As sensitive data has moved beyond enterprise boundaries, the ability to control this data must transcend traditional enterprise access models.
By Kurt Roemer and Christian Reilly
Controlling the ever-growing amount of data and providing assurance of security, privacy and compliance is a never-ending quest for perfection – and who wouldn’t want to have perfect control over their most sensitive data? The problem is that the goal of achieving security perfectionism has some serious hidden implications and limits. This article explores contextually balancing risk, cost, and user experience to deliver the optimal level of security across highly dynamic access situations.
Data security challenges…
Today’s challenges in controlling data include traditional enterprise access models, as well as new consumerization and industrialization models for access across IoT, cloud, BYO and mobile. The tightly controlled enterprise security model, which required end-to-end ownership and control, has been rendered obsolete by the speed of adoption and disruptive effects of these new paradigms.
Then along came consumerization to further challenge and bypass longstanding enterprise security policies, technologies and practices.
Traditional enterprise access models required a combination of secured endpoints, secured networks, secured datacenters, and all enabling technologies to be working in concert to provide an assumed level of trust. Connecting an “untrusted” endpoint, plugging into the “wrong” network or moving an application workload to the cloud would obliterate security. In other words – everything had to work near perfectly or enterprise security failed.
Complementing these technology layers is an enterprise authentication model mostly oriented around a login event. If you provide all the credentials requested, including user id, password, passphrase, two-factor token, biometrics, certificates, smartcards, etc., your login is granted. And once you’re in, you’re in. All applications, file system access, rights and privileges, both inherited and shared with you, basically enable an All Access Pass, with few or no further access controls checked beyond those assigned at login. The ability to cut/copy/save/print or otherwise exfiltrate data is not further restricted based on your situation – or how that situation changes throughout your work week.
Similarly, traditional enterprise data control relies on a combination of physical control and encryption. Once the data hits the endpoint, the ability to track data movement is severely limited. Because data has to be unencrypted to be used and consumed, the promise of encryption is not as powerful as it otherwise could be. And, a loss of positive physical control could easily result in data loss, such as when a laptop, tablet, or smartphone is left in a taxi or left on an airplane. The location of sensitive data can only be estimated once data leaves the protection of servers and enterprise storage.
Sensitive business data has a complex and often unpredictable lifecycle. Managing the gap between perfection and reality is an IT responsibility and must not burden the endpoint.
There must be a better way…
Reliance on traditional techniques that are no longer sufficient to address today’s challenges has resulted in all-too-familiar results: weekly reports of data theft, bulk exfiltration, breaches and their impact on business and privacy. There has to be a better model that reflects the reality of today’s dynamic threat landscape and prepares for further consumerization and industrialization of IT. Times have changed – and it’s time the enterprise access model evolved to reflect the way people are working – and how data must be protected at all costs across a broad range of situations.
Controlling enterprise data beyond enterprise boundaries requires new thinking and a new approach that leverages virtualization, containerization and secured networking, along with a contextual access model that is deeply situationally aware.
A better user experience…
The user experience is greatly enhanced with contextual access, as controls are applied at the time of need – not at the time of login – simplifying the login process and providing for strong security assurances only when they’re necessary to protect sensitive data and transactions.
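An added example, not from the original article: a minimal sketch contrasting the login-time "All Access Pass" with a contextual check evaluated at the time of need. The context attributes, sensitivity labels and policy rules are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed policy for illustration; labels and rules are assumptions.
ACTIONS = {"view", "copy", "save", "print"}

@dataclass(frozen=True)
class Context:
    device_managed: bool      # endpoint is enrolled and trusted
    network: str              # "corporate", "home" or "public"
    recent_strong_auth: bool  # second factor verified recently

def login_time_grant(authenticated: bool) -> set:
    """Traditional model: one check at login, then every action is allowed."""
    return set(ACTIONS) if authenticated else set()

def decide(action: str, sensitivity: str, ctx: Context) -> str:
    """Contextual model: evaluate each action when it is requested.

    Returns "allow", "step_up" (ask for stronger authentication) or "deny".
    """
    if action not in ACTIONS:
        return "deny"  # unknown actions fail closed
    if sensitivity == "public":
        return "allow"
    moves_data = action in {"copy", "save", "print"}
    # Data may leave the session only on a managed endpoint on the corporate network.
    if moves_data and not (ctx.device_managed and ctx.network == "corporate"):
        return "deny"
    # Restricted data needs strong authentication at the time of need, not at login.
    if sensitivity == "restricted" and not ctx.recent_strong_auth:
        return "step_up"
    return "allow"

def allowed_actions(sensitivity: str, ctx: Context) -> set:
    """Actions that need no further prompt in the current situation."""
    return {a for a in ACTIONS if decide(a, sensitivity, ctx) == "allow"}

if __name__ == "__main__":
    office = Context(True, "corporate", True)   # constructed sample situations
    cafe = Context(False, "public", False)
    print("login-time model:", sorted(login_time_grant(True)))
    print("office, restricted:", sorted(allowed_actions("restricted", office)))
    print("cafe, restricted view:", decide("view", "restricted", cafe))
    print("cafe, restricted print:", decide("print", "restricted", cafe))
```

The same authenticated user gets different answers as the situation changes, which is the property the login-time model lacks.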
Key Directives to protect data in the age of consumerization include the following requirements:
Approaching perfection in the control over sensitive data requires IT to transcend the enterprise access model. We’ve addressed the basics in this article – in future articles, we’ll get into more details of protecting sensitive data from being displayed, controlling email and thwarting screen scrapers and keystroke loggers.
Chief Security Strategist
VP Chief Technology Officer Workspace Services