In the current climate of ransomware and near-daily reports of data breaches, many organizations are scrambling to review the robustness of their internal controls and processes. In many cases, weaknesses have crept in over time to some of the most basic and fundamental procedures, even in organizations that are well-run and festooned with compliance certifications and reports. In recognition of Data Privacy Day today, I’d like to discuss how reviewing and enhancing three basic principles can bolster overall data security and resilience within your organization. Ultimately, every company must own their own privacy and data security. I think that the following tips can help.
Perhaps the largest challenge in the modern world of Cloud and SaaS — creating and operating an access control system that accommodates your business needs — may also be the most fundamental pillar for data security. A modern identity management provider allows us to operate the basics of an access control policy: strong multi-factor authentication, privilege limitation, and user/application lifecycle management.
The first part is the easiest: Everyone MUST use multi-factor authentication, no exceptions. The last part is also simple to articulate: User accounts and applications that are no longer needed due to inactivity or the end of a relationship can be deactivated or deleted, sometimes in an automated fashion. Privilege limits, on the other hand, can be more complex.
In many organizations, access must be managed for multiple groups and individuals of various privilege levels. You’re probably managing lots of groups and lots of applications. Each group should define a role and privilege level for one or more applications. The effort here is to evaluate what roles and privileges are the minimum required for members of that group to perform their job duties. Perhaps your “level 2” service personnel need access to search and view an application’s error logs– so be it (assuming that the error logs don’t contain sensitive data, something else to watch out for). However, they may not need to search logs for ALL applications, nor be able to query the application’s back-end database. Your backup administrators may need to view and verify the status of nightly backup processes, but likely don’t need the ability to restore files from the customer ticketing system’s backups.
While the principle of least privilege has become a common term, it’s challenging to enforce across groups and applications. It requires continual evaluation and adjustment. Reviews of the groups, roles, privileges granted, and applications should be thorough and frequent– at least on a monthly cadence. Greater review frequency will mean fewer opportunities for drift and fewer possible gaps that could be exploited.
If the concept of frequent review and continual improvement sounds familiar, you can guess where this is heading. Change control and management is really a superset of access control; think of access control as change control principles applied to identity and access management.
Changes to critical business applications or infrastructure should undergo a process of testing, evaluation, and approval if thresholds are met. This undertaking requires effort, and the intended outcome is to mitigate risk, which is the same effect as access control procedures.
Change management is one of the most beneficial processes to maintain. It’s also one of the more difficult processes to maintain. When an organization is small, the scope of what your change management program covers may be small and easy to manage. As organizations grow in size and complexity, the scope expands, bringing significant demands to have change management keep pace. Once again, the need for continual review and improvement of processes is key. Your change management program scope should include ALL critical business systems, and this may span multiple cloud and SaaS providers depending on the size and maturity of your organization.
Perhaps the most difficult (and most important) process is Disaster Recovery (DR). If the worst happens, you don’t want to be caught flat-footed. You should be in “ready position” to engage a (hopefully) well-designed and well-tested recovery plan.
The challenges of DR in the realm of Cloud and SaaS are legion. If one of your critical SaaS vendors is having service issues, that can be a bad day. If one of your cloud providers is having service issues, it’s likely that not only your services are affected, but one or more of your SaaS vendors as well. That reality quickly becomes terrible, horrible, no good, very bad day territory.
Like change management, disaster recovery has a sprawling scope that’s dictated in part by the size, complexity, and maturity of your business. Do all of your business critical services have RPOs (Recovery Point Objectives) and RTOs (Recovery Time Objectives) defined? When was the last time those objectives were tested? Could changes in the scope or nature of those services have affected your RTO?
Talking about disaster recovery last is intentional. Organizations that take DR seriously perform exercises that prove they can make their objectives; if a test fails, gaps are identified and the process is modified and improved. A colleague of mine described a marker of a mature change management program as whether the program incorporated and addressed the impact of proposed changes to the DR program. That’s the goal here. Proactively assess impact and enact necessary changes to keep your program aligned with stated objectives.
Great, Now What?
Well, no surprise here, there is no magic bullet. However, there are ways to ease the burden. The Clumio data protection platform can help in a number of ways. Access controls are available in the platform that can mesh with your access control policy. The platform integrates with most enterprise identity providers. With features like file-level restore and full volume restore, the solution makes testing (or executing) disaster recovery scenarios almost frictionless. Meanwhile, your backup policies and compliance status with those policies is front-and-center in the platform.
To learn more about how Clumio can improve your data protection, please visit https://clumio.com/platform/