I work for a software company whose main product manages access to enterprise file and object data. My colleagues and I often find ourselves talking to our customers’ information security officers (CISO’s), both during the sales process and after our product has been selected. These conversations give us ongoing insight into their most pressing concerns. What follows is a brief discussion of some of the leading issues with which they wrestle.
Ransomware is malicious software that gains access to files and changes them so they can no longer be interpreted by their owners. Once the files have been changed, the perpetrator of the attack demands a fee for restoring the files to their pre-attack state. When ransomware attacks were a new phenomenon the attacks almost exclusively targeted individuals. More recently, however, businesses and public institutions have been among the targets, often with highly disruptive results. Hundreds of millions of dollars are spent each year by ransomware attack victims to recover their data.
Backups are the best mitigation against “conventional” ransomware attacks because they allow the affected files to be restored to their pre-attack state. Some ransomware programs, however, both corrupt the files to which they gain access and send copies of these files to the attackers. In these cases even victims who have backup copies of their data will sometimes pay the ransom to prevent the information in the stolen files from being made public.
2. Data Leakage:
The ability to share information effectively is one of the hallmarks of an effective organisation. From an information security perspective, however, information sharing raises the challenge of preventing the information from being shared with outsiders who should not have access to it, a problem known as “data leakage”.
Enterprises employ a variety of strategies to try to prevent data leakage. Scanning outbound email messages for suspect words or phrases and suppressing messages in which that potentially sensitive information is detected is a popular approach among larger and more security conscious organisations.
For many organisations it is necessary and appropriate to share sensitive information with selected outsiders. That situation raises an even trickier question: How can the sharing of data by its intended recipients be controlled? Although there is no perfect answer to this question, several techniques can be used to reduce the likelihood of unwanted onward sharing and, when it does occur, assist with determining which external party allowed the data to be shared.
The techniques include: using with password protected links, sharing with links that can only be used once or a small number of times, making data viewable but not downloadable and watermarking shared data to identify the party with whom it was shared.
3. Sensitive Data Tracking:
An unintended consequence of the free movement of information within an organization is that digital documents containing sensitive information may become scattered all over the organization’s storage systems. When this occurs, an organization may find it difficult to convince regulators, customers and other stakeholders that the information is being used responsibly and in accordance with privacy retirements such as HIPAA or GDPR.
To prevent this problem from occurring, some organisations have procedures to scan the contents of their storage and flag documents that contain potentially sensitive data. This gives them strong evidence that sensitive data is being handled carefully and allows them to take proactive measures to prevent it from being handled carelessly or used inappropriately.
4. Identity and Access Management:
Identity and Access Management (IAM) is the most fundamental determinant of an information system’s security. Strong IAM keeps unauthorised users out and ensures that authorised users have access only to selected resources. IAM is a vast topic but three high level principles can help make it understandable.
First, gaining access to a system or resource should require that a prospective user of a system provides strong evidence that they are authorised to use that system. Complex passwords, fingerprint recognition, voice recognition and timed one-time passwords (TOTP) are all examples of the kinds of evidence that organisations may require to prevent unauthorised access to and use of their systems and data.
Second, great care should be taken to prevent impostors from successfully impersonating authorised users. Passwords on sticky notes stuck to a user’s monitor may be a thing of the past (we hope!), but the challenge of preventing credentials from being stolen has become even greater as use of third-party systems over the web has become more common.
The risk with these systems is that as more and more of them are adopted by an organisation, the possibility increases of fake login pages being used to harvest credentials. To prevent authorised users from unwittingly entering credentials into bogus authentication pages, many organisations have expanded the scopes of their single sign-on systems to include web-based thirdparty applications
Finally, access controls should make it simple to understand and manage the access rights afforded to each authorized user. Here we are concerned not only with whether a user is allowed to use a system, but also with what actions they can take while using the system. The practical difficulties of achieving this simplicity compound as the number of systems increases.
From our own work at Storage Made Easy we know that storage access controls can be unified in a way that provides this simplicity. Similar methods of unifying the management of access privileges beyond basic login across applications, however, are devilishly difficult to achieve.
5. Access Monitoring and Auditing:
To create a secure information environment the enterprise has to know who is accessing its sensitive data. ‘Who’ logged in to a system, what actions they took or are taking while logged in and whether they remain logged in are fundamental inputs to an effective cybersecurity program. As with other aspects of information security, the difficulty increases as a function of the number of systems used by the enterprise, and the incorporation of web based applications provided by third parties further increases the complexity of the task.
Single sign-on systems, as discussed above, can provide an effective way to obtain information about logins and logouts across systems. Consolidating the information about actions taken by users while they are logged in is a more difficult challenge. Many enterprises try employ a strategy of forwarding records of user actions from disparate systems into a unifying repository to try to meet this challenge. Although a variety of commercial and open source products and components are available to assist with this task, it remains an ongoing issue for information security specialists and the other IT professionals with whom they collaborate.
These are just a few of the many issues that information security professionals wrestle with on a daily basis. For them the great challenge is not just keeping information safe; it is keeping information safe while allowing it to be used as intended in pursuit of the enterprise’s business goals. The Enterprise File Fabric software helps information security professionals meet this challenge across their organizations’ storage systems.
While we recognize that no single piece of software can provide all of the security capabilities needed by a modern enterprise across all of its systems, we try to ensure that ours provides the right mix of features for managing access consistently across the many kinds of storage that companies and enterprises use in their day-to-day business, whether in the office or working from home.