The "M & M" model of data security (hard shell, soft inside) has been the standard for most enterprises for decades. It rests on a number of assumptions:
- All our mission-critical and Tier 1 applications are maintained inside our secure network.
- The bad guys are outside the firewall.
- We train our IT organization well, so they minimize mistakes.
Just a quick glance at the recent headlines and analyst reports illustrates how drastically the world has changed.
1) Organizations no longer have a clearly defined perimeter.
Company assets can no longer be fully defended by a firewall designed to protect discrete physical servers nestled in locked rooms. The growth of virtualization makes servers, applications and data both fluid and mobile. Organizations are running applications and servers in the public cloud, taking data completely outside the scope of traditional security methods and out of your immediate control. Even if you don't have an official cloud strategy, it's highly likely that employees are using cloud-based tools for collaboration, file sharing, and test and development, often in direct conflict with corporate security policies.
The reality is that the cloud is here to stay. Consequently, the methods we use to secure data in this complex and dynamic environment must adapt.
2) The bad guys are already inside
The poster child for insider threats, Edward Snowden, made it patently clear that organizations need better controls around privileged users. Successful spear-phishing schemes regularly grant malicious outsiders access to trusted networks, resulting in breaches that can take months to uncover and millions of dollars to remediate. According to the Verizon Data Breach Investigations Report, 62% of breaches go undetected for months, significantly increasing the potential for damage.
Virtualization worsens this problem because it concentrates risk. Applications and data become commingled, and administrators have access to virtually everything. Damage or theft can be done in an instant, simply by copying or deleting virtual machine files.
Employee training, or the lack of it, is also a factor. In a recent Forrester report, "Understand the State of Data Security and Privacy: 2013 To 2014," Heidi Shey noted:
"In Forrester's recent study of information workers in North America and Europe across SMBs and enterprises, only 42% of the workforce indicated that they had received training on how to stay secure at work, and only 57% say they are aware of their organization's current security policies."
At a bare minimum, make sure a) you have a security policy and b) you communicate it to your employees. Go a step further than just including these policies in your new employee handbook (new hires are overwhelmed at that point, and even if they sign it, it's unlikely they actually read it). If you don't have the expertise in house, there are numerous companies that can provide training to teach employees how to recognize and avoid phishing and the other social-engineering techniques that advanced persistent threats rely on to get in.