- Security TWENTY
- Women in Security Awards
It’s the natural next step for organisations to engage with digital transformation (DX) if they are to compete with other companies, writes Neil Correa, security strategist, Micro Focus.
It allows them to meet the needs of their customers whilst making the most of the most of advancements in technology. If managed effectively, DX should be viewed as an opportunity to build an agile and resilient business and even create new revenue streams as a result.
Despite being a topic of interest for several decades, however, DX has arguably never been more important or relevant than it is now. In this Covid-19 world, many businesses have been forced to accelerate their DX processes in order to just stay afloat, let alone compete. It’s therefore imperative that organisations view DX as fundamental change in the business rather than solely as a technology migration.
With this in mind, security and privacy need to be a priority from the start; a factor which has been noticeably missing from the majority of literature on the subject. With the number of data breaches increasing year on year, and hackers becoming increasing intelligent and creative with cyber-attacks and scams, failing to embed security into a DX initiative from the outset leaves organisations dangerously exposed. To execute a DX project securely, and ultimately create a cyber-resilient business, there are a few factors which need to be addressed from the beginning.
Using data analytics
The insights derived from a strong data analytics programme are the driving force behind DX. As such, it’s critical that data is treated with the same value as if it were a physical commodity.
This means that organisations need to be on top of knowing where their data is stored and how it is used and collected in order to minimise potential risks. It’s common that sensitive data might be hiding in both structured or unstructured data sets. In which case, it’s important that organisations implement effective data discovery processes. There are tools on the market to assist with this type of discovery activity, supported by governance frameworks which can be used to appropriately find, classify, secure, as well as maximise the potential impact of, data.
To reduce the threat of external and internal breaches, once sensitive data has been found and classified, it’s essential that it is encrypted. With regulatory restrictions in place, companies need to be careful about what data they collect – for example, under the GDPR regulation there must be a specific purpose for the collection of data and it must only be used to fulfil that purpose. Information such as customer addresses and credit card details are often unnecessary for business analytics. Yet, the data does need to be in the expected format for the analytics to be performed. As a result, securing data in the expected format is not only important for complying with GDPR and CCPA guidelines, but also to ensure the applications and systems function as appropriate.
Some of the most common causes of data breaches are related to application, system and data permissions. More often than not this is due to organisations giving the wrong permissions to the wrong people or sometimes the permissions were provided in the past and are no longer necessary. In order to mitigate these risks, organisations should enforce the zero trust security model. This can be achieved by implementing a system which requires users to prove their identity or permission level before being granted access. Zero trust involves taking into account elements such as authentication and data access controls.
Before being granted access to any system or information, users must prove their identity with usernames, passwords and access levels. The National Institute for Standards and Technology Special Publication 800-63A provides detailed technical guidelines around Identity Proofing. The security adage of ‘trust but verify’ has evolved to don’t trust until verified, through a strong identification mechanism based on need. Putting this into context, it means that further levels of authentication such as a mobile number or government ID may be needed to access sensitive data including financial information. Additional layers of authentication such as SMS one-time passwords or challenge/response type questions should also be provided to move to a data-centric model.
Making sure that users have the right level of access is certainly a priority, what’s more important is that users have the minimum level of access to be able to perform their job. A top down approach should be taken to restrict the most sensitive data or assets, in case an account is compromised. This could be in the form of read-only documents or carefully controlling where data can be stored. Importantly, only when the data discovery and classification phase has been completed, can organisations focus on how best to secure their sensitive data and apply policies to monitor access.
Using an established framework
To ensure visibility across all systems, organisations need to adopt an approach which allows for a scalable and intelligent centralised system to monitor for suspicious activities. Securing the environment is critical, especially with a presence across multiple platforms, such as on-premises systems, public or private clouds and IoT devices in varied levels of integration.
It’s sensible to use an industry recognised framework such as MITRE ATT&CK, as it allows for the relevant attack tactics, techniques and procedures (TTPs) to be addressed, further securing the enterprise. According to Micro Focus’s 2020 State of Security Operations report, 90pc of organisations are currently relying on the MITRE ATT&CK framework to understand attack techniques.
The implementation of DX allows a number of activities and processes which were previously performed by users to be automated. This includes – but is not limited to – initiating business processes, performing code reviews, running performance tests, automatically scaling up systems to meet increased demand, approving financial transactions and wiring funds.
Despite being considered more secure because of a reduced number of manual entry points, there is potential for these processes to be modified to perform malicious activities. Through the use of User Entity and Behaviour Analytics (UEBA), for instance, entities that support and run process automation, as well as privileged users that can create new processes, can be monitored to detect if unauthorised processes are created or if they deviate from the expected workflow. UEBA can monitor these activities at scale to ensure a holistic view across all environments.
The path to business resiliency
Adapting quickly to today’s constantly evolving digital landscape is one of the major challenges which organisations and business leaders are currently facing. To thrive in adverse conditions, building a roadmap to cyber resiliency, and, in turn, business resiliency is vital. Put simply, for every organisation undertaking DX, security and privacy can no longer be an afterthought.