April 12, 2011
Ripped from the headlines, “___ leaks thousands of your files” - Data Breaches: Part 1
How many letters have you received? You know what I’m talking about. Let’s talk data breaches. Let’s avoid the hype of the headlines and some of the sensationalism of the media coverage, and look at a few facts from recent episodes to see if we can identify the root issue at the heart of the breaches. I’ve already posted a first glance look at the Epsilon breach, but let’s talk about this in a little more detail. There are three critical elements that need to be addressed here:

1. The business imperatives that lead to this episode
2. Why most organizations aren’t currently equipped to prevent such breaches
3. What companies need to do to protect themselves from third-party breaches

First, let’s address some of today’s root causes for a data breach. How we do business and, ultimately, create, communicate and consume content is transforming. The mobility of the workforce, the outsourcing of services and data, and the widespread adoption of the cloud are just a few of the issues that have led to the recent spate of data leaks. Today, entire applications, networks, and even security are delivered in the cloud. And our data is there too, free for our employees, customers, partners, and others to access. Third-party solutions, both sanctioned and unsanctioned by IT, are also transforming the enterprise. Blended threats, script-based attacks and APTs (ugh) capitalize on the openness of today’s enterprise. Traditional security, however, is meant to solve one problem really well. When the problems and technologies converge (a blended threat), the effectiveness of those technologies plummets. That impotence is further exacerbated by the perimeter, or moat-based, approach to security, which is challenged by today’s distributed, mobile, social, and cloud-based enterprise.
Ever heard of the expression, “never bring a gun to a knife fight?” There are several things that need to be addressed if you are handing data to a third party. Any service level agreement needs to ensure that the data shared is protected by the strongest measures appropriate to the sensitivity level of that data. With that, specific criteria for what that protection includes should also be defined as part of the agreement. In the case of some service providers and cloud platforms, like Salesforce.com, for example, you can fingerprint the data and apply rules that only allow it to be accessed by certain individuals for specific purposes. However, to do that effectively, you need to have the controls in place within your own organization first, to ensure that only the RIGHT data is exported. And you need periodic audits and oversight to ensure your security is in effect and adapting to the changing threat landscape. In my next post, I’ll be examining why it is a little ridiculous to call one recent breach the result of an APT – and why you should think so, too. In the meantime, does anyone else have some best practices to add to protect third-party data transfers?