This is the second blog in a three-part series on defensible security. Last week, we spoke about the epic failure of Equifax and the reasons why their actions (and inactions) were not defensible in the 2017 hack. This week we get into more details about some steps you can take on the road to creating a security program that’s defensible to your stakeholders.
As we mentioned in last week’s post, the question we’re ultimately trying to answer is, “Is the organization doing enough to protect its data and information resources and can we defend our choices in the event of an incident?”
Can It Be Done?
There are two aspects that should be considered regarding defensible security and defensible audit: 1) technology best practices and 2) business best practices. Today’s post will focus on technology best practices and how VERA can help. Not so coincidentally, these are tightly aligned with supporting compliance initiatives and risk management efforts.
Technology Best Practices: Dynamic Data Protection
Encrypt all non-public information that is stored or shared inside or outside the company
It’s important to apply encryption to sensitive files at rest, but also anywhere your data is transmitted — whether that’s through email, Box, Dropbox, SharePoint, or other collaboration tools. VERA encrypts your data with AES-256 encryption, goes further by preventing unwanted viewers from accessing your information anywhere it moves, and applies data-in-use protections that control and limit what recipients can and cannot do with your firm’s nonpublic data.
Restrict Access Privileges to the Data Itself
In a complex technology ecosystem, it’s no longer feasible to define access only at the system, device, or perimeter level. You must define and restrict access privileges at the file level, helping your team maintain strict data governance requirements anywhere files travel. You can think of VERA as enforcing a guest list on each piece of your nonpublic content: only approved parties can access your nonpublic information, no matter where that file is stored, where it travels, or whether it’s forwarded.
Implement an Audit Trail to Reconstruct Transactions and Log Access Privileges
In the past, requirements for an audit trail on data access were seen as an add-on or even an afterthought. Now, some regulatory mandates call for improved visibility into data use, which highlights the need for an automated way to track and log access privileges and reconstruct transactions. VERA provides granular, 360-degree visibility into all access attempts on your nonpublic information (both authorized and unauthorized), with a full audit trail of who accessed your firm’s data, where, and how, to help you build a better picture of your data use. You can also export VERA’s audit log to your favorite SIEM/BI tools for further monitoring and detailed analysis.
Real-Time Access Control
Simple encryption and common security tools like Data Loss Prevention (DLP) are great technologies, but they cannot remotely destroy nonpublic information once it’s sent beyond the organization. VERA gives you control of your data through its entire life cycle, as it moves beyond your systems, through the proverbial “last mile” to another partner’s desktop, phone, or cloud application. It offers flexible, customizable policies, including the ability to 1) automatically expire information after a defined period (time-bomb); 2) easily create rules that provide for data retention; and 3) revoke access to any user, at any time, at the click of a button.
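As an added illustration of the file-level guest list, audit trail, time-bomb expiry and revocation described across these four practices, here is a small in-memory policy model; it is not VERA’s code, and the file name, recipients, devices and timestamps are constructed for the example.

```python
from collections import Counter, namedtuple
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Illustrative model (not VERA's implementation) of a per-file policy: a guest
# list with per-recipient rights, an expiry ("time-bomb") and a revocation set.
@dataclass
class FilePolicy:
    file_id: str
    guests: dict                        # principal -> set of permitted actions
    expires_at: Optional[datetime] = None
    revoked: set = field(default_factory=set)

# One audit record per attempt: who, where (device/app), how (action), outcome.
AuditEvent = namedtuple("AuditEvent", "when file_id who where how allowed reason")

def evaluate(policy: FilePolicy, who: str, where: str, how: str,
             now: datetime, audit: list) -> bool:
    """Decide one access attempt and always log it, whether allowed or denied."""
    if who in policy.revoked:
        allowed, reason = False, "access revoked"
    elif who not in policy.guests:
        allowed, reason = False, "not on guest list"
    elif policy.expires_at is not None and now >= policy.expires_at:
        allowed, reason = False, "file expired"
    elif how not in policy.guests[who]:
        allowed, reason = False, "action not permitted for this recipient"
    else:
        allowed, reason = True, "ok"
    audit.append(AuditEvent(now, policy.file_id, who, where, how, allowed, reason))
    return allowed

def denied_attempts_by_principal(audit: list) -> Counter:
    # SIEM-style roll-up of the log: who keeps trying to open data they may not.
    return Counter(e.who for e in audit if not e.allowed)

def demo() -> tuple:
    t0 = datetime(2017, 9, 8, tzinfo=timezone.utc)     # constructed timestamp
    policy = FilePolicy("q3-forecast.xlsx", expires_at=t0 + timedelta(days=7),
                        guests={"alice@partner.example": {"view", "edit"},
                                "bob@partner.example": {"view"}})
    audit: list = []
    r1 = evaluate(policy, "alice@partner.example", "laptop", "edit", t0, audit)
    r2 = evaluate(policy, "bob@partner.example", "phone", "edit", t0, audit)
    r3 = evaluate(policy, "mallory@example.net", "dropbox", "view", t0, audit)
    policy.revoked.add("alice@partner.example")            # one-click revoke
    r4 = evaluate(policy, "alice@partner.example", "laptop", "view", t0 + timedelta(days=1), audit)
    r5 = evaluate(policy, "bob@partner.example", "phone", "view", t0 + timedelta(days=8), audit)
    return (r1, r2, r3, r4, r5), audit
```

Every attempt, including the denied ones, lands in the audit list, which is the evidence a defensible program needs when it has to reconstruct who touched a file and why access was refused.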
Next week, we’ll conclude with some business best practices to help round out your program. In the meantime, we highly recommend you check out the full whitepaper, “Building a Defensible Security Program”, for a deep dive into how to get started.