The days when company data was restricted to the company network are long gone. Today, it can be found practically everywhere: on the web, in the cloud and on a wide variety of end devices – including private ones. How can data security be implemented reliably and efficiently in such a world?
Security specialist Forcepoint lists the five most important steps.
For a company to function, employees must be able to easily access all the data they need in their day-to-day work – at any time, from any location and using the device of their choice. This results in countless data flows that are difficult to control. Companies are increasingly losing track of what data they actually have, where it is stored and who is accessing it. This makes it difficult for them to monitor data flows across all channels and consistently enforce security policies. However, it is possible. In Forcepoint’s experience, the five most important steps for an approach that provides data security everywhere are as follows:
1. Define central policies for cloud and end devices:
Almost all companies store at least some of their data in the cloud, and some even pursue a cloud-first approach. Employees access this data with notebooks, smartphones and tablets, and these are not always company devices but can also be personal ones, so many new ways of leaking sensitive data are emerging. The traditional approach of enforcing security policies on end devices and in the cloud with different solutions that each manage their own policies therefore no longer works reliably. The separate tools offer little transparency and cause a great deal of effort because multiple rule sets must be maintained in parallel, and the policies quickly become inconsistent, resulting in gaps in protection. Companies therefore need tools that access a central set of policies to monitor data flows and prevent the unwanted copying or sharing of sensitive information.
2. Standardize web and DLP policies:
For employees, the web is no longer just a source of information from which data is retrieved. Many web applications and SaaS services ensure that data flows in the other direction – from the company to the web. This is why it is no longer enough just to defend against web-based attacks; it is also necessary to control the company’s own data on the web, especially as there are numerous regulatory requirements according to which certain data may not be stored and processed outside the company or outside the EU. So far, however, companies have mostly used Secure Web Gateways (SWG) only to control incoming data traffic and have not used Data Loss Prevention (DLP) to control outgoing traffic. Even where DLP solutions are used, they are usually independent of the SWG – with the well-known problem of inconsistent policies. Better protection is offered by platforms that combine data security with SSE (Security Service Edge) technologies such as Secure Web Gateway, Cloud Access Security Broker (CASB) and Zero Trust Network Access (ZTNA) and use a uniform set of policies.
3. Protect data in emails:
Email is the channel through which sensitive company data is most frequently leaked – not always intentionally, as many data breaches happen accidentally, for example when employees send a document to the wrong recipient during the hectic working day. As email continues to be one of the most important tools in everyday working life, companies urgently need to address this issue. The solution deployed should use the same guidelines as the security solutions that monitor the other channels. However, it should also work regardless of whether companies use their own mail server or cloud-based mail services such as Exchange Online or Gmail for Business, and regardless of whether employees access their emails using company or private devices. Endpoint-based solutions are therefore unsuitable; instead, the solutions must control the data at the network level. Ideally, they should also offer extended functions for encryption and approval processes.
4. Respond to risks adaptively and in real time:
Consistent policies are important, but they are not enough: they also need to be applied automatically according to the situation, so that overly strict blocking does not hinder employees at work and too many manual approvals do not overburden security teams. Security solutions that apply policies based on risk provide a remedy: they identify risky user behavior such as the upload of confidential information to the cloud and calculate a risk value depending on the specific data, the cloud service and other contextual information. This value triggers certain protective measures, such as a notice to encrypt the data, a release request or a block on the upload. Activities are monitored and the appropriate policies are enforced in real time so that all risks are minimized quickly and efficiently.
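A sketch of the risk-based enforcement described in step 4, evaluated against a single policy table for every channel as step 1 recommends. This is an added example, not Forcepoint code; the weights, thresholds, field names and action labels are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# All weights, thresholds and labels below are illustrative assumptions.
DATA_WEIGHT = {"public": 0, "internal": 20, "confidential": 50, "regulated": 70}
SERVICE_WEIGHT = {"sanctioned": 0, "tolerated": 15, "unsanctioned": 30}
# One central table, ordered from most to least severe: (minimum score, action).
ACTIONS = [(80, "block"), (55, "request_release"), (30, "prompt_encrypt"), (0, "allow")]


@dataclass(frozen=True)
class Event:
    channel: str          # "cloud", "web", "email" or "endpoint"
    data_class: str       # key of DATA_WEIGHT
    service: str          # key of SERVICE_WEIGHT
    managed_device: bool  # True for a company-managed device
    recent_alerts: int    # earlier risky actions by this user in the look-back window


def risk_score(ev: Event) -> int:
    """Combine data sensitivity, destination and context into a 0-100 score."""
    # Unknown labels fail closed: they are scored like the riskiest known value.
    score = DATA_WEIGHT.get(ev.data_class, max(DATA_WEIGHT.values()))
    score += SERVICE_WEIGHT.get(ev.service, max(SERVICE_WEIGHT.values()))
    if not ev.managed_device:
        score += 10
    score += min(ev.recent_alerts, 4) * 5  # capped so history alone cannot dominate
    return min(score, 100)


def decide(ev: Event) -> str:
    """Map the score to an action using the same table for every channel."""
    score = risk_score(ev)
    return next(action for floor, action in ACTIONS if score >= floor)


if __name__ == "__main__":
    # Constructed sample events, one per channel.
    samples = [
        Event("cloud", "internal", "sanctioned", True, 0),
        Event("cloud", "confidential", "sanctioned", True, 0),
        Event("email", "confidential", "tolerated", True, 0),
        Event("web", "confidential", "unsanctioned", False, 0),
    ]
    for ev in samples:
        print(f"{ev.channel:8} {ev.data_class:13} score={risk_score(ev):3} -> {decide(ev)}")
```

Because `decide` ignores the channel, a confidential file receives the same treatment whether it leaves through the cloud, the web, email or an end device, and data without a known classification is scored like the most sensitive class rather than allowed by default.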
5. Classify, cleanse and protect dark data:
Up to 80 percent of company data is dark data, i.e. unknown or unused data. There is a high probability that this flood of data contains data worth protecting that is beyond any control. Until now, classification involved a great deal of manual effort, but modern solutions use AI and machine learning to detect data in a wide variety of storage locations and classify it largely automatically. Companies can then not only reliably protect sensitive data, but also clean up the usually large amount of ROT data – i.e. all the redundant, obsolete and trivial information that unnecessarily increases the attack surface.
“The value of centralized policies for all security solutions cannot be overestimated. If security teams only have to maintain a single set of rules, it saves time and money and reduces the risks associated with inconsistent policies to zero,” emphasizes Frank Limberger, Data & Insider Threat Security Specialist at Forcepoint. “In our experience, such a centralized policy set for cloud applications and endpoints is a sensible first step on the way to ‘Data Security Everywhere’, but companies can also start with other steps and vary the sequence. The important thing is that they ultimately implement all steps in order to really detect, classify and protect all sensitive data across all channels – cloud, web, email, company applications, file servers and end devices.”
(pd/Forcepoint)