What Should IT Leaders Know About Data Security?

We all recognize that data security is one of the key areas on which IT must focus, as attempts to steal data for various purposes continue to rise in frequency. There are many reasons individuals, corporations and foreign governments are found to be involved in data theft, among them:

  • Theft of personally identifiable information or credit card data so it can be sold
  • Learning what a competitor is working on, or what challenges it is facing, in order to gain an advantage over it
  • Identifying travelers who are in the country to carry information back to their own country, and preventing them from doing so
  • Meddling in elections, up to and including illegal voting or the theft of votes from certain areas

With these examples in mind, and recognizing that they are only the tip of the iceberg, IT staff will be spending significant time on security and the prevention of data theft. But are they working effectively?

Things IT Leaders Should Know

The best way to fight data theft is to understand it and to have an appropriate response to the types of data theft commonly seen. Here are some critical threats to consider:

Threat #1: Employees Are the Weakest Link

Most IT leaders know that employees are the weakest link, but there may be opportunities to improve the way this is addressed. Many IT leaders reading that statement will immediately think of end-users, implement a training program to address the issue, and then consider the job done. Training is only the first part of addressing this threat: on its own it will not stop someone from clicking the link that exposes thousands of personal records (or other data).

The Fix: Don’t rely on end-users to act on the advice from training. In addition to training them, invest in systems that block such email before it reaches the inbox, or that can pull malicious messages out of mailboxes as soon as a threat management tool identifies them.

The Service Desk and IT administrators are just as much a threat as end-users. Leaving out-of-the-box (default) passwords in place, sharing passwords and disgruntled employees all put data at risk too. Ensure all access methods are considered, both end-user and IT.

Threat #2: There are many different ways to gain access

The Fix: Awareness campaigns, tight security oversight and automation are the keys to improved system lock-down, but remember that attackers have many ways into systems beyond end-user passwords. Actions to consider:

  • Ensure appropriate validation steps are required before Service Desk personnel reset a caller’s password, or implement an automated password reset solution, to avoid attackers using social engineering to obtain access to accounts
  • Ensure the security team is included in all implementations of new operating systems and software, and that it is charged with changing default system passwords after deployment
  • Require analysts performing maintenance or deploying new code to request, and be provided with, a temporary password for the authorized change, and have that password changed as soon as the change is complete
  • Automate as many maintenance and deployment activities as possible, and encrypt any passwords those programs need, keeping them in a protected secrets store rather than in the program code itself
  • Ensure security best practices are followed for each and every system by the people responsible for maintaining those systems
  • Build an effective vulnerability response program to mitigate known risks such as access through firewall defects and other operating system and application flaws that could expose data
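The temporary-password and no-secrets-in-code practices in the list above, as an added example in Python (this is not code from the original article; the broker, change ticket IDs, analyst names and host names are hypothetical). A deployment wrapper obtains a random password bound to one approved change and one target from an in-process broker, uses it, and revokes it when the change closes; the broker keeps only a hash, so neither the deployment program nor the broker's records hold a standing root password.

```python
"""Added example (not from the article): just-in-time credentials for authorized changes."""
import hashlib
import secrets
import time
from dataclasses import dataclass

# Constructed sample of approved change tickets (hypothetical IDs, analysts and hosts).
APPROVED_CHANGES = {
    "CHG-1001": {"analyst": "alice", "target": "db-prod-01"},
    "CHG-1002": {"analyst": "bob", "target": "web-prod-03"},
}


@dataclass
class ChangeCredential:
    change_id: str
    analyst: str
    target: str
    expires_at: float
    revoked: bool = False


class CredentialBroker:
    """Issues short-lived passwords bound to one approved change and one target.

    Only a hash of each password is stored, so the broker's own records are not
    a usable password list. `clock` is injectable so expiry can be exercised.
    """

    def __init__(self, ttl_seconds=900, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock
        self._store = {}      # hash(target, password) -> ChangeCredential
        self._by_change = {}  # change_id -> that hash, for revocation

    @staticmethod
    def _hash(target, password):
        # Binding the target into the hash makes the password useless on any other host.
        return hashlib.sha256(f"{target}\0{password}".encode()).hexdigest()

    def issue(self, change_id, analyst, target):
        """Return a fresh random password for an approved (change, analyst, target)."""
        approved = APPROVED_CHANGES.get(change_id)
        if approved != {"analyst": analyst, "target": target}:
            raise PermissionError(f"{change_id} is not approved for {analyst} on {target}")
        password = secrets.token_urlsafe(24)  # random; not derived from any master secret
        h = self._hash(target, password)
        self._store[h] = ChangeCredential(change_id, analyst, target, self._clock() + self._ttl)
        self._by_change[change_id] = h
        return password

    def authenticate(self, target, password):
        """True only for an unexpired, unrevoked password presented against its own target."""
        cred = self._store.get(self._hash(target, password))
        if cred is None or cred.revoked:
            return False
        return self._clock() <= cred.expires_at

    def complete(self, change_id):
        """Revoke the change's password the moment the change is closed."""
        h = self._by_change.pop(change_id, None)
        if h is not None:
            self._store[h].revoked = True


def run_change(broker, change_id, analyst, target, deploy):
    """Deployment wrapper: obtain the credential, run the change, always revoke it."""
    password = broker.issue(change_id, analyst, target)
    try:
        return deploy(target, password)
    finally:
        broker.complete(change_id)


if __name__ == "__main__":
    broker = CredentialBroker()

    def deploy(target, password):
        # Stand-in for the real maintenance step; it must present the credential.
        if not broker.authenticate(target, password):
            raise RuntimeError("credential rejected")
        return f"change applied to {target}"

    print(run_change(broker, "CHG-1001", "alice", "db-prod-01", deploy))
```

The `finally` clause is the point: revocation happens whether the change succeeds or fails, so a credential never outlives the ticket it was issued for, and the fifteen-minute TTL caps the damage if the revoke step is somehow skipped.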

Threat #3: Data Security is not a “One and Done”

The Fix: Get serious about vulnerability response management and ensure that staff have the resources they need to mitigate potential vulnerabilities. Plenty of vulnerability management applications are available that can help identify exposures, and these can be integrated with the security applications contained in service management tools. Understand that this is a critical ongoing practice that needs to be included in the daily work of all areas within IT.

Threat #4: Fast Response is Critical

Even when vulnerability management has matured in an organization, breaches will still occur, as attackers continue to find new and creative ways past security controls. The best way to address this continues to be a rapid and effective response.

The Fix: Ensure there is a security incident management team and a process for major security incident management. This needs to include runbooks or workflows that automate as many response steps as possible for each type of breach that could occur. Many service management tools offer these capabilities.

Technology Required for Data Security

While people and processes are key, as seen in some of the fixes listed, they also need the technology to help them address the threats posed daily. With thousands of vulnerabilities possible at any point in time, this is not something IT organizations can address without the use of technology. There are several types of tools to consider:

  • Identity management platforms: The ability to provision new IDs and provide role-based access as people’s roles change is available in identity management solutions. The best of breed will also offer password reset utilities and enhanced capabilities to manage password dissemination for authorized changes.
  • Automated Deployment Tools: Moving change execution behind a wall of automation helps take the human factor out of the equation. The more automated maintenance activities and deployments become, the fewer people need to know root-level passwords, and the less exposure those passwords have.
  • Cloud Management Systems: Cloud services are typically thought to have better overall security, but they are still vulnerable to the same password issues and attacks as locally managed systems. Cloud management systems have security utilities that should not be overlooked.
  • Vulnerability Scanning Systems and Databases: Effective security management tools are available that let the organization download known vulnerabilities from national databases (for example the National Vulnerability Database) and scan internal systems, logging vulnerabilities to be addressed by IT. These are critical to any long-term security management program.
  • Service Management Platforms: Above and beyond these tools, it’s worth looking at the security management capabilities now built into many service management platforms. Benefits include:
    • Adoption: Most security tools are used by security teams, but vulnerability response requires work to be done by infrastructure and application teams. Those teams already use the service management platform to manage their daily work, and may balk at being asked to manage tickets in external tools.
    • The Configuration Management Database (CMDB): Organizations with a fairly large technology footprint will realize very quickly that there are more vulnerabilities than they can manage. For this reason it is critical to know not only which vulnerabilities exist in the enterprise but also their criticality from a business perspective, so that the vulnerabilities affecting the most critical services are addressed first. The only way to know this is a well-built, mature CMDB with service relationships mapped for at least the critical services. The CMDB is critical from several perspectives:
      • Understanding the services that could be affected by a vulnerability
      • Identifying reasons a mitigation could itself cause a failure (for example, a system patch that will break an older application)
      • Identifying the team responsible for implementing the fix
      • Letting discovery find new hardware and/or software that could put the enterprise at risk
    • Security Incident Management: To enable rapid response, security teams need to manage incidents from two perspectives: response and investigation. The ability to generate an incident to be worked by IT supports the rapid response, but security also needs a related incident record, to which only they have access, to capture the confidential investigation activities that are part of the recovery effort.
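The CMDB-driven prioritization described under the Service Management Platforms bullet, as an added worked example in Python (this is not code from the original article or from any particular product). It ranks constructed scan findings by the criticality of the services each host supports, names the owning team for each fix, flags a known patch conflict, and reports hosts the CMDB has never seen; all host, service, team and FINDING-n identifiers are hypothetical placeholders, not real vulnerability identifiers.

```python
"""Added example (not from the article): ranking scan findings by CMDB business impact."""
from dataclasses import dataclass
from typing import Optional

# Constructed CMDB extract: hypothetical services, hosts, owners and one known patch conflict.
CMDB = {
    "services": {
        "online-banking": {"criticality": 5, "owner": "payments-platform"},
        "hr-payroll":     {"criticality": 4, "owner": "erp-team"},
        "intranet-wiki":  {"criticality": 2, "owner": "collab-tools"},
    },
    "hosts": {  # host -> services it supports (the service relationships the text calls for)
        "db-prod-01":  ["online-banking", "hr-payroll"],
        "web-prod-03": ["online-banking"],
        "wiki-01":     ["intranet-wiki"],
    },
    # Fixes known to break something, e.g. a platform patch an older application cannot tolerate.
    "patch_conflicts": {
        ("db-prod-01", "FINDING-3"): "legacy payroll module needs the current runtime version",
    },
}

# Constructed scanner output; FINDING-n are placeholders, not real vulnerability identifiers.
SCAN_FINDINGS = [
    {"host": "wiki-01",        "finding": "FINDING-1", "cvss": 9.8},
    {"host": "db-prod-01",     "finding": "FINDING-2", "cvss": 7.5},
    {"host": "db-prod-01",     "finding": "FINDING-3", "cvss": 6.1},
    {"host": "web-prod-03",    "finding": "FINDING-2", "cvss": 7.5},
    {"host": "unknown-host-9", "finding": "FINDING-1", "cvss": 9.8},  # not in the CMDB
]


@dataclass
class WorkItem:
    host: str
    finding: str
    cvss: float
    priority: float          # cvss weighted by the most critical service on the host
    services: list
    owner: str               # team that owns that service, i.e. who implements the fix
    conflict: Optional[str]  # reason the fix itself could cause a failure, if known


def prioritize(findings, cmdb):
    """Return (work items ranked by business impact, hosts the CMDB does not know).

    Raw CVSS alone would put the wiki's 9.8 first; weighting by service criticality
    moves the banking database and web tier ahead of it.
    """
    ranked, unknown = [], set()
    for f in findings:
        services = cmdb["hosts"].get(f["host"])
        if not services:
            unknown.add(f["host"])  # discovery gap: unmapped host, so nobody owns the fix
            continue
        top = max(services, key=lambda s: cmdb["services"][s]["criticality"])
        crit = cmdb["services"][top]["criticality"]
        ranked.append(WorkItem(
            host=f["host"],
            finding=f["finding"],
            cvss=f["cvss"],
            priority=round(f["cvss"] * crit, 1),
            services=sorted(services),
            owner=cmdb["services"][top]["owner"],
            conflict=cmdb["patch_conflicts"].get((f["host"], f["finding"])),
        ))
    # Highest impact first; hosts serving more services break ties; host name keeps it stable.
    ranked.sort(key=lambda w: (-w.priority, -len(w.services), w.host))
    return ranked, sorted(unknown)


def work_by_owner(ranked):
    """Group ranked items by owning team so each team gets its own ordered queue."""
    queues = {}
    for w in ranked:
        queues.setdefault(w.owner, []).append(w)
    return queues


if __name__ == "__main__":
    ranked, unknown = prioritize(SCAN_FINDINGS, CMDB)
    for w in ranked:
        flag = f"  CONFLICT: {w.conflict}" if w.conflict else ""
        print(f"{w.priority:5.1f}  {w.host:12} {w.finding:10} owner={w.owner}{flag}")
    print("not in CMDB (discovery needed):", unknown)
```

The weighting function here is deliberately simple (score times criticality); what matters is that the ranking, the owner and the conflict flag all come from the CMDB's service relationships, and that a host the CMDB cannot place is surfaced as its own work item for discovery rather than silently dropped.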

Ultimately, IT leadership needs to understand that data protection requires investment in the technology that supports a proactive approach to data theft prevention. It also needs an educated, competent workforce with the resources (time, money and people) to establish an ongoing and effective security operations practice.

Cover Image by Swetha Kanithi