Defending-Data-Smartly WHPDDS WHP Eng 0822


Defending Data Smartly

Security
2 DEFENDING DATA SMARTLY

CONTENTS

4 Introduction
4 Reactive DLP Misses Security Target
5 / Pretty Good Privacy
5 / Information Rights Management
5 / DLP Advances
6 Compliant Does Not Equal Secure
9 Privacy and Security Must Align
10 Security Strategy Can Be Smarter
13 Conclusion
14 Acknowledgments

© 2022 ISACA. All Rights Reserved.


3 DEFENDING DATA SMARTLY

ABSTRACT
Willie Sutton was a notorious bank robber in the early 1900s, known for his colorful character and his alleged answer to the question of why he robbed banks.[1] His answer was simple and revealing: “That’s where the money is.”

If you asked cybercriminals, nation-state actors or any other nefarious actors in cyberspace why they attack digital systems, their answer would likely resemble Mr. Sutton’s: “That’s where the money is.”

In a digitally dependent world, with our collective wealth moving from physical banks to digital ones, our intellectual and digital value has also moved to an increasingly digital model. We have become more reliant on a variety of digital data for the furtherance of our species, yet continue to lose ground in the defense of this critical asset. Billions of dollars have been spent attempting to better secure our systems, yet we have failed at protecting our data.

In this white paper, you will learn both why this failure has happened and how we can move past it by adopting a combination of technical solutions and strategic approaches in order to successfully defend our data.

[1] US Federal Bureau of Investigation, “Willie Sutton,” www.fbi.gov/history/famous-cases/willie-sutton


Introduction
Despite the billions of dollars spent to secure enterprise data, current solutions continue to fall short. If fully supported by executive leadership, enterprises can combine newer security strategies for the total protection of their valuable data assets.

In order to address data security issues effectively, practitioners should understand the volume of data that requires protection; some industry watchers estimate that “[b]y 2025, humanity’s collective data will reach 175 zettabytes—the number 175 followed by 21 zeros.”[2]

Securing all these data grows increasingly difficult, because newer and more valuable data types are constantly emerging. The dynamic and rapid nature of new data creation makes the need to replace antiquated and failed approaches even more pressing.

Data can also be used as collateral. For example, data from United Airlines and American Airlines mileage programs (e.g., customer use trends, seating priorities, credit card details and other data points) were valued at around $20 billion for each airline in 2020, when they mortgaged their mileage programs to raise cash during the pandemic.[3]

Understanding why data are considered valuable assets is vital to the data security discussion. Data have several characteristics that make them valuable from a business-focused lens. Data are:
• Highly reusable
• Omnipresent and boundaryless, i.e., they can be in many places at once
• Replicable, e.g., data copying is simple and shareable
• Instantly transmissible
• Generally not subject to taxation
• Applicable beyond a singular application, providing exponential benefits

An enterprise can realize and leverage the value of its data only if those data are effectively protected. If data are not defended in a manner that negates their value to an attacker, then the strategic approach to security is a failure and the business value is at risk.

Reactive DLP Misses Security Target

Data-driven enterprises need to find the most effective security controls to protect their valuable digital currency. “Data loss prevention (DLP) is a set of tools and processes used to ensure that sensitive data is not lost, misused, or accessed by unauthorized users.”[4] DLP technology first emerged in the early 1990s in response to scores of email compromises, exploitations and losses of personally identifiable information (PII). The first technological approach was spam filtering. Spam filtering removed overt and easily identifiable junk mail and phishing attempts that targeted email exchanges and employed “data loss” prevention by ensuring that only “valid” data were allowed to leave the mail servers. While well-intentioned, early DLP solutions like spam filtering have failed to manage the growing volume of data migration that happens over email.

[2] Kerner, S.M.; “34 Cybersecurity Statistics to Lose Sleep Over in 2022,” Tech Target, 15 March 2022, www.techtarget.com/whatis/34-Cybersecurity-Statistics-to-Lose-Sleep-Over-in-2020
[3] Genter, J.; “How Airlines Make Billions From Monetizing Frequent Flyer Programs,” Forbes, 15 July 2020, www.forbes.com/sites/advisor/2020/07/15/how-airlines-make-billions-from-monetizing-frequent-flyer-programs/?sh=e99ec7d14e91
[4] De Groot, J.; “What is Data Loss Prevention (DLP)? A Definition of Data Loss Prevention,” Digital Guardian, 1 October 2020, https://digitalguardian.com/blog/what-data-loss-prevention-dlp-definition-data-loss-prevention. ISACA defines data loss prevention as detecting and addressing data breaches, exfiltration or unwanted destruction of data.


Pretty Good Privacy

Pretty Good Privacy (PGP), released in 1991, was another early technical attempt to standardize data protection strategies for enterprises. PGP uses encryption to render data useless to anyone who maliciously collects them, helping to secure the privacy of data within a transaction and prevent the exposure of sensitive information. Although PGP works well if users are the only ones accessing the data, its slow and cumbersome key system requires users to have intricate knowledge of the system. This makes it difficult to intentionally share data with others. Also, after PGP encryption keys are shared, the original user loses control over the data and the encryption keys. The keys and the responsibility for the data within an exchange are shared by all parties involved in the communication. This is antithetical to good security practice and, as a result, PGP is unable to truly scale at the enterprise or infrastructure level.

Information Rights Management

Information rights management (IRM) is a legacy attempt at enterprise data protection. However, it is limited to Microsoft® applications. IRM protects Microsoft documents, PDFs, spreadsheets and emails containing sensitive information from unauthorized access—copying, viewing, printing, forwarding, deleting and editing.[5] IRM is often used to protect highly sensitive information in compliance with Health Insurance Portability and Accountability Act (HIPAA) and Health Information Trust Alliance (HITECH) protection requirements. IRM “protections persist even when files are shared with third parties.”[6] However, workarounds do exist, like taking a photo of the screen or using third-party, screen-capture software. IRM restrictions and granular requirements can be frustrating for users. For example, IRM requires that each user’s computer be installed with specialized IRM software to enable the user to open files with IRM protections.[7]

IRM security restrictions for each enterprise are based on a required granular, customized and well-crafted IRM policy matrix. Therefore, IRM may be too cumbersome, requiring enterprises to apply custom IRM rules at various levels in their organizations.

DLP Advances

As data compromises continued, internet service providers introduced email secure gateway (ESG) technology that functions like antivirus and malware-defense programs and looks for patterns within emails. ESGs tag patterns recognized as potentially risky or threatening and quarantine or remove them from within the content. The first iterations of email security gateways and pattern recognition were relatively effective, focusing mainly on searching email files for common terms that might lead to data-breach activity. With the explosion of digital content, the exponential growth of data exchange across a variety of mediums and the ever-increasing volume being generated, the approach of finding and tagging content that might be shared within communications exchanges cannot keep up.

Additionally, enterprises often find legacy DLP technology to be more cumbersome and restrictive than beneficial. Users do not like the controls levied on them by an enterprise security group.

Increased compliance regulations and new data security controls for standardized enterprise data further complicate the implementation and use of DLP technology. Compliance requirements and standards, such as PCI DSS, HIPAA and HITRUST, continue to challenge technology’s ability to address the continuous onslaught of new and transitional data imperatives.

[5] Musarubra®, “What Is Information Rights Management (IRM)?,” www.trellix.com/en-us/security-awareness/cybersecurity/what-is-information-rights-management-irm.html
[6] Ibid.
[7] Ibid.


Generally, modern DLP solutions are based on one of two technical approaches:
• Traditional—Provides coverage for data across components, including the cloud, endpoints, network gateways and storage, which requires powerful processing and computing capability. Every transaction and exchange of data on an enterprise system must be analyzed in real time, which is a herculean task.
• Agent—Uses kernel-level agents on endpoints to monitor network traffic. These agents detect policy breaches, report suspicious activity through notifications/alerts and enforce policy restrictions. However, agents are often slow and resource-intensive on endpoints, and applying blocks and denials from the DLP endpoint solution on end-user machines is dependent on a well-crafted policy back end that is difficult to maintain and expensive to implement. New data types and changes to data requirements and sharing are ever-increasing, so the endpoint agents must be updated, and their policies adapted constantly, which is difficult and reliant on a focused maintenance effort.

Strategically, DLP technology fits well into the paradigms of effective enterprise security strategy, but DLP and the technologies that followed it are severely lacking because they are typically cumbersome for users, difficult and expensive to integrate and maintain, and a hindrance to necessary information sharing across enterprises.

DLP strategically relies on an organization’s ability to classify data and apply protections that are appropriate to the classification, both at the speed of business and the scale of a modern enterprise. As DLP grows in popularity, vendors optimize their solutions to help enterprises manage those tasks. Nevertheless, in most instances, DLP technology does not yield the expected data-security results. The reason for this is that DLP is a reactive, rather than proactive, technology, detecting losses as they are leaving an enterprise and then reacting based on a crafted configuration that forces the entity to act. Alternatively, proactive solutions provide just-in-time user feedback before the data export is allowed, but do not harm the user experience or stop users from doing their legitimate work.

Compliant Does Not Equal Secure

Any organization conducting business today generally must comply with laws and regulations. Compliance is required but should not be confused with effective risk-based security. In theory, compliance indicates that an enterprise has achieved the minimum standards required to safely conduct business in the digital space. There exist a variety of different compliance mandates for an assortment of different organizations and different businesses. Airplanes must adhere to strict requirements to fly. Water systems must be compliant to pump water safely to homes. Oil and gas systems must be certified and compliant for them to deliver fuel. But none of those compliance requirements mean that “nothing can go wrong,” as is the common thinking for digital compliance. Digital businesses must adhere to a number of compliance requirements across a variety of verticals that may or may not be in line with the needs or security practices of an enterprise, and hackers and adversaries are not threatened by compliant networks, ever. In many cases, the never-ending battle to achieve compliance is derailing the enterprise approach to strategic defensive positioning.

Nearly every major enterprise throughout the world has had some form of data breach in the last decade, despite having one or more compliance mandates. Far too many enterprises have multiple forms of compliance applied to their infrastructure, their personnel, their data, their business and their digital presence at a variety of points, yet they are still breached. The number of breaches is up 27 percent from just a year ago, and the costs of breaches are the highest they have ever been.[8] Privacy stipulations and legal justification for privacy requirements on enterprises increase the weight of compliance, yet breaches continue.

For example, the PCI compliance requirement for businesses to hold credit card information was introduced in 2013, yet financial data remains the most targeted and exfiltrated type of data for any organization.[9] Credit card and financial information comprise nearly 80 percent of breach material in 2022. Due to the nature of business and the way that enterprises are continually growing and evolving their infrastructure, less than 30 percent of enterprises remain PCI compliant one year after certification.[10]

A great example of this is the Target® breach, wherein Target was certified as PCI compliant weeks before the breach occurred.[11] Another example is Heartland Payment Systems®, which was certified as PCI compliant for six consecutive years before its breach.[12] Compliance does not equal security, although some organizations believe that being compliant means being secure. Most enterprises that have a compliance program focus solely on achieving compliance to conduct business, i.e., they achieve compliance annually with an annual assessment and are certified. Some organizations apply a point-in-time compliance approach to long-term security strategies. Notably, most of those organizations fail to follow some of the best practices and basic approaches that are noted by practitioners of security strategy.

Identifying and localizing the data and information where cardholder information is stored and defining the compliance scope around that specific information and those specific data should be a first-instance requirement. Additionally, organizations should seek to gain visibility and control over all payment channels that could result in the compromise of cardholder information, should a malevolent actor breach the system.

Organizations should have the ability to monitor the entirety of their system, as well as a good baseline, so they can determine when an anomaly does occur. Although these things are noted within compliance documents and the PCI guide, the necessarily broad and strategic best practices are only in scope during the compliance audit. After the audit, practices may go back to business as usual.

Another example of how easy it is to undermine the posture of a compliant organization is that of the Sally Beauty Supply® system compromises. Sally Beauty Supply system administrators were using a Microsoft Visual Basic® script that allowed their network administrator to log in to an administrative system with default credentials. The administrator was using a script that contained the administrator username and password to log in to an administrative system.[13] During the compliance audit, the Visual Basic script was not checked for stored usernames and passwords. However, the adversaries looked at the script and were able to leverage that to cause a breach.

A further flaw with a singular focus on compliance when conducting digital business is that many organizations are continually working to reduce the scope of their compliance needs in order to expedite the compliance audit.[14] Although an enterprise wants to get back to work and not be constantly mired in conducting compliance audits, this practice fails to understand the collective workings of the enterprise’s digital infrastructure. A much better way to reduce the scope of an audit is to implement basic practices so that:
• Enterprise data are completely understood and localized with correct controls
• Localized data form inherently or natively more auditable areas of focus for compliance purposes

Trying to be compliant with everything, all the time, does not work. It only adds to the complexity, which hurts an organization’s security posture. Trying to shoehorn compliance in terms of basic premises needs, without an understanding of organizational risk (e.g., adversary targets), complicates compliance initiatives because it skews the scope. A compliance audit and compliance certification should mean that an organization has, at the very least, the basic security controls in place to withstand attacks on and exfiltration of customer data.

Unfortunately, data breach security and enforcement laws have not had much impact. For example, “In 2021, there were more data compromises reported in the U.S. than in any year since the first state data breach notification law became effective in 2003.”[15] When sensitive data do get exposed, they are most often a person’s name, followed by Social Security number, date of birth, current home address and medical information.[16] If the laws in place for nearly 20 years made a difference to data security, breaches would not be increasing. Figure 1 depicts that the vertical markets that are the most regulated, with the highest legal and financial penalties for a breach, are also the most-compromised vertical markets.

FIGURE 1: Number of Breaches by Economic Sector (2021)

Source: Risk Based Security - Flashpoint. (2021). 2021 Year End Data Breach QuickView Report, https://pages.riskbasedsecurity.com/2021-year-end-data-breach-report

[8] Lohrman, D.; “Data Breach Numbers, Costs and Impacts All Rise in 2021,” 10 October 2021, https://www.govtech.com/blogs/lohrmann-on-cybersecurity/data-breach-numbers-costs-and-impacts-all-rise-in-2021
[9] Verizon, “2022 Verizon Data Breach Investigations Report,” 24 May 2022, https://www.verizon.com/business/resources/reports/dbir/
[10] Ibid.
[11] Moldes, C.; “Compliant but Not Secure: Why PCI-Certified Companies are Being Breached,” 9 May 2019, CSIAC, https://csiac.org/articles/compliant-but-not-secure-why-pci-certified-companies-are-being-breached/
[12] Ibid.
[13] Ibid.
[14] Johnson, B.; “Top 3 Audit Challenges and How to Overcome Them,” Netwrix, 13 January 2022, https://blog.netwrix.com/2019/01/16/top-3-audit-challenges-and-how-to-overcome-them/
[15] Identity Theft Resource Center, “2021 Annual Data Breach Report,” 1 January 2022, https://www.idtheftcenter.org/publication/2021-annual-data-breach-report-2/
[16] Ibid.
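The check the paper says was missing from the Sally Beauty Supply audit described above, a scan of administrative scripts for stored credentials, as an added Python example that is not part of the paper; the VBScript sample, the variable-name patterns and the weak-value shortlist are constructed for this illustration:

```python
"""Added example (not from the ISACA paper): an audit check that scans
administrative scripts for stored credentials.  The script text and the
weak-value shortlist are constructed for this example."""
import re
from dataclasses import dataclass

# Variable names that usually hold a secret.
CRED_NAME = re.compile(r"pass(?:word|wd)?|pwd|secret|token|api[_-]?key", re.I)
# VBScript/PowerShell-style string assignment:  name = "literal"
ASSIGN = re.compile(r'^\s*(?:Const\s+|\$)?(?P<name>[A-Za-z_][\w.]*)\s*=\s*"(?P<value>[^"]*)"', re.I)
# Connection-string style key=value embedded anywhere on the line.
CONNSTR = re.compile(r"(?:pwd|password)\s*=\s*(?P<value>[^;\"'\s]+)", re.I)
# Constructed shortlist of placeholder/default values that deserve the highest severity.
WEAK_VALUES = {"", "password", "admin", "changeme", "123456"}

SAMPLE_SCRIPT = """\
' Constructed VBScript sample modelled on the pattern the paper describes
Dim strUser, strPass
strUser = "Administrator"
strPass = "Welcome123"
Set objNet = CreateObject("WScript.Network")
objNet.MapNetworkDrive "Z:", "\\\\admin-srv\\c$", False, strUser, strPass
Set conn = CreateObject("ADODB.Connection")
conn.Open "Provider=SQLOLEDB;Data Source=db01;User ID=sa;Password=sa"
strBackupPwd = "admin"
"""


@dataclass
class Finding:
    line_no: int
    kind: str
    name: str
    severity: str


def severity_for(value):
    """Empty or well-known placeholder values are the worst case."""
    return "high" if value.strip().lower() in WEAK_VALUES else "medium"


def scan_script(text):
    """Return one Finding per stored credential, in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = ASSIGN.match(line)
        if m and CRED_NAME.search(m.group("name")):
            findings.append(Finding(line_no, "hardcoded-credential", m.group("name"),
                                    severity_for(m.group("value"))))
        for cm in CONNSTR.finditer(line):
            findings.append(Finding(line_no, "connection-string-password", "password",
                                    severity_for(cm.group("value"))))
    return findings


def summarize(findings):
    """Count findings by severity for the audit report."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_script(SAMPLE_SCRIPT):
        print(f"line {f.line_no}: {f.kind} ({f.name}) severity={f.severity}")
    print(summarize(scan_script(SAMPLE_SCRIPT)))
```

The same scan can be pointed at a directory of logon and scheduled-task scripts before an audit, so that stored credentials surface as findings rather than as a breach report.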


Figure 2 shows a sampling of the most recent enterprise breach victims. Every breached enterprise in figure 2 had either a well-funded multimillion-dollar compliance program or, at the very least, had achieved a level of compliance for its business but was still breached. Despite maturity of compliance programs or achievements, these organizations were breached rather easily in most instances, and in some cases repeatedly. Sadly, compliance provides many organizations with a false sense of security. To best address their security, enterprises must concentrate on a risk-based approach that aligns risk mitigations with the organization’s objectives and goals.[17]

FIGURE 2: Enterprises Breached By Year

Breached Enterprise                                 Year  Number of Incidents  Industry          Compliance Regulation
Iberdrola®                                          2022  1,300,000            Energy            PII Data
International Committee of the Red Cross (ICRC®)    2022  515,000              Humanitarian      PII–HIPAA
IKEA®                                               2022  95,000               Retail            PII–PCI
Ancestry®                                           2021  300,000              Web               PII–HIPAA
Ankle & Foot Center of Tampa Bay, Inc.              2021  156,000              Healthcare        PII–HIPAA
AOL®                                                2021  20,000,000           Web               PII
Apple, Inc.®/BlueToad™                              2021  12,367,232           Tech, retail      PII
Apple®                                              2021  275,000              Tech              PII–PCI
Apple Health Medicaid                               2021  91,000               Healthcare        PII–HIPAA
CyberServe®                                         2021  1,107,034            Hosting provider  PII
NEC Networks, LLC                                   2021  1,6000,000           Healthcare        PII–HIPAA
T-Mobile®                                           2021  45,000,000           Telecom           PII–PCI

Privacy and Security Must Align

For data to be private, they must first be secure. Just as it is impossible to have a private conversation without a door to shut, it is impossible to have privacy without first having security. In the digital space, the door is some form of technical control applied around the transaction, the entity, the user, the data or something in that digital space to keep the conversation within a particular interaction or transaction private. There must be technical controls applied to enable privacy. Without these controls, privacy does not exist in the digital space.

Given the nature of the Internet, online users are constantly sharing their data with a variety of entities, across a variety of planes, with little to no privacy inherent in those communications and transactions. A few years ago, enterprises were required to put an “Accept All Cookies” notification on their websites. However, typical users do not spend their time reading through the terms of service for those notifications. Even if they do, users have little choice over scope or terms of access. Most users want quick and easy access to the information they need in order to conduct their online business and transactions, and are willing to trade a piece of their privacy to complete that operation.[18]

Coupled with this is the problem of privacy laws being introduced globally by leaders who do not appear to understand how electronic communications and the Internet work. In the United States, 46 states have different privacy requirements for different types of data, across a variety of systems and the Internet. The continued increase of these privacy requirements and legislation is introducing new flaws into the digital data security approach and strategy that organizations must address. Borders that are ethereal lines on a map cannot stop a digital transition from one space to another. The ability to enforce the controls needed for this type of privacy legislation does not technically exist.

Enterprises usually try to address these unenforceable privacy requirements first, instead of applying technical controls that can keep data more secure while allowing those data to be used for whatever transactional purpose is needed.

Some websites are working to invalidate privacy regulations because they degrade the ability of websites to do business and grow. When Europe introduced the General Data Protection Regulation (GDPR) in 2018, it was considered the gold standard for protecting consumer data on any website and was going to be the arbiter of better things to come for privacy across the EU. However, the lawyers at Facebook® quickly found a way to circumvent that control and invalidate GDPR in its entirety. By working with a court in Ireland, Facebook helped to get a draft ruling published by the Ireland data protection committee that allowed Facebook to bypass GDPR requirements entirely and collect all user data without their explicit consent.[19] That draft ruling said that legally, Facebook did not need to ask for users’ specific consent to target them with ads, because every user already signed a contract with Facebook when they agreed to its lengthy terms and conditions. Other countries in the EU noted that this draft was out of line with their requirements for GDPR and were willing to fine Facebook for this approach. When Facebook did the math and realized how much revenue it would lose by allowing GDPR requirements to stymie its approach, Facebook said it would pay the fine. The fine for those GDPR violations would total about $36 million, which, based on financial numbers published by Facebook, equals about three hours of revenue.[20] After the draft publication became law in Ireland, Facebook moved many of its data centers to Ireland so that when transactions go through those data centers, Facebook can do whatever it wants with the data. The privacy regulations did not stand up to the business needs and legal actions.

It is often argued that businesses should be able to unilaterally decide how to run their business, and while generally true for many, the ongoing challenge is the absence of universal robust safeguarding requirements for data that are rarely created, processed, or transmitted in a single geographic location.

Security Strategy Can Be Smarter

High-profile breaches of large enterprises with hundreds of millions of dollars invested in cybersecurity tooling and services continue unabated in 2022. Giant enterprises, like Samsung®, Nvidia®, Okta® and others show that dollars invested do not equal security realized.

Ultimately, these attacks reveal the real problem—organizations do not see how their data are protected and used. Therefore, instead of applying focused and effective security controls, far too many organizations invest massive resources focused on vendor solutions rather than effectively curbing cybersecurity incidents.

[17] ISACA, CISM Review Manual 16th Edition, USA, 2021, https://www.isaca.org/bookstore/cism-exam-resources/cm16ed
[18] Lomas, N.; “Most EU cookie ‘consent’ notices are meaningless or manipulative, study finds,” 10 August 2019, TechCrunch, https://techcrunch.com/2019/08/10/most-eu-cookie-consent-notices-are-meaningless-or-manipulative-study-finds/
[19] Greig, J.; “Irish regulators support Facebook’s ‘consent bypass’ legal maneuver, suggest $42 million fine for GDPR violations,” ZDNET, 13 October 2021, https://www.zdnet.com/article/irish-regulators-support-facebooks-consent-bypass-legal-maneuver-suggest-42-million-fine-for-gdpr-violations/
[20] Privacy Affairs, “GDPR Fines Tracker and Statistics,” 2022, https://www.privacyaffairs.com/gdpr-fines/


Until security teams can know in real time who has access to their data, how they are using them, and why those data are necessarily available to those users from a business perspective, enterprise data security will continue to fail. Principles of need-to-know and least privilege are imperative. Once enterprises have improved visibility and understanding of their valuable data assets, they can begin evolving their security posture.

With so much value at stake, more enterprises are choosing the Zero Trust security strategic approach, which assumes that untrustworthy users are a given in infrastructure and requires an enterprise to employ focused controls, starting with the data within their network and moving outward to the Internet.

Zero Trust strategic principles—whether applied to identities, networks, or data objects—help enterprises to better understand an adversary’s ability to target and exploit their infrastructure, and apply focused controls throughout each area of visibility, detection, response and protection specific to those vectors.[21]

Implementing Zero Trust for data without breaking business logic requires a careful shift away from legacy defense-in-depth and hedge-your-bets security approaches. As Zero Trust continues to evolve, and as the market’s defensive technologies enable that evolution, enterprises that have done the work of improving visibility and understanding their valuable data assets can begin evolving their security posture.

Without having accurate inventory and data understanding first, an enterprise should not move into a Zero Trust initiative. In order to employ the correct controls, an enterprise must know the following:
• What it is protecting
• Why it has value contextually to its business
• Who in (or outside) the enterprise is accessing that information via which means

Many critical users have service roles that require them to access large volumes of data to do their jobs—administrators are the most indicated, as well as developers in some instances. Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) are also likely to have administrative access to necessary information across an infrastructure. In a Zero Trust-based approach, external users should have access specifically to the data that are necessary for them to perform their job. As those accesses are provided, they should have a deadline applied to them to either re-instantiate the access or at the very least revalidate the request.

[21] ISACA, Zero Trust: How to Beat Adversaries At Their Own Game, 2022, https://store.isaca.org/s/store#/store/browse/detail/a2S4w000005DtLZEA0


The Zero Trust (ZT) paradigm should look like the following path (illustrated in figure 3), all bounded with an ephemeral control (token, etc.).

• Entity—Anything with an identity
• Device—Something that is connected
• Network—Any network
• ZT Policy Engine
• Resource—Workload, app, asset inside an enterprise boundary
• Data—Only data needed for that entity to perform its task

Placing detection and response control and capabilities around the most valuable data objects and stores protects them from the identities being misused through phishing or application security faults. This is strategically wise. Anomaly detection and automated remediation are helpful means to power an effective response at scale when a threat is indicated. Bounding the access flow with some time restriction further limits the potential spread of a compromise when one occurs.

Enterprises can tie in newer approaches to data security, such as real-time redaction of data that should not be viewable by a user or entity, based on the policy engine control. Most data security compromises are not on an individual email or one-off communication; they are via data stores and databases. Because DLP fails to address these issues, data redaction can be applied to those data stores and the data within them.
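As an added illustration (not the paper's or ISACA's code), the following Python sketch walks the path above: a policy engine that checks entity, device and network context, issues an ephemeral token scoped to only the fields the role needs and stamped with a deadline that forces revalidation, and a data-store read that verifies the token and redacts everything outside that scope. The role names, policy table and customer rows are constructed assumptions.

```python
"""Toy Zero Trust data-access engine (added example, not from the paper).

Walks the path the paper describes: entity -> device -> network -> ZT policy
engine -> resource -> data, bounded by an ephemeral, time-limited token, with
field-level redaction applied at the data store. All values are constructed."""
from dataclasses import dataclass
import hashlib, hmac, json

SECRET = b"constructed-demo-key"  # in practice: from a KMS/HSM, rotated

@dataclass(frozen=True)
class Request:
    entity: str           # anything with an identity (user, service, robot)
    role: str
    device_managed: bool  # device posture signal
    network: str          # "corp", "vpn" or "public"
    resource: str         # data store being asked for
    fields: tuple         # columns the entity claims it needs

# role -> resource -> (fields allowed, token lifetime in seconds); unlisted = denied.
POLICY = {
    "support": {"customers": ({"id", "name", "plan"}, 900)},
    "dba": {"customers": ({"id", "name", "plan", "ssn"}, 600)},
    "msp_admin": {"customers": ({"id", "plan"}, 300)},  # external admin, short lease
}

def _mac(grant):
    return hmac.new(SECRET, json.dumps(grant, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def decide(req, now):
    """Policy engine: return a scoped, expiring grant, or None to deny."""
    if not req.device_managed or req.network not in ("corp", "vpn"):
        return None
    allowed, ttl = POLICY.get(req.role, {}).get(req.resource, (set(), 0))
    scope = sorted(set(req.fields) & allowed)  # over-asking is narrowed, never granted
    if not scope:
        return None
    grant = {"sub": req.entity, "res": req.resource, "scope": scope, "exp": int(now + ttl)}
    return {"grant": grant, "mac": _mac(grant)}

def read(token, rows, now):
    """Data store: verify the token, enforce expiry (forces revalidation), redact."""
    if not hmac.compare_digest(token["mac"], _mac(token["grant"])):
        raise PermissionError("token tampered")
    if now >= token["grant"]["exp"]:
        raise PermissionError("grant expired; revalidate the request")
    scope = set(token["grant"]["scope"])
    return [{k: (v if k in scope else "[REDACTED]") for k, v in row.items()} for row in rows]
```

Redaction happens where the data live, not per message, so the same policy decision applies whether the reader is a user, a service or an MSP administrator.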

FIGURE 3: Zero Trust (diagram). Access flows from ENTITIES (applications, services, employees, partners, customers, robots) through TOOLS (phones, laptops, tablets, servers, workloads, IoT) and NETWORK (public, Azure, AWS, on premises, Google, private, managed), is evaluated on CONTEXT and CONTROL by the Zero Trust Policy, and reaches RESOURCES (SaaS, PaaS, IaaS). Each stage is marked SCOPE and VERIFY, with attributes such as role, task, device type, agent and version, geography, threat intelligence, habits and anomalies, strong authentication, attestation, audit and encryption, and data classification, tagging, sensitivity and regulation.


Conclusion
In conclusion, it is critical to realize that compliant does not equal secure and that privacy, while necessary, cannot be achieved in an insecure infrastructure. Organizations should employ risk-based approaches to their defense, evaluating their approach to data security from the perspective of an adversary before systematically and strategically removing that adversary’s route to victory. Doing so shifts the balance of power back to the defenders and ultimately will benefit the customers and users. An intelligent Zero Trust policy control paradigm that is tied to data security where data are most likely to be targeted—in the data stores—can finally realize an effective security strategy without applying the kinds of blocks and sledgehammer controls that disable business and disempower users. In order to defend their proverbial crown jewels (data), enterprises need to know what they are protecting and why.


Acknowledgments
ISACA would like to recognize:

Lead Developer
Chase C. Cunningham, Ph.D., Author, Consultant, Host of Dr. Zero Trust Podcast, USA

Expert Reviewers
Adham Etoom, CISM, CGEIT, CRISC, FAIR, GCIH, PMP, Government of Jordan, National Cybersecurity Center, Jordan
Shamik Kacker, CISM, CRISC, CDPSE, CCSP, CISSP, TOGAF 9, ITIL Expert, Director, Dell Technologies, USA
Paul Perry, Member and Security, Risk and Controls Practice Leader, Warren Averett, USA
Linda Tait, CRISC, IT Risk and Policy Manager, Wates, UK
Goh Ser Yoong, CISA, CISM, CGEIT, CDPSE, Chief Information Officer, Jewel Paymentech, Malaysia

Board of Directors
Pamela Nigro, Chair, CISA, CGEIT, CRISC, CDPSE, CRMA, Vice President, Security, Medecision, USA
John De Santis, Vice-Chair, Former Chairman and Chief Executive Officer, HyTrust, Inc., USA
Niel Harper, CISA, CRISC, CDPSE, CISSP, Chief Information Security Officer, Data Privacy Officer, Doodle GmbH, Germany
Gabriela Hernandez-Cardoso, Independent Board Member, Mexico
Maureen O’Connell, NACD-DC, Board Chair, Acacia Research (NASDAQ), Former Chief Financial Officer and Chief Administration Officer, Scholastic, Inc., USA
Veronica Rose, CISA, CDPSE, Senior Information Systems Auditor–Advisory Consulting, KPMG Uganda, Founder, Encrypt Africa, Kenya
David Samuelson, Chief Executive Officer, ISACA, USA
Gerrard Schmid, Former President and Chief Executive Officer, Diebold Nixdorf, USA
Bjorn R. Watne, CISA, CISM, CGEIT, CRISC, CDPSE, CISSP-ISSMP, Senior Vice President and Chief Security Officer, Telenor Group, USA
Asaf Weisberg, CISA, CISM, CGEIT, CRISC, CDPSE, CSX-P, Chief Executive Officer, introSight Ltd., Israel
Gregory Touhill, CISM, CISSP, ISACA Board Chair, 2021-2022, Director, CERT Center, Carnegie Mellon University, USA
Tracey Dedrick, ISACA Board Chair, 2020-2021, Former Chief Risk Officer, Hudson City Bancorp, USA
Brennan P. Baybeck, CISA, CISM, CRISC, CISSP, ISACA Board Chair, 2019-2020, Vice President and Chief Information Security Officer for Customer Services, Oracle Corporation, USA
Rob Clyde, CISM, NACD-DC, ISACA Board Chair, 2018-2019, Independent Director, Titus, Executive Chair, White Cloud Security, Managing Director, Clyde Consulting LLC, USA


About ISACA
For more than 50 years, ISACA® (www.isaca.org) has advanced the best talent, expertise and learning in technology. ISACA equips individuals with knowledge, credentials, education and community to progress their careers and transform their organizations, and enables enterprises to train and build quality teams that effectively drive IT audit, risk management and security priorities forward. ISACA is a global professional association and learning organization that leverages the expertise of more than 150,000 members who work in information security, governance, assurance, risk and privacy to drive innovation through technology. It has a presence in 188 countries, including more than 220 chapters worldwide. In 2020, ISACA launched One In Tech, a philanthropic foundation that supports IT education and career pathways for under-resourced, under-represented populations.

1700 E. Golf Road, Suite 400
Schaumburg, IL 60173, USA
Phone: +1.847.660.5505
Fax: +1.847.253.1755
Support: support.isaca.org
Website: www.isaca.org
Provide Feedback: www.isaca.org/defending-data-smartly
Participate in the ISACA Online Forums: https://engage.isaca.org/onlineforums
Twitter: www.twitter.com/ISACANews
LinkedIn: www.linkedin.com/company/isaca
Facebook: www.facebook.com/ISACAGlobal
Instagram: www.instagram.com/isacanews/

DISCLAIMER
ISACA has designed and created Defending Data Smartly (the “Work”) primarily as an educational resource for professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.

RESERVATION OF RIGHTS
© 2022 ISACA. All rights reserved.
