How a Common Corporate Policy Promotes Data Theft
Securing your data requires a new way of thinking about your data.
CEOs: I'm going to tell you what you want, and then I'm going to punch you in the gut.
Ready?
What You Want: Data Ubiquity.
Data Ubiquity may be described as,
"I want access to all of my data, at any time, on any device, from any location."
The Gut Punch: It's impossible to secure it.
I know, I know. Your Head of Security, whatever title you gave him or her, is giving you all kinds of assurances. But all of those assurances are couched in heavily conditional language, aren’t they?
“No data is ever one hundred percent secure.”
“The data is stored securely, but there’s always the possibility of an insider attack.”
“I can secure the data, but I can’t vouch for the security of the operating system, because someone else provided it. And I can’t vouch for the security of the applications, because somebody else provided them. And I can’t vouch for the security of the network hardware, because somebody else provided the routers and switches. And I can’t vouch for the security of our ISP. And I can’t vouch for the security of the Internet. And I can’t vouch for the security of our cloud service provider’s architecture.”
“BUT – I assure you – our data is as secure as we can make it, using industry-accepted best practice, and within the budgetary constraints you gave me.”
The reality is, because you insisted on Data Ubiquity, you now live with two unyielding truths.
Unyielding Truth #1: Your attack surface is infinite. All of your data can be attacked from anywhere, at any time, by anyone using any device. Wait, what? You think I slipped something in there? “Anyone” wasn’t part of the definition of Data Ubiquity, was it? Ah, yes, but – “anyone” is indeed part of your current attack surface, because of the second pesky, unyielding truth...
Unyielding Truth #2: User authentication will inevitably be compromised. Yes, inevitably. Look at the number of breaches that cripple large, supposedly secure companies every year, and face the statistical reality. But, what does that mean, to say that user authentication will be compromised? User authentication is compromised whenever Jane Smith logs in using John Doe’s credentials. And it will happen. There are so many ways it can happen! Let’s say you leave your laptop in the car while you stop at the grocery store on the way home. And let’s say your laptop is stolen out of your car while you’re sniffing melons in the produce aisle. The rest is easy; way easier than you think. But that’s just one of dozens, hundreds, or thousands of ways for a malicious actor to log in to your network.
If all of your data is available at any time, from any location, on any device, then the simple truth is that any one of the planet’s 7.5 billion people (give or take) may be the successful malicious actor who ruins your day.
The Solution
The solution to reducing your attack surface and securing your data is to develop a different, more secure Data Management Plan. Here are some practical examples.
1. Give up the “any device” requirement.
If the only device that can access certain data is a company-provided laptop/tablet/smartphone with hardware-bound authentication (a credential that lives in the device’s security hardware and cannot be copied off it), you’ve reduced your attack surface a lot. Now, even if someone in another country has obtained the username and password of one of your employees, it won’t do them any good: the password is only one factor, and the other factor is the device. Your attack surface is now limited to people who can actually come in contact with an employee and steal the approved device (or plant malware on it, which is why the device itself still has to be managed and patched).
2. Give up the “all data” requirement.
It’s hard to sort and classify your data. It’s hard to figure out who needs access to this financial data, but not these personnel records. It’s hard to figure out what departments use what data to effectively and efficiently manage their employees, their inventory, their time, and their customers’ needs. And, once the data is sorted and classified, it’s hard to store it on separate servers, in separate VLANs, or even in separate parts of the country. But, once again, this sorting and separating reduces the attack surface, so that even if a villain steals one employee’s laptop, they only have access to a subset of all of your valuable data.
3. Give up the “any time” requirement.
There are a couple of good reasons to set authorized access hours on your data. Here’s the least obvious reason, first in line: your employees need a personal life. Making your sales data available twenty-four hours a day may help someone prepare a report for the board meeting at 7 o’clock in the evening, but maybe it would be better if they were playing video games with the kids, or helping with homework, or going to a school play. A second good reason for limiting access hours to your data is the unwritten Criminal Time Schedule. A lot of unauthorized access occurs during the hours, in whatever time zone you’re in, when the building and server room are unoccupied and the activity is least likely to be noticed. Sure, some data needs to be available twenty-four hours a day – but, all of it? This is why you need to sort and classify your data.
4. Give up the “anywhere” requirement.
Restrict the IP address ranges that are authorized to access the data: start from an allow list of the networks you actually use, and deny everything else. IP address ranges are assigned to organizations, and the assignments are publicly available through the regional registries. For example, 201.23.163.0 - 201.23.163.255 is an IP address range owned by Claro S/A and located in Brazil. Do you have any employees in Brazil? Does anyone in Brazil need access to your data? If not, then that range has no business on your allow list. I know, I know... next year, you might want to take a vacation in Brazil – and that’s why you want Data Ubiquity. After all, you might have a sudden urge to come out of that nice, warm ocean, walk across the golden sandy beach to your towel, and log in with the hotel Wi-Fi to check today’s sales figures, right? Well, you can do without this luxury. Restrict geographic access as much as possible, and treat it as one layer rather than the last one: an attacker can rent a server in an allowed country or route through a compromised machine there. Ask yourself: “Do I really need access from Minnesota?”
5. Stop thinking you are the exception.
So maybe HR people can only get into the HR data. Maybe Sales can only access the Sales data. But you’re the Boss-with-a-capital-B, right? Shouldn’t you have remote access to all of the data?
No. You shouldn’t. Not when you’re at home, or on vacation, or after hours, or whatever your exception-of-the-day is. Because Data Ubiquity for just one person opens the attack surface to 7.5 billion people (give or take).
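Here is what the five points above look like when they are written down as one default-deny access check rather than five separate policies. This is an added example, not the author’s code: the users, roles, device IDs, access hours, the fixed UTC-5 local time zone and the allow-listed office/VPN networks (RFC 5737 documentation ranges) are all constructed for the demo. The Claro S/A range from point 4 appears only as a source address, to show that it is denied without anyone having to write an explicit block rule for it.

```python
# Added example: a default-deny access check that enforces the restrictions
# above (device, data class, hours, source network). Not the author's code;
# the users, roles, devices, networks and hours are constructed for the demo.
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from ipaddress import ip_address, ip_network

# Which roles may read which data class. No role gets everything,
# and there is no "boss" override.
DATA_ACCESS = {
    "hr_records": {"hr"},
    "sales_figures": {"sales", "finance"},
    "financials": {"finance"},
}

# Company-issued devices bound to each user. A valid username and
# password presented from any other device is rejected.
APPROVED_DEVICES = {
    "jsmith": {"LT-0042"},
    "ceo": {"LT-0001"},
}

# Authorized hours per data class in the company's local time, here a fixed
# UTC-5 offset (assumed) so the example does not depend on system tz data.
LOCAL_TZ = timezone(timedelta(hours=-5))
ACCESS_HOURS = {
    "hr_records": (time(7, 0), time(19, 0)),
    "sales_figures": (time(6, 0), time(20, 0)),
    "financials": (time(7, 0), time(19, 0)),
}

# Source networks that may reach the data: office egress and the corporate
# VPN (RFC 5737 documentation ranges, constructed). Anything else is denied,
# so the Brazilian range from the text needs no explicit block rule.
ALLOWED_SOURCES = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    device_id: str
    data_class: str
    source_ip: str
    at: datetime  # must be timezone-aware


def evaluate(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). All four checks must pass; first failure wins."""
    # 1. Give up "any device": only a device issued to this user.
    if req.device_id not in APPROVED_DEVICES.get(req.user, set()):
        return False, "device not approved for user"
    # 2. Give up "all data": the role must be on the class's access list.
    if req.role not in DATA_ACCESS.get(req.data_class, set()):
        return False, "role not authorized for data class"
    # 3. Give up "any time": the request must fall within authorized hours.
    window = ACCESS_HOURS.get(req.data_class)
    if window is not None:
        local = req.at.astimezone(LOCAL_TZ).time()
        if not (window[0] <= local <= window[1]):
            return False, "outside authorized hours"
    # 4. Give up "anywhere": the source must be inside an allow-listed network.
    addr = ip_address(req.source_ip)
    if not any(addr in net for net in ALLOWED_SOURCES):
        return False, "source address not allow-listed"
    return True, "allowed"


# Constructed requests: 15:00 UTC is 10:00 local, 07:00 UTC is 02:00 local.
DAY = datetime(2024, 3, 12, 15, 0, tzinfo=timezone.utc)
NIGHT = datetime(2024, 3, 12, 7, 0, tzinfo=timezone.utc)
SAMPLE_REQUESTS = {
    "sales rep, own laptop, office, daytime":
        Request("jsmith", "sales", "LT-0042", "sales_figures", "198.51.100.23", DAY),
    "stolen password, attacker's own device":
        Request("jsmith", "sales", "UNKNOWN-PC", "sales_figures", "201.23.163.10", DAY),
    "CEO asking for HR records":
        Request("ceo", "executive", "LT-0001", "hr_records", "198.51.100.5", DAY),
    "sales rep at 2 a.m. local":
        Request("jsmith", "sales", "LT-0042", "sales_figures", "198.51.100.23", NIGHT),
    "sales rep on hotel Wi-Fi abroad":
        Request("jsmith", "sales", "LT-0042", "sales_figures", "201.23.163.10", DAY),
}


def decisions() -> dict[str, tuple[bool, str]]:
    """Evaluate every constructed request; returns the decision per scenario."""
    return {name: evaluate(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (ok, why) in decisions().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {name}: {why}")
```

Two design choices matter here. The checks are conjunctive, so a stolen password fails on the device check before the attacker’s location is even considered, and the CEO request fails on the role check the same way any other employee’s would. And the network rule is an allow list, so a new foreign range never has to be discovered and blocked after the fact; it is denied until someone consciously adds it.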
Summary
Consider asking someone to help you develop a more realistic Data Management Plan. Give up Data Ubiquity as a default policy.
Your entire IT Department will thank you.
***
Bob Young consults on cybersecurity, information security, IT management, and policy. His clients include public utilities, city governments, hospitals, retail and manufacturing, and state and federal agencies.
5y: Good points, Bob Young... I like the way you always tell it like it is. In my modernization work, I deal with systems that have 30 or 40 years of individuals' data stored in online transactional systems -- because there was never a budget to build an archive function. So when we modernize, sometimes we can put 80% of the data where it's accessible, but not tied directly to the production system and maybe not immediately online at all. Attack surface reduced by 80% or more right there. And for the older Java systems, we get rid of Struts and replace it with Spring -- another attack surface reduction. Being a smaller target is the way to go!