Over the last few years, a consensus has emerged that the perimeter is dead. Thanks to a confluence of trends—such as the Internet of things (IoT), cloud computing, and bring your own device (BYOD)—the potential points of entry into a network and unauthorized data access continues to expand. For the most part, external threats across this expanded attack surface have been prioritized over internal risks, which in turn has resulted in outdated framing of insider threats.
Insider threats remain largely viewed as internal members within a specific organization. While this is one core component, it overlooks the range of ‘insiders’ who may also have access to data thanks to the rise of multi-cloud data environments and applications. Trusting all providers and all of their employees to be good custodians of your data is simply too risky and not realistic. Instead, mitigations against insider threats must focus on object-level data protection for data at rest and in motion to protect data against both external threats, as well as the broader insider threats emerging in the new frontier of data protection. By combining the risks associated with external actors with an updated understanding of insider threats, it becomes clear that data is the new perimeter.
Insider Threats in the New Frontier of Data Protection
With an expanded attack surface, external actors continue to pose a significant challenge. According to Verizon’s Data Breach Investigations Report 2018, almost three-quarters of attacks are perpetrated by external actors. Because of this, external actors have understandably received the most attention, while a more nuanced framing of insider threats has failed to emerge on pace with technological changes. This may be starting to change as organizations begin to integrate risks associated with a wide range of third-party providers.
Organizations increasingly use third-party providers—from cloud services to messaging apps—to conduct their most sensitive of business. For instance, over 83% of organizations are pursuing a multi-cloud strategy, with multiple private and public clouds for different business applications. While it has helped create significant business efficiencies, it involves a high level of trust in a third-party to protect your data. Cloud services and application providers become the de facto data security provider as well.
Supply chains also reflect another form of third-party providers that similarly are too frequently overlooked when crafting security strategies. Contractors and their data access can significantly help business productivity, but they also can be a security vulnerability. Whether serving as an access point to the broader network or error in cloud server configurations, supply chains can pose another form of insider risk to organizations. In fact, misconfigured cloud servers are often overlooked but have resulted in numerous data compromises and millions of breached data records.
In short, with their internal data access, third-party providers should also be considered an additional form of internal threat. The traditional measures of insider risk comprise over 25% of data breaches according to the DBIR; this will most certainly expand into the future as a modern framing of insider risks takes hold. Third-party providers also face the ‘traditional’ insider risks from internal employees, while their own data security strategies can possibly leave additional sensitive data exposed. Because of this, third-party service provider security is starting to become a regulatory requirement in certain industries, including the U.S. government who has introduced or finalized a series of security requirements for contractors, such as data breach notification and cloud security.
Data Security with Zero Trust Required
The breadth of third-party access is only going to grow with increasing reliance on multi-cloud environments, automation, and more devices. As organizations begin to adjust their risk strategies to prepare for this digital transformation, zero trust strategies have gained momentum. Zero trust entails a deny by default approach, with significant emphasis on access privileges.
For the most part, zero trust has focused on application and network access. However, as data continues to flow in unprecedented levels through external storage and service providers, access privileges must be at the data-level and persistent across environments to truly deny unauthorized data access.
Object-level data protection with explicit and customizable access privileges is essential to deter today’s insider risks, including third-party providers. A focus on data access, including data revocation and expirations, helps secure data from unauthorized access. This is especially useful for countering insider threats who too often may leverage access privileges long after separating from a company or switching divisions. Because the access privileges persist wherever the data goes, data owners retain greater control of the data, even when stored across a broad range of cloud environments and devices. Access privileges can be time-bound and evolve over time as requirements shift and as the workforce changes.
The Virtru Data Protection Platform provides this object-level data protection that persists with data across platforms and providers. Data owners establish and can evolve access privileges over time as partnerships and providers change. Built on the Trusted Data Format, the Virtru Data Protection Platform was designed to protect data from both external and insider threats.
Join us at Black Hat to hear about the exciting launch of additional data security capabilities.
Speak with one of our security experts to learn how the Virtru Data Protection Platform can protect your organization’s data against insider threats