How to Protect Data in a Hostile World

welcome to the KuppingerCole Analyst chat. I will be your host. My name is Matthias Reinwarth. I'm an analyst and advisor at KuppingerCole Analysts. We will focus today on specific and hopefully interesting topics that we as analysts encounter in our daily work.

This work that we do is mainly focused on the topic areas of cyber security, identity and access management, AI, and much more here we do in depth research, but also advisory work with vendors and end users like as clients alike in each edition, I will have one guest joining me, often a fellow analyst or another interesting partner, and we will have a 15 minutes or so chat around current topics. My guest today is John Tolbert. He is lead advisor with KuppingerCole. He is located in Seattle. So this is a long distance podcast. And let's try to find out how this works.

We will talk about how to protect data in a hostile world. And I now would like to welcome John.

Hi, John, how you doing? Good. How are you? I'm Fine.

So, so this long distance calls seems to work out our topic today is how to protect data in a hostile world. And I assume that is an increasingly important topic just right now.

Maybe we, we started with with one interesting question. Why do we need to do better at protecting data in today's world? So we are failing currently. Yeah.

You know, it's a very difficult game. Being a defender in the cybersecurity world. It's much easier. I think as everyone knows to be an attacker and the attackers are just wildly escalating, we see an increase daily and the number and types of malware malware is off on a vector for getting in and gaining access to either personal machines or your work devices, you know, with the goal of being able to steal their credentials. Oftentimes unfortunately it's, it's username and password rather than some strong method of authentication.

And then the goal is to take some sort of data, whatever they can find lots of different kinds of data. So yeah, we see that there's an increasing number of attacks. Increasing sophistication changes in the types of malware that are out there.

You know, ransomware was really big a couple of years ago. That's when it first broke in the news, but ransomware continues to be a problem to this day. And there have even been variations in that in the last year kind of looked like ransomware, but they actually are designed to destroy your data. So just another example of the wildly different kinds of malware and threats that we all face today. Okay. So It's just only vandalism left, not, not no longer this ransom approach, but really just destroying.

I just heard about a hospital that really shut down in the current situation because the, the complete it was infected with ransomware. And that is really something that needs to be prevented just right now.

Yes, absolutely. Yeah. Traditional ransomware is still active too.

You know, like you said, hospitals, public services, state and local governments around the world are finding that ransomware perpetrators are still actively pursuing them even in these dangerous times. So yeah, there's, there's still traditional ransomware as well as these wiper where we're now calling them that may or may not have some sort of political motivation behind them as well. Okay. Okay. Got it. So I I've learned that that malware in general is always or candy, at least the entry point of a, of a longer running attack.

So malware is the, the, the, the first step into an organization's network or onto the Target's computer. But what is, what is the target then of these longer running attacks when this is just the entry point?

Well, yeah, I think you're right. I think if you consider the motives of attackers, generally they want something in malware is, is often unfortunately a very good way of getting it. If you can take remote control of somebody's machine, then you can get access to the files that they have on their machines or in their connected network drives or access to their cloud resources.

But, you know, it doesn't even have to be involving malware. That's why I always see lots and lots of social engineering, fishing, anything to try to get information from someone that someone else might consider valuable.

So yeah, multiple entry points, malware being a very big one because it's, it's so prolific today, there are many different kinds of malware. Unfortunately, there are malware as a service vendors where you can have some randomized encrypted, custom malware that you can go on the dark web and buy and then distribute yourself. So you don't even really need the, the skills programming that you once did in order to be able to launch based attacks.

Yeah, that's, that's really still something that, that, that strikes me that this is really a proper business model to provide this, this malware to be on the other side of the stuff that we're doing. But on the other hand, as you've mentioned, there are, there are not only the on premises networks anymore. Important information for today's industries is spread across many platforms. This cloud first hybrid first approach means that data can be anywhere from AWS to Azure, to on-prem to hybrid hosted by an MSP. How do I make sure that, that I keep track of all my data? Where is it?

Where can I deal with it and how do I deal with it? You know, I think as a security practitioner, you've hit upon problem. Number one is just knowing where the data is.

You know, there, there fortunately some tools around now that can help with that. There are things that will allow a company, administrators to discover all the pertinent data and then classify it. And then by classified, I mean, sign some sort of value that allows for better protection within an organization. And then on the cloud side, there are cloud access security brokers, which it's kind of an interesting subject in itself, but it's a way of utilizing the services to discover your company or organizations other use of cloud services.

So finding out where your users are storing their data, if it's not on your own networks and your own devices and servers and shares and whatnot. So yeah, it's a very, it's a very difficult problem to get around, but it's not impossible. There are tools like DLP data leakage prevention tools that can help with this discovery and classification. And then also being able to enforce some of those classifications, like let's say you've got, you know, data of different types or information of different values that you want to be able to protect.

The DLP can allow you to prevent users from say copying it to a thumb drive or sending it to their personal web mail service, you know, and scanning it with it from the company in other words. And, and let's take for just a moment about the different kinds of data that need to be protected too. Not just where is it located, but there's PII. We're probably all familiar with that. Especially in the, after GDPR personally identifiable information information about people, things that they, they do, and by their biometrics, things like that are considered highly sensitive in most jurisdictions.

And for many different reasons, companies or different organizations may be storing that kind of information. So they need to protect it wherever it happens to be found. And in line with GDPR, there are data privacy impact assessment tools that are out there now that can also help with the discovery and classification phases. Okay. And if I think of the, of these standard way of organizations dealing with data, if I think of something just in this as an example, like teams or SharePoint online, where we just throw in data, apply a bit of, of access control.

