Security Experts:

A History of Defense-in-Depth; and the Evolution of Data Sharing

We need a new way to manage access to data. No, not because the “good guys” are losing to Advanced Persistent Threats, nation-state attackers, or whatever term we use to describe the cybersecurity boogey-man du jour. We need a new way to manage access to data because the old ways don’t work in the cloud. The cloud is not evil from a security standpoint, but cloud adoption has introduced two critical shifts to enterprise computing:

- An environment that is totally accessed and managed from anywhere in the world

- Empowering users to choose and administer IT solutions, also known as Shadow IT

Ye Ole Defense in Depth

Back when businesses had data centers, access to a departmental file share required an employee badge to get into the building, an Active Directory account, a laptop computer that belonged to the corporate domain, and permissions to the folder. If the permissions on the folder were incorrect the data might accidentally get exposed to another employee. Instead of Bill Smith from Human Resources, maybe it was William Smythe from accounting but William would have to almost accidentally access the folder to create an issue.

e-Defense-in-Depth.com

In the late 90s, companies started exposing some infrastructure and data to the Internet as we put a lower case “e” in front of everything and sold dogfood online. We had cloud computing back then but we called it Application Service Providers or Managed Service Providers. ASPs and MSPs were niche and expensive. Most attacks came in the form of Worms - malware designed to spread itself and cause disruption instead of steal data. Sensitive data was still only available if you had a remote access account (e.g. Virtual Private Network) and only certain resources were available to users connected remotely.

Defense in Depth as a Service

Today, businesses of all sizes are and should be embracing cloud services. We can deploy software with the swipe of a credit card and no one needs to learn how to install, configure or administer it. Reputable cloud providers like Microsoft, Google, and Amazon have massive security budgets, top-notch security personnel, and a level of standardization that legacy businesses cannot achieve. Brilliant. 

But these clouds are only as secure as your users. The problem is we’re still using Ye Ole Defense in Depth to control access to environments that aren’t buried behind multiple layers of corporate controls. An Amazon S3 bucket or a OneDrive for Business folder can be accessed by anyone on the Internet. No employee badge, no AD account, no managed device, no VPN credentials required. The user just has to make it so. And users make it so – either through social engineering (e.g. phishing) or convenience. Setting permissions on an Amazon S3 bucket can be confusing and sometimes the easiest way to share data is to make it public.

When we’re in the cloud, public means something very different than when we’re in the data center. Now instead of Bill from HR or William from Accounting it’s HackrSklz13 from the Tor Network. Instead of accidentally exposing HR data to a trusted employee that will most likely report the issue, we’re exposing data to criminals who are constantly looking for things to steal and monetize.

Cake: Have it. Eat it.

User empowerment is a good thing and so is rapid adoption of technology. Agile companies are more successful than their lethargic competitors. But we need to transform our security models as we transform our businesses. Users need to use the cloud but the business needs to make sure they do it safely. It’s kind of like letting your kids wander the neighborhood but only if they have a friend and are home before dark. We need a way to allow users to manage their own information but only to the extent that they don’t violate corporate policies for handling sensitive data. Otherwise put, we need proactive and automated checks and balances on cloud access management and information sharing. Accomplishing this requires a few basic steps.

1. Understand which cloud services users are accessing: This is sometimes called Cloud App Discovery and many companies, including Microsoft, offer it for free.

2. Understand what data is stored in those cloud services: You can do very basic data discovery using an Internet search engine and keywords, but you’ll need specialized data discovery software for anything more advanced or for data repositories that are not indexed.

3. Triage the data based on risk tolerance: Use the results from the data discovery to discuss which information is overly exposed based on your acceptance of risk.

4. Enforce boundaries: The security teams must define and enforce acceptable use of information so users are able to work efficiently provided they’re within the boundaries of enterprise policy.

Information security is often a cat and mouse game between the organization and its users. When security teams make it difficult for the users to work, the users will find ways to circumvent security and restore their productivity. Enforcing boundaries is about setting up a “swim lane” for information (we appreciate that the use of information isn’t linear like swimming from one edge of the pool to the other but bear with us). Picture someone learning how to swim in a crowded pool. The swim lane helps him or her stay the course and not run into other swimmers; it gives them something to grab onto and stay afloat. Within the protective area of the swim lane he or she can swim fast or slow, freestyle or butterfly, with confidence that the lifeguard will respond to emergencies.

In the digital work, we need two layers of permissions to create this swim lane. The first layer is the permissions management included in the technology. All the cloud file storage solutions like OneDrive for Business and Box allow the file owner to set permissions. The second layer needs to be some separate enterprise system that centrally defines the boundaries for what the user can do with the first layer. Consider a spreadsheet containing pre-release financials for a publicly traded company. This spreadsheet is stored in the Chief Financial Officer’s OneDrive for Business account. Permissions in OneDrive for Business are such that the CFO could share this file with literally anyone in the world. There are no boundaries on this capability. A second layer of permissions, however, would recognize that the access policy for this spreadsheet means that only executives and members of the finance team can access it. If the CFO uses the first layer to grant access to someone outside the company our second layer will proactively block that access from occurring. 

This approach creates balance between the enterprise need to centrally enforce policies and the users’ need to perform their jobs. Empowering the information owners to make ad-hoc decisions for granting access is a great way to increase efficiency but, without proactive oversight, it creates too much risk – especially as businesses adopt different clouds. The answer is not to take away the user empowerment but rather to enforce the boundaries for it. Another positive outcome of this approach is it will force corporate policies to keep pace with the business processes they are intended to secure. Bad things happen when security policies evolve slower than the business.

view counter
Mike Fleck is VP of Identity Protection at 4IQ. He previously served as VP of Security Covata Limited (ASX: CVT), where he was responsible for managing and directing US operations and brand awareness, credibility, and thought leadership related to data security and privacy. In 2010, he co-founded CipherPoint Software and has since served as its CEO. With nearly 15 years of experience in data security and encryption, Mike holds patents for transparent encryption and automated encryption key management. His experience with complex Fortune 500 and Federal Government environments includes leadership roles at Vormetric (acquired by Thales), High Tower Software (acquired by NetForensics), Predictive Systems, and Lockheed Martin.