Peak Security

April 3, 2013

How would you feel if your bank told you that only half of your money was safe?  At any given time, 50% of your total assets are subject to theft or loss.

That would be unacceptable. Unfathomable, right?  Banks couldn’t possibly operate with that level of uncertainty and risk.

What about data?  I hate to be a doomsayer, but the findings from our research on data protection are bolstered by IDC’s latest Digital Universe study, which finds that only approximately half of the data that needs protection actually has it [1].

Some of you are inevitably thinking: “Well, yeah, but that’s data, not money.”

Ahh, young grasshopper. You have much to learn.

A digital society

Like it or not, we’re living in a digital society. In many US cities, I can operate for weeks, months, possibly even years without touching physical currency or, tragically, without interacting with other human beings. Amazon Prime, Square, PayPal, Seamless, Uber, Google Glass, Bitcoin. The analog world has officially been disrupted.

At the core of this societal transformation is one axiomatic thing: data. Hopefully you’ve begun to alter your mindset and will start to treat data as an asset class—one that is constantly appreciating and warrants the same protection as money.

It isn’t paranoia if they’re really out to get you

I can hear it now: “Rob, you’re being too paranoid! Treating data like money? Pfffft. Too extreme. Companies know what they’re doing. My data is safe because I’m careful.”

Please do me a favor: go to Google News, type “hacked”, and press enter. Here’s what I see right now, at 9:06 PM on March 21st, 2013:

[Image: Google News results for “hacked”]

A steady stream of data leaks, security fumbles, insider theft, malware, hacktivism, APTs, and state-sponsored attacks is now, frightfully, the norm. Java is on a paradoxically long 14-day streak without a 0-day exploit.  The Ruby on Rails, MySQL, and WordPress core teams are playing the same game of whack-a-mole these days. The success and pervasiveness of a platform is often correlated with the size of the target on its back. It must feel like a constant full-court press.

Have we reached “Peak Security”?

So, have we reached “Peak Security”?  Have we reached a point where we’re producing so much data that our ability to protect it will only degrade further and further over time?

The answer, in my humble opinion, is “no”.  The horse is not out of the barn…yet.  If our research has taught me anything, it’s that the dearth of basic controls means there is enormous room for improvement.  By doing basic “blocking and tackling”, individuals and businesses can make substantial inroads.  If you can master the fundamentals (the 4 As: authentication, authorization, auditing, and alerting) you can guard against all but perhaps the most sophisticated and nuanced APTs.  You can separate yourself from the pack and become a target that simply isn’t worth hitting.

In the coming week, we’ll take a deeper dive into the 4 As and provide some tactical advice for strengthening your security posture.

[1]: http://www.emc.com/leadership/digital-universe/iview/information-security-2020.htm


Bring Your Own Demise [INFOGRAPHIC]

March 6, 2013

Bring Your Own Device (BYOD) is certainly not new, but its effects on security and employee behavior are still largely undetermined.  To quantify the impact of personal devices in corporate settings, Varonis conducted a short survey and compiled the results in a new research report.

The results may surprise you: more than half of respondents reported that someone in their company lost a device with important company data on it, and 22% of lost devices had security implications for the company.  Moreover, 86% of employees admit to being “device obsessed,” working on their mobile device around the clock.

Enjoy, share, embed our infographic and download the full report to learn which data protection activities truly matter.

Bring Your Own Demise: A Report of the Impact of BYOD


Data Stewardship in 13 Minutes a Week

February 14, 2013

Andrew White, Research VP at Gartner, has a great thesis on data stewardship:

“13 minutes a week – that is how much work your data stewards should be doing.”

That is, in order for data stewardship (or data ownership) to be truly adopted by the business—marketing, HR, finance—the work we require them to do should amount to no more than 13 minutes per week.

This is a terrific goal and it is what we strive for with DataPrivilege.  How do we do it?

  • We make reviews devoid of noise – stewards only see data they care about
  • We make reviews differential – if it hasn’t changed since last review, it doesn’t show up
  • We make reviews inline with normal workflow – a timely email appears in the steward’s inbox with a big link that takes them right to the review; no separate reminders or TODOs needed
  • We make reviews actionable – exceptional items are highlighted and a suggested action is given along with the ability to take the action without leaving the review screen

A significant portion of our operational plan is devoted to finding, assigning, and involving data owners.  But without buy-in from the people who will be doing the work, the plan can’t be executed.  Andrew cuts right to the core of why many businesses have failed at implementing information governance programs: they have effectively dumped an unreasonable and unnecessary amount of work on their stewards’ desks and walked away.

What do you think? Could you sell 13 minutes of work per week in exchange for true information governance, accountability, and data protection?


Clash of Compliance Cultures: Old vs. New World

February 11, 2013

In the last few years, US companies have not been shy about expressing their feelings on the EU’s Data Protection Directive (DPD). There’s a major social media player, for example, with a European HQ in Ireland that’s been publicly critical of a proposed “right to be forgotten” rule for letting consumers delete their online data. There’s also a search engine service that, while not openly objecting, is instead suggesting it’s already doing a darn good job of meeting the DPD’s rules.

US companies have begun to learn that the data privacy rules and expectations they’re accustomed to in the US are viewed differently on the other side of the Atlantic. The EU Charter (the European constitution) explicitly lists data protection as a fundamental right. That’s roughly like having a US constitutional amendment devoted to encryption, which, at this time, there isn’t.

This is not to say there’s a complete privacy compliance chasm between the US and EU.

Healthcare companies have long had extensive regulatory obligations under HIPAA for securing health information, alerting consumers about breaches, and gaining consent on information transfers. US companies in the banking and credit sectors could point to parallels in Gramm-Leach-Bliley and the Fair Credit Reporting Act.

While US medical and financial companies have had to deal with privacy and security legal burdens, that’s not been the case with the social media players. Because the Data Protection Directive covers all companies collecting data—not just ones in select, albeit important, industries—and through its Safe Harbor treaty it snags US firms as well, it’s not surprising that US Internet-based companies face the most culture shock when conducting business in the EU.

The ultimate issue is that in the new information economy data is revenue, and so deleting it is like, well, burning legacy paper currency.

Besides the differences over the right to data erasure, another sticking point between US social media companies and the EU is the rules for reasonable data retention limits. But this again mostly reflects differences between old and new economies.  After all, outside the social media world, it’s generally considered good security policy, and a way of limiting data breach liabilities, to keep PII to a minimum and erase it when it’s no longer necessary. For example, the credit card vendors, through their PCI industry standard, emphatically remind corporations with regard to credit card numbers that “if you don’t need it, don’t store it!”

But new regulatory forces along with changes in consumer attitudes may tilt social media companies towards a European view.

The FTC’s new privacy framework, published last year (and one I always come back to), calls for minimizing the collection of consumer data and for sensible retention limits. There’s a (stalled) bill in the Senate, revealingly entitled “The Commercial Bill of Rights”, which would implement some EU-style data and privacy protections. The bill’s scope, by the way, covers any company that “collects, uses, transfers, or stores covered information concerning more than 5,000 individuals.”

Good data protection and privacy best practices may one day become as American as espressos and lattes.


Oops, we lost a few terabytes! NBD!

December 11, 2012

Earlier this week, the Swiss intelligence agency (NBD) warned its US and UK counterparts that it might have lost terabytes of top secret data due to insider theft by a disgruntled IT admin.  Reminds me of this xkcd:

[Image: xkcd, “Chain of Command”]

We emphasize insider threats and the importance of zero trust all the time at Varonis.  Yes, it’s extremely important to secure the perimeter walls and use data loss prevention to protect endpoints.  But perimeter defense is far more straightforward, if nothing else, than defending against those who appear to be on your team – Kingslayers.

Inside jobs happen over and over again because they’re so hard to stop. According to a Forrester survey in 2010 [1], 43% of data breaches were caused by “trusted” insiders.  Just a few months ago, I wrote about the Zynga employee who, upon leaving the company, felt compelled to take 763 documents—including business plans and other IP—along with him.

So what do we do about it?  The answer is actually in Varonis’ mission statement: we ensure that only the right users have access to the right data at all times from any device, that all use is monitored, and that abuse is flagged.

Where do you stand in the battle against insider threats?

Are you alerted when statistical deviations in file system and email activity occur?

We jokingly call this our early resignation detection system since, sometimes, when someone is about to resign, they copy everything they’ve ever worked on.  But the alerting system in DatAdvantage was primarily designed to detect suspicious and potentially harmful behavior.
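The kind of statistical deviation alert described above can be illustrated with a per-user baseline check. The following is an added example, not DatAdvantage code and not part of the original post: it builds a constructed file-access audit log (one line per access, with a user who reads about 20 files a day and then 400 on the last day), computes each user’s own mean and standard deviation over the earlier days, and flags the latest day when it sits more than a chosen number of standard deviations above that baseline. The log line format, the threshold values, and the user names are all assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample audit log (not real data). One line per file access:
# "YYYY-MM-DD user OPERATION path". Alice reads ~20 files a day for nine days,
# then 400 on the tenth (the "copy everything before resigning" pattern).
# Bob reads ~30 files a day throughout and should not be flagged.
def build_sample_log():
    lines = []
    alice_daily = [20, 22, 19, 21, 20, 18, 23, 20, 21, 400]
    bob_daily = [30, 28, 31, 29, 30, 32, 27, 30, 29, 31]
    for day, (a, b) in enumerate(zip(alice_daily, bob_daily), start=1):
        stamp = f"2012-12-{day:02d}"
        for i in range(a):
            lines.append(f"{stamp} alice READ \\\\fs1\\finance\\doc{i}.xlsx")
        for i in range(b):
            lines.append(f"{stamp} bob READ \\\\fs1\\eng\\spec{i}.docx")
    return lines


def daily_counts(lines):
    """Return {user: {day: number_of_accesses}} from the audit lines."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        day, user, _operation, _path = line.split(" ", 3)
        counts[user][day] += 1
    return counts


def detect_deviations(lines, z_threshold=3.0, min_events=50):
    """Flag users whose most recent day is far above their own baseline.

    Returns {user: (day, count, baseline_mean)}. The baseline is every day
    except the latest one; min_events keeps low-volume users from alerting
    on a handful of extra reads. Thresholds are assumptions for the example.
    """
    alerts = {}
    for user, per_day in daily_counts(lines).items():
        days = sorted(per_day)          # ISO dates sort chronologically as strings
        if len(days) < 4:               # too little history to call anything abnormal
            continue
        *baseline_days, latest = days
        baseline = [per_day[d] for d in baseline_days]
        mu, sigma = mean(baseline), pstdev(baseline)
        sigma = max(sigma, 1.0)         # floor: a perfectly flat baseline would alert on any noise
        count = per_day[latest]
        if count >= min_events and (count - mu) / sigma > z_threshold:
            alerts[user] = (latest, count, round(mu, 1))
    return alerts


if __name__ == "__main__":
    for user, (day, count, mu) in detect_deviations(build_sample_log()).items():
        print(f"ALERT {user}: {count} file accesses on {day} (baseline mean {mu})")
```

Two design choices matter in practice: the baseline is per user, so a busy user is compared with their own history rather than with the company average, and the standard deviation is floored so that a user with an unusually regular routine does not generate an alert on the first day they read five extra files.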

Are you alerted any time someone is granted admin-level access?

One of the top use cases for DatAdvantage for Directory Services is to always know exactly when someone is given super user rights, who granted it, when, and why.  And perhaps even more importantly, we can see what they’re doing with that access.
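As an added illustration (not DatAdvantage for Directory Services code, and not part of the original post), the check below answers the “when” and “who granted it” questions from Windows Security log group-membership events. It is an assumption of the example that these events carry the fields used here: event IDs 4728, 4732 and 4756 record a member being added to a security-enabled global, local or universal group respectively, with the acting account in SubjectUserName, the added account in MemberName and the group in TargetUserName. The sample events are constructed, not captured.

```python
# Constructed sample events (not real log data). Field names follow the
# Windows Security log's "member added to group" events as assumed above.
GROUP_ADD_EVENT_IDS = {4728, 4732, 4756}

# Groups whose membership grants super-user rights; extend for your environment.
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Administrators", "Account Operators",
}

SAMPLE_EVENTS = [
    {"EventID": 4728, "TimeCreated": "2012-12-03T14:02:11Z", "SubjectUserName": "jdoe",
     "MemberName": "CN=Bob Smith,OU=IT,DC=corp,DC=local", "TargetUserName": "Domain Admins"},
    {"EventID": 4732, "TimeCreated": "2012-12-03T14:05:40Z", "SubjectUserName": "jdoe",
     "MemberName": "CN=Bob Smith,OU=IT,DC=corp,DC=local", "TargetUserName": "Administrators"},
    {"EventID": 4728, "TimeCreated": "2012-12-04T09:12:03Z", "SubjectUserName": "asmith",
     "MemberName": "CN=Carol Jones,OU=Sales,DC=corp,DC=local", "TargetUserName": "Marketing"},
    {"EventID": 4624, "TimeCreated": "2012-12-04T09:13:00Z", "SubjectUserName": "asmith",
     "TargetUserName": "asmith"},  # a logon event, ignored by the rule
]


def privileged_group_grants(events):
    """Return one alert per addition of a member to a privileged group.

    Each alert records when it happened, which account performed the change,
    who was added and to which group. The "why" is not in the event at all;
    that has to be tied back to a change ticket by whoever triages the alert.
    """
    alerts = []
    for event in events:
        if event.get("EventID") not in GROUP_ADD_EVENT_IDS:
            continue
        group = event.get("TargetUserName", "")
        if group not in PRIVILEGED_GROUPS:
            continue
        alerts.append({
            "when": event["TimeCreated"],
            "granted_by": event["SubjectUserName"],
            "member": event["MemberName"],
            "group": group,
        })
    return alerts


if __name__ == "__main__":
    for alert in privileged_group_grants(SAMPLE_EVENTS):
        print(f"{alert['when']}: {alert['granted_by']} added {alert['member']} to {alert['group']}")
```

The rule deliberately ignores additions to ordinary groups such as the Marketing example, so the alert volume stays small enough that each one can actually be reviewed against a change record.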

Do you know when IT administrators can, and do, access business data?

There’s likely no good reason for an IT admin to be rifling through customer records, changing the contents of business data, or deleting files without justification.  If you can say for certain that this isn’t even possible, you’ll be able to prevent a situation like NBD’s.  Incidentally, one of the core reasons businesses cite for not wanting to move corporate data to the cloud is that they lack visibility into what the cloud provider’s IT admins are doing with their sensitive business data at any point in time.

If you’d like a free data protection assessment to find out if your environment is at risk, sign up here.

[1] Source: Forrester, Forrsights Security Survey, Q3 2010


Top 5 Things IT Should Be Doing, But Isn’t

December 7, 2012


A clear path to effective information governance.

1. Audit Data Access

Effective management of any data set is impossible without a record of access. Unless one can reliably observe data use, one cannot observe its non-use, misuse, or abuse. Without a record of data usage, one cannot answer critical questions, from the most basic ones, like “who deleted my files, what data does this person or group use, and what data isn’t used?”, to more complex ones, like “who owns a data set, which data sets support this business unit, and how can I lock down data without disrupting workflows?”

2. Inventory Permissions and Directory Services Group Objects

Effective management of any data set is also impossible without understanding who has access to it. Access control lists and groups (in Active Directory, LDAP, etc.) are the fundamental protective control mechanism for all unstructured and semi-structured data platforms, yet too often IT cannot easily answer fundamental data protection questions like, “Who has access to a data set?” and “What data sets does a user or group have access to?” Answers to these questions must be accurate and accessible for data protection and management projects to succeed.

3. Prioritize Which Data Should Be Addressed

While all data should be protected, some data needs to be protected much more urgently than other data. Some data sets have well known owners and well defined processes and controls for their protection, but many others are less understood. With an audit trail, data classification technology, and access control information, organizations can identify active and stale data, data that is considered sensitive, confidential, or internal, and data that is accessible to many people. These data sets should be reviewed and addressed quickly to reduce risk.

Access our FREE Full Report, including the complete list of IT Must Do’s.

4. Remove Global Access Groups from ACLs (like “Everyone”) – especially where sensitive data is located

It is not uncommon for folders on file shares to have access control permissions allowing “Everyone,” or all “Domain Users” (nearly everyone), to access the data contained therein. SharePoint has the same problem (especially with “Authenticated Users”). Exchange has these, as well as “Anonymous User” access. This creates a significant security risk: any data placed in such a folder inherits those “exposed” permissions, and those who place data in these wide-open folders may not be aware of the lax access settings. When sensitive data, like PII, credit card information, intellectual property, or HR information, is in these folders, the risk becomes very significant. Global access to folders, SharePoint sites, and mailboxes should be removed and replaced with rules that give access to the explicit groups that need it.

5. Identify Data Owners

IT should keep track of data business owners and the folders and SharePoint sites under their responsibility. By involving data owners, IT can expedite a number of the previously identified tasks, including verifying permissions revocation and review, and identifying data for archival. The net effect is a marked increase in the accuracy of data entitlement permissions and, therefore, data protection.
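Items 2 through 4 above (inventory permissions, prioritize by sensitivity, and find global access groups on ACLs) can be worked through together. The following is an added example, not part of the original post and not Varonis code: it reads a constructed ACL export (a CSV with one row per access control entry, which is an assumed format; in a real environment the rows would come from whatever ACL dump your tooling produces), flags entries that grant access to Everyone, Domain Users or Authenticated Users, scores each finding by the rights granted and whether the folder holds sensitive data, and, for inherited entries, points at the parent folder where the fix actually has to be made.

```python
import csv
import io

# Identities treated as "global" access, matched on the name after any
# DOMAIN\ or NT AUTHORITY\ prefix. Extend for other broad groups you use.
GLOBAL_IDENTITIES = {"everyone", "authenticated users", "domain users"}

# Crude weighting of rights; write access to an open folder is worse than read.
RIGHT_WEIGHT = {"FullControl": 3, "Modify": 2, "Write": 2, "ReadAndExecute": 1, "Read": 1}

# Constructed sample ACL export (not real data). "sensitive" stands in for the
# output of a classification scan; "inherited" is whether the ACE came from a parent.
SAMPLE_ACL_EXPORT = r"""path,identity,rights,inherited,sensitive
\\fs1\finance,BUILTIN\Administrators,FullControl,False,True
\\fs1\finance,Everyone,Modify,False,True
\\fs1\finance\payroll,Everyone,Modify,True,True
\\fs1\public,Everyone,ReadAndExecute,False,False
\\fs1\eng,CORP\Domain Users,Modify,False,False
\\fs1\eng\designs,CORP\Eng-RW,Modify,False,True
\\fs1\hr,NT AUTHORITY\Authenticated Users,Read,False,True
"""


def is_global_identity(identity):
    """True for Everyone / Authenticated Users / Domain Users in any domain."""
    name = identity.rsplit("\\", 1)[-1].strip().lower()
    return name in GLOBAL_IDENTITIES


def load_acl_rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def find_global_access(rows):
    """Return global-access findings, highest risk first.

    risk = rights weight x 3 if the folder is sensitive, else x 1, so an
    open sensitive share sorts above an open public one. fix_at is where the
    ACE must be changed: the folder itself, or the parent for inherited ACEs.
    """
    findings = []
    for row in rows:
        if not is_global_identity(row["identity"]):
            continue
        sensitive = row["sensitive"].strip().lower() == "true"
        inherited = row["inherited"].strip().lower() == "true"
        weight = RIGHT_WEIGHT.get(row["rights"], 1)
        findings.append({
            "path": row["path"],
            "identity": row["identity"],
            "rights": row["rights"],
            "sensitive": sensitive,
            "risk": weight * (3 if sensitive else 1),
            "fix_at": row["path"].rsplit("\\", 1)[0] if inherited else row["path"],
        })
    findings.sort(key=lambda f: (-f["risk"], f["path"]))
    return findings


if __name__ == "__main__":
    for f in find_global_access(load_acl_rows(SAMPLE_ACL_EXPORT)):
        print(f"risk {f['risk']}: {f['identity']} has {f['rights']} on {f['path']} (fix at {f['fix_at']})")
```

The ordering is the point of item 3: the sensitive finance share with Modify for Everyone comes out on top, the read-only public share last, so remediation effort goes where the exposure is. Noting the parent folder for inherited entries avoids the common mistake of “fixing” a subfolder while the open ACE remains one level up.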



7 Recommendations for Data Protection by Forrester’s Andras Cser

November 27, 2012

by David Gibson

Last week Varonis hosted a webinar on using strong identity context to help protect data, where I was joined by Andras Cser of Forrester. Andras shared really interesting insights on the impact of data breaches, what got stolen, how they happened, and what you can do to better protect yourself.

On topic of entitlement reviews, Andras shared, “You have to get into a fairly rigid and rigorous structure of attestations, and basically that means you would want to have a campaign that runs every quarter, clearly understand the mappings between people, groups and resources that they’re accessing, and have managers look at their employees’ access rights, data elements, data access, and also application users should be granted some way of overseeing who has access to the data their application actually generates.”

Andras also shared illuminating key case studies from organizations that are protecting hundreds of terabytes to petabytes of data that are growing at 1-2.5% per week. It was fun for me to hear a fresh perspective on what works and what doesn’t when you’re trying to manage and protect data at scale.

Some of Andras’ recommendations were:

To see all seven of Andras’ recommendations, register to download and watch the full data protection webinar here.


The State of Data Protection [INFOGRAPHIC]

September 28, 2012

In the age of big data, businesses are creating, processing, storing, and sharing information at an alarming rate. A significant amount of the data is highly sensitive or confidential and should be properly safeguarded. It’s unnerving to think about the possibility of our own personal information sitting on servers, possibly unencrypted and open to everyone.

We hope that companies are complying with SOX, HIPAA, PCI, and other regulations but, as we know, hope is not a strategy – so we decided to take a hard look at the current state of data protection.

In March of 2012 we surveyed over 200 individuals in the IT community, asking about their current data protection practices and confidence levels, and how data protection practices correlate with data protection activities.

The results may surprise you. While over 80% reported that they store data belonging to customers, vendors, and other business partners, only 26% reported being very confident that data stored within their organization is protected.

Enjoy, share, embed our infographic and download the full report to learn which data protection activities truly matter.

The State of Data Protection


The Healthcare Market Opportunity

August 31, 2012

Over the past 6 months there have been a number of data breaches within the healthcare market. With data security breaches costing the U.S. healthcare industry about $6.5 billion a year [1], and with 50% of respondents to a survey by RedSpin (an IT security audit firm) saying that, even with recognition of these breaches, nothing is being done to protect data [2], the healthcare market represents a huge opportunity for managed service providers to provide cloud backup and recovery services that address this growing issue.

Market Opportunities Abound

With the size and frequency of data breaches alarming the health care industry, now is the time to capitalize on these unfortunate security concerns by stressing the benefits that cloud backup services offer in terms of keeping records secure as well as ensuring Health Insurance Portability and Accountability Act (HIPAA) compliance. With more than 19 million individuals affected by major healthcare information breaches since September 2009, and data breaches from unencrypted devices having increased 525% in 2011, this represents a huge market opportunity for managed services providers already selling services into the healthcare market, or those looking to sell to it. Not every managed service provider can effectively ensure adequate data protection for a healthcare clinic or hospital, so make sure you can speak their vernacular and understand all the compliance requirements and regulations involved. As a managed service provider offering, or looking to offer, cloud backup services to the healthcare market, you need to ensure you have a HIPAA compliant cloud backup platform in place; a FIPS 140-2 certification is a huge bonus.

Why Healthcare Clinics/Hospitals Should Invest in Cloud Backup Services from Managed Service Providers to Protect Patient Privacy

Investing in cloud backup services ensures a secure backup system for healthcare clinics/hospitals where BYOD is prevalent (as well as those where it is not), since not all backup solutions can protect endpoint devices such as laptops, tablets and smartphones. Investing in newer technologies improves the reliability and speed of recovery for patient data should there be a disaster, and minimizes the risk of data theft or loss by using strong encryption, so that data is encrypted in flight and at rest and only the healthcare clinic/hospital is able to decrypt it. It also eliminates the shortcomings of tape backup, which include being expensive, vulnerable to obsolescence, and prone to unrecoverable data due to tape failure or to tapes being lost or stolen when transported off-site.

If you’re interested in learning more about how to invest in cloud backup services, please visit www.c24.co.uk


Lost in the Cloud – Are Businesses Really in Control of Their Data?

June 28, 2012

Managing and protecting corporate data is a major challenge. As the technology evolves, so must our data protection strategies. Unfortunately, as our March 2012 report on “The State of Data Protection” revealed, most organizations aren’t confident about their data protection practices: 80% of respondents said that they store data belonging to customers, vendors, and other business partners, but only 26% were very confident that the data was protected.

Now, with cloud adoption ramping up, IT is charged with solving a whole new set of data protection problems. Which data should go to the cloud and which data should stay? How do I enforce this? How do I provision and manage access to cloud services? How do I prevent everyone from using their own favorite solution in favor of company sanctioned ones? The list goes on.

To see the effect of cloud services on data protection, Varonis recently surveyed IT workers from over 400 organizations to gauge their adoption of cloud-based collaboration and their perception of its security. The results indicate that organizations need to formulate their data protection strategy for cloud collaboration now: the control gaps present with cloud collaboration in the mix are reminiscent of the gaps reported by those who were “not confident at all” that their data was secure in our data protection survey. Organizations may well be under pressure to better control the data that makes its way into the cloud.

How bad is it? Here is a sneak preview. Be sure to download the full research report here for an in-depth look at IT’s view of cloud adoption.

Enjoy, share, embed our infographic!

Lost in the Cloud - Are Businesses Really in Control of Their Data?