So the, the, the layman would suggest that data is secure because I have to log in and I have applied some restriction read only, or, or even hidden for some users. But once this information is in use by the users or opened in word or opened in the web browser, it is subject to any kind of exfiltration. So how can I add additional layers of protection? Because otherwise I don't see the adequate level of protection that you just described when it comes to critical data like PII, or like, I don't know, intellectual property of an organization.

And this is what is usually on these SharePoint drives. Well, let me begin by answering that by saying yes, I think there's an with a caveat. Yes. There are ways that very determined attackers can subvert most of the controls that we put out there, but you know, our job in cybersecurity especially is to make it as difficult as possible for those things to happen. And you make a good point about file shares and SharePoints, and, you know, there's a lot of things that can be done for you.

There's a lot of comfort that you can get by using a, an integrated tool suite like O 365 or SharePoint and what that can buy you in terms of ease of access control. But I think, you know, most of the time administrators really need to take it to the next level in terms of defining those permissions about what's in SharePoint, because yeah, I think too often people will put folders on SharePoint and, and far more inclusive permissions than what are really necessary for actually getting the job done.

So in those cases, you know, we recommend using tools around IGA, access intelligence, maybe data, access governance as well. You know, looking at the data, how users interact with specific information objects and determining what the appropriate level of entitlement permission access control should be on each type of data object as well. That can help us, you know, as security administrators to lock down entitlements, to enforce the principle of least privilege. Okay. Okay.

When, when we talk about encryption, I usually always think of if we, if we encrypt data and put it on SharePoint, it's like, like a big data dump where you have data, which is no longer in an adequate format that all these nice, shiny software as a service solutions can actually work with it and process it and index it and search it. Is it really off of any help in there when, when the data afterwards is not longer usable in the way that you would expect it to be, You know, encryption encryption is great.

I mean, and if we look at the two major forms of encryption in transit encryption at rest, you know, the world has gotten pretty good about encryption in transit. And, and also there are lots of tools that are good for encrypting your stuff inside SharePoint or other kinds of file repositories. But the problem there is really more on the usability side.

Let's say, I need to collaborate with somebody outside my company. How do I, how do I grant them access to that?

Well, maybe one way is to copy it to a new SharePoint, but then, you know, how do you share encryption keys or certificates with somebody else like your company, right? That's where it starts to get a lot more complicated. And the usability usability usually overrule security. And that's why you see things getting decrypted for sharing. Right now, we are in this weird situation. We are all in right now.

So with the Corona crisis, being around at least in a, or in a real tangible way for two weeks or so to anybody around the world, more or less, and that of course has many, it has moved many organizations to, to work from home scenarios. Is this something that, that you expect to be worsening the situation in general and maybe also over challenge, just the typical standards and user? Yes.

I, I think it's brought a whole slew of challenges that many people were really not ready for. I mean, there are some companies that are already adept at large scale telecommuting. They have modern security architectures where they're applying good access controls on, on cloud hosted solutions.

And, you know, they have less, you know, on-premise well, but, you know, unfortunately that's not most companies as of yet. So I think we've all many companies have been on a rapid learning curve about how to do this. And we're aware of instances where companies may have sent everybody home to work and may not even have their own laptops. So they may be sending home desktop. So there may be telling people to use their own devices, the problems get multiplied. When you do those, a BYO D situation there w the D turns into a debacle because you really have no control over the end points then.

So you have machines that are accessing your resources, that you don't control. You don't know if they're properly patched. You don't know if they're running any sort of end point protection.

I, you may or may not have any control over the ways they authenticate. So yeah, this is in extra dangerous time because of the lack of preparedness that the many and in the work from home scenario. Okay. Got it.

So now that we are analysts and advisors, maybe for the final question for that podcast, if you were to provide, say three key recommendations for anybody, for those who are now thrown into this work from home scenario, but also if this is over some times in the future, how to, to, how to mitigate these issues and how to prepare better for working in this more modern way in the 2020s, what would be your three recommendations? Well, I think probably the most important is we know that there are large scale attacks going on against say VPNs.

So a lot of companies sent people home and they're allowing wide unfettered access through their VPNs to all the corporate resources. I would say if possible quickly find a CLA a secure cloud collaboration service that you use and turn on multifactor authentication for that. I think the passwords as a vector for getting into personal machines, as well as corporate resources, it's just too easy. And I think you can get the most, most value security wise by moving to a secure cloud collaboration platform.

That's, Paltz supports multifactor authentication, and that would be number one. And then, and then use CASBY the cloud access security brokers. If your company likely, you know, your, your users are using cloud services now is the time to get a handle on where that data is going. Find it. And then again, turn on multifactor authentication once you've used CASBY to find your data. And then lastly, for data on premise is scenarios. I think DLP is still a really valuable tool for that discovery classification and an enforcement of your security policies.

And really it's the only way to control your, your loose data things that that may be on file shares that users can download to their desktops and then put onto a USB drive or, or move into personal mail or upload somewhere. That is probably one of the bigger concerns I would have right now. Great. Thank you very much, John. I assume that since this topic is so huge and we just had 15 minutes for today that we will follow up on this in further podcasts as well.

And usually I do a summary right now at that point of the podcast, but with your three recommendations being so, so, so that's a good summary in itself. I would like to close it down here. Thank you again, John, for joining me here today, and I look forward to having you as a guest in one future or more future additions of this podcast. Stay safe. Thank you very much. And to the audience. Thank you very much for listening. Bye John. Thank you. Thank you. Bye-bye