s heavily dependent on access rights, worker actions (or inactions) and flagging compliance-impacting events after they’ve happened. And with IoT and analytics expanding our concept of sensitive data (by volume, depth and meaning), the time to act is now.
Controlling access to - and the usage of - sensitive information requires vigilance and deliberate protective measures to assure (and audit) confidentiality, integrity, availability and safety.
Polices and corresponding operational controls must be continuously situationally aware and contextually risk-appropriate across the lifecycle of sensitive data. And policies and operational controls must work synchronously to enforce controls, since policies or technology operating alone will not provide meaningful and repeatable protection.
Stakeholders and the sphere of influence for sensitive data have expanded beyond IT custodians to include data privacy officers, line-of-business leaders, auditors, legal, M&A teams and strategic third-parties. A good litmus test is to include those with formal obligations including strategy, regulatory, contractual, governance and ethical oversight.
Carefully consider what logs are needed, who needs access, how long they’re kept, and whether there are privacy issues. Orchestrate the lifetime security of logs to support audit and eDiscovery.
Utilise analytics to determine true vs. perceived ownership and accountability of applications, workflows, relationships and data. Analytics will provide insights on effective vs. intended usage, highlighting stakeholders that were not previously considered. And be sure to clearly define the shared responsibility model, including succession planning and approval-embedded workflows.
The familiar sensitive data types that include PII, PHI, PCI and IP have expanded outside of traditional files and relational databases to streaming, multimedia, multi-party, IoT and increasingly unstructured content.
Assign identities and personas to data to facilitate multi-party and multi-jurisdictional control and visibility. The goal is to embrace the Identity of Everything – and today’s actions need to move our ability to control data closer to that long-term goal.
Analytics and DLP should be configured to work together in identifying and protecting evolving data sets, as well as mapping sensitive data flows.
Correlations and combinations of data must be continually assessed to assure they match the objectives of security and privacy policies.
Data lifecycle management
Automate protections, resilience and assurance so they are native capabilities – and never an afterthought.
The data lifecycle must govern both access to and appropriate usage of sensitive data from inception to expiration and verified disposal.
Include directives for operationalising the control environment such as enclaves, distributed ledgers (e.g. blockchain), and virtualisation. Map the operational environment to stakeholders and data types to assure the least privilege, defined boundaries, location specificity and visibility that is tailored to the stakeholder.
Provide specific visibility to data provenance, migrations and sovereignty of sensitive data to support classification and controls on movement, access and usage.
Privacy controls including expiry, consent – and the right to deletion and rectification must be respected and recorded in detailed auditable records with access limitations.
Design to be continuously audit ready.
Continuous learning and adapting
Visualise gaps matched to risk in a collection of heat maps, organised around the interest of each stakeholder – and measure stakeholder effectiveness. The goal is to map the effectiveness of different stakeholders in meeting their data stewardship responsibilities and help them make more effective decisions.
Learn from attempts to bypass controls. Non-malicious attempts often point out flaws or needed optimisation of procedures or technologies. Malicious attempts point out the need for new investments and priorities. (In other words, never waste a crisis.)
Highlight trends – especially evolving loss vectors and an expanding attack surface.
Major disruptions often require revisiting “break-glass” procedures and workflows, approvals, exceptions and escalations.
A culture of compliance
The global shift to remote work has significantly expanded the attack surface that companies must defend. In adapting their policies to accommodate the new model – which likely isn’t going away anytime soon - security and privacy leaders can help to secure the enterprise and ensure their systems, data, and workforce remain safe.
Define “culture as code” so it can be assessed, expressed, consumed and audited by automated processes.
Build on a foundation of Zero Trust.
Focus on the continuous evolution of policies, procedures and technical measures to defensively protect sensitive enterprise data against damaging loss or compromise.
Organise, guide and automate a data protection culture that’s embedded in the fabric of the modern workspace.
Peter Lefkowitz, Chief Privacy & Digital Risk Officer, Citrix Systems
Kurt Roemer, Chief Security Strategist, Citrix Systems