Last updated: 16 May 2016
In our last post, “Securing the Breach – Accept It, Then Protect It,” we reviewed the challenges facing companies fighting against data security breaches. Breaches are an inevitable reality today, and the sooner you accept this, the sooner you can put a plan into action that truly protects your data.
There are three steps that every company should take to mitigate the overall cost and adverse consequences of a security breach: encrypt all sensitive data at rest and in motion, securely manage and store all of your keys, and control access and authentication of users. By building each of these three steps into its IT infrastructure, a company can effectively prepare for a breach and avoid many of its unsavory consequences.
Step #1: Encrypt All Sensitive Data at Rest and in Motion
- Data at Rest Encryption: Determine where the sensitive data resides by searching your storage and file servers, applications and databases, wherever they are located – on premises or in the cloud. By encrypting both structured and unstructured data, you can ensure that when a hacker penetrates your network perimeter and finds a way into your data center, whether it is a physical or virtualized data center or a private or public cloud, the information they reach is encrypted and useless to an unauthorized user.
- Data in Motion Encryption: Encryption of the data in your data center is important, but equally critical is the encryption of your network traffic. Without encrypting your network, hackers could monitor the traffic, look for large spikes and find patterns in your data transfers. Maybe you send all backup data to your disaster recovery site every Thursday at 2 p.m. Wouldn’t it be detrimental if they penetrated your network at that time and extracted your transfer? By encrypting data as it moves across the network, even the traffic spikes and the metadata can be hidden from a hacker, who would neither know when the data was transferred nor be able to read it even if they tried.
Step #2: Securely Manage and Store Your Encryption Keys
- Key Management: Key management and storage of your encryption keys is paramount in the overall health and security of your encryption operation. A comprehensive key management solution that works across your different applications can not only ease your management headaches but ensure better security throughout. Streamline encryption silos and enforce separation of duties by using a centralized key repository. Grant administrators access only to the areas that make sense.
- Storage and Security: The size and strength of the keys and the frequency of your key rotation matter as well. The stronger the encryption key, the better protected the data. To further strengthen security, you should also consider safeguarding the key storage container. Software key wrappers do not protect encryption keys as well as hardware-based options, so vaulting your keys in a hardware security module (HSM) gives you an added layer of protection.
Step #3: Control Access and Authentication of Users
- Strong Authentication: Usernames and passwords have never been enough, and multi-factor authentication has moved beyond employees alone. You now need to think of partners and customers who need system access. Strong authentication is the only way to ensure that only authorized users have access to the systems and applications they are entitled to. Luckily this area of technology has evolved over time and there are now authentication options that are frictionless to the user—allowing them to have strong authentication without having to manage a physical token.
- Policy and Role-Based Access Management: Additionally, within any infrastructure, IT needs to ensure the encryption solutions it implements grant the appropriate level of access for each job function. For instance, the data access for a contractor may differ from that of a permanent employee. Or, someone in Human Resources may need access to sensitive employee data that should not be accessible to someone in Marketing. Paying attention to the policies and access controls surrounding the applications and data is imperative to protecting your sensitive data.
With the evolving threat model and the changes to IT systems and infrastructure cited in Part 1 of this series, “Accept It, Then Protect It,” it is difficult to keep up. The steps outlined above are not an easy task—they require a change in habit and an ‘acceptance of the breach’ mentality. Implementing this program will take time, resources, and additional IT funding, but it is the only way to keep your organization out of the headlines – protecting your brand, your IP, your customers, citizens, employees, partners and, most of all, your data! Remember, when it comes to breaches, it is not if, it is when.
Join us next time, as we take a closer look at step #1 of this three-part strategy, encrypting all sensitive data at rest and in motion.
Download the Secure the Breach Research Kit to learn how to use authentication, encryption, and key management to prepare for a breach effectively.
The kit includes access to the Secure the Breach manifesto, white paper, and other helpful resources.