Protecting our Infrastructure or Protecting our Data
OK, it is time for the New Year soapbox and maybe a discussion to provoke some reaction.
We are spending more and more money protecting our networks, and generally we are making very good progress, but have you ever thought about what you are protecting and for what reasons?
Typically, we invest in the three core areas of endpoint protection, network defence and monitoring capabilities. The focus on these areas comes from well-established and generally good industry standards for protecting information on your network, either by preventing compromise or by remediating events, and until recently these have been very successful.
So what’s the problem now?
We are seeing an ever-increasing trend in the use of cloud services, a term which covers a multitude of scenarios and sins, but in all cases it pushes data to an environment where we need to trust other people's security standards and which is, by default, open to access from the internet. In itself you may not see any particular issue, but couple this scenario with your obligations under GDPR and you may think differently.
With a cloud service, it is normal practice to allow access from any device to a cloud provider. Sure, the cloud provider may permit two-factor authentication, but the fact is that someone with appropriate credentials can log into your environment on a device not controlled by yourself and de facto download and store personally sensitive and proprietary business information on that device. This begs the question: who is responsible for the "breach"? The person accessing the data, the cloud service provider, your organisation, YOU????
What can we do?
A number of technologies are emerging to help us address this problem technically, including CASB solutions and technologies which can plug into the cloud, like Cato Networks. It may be that you decide just to monitor and report using technologies such as Darktrace.
What is absolutely clear is that, no matter what the technology, we need to lead and educate our organisations in the selection and deployment of cloud services from a security perspective. This will inevitably be seen as an infringement of business freedoms, but failure to achieve this will expose our organisations to damaged reputations and significant financial penalties.
Remember, GDPR is just around the corner.
Cyber Security Programme Manager