In the era of the public cloud, when employees (aka insiders) are frequently using consumerized applications such as Dropbox, Box and Google Drive to share and store data, security and risk professionals are at a tipping point. It is time for them to adopt a new security thought paradigm that focuses on the insider threat that employees create, not solely on protecting data itself.
Before the public cloud, if you had suggested to corporate security heads that business-unit leaders would one day allow employees to move sensitive corporate data out from behind locked doors and into open lobbies, they would have scoffed. If you had gone a step further and suggested that when this happens, business leaders would also expect security heads to come up with ways to protect the information, the security heads would have had heart attacks. Fast forward to today — this exact scenario is reality. No wonder the average tenure for a CISO these days seems to be brief.
There is much talk about the different approaches and strategies that cybersecurity folks should be using to keep data protected in the era of the public cloud; so much talk that now, several years into the fray, protecting data in the cloud still leads discussions and keynotes at major security trade shows. Lost in the conversation though, has been any real substance about how organizations can better restrict employees from putting sensitive data into the public cloud in the first place. After all, if employees did not share and exchange sensitive files via consumerized cloud technologies, then the risk of cloud-driven data breaches would certainly be greatly reduced.
Why don’t security and risk professionals think about the employee more when it comes to data security and the cloud? Could it be that they are so focused on traditional defensive strategies that they have not had time to think about the most dangerous threat to their organizations, their employee? Have they not yet connected the dots between cloud risks and insider activities?
When it comes to protecting data in the cloud era, security and risk professionals are at a tipping point. And as the acclaimed author Steven Covey likes to point out, the only way to respond to a critical juncture successfully is through a “thought paradigm shift.”
In the case of data security and public cloud applications, what should that paradigm shift look like? Great minds are pondering this, but as strange as it may sound, a shift is really not that difficult to imagine. It simply requires cybersecurity practitioners to think about the problem in terms not only of protecting data itself through technology but also on focusing on employee created risks. To protect data against insider threats in the era of the public cloud, organizations’ security leaders must think about how to establish visibility into employee digital activities and behaviors through strategies that incorporate employee monitoring. This type of monitoring should be able to view employee behaviors and activities at a very granular level that reveals precisely what the employee does while using business computing assets.
Pushing this kind of strategy isn’t just vendor hype. In addition to what Sholtz advocates in recent reports, leading federal law enforcement agencies are advocating for more focus on the employee. During RSA Conference 2013, the FBI revealed that “authorized users,” not hackers, are the most significant threat to data security and that insider threats are a people-centric problem that requires a people-centric solution.
When it comes to data security and the public cloud, it remains critical for cybersecurity departments to identify and classify data that is sensitive and at risk; to even restrict certain data types from being accessed via the Internet; and to deploy solutions that monitor data, technology and applications. However, and this is where the shift comes in, it is now equally important for these departments to start identifying their high-risk employees, as well as those who have access to corporate data and the ability to distribute it outward via consumerized cloud applications, and to start monitoring their digital activities. In short, as Gartner analyst Tom Sholtz likes to point out, security staff needs to start taking a “people-centric approach” that strikes a balance between conventional and progressive security strategies.
This all sounds great in theory, but how do you actually implement a people-centric strategy that can stop highly mobile salespeople from sidestepping corporate policies on information sharing, halt HR executives from uploading regulated information into consumerized file shares, and deter malicious employees from doing bad things? Without fail, it has been proven time and time again that neither corporate policies, nor user agreements, nor even technologies can stop any of these insider threats.
As you review the information and evidence at hand, take into consideration the emerging people-centric or, in other words, employee-focused trend, it is easy to surmise that the only way to keep pace with cloud-related data risks is to adopt strategies that include people-centric monitoring solutions.
There are of course many monitoring options available, they include everything from homegrown solutions to mainstream enterprise technologies. Before choosing a monitoring solution though, an organization should ask itself a few things. To start, it should determine if it is at risk of data theft, data loss and employee fraud via cloud applications. If the answer is yes, the personnel in charge of security should look for solutions that provide the following:
• Recordings of all employee computer activity and continuous scans for threats
• Real-time alerts that include activity details
• Multi-level activity views that include individuals and departments as well as the entire company
• Video-style recordings that provide date, time and user details of all employee activities
• Advanced search capability across aggregate company recordings
• Support for multiple operating systems and flexibility to interoperate within various IT environments
Monitoring should, in effect, be the equivalent of putting a video camera behind the employee from the moment he or she sits down and logs into the corporate network to the moment he or she logs out. It should record activity concerning every application used, data set accessed, website visited, file copied and key typed.
By taking action and putting such solutions in place, organizations can support the paradigm shift necessary to protect data wherever it may be, whether in house or in the cloud.
