Data security: the devil is in the detail

The modern IT network is an entanglement of complex software, each purchased with the main intent of solving a specific business problem. Understandably the focus has always been on the functional benefits of each software product, rather than how the products themselves work.

This practice is becoming evermore prevalent with the concept of cloud-based consumable services that enable companies to pick and choose what they need without having to concern themselves with where the data is stored and how it is being processed.

While offering convenience, companies who have adopted this approach are now finding themselves with a lot more to do to meet the European Union’s General Data Protection Regulation (GDPR) requirements.

GDPR brings the same level of scrutiny and pressure to protect personal data that has until now been more commonly associated with specific industry regulations, such as the US Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry (PCI) security compliance. Buyers are now being forced, rightfully so, to take into consideration how the technology they are purchasing works and how their data is being protected.

Importantly, as a user of a product, being detached from how it works inhibits the ability to rationally identify and weigh the risks associated with its use and deployment. Take for example the case where an email server is placed on the internet so that users can access it via webmail. While incredibly useful to the business, administrators often do not accurately weigh the risk of this approach until they see the millions of login attempts each week coming from automated bots on the internet.

Enterprises have on average been better in this sense, applying many controls during procurement to try to identify and manage the risk described. Controls like penetration testing, vulnerability scanning and log management, to name a few, have been used, although even these are now beginning to show their age and reduced effectiveness. These controls are not able to provide an accurate picture of how a technology is actually being used over time, nor of the threats and vulnerabilities that naturally emerge from that usage.

More than ever, it is necessary to delve beneath the surface of software applications and the network as a whole, and look at the ways components are interacting. Only at this level can you start to see critical risks that could have a severe impact on the business and its compliance and legal footing.

One approach to gaining this visibility is to monitor traffic on the network directly. From here it is possible to see the weaknesses that may lead to greater impact later, as well as the active threats: those who already know of the weaknesses and are exploiting them for some gain.

Risks come in many forms: personal data being uploaded to a cloud-based service unencrypted, or weak application programming that allows records to be retrieved without proper authentication of the user, to name just a couple. With a little technical knowledge, these types of flaws can easily be used to steal or destroy data, leading to significant disruption and financial penalties.

The risks themselves change over time as the organisation using the products itself changes form, whether that be a migration to the cloud, a change of offices or a change in the way applications are delivered.

And the risks are not stationary, even if the company itself doesn’t change. The appetite for information and the abundance of threat actors looking to achieve personal gain mean that the risk is forever increasing. It is important to keep monitoring so that the risk is accurately measured and the business has an opportunity to mitigate it before it exceeds an acceptable threshold.

GDPR will come into force this May. It recognises and protects the privacy and rights of individuals. Another good side effect is that it is encouraging businesses more than ever to stop, pause and take stock of the risks that have always been there. Overall this will make business safer, which is another positive step forward.

Learn more at threatspike.com