It is unrelenting: the continuous stream of hacks, leaks and burns that is our infosec space. As a vendor, it is disappointing. As a customer, it’s scary. For everyone, it is damaging. We can churn out the facts and figures but there is little value in that. Everyone knows it costs a lot, hurts many, and impedes the progress of businesses and governments, and by that, our very social fabric. Crime is everywhere and it’s not always in your face – or on the television.
Most of the audience for this article is involved in moving sensitive data between one-to-one or one-to-many constituents. NonStop being the workhorse that it is, most of the data we work with is extremely sensitive, carries cost and time risk, and is highly valuable to people of all norms and backgrounds. And in reality – much like the crimes that are perpetrated – we operate in the background. Most of our constituents don’t know (or care) how their credit card transaction data is moved between processors, or that the billing information for their health care procedure last Tuesday was moved between insurance carriers. They just care that it was done with no interaction on their part.
This transactional process is a reasonable expectation – just like how we expect our food to be safe, our light switches to not shock us when we turn them on, or our brakes to work when we engage them in our cars.
We – Data443 DataExpress Data Placement Manager – have been in the world of MFT for over 25 years. Our product spans the centralized and concentrated nature of core datasets on big iron and pushes out to disparate parts of the business and partners. It’s a delicate balance getting that data out there reliably and securely. And it takes all parts of the business (IT and core business functions) to make it work!
Many times, organizations have the tools at hand and can mitigate risk fairly simply with People, Process and Tools. I have long advocated that third-parties are your second largest risk (your employees being your largest) and should be treated with the same rigor and trepidation.
With this in mind, here are my top five things for 2021 that actually can be done with what you have!
#1: Subject your external parties to access recertification validations
We see all too often that third-party credentials are very rarely rotated, reset or otherwise managed. Horror stories abound, shared passwords are everywhere and even certificates aren’t changed. Although they probably don’t need to be rotated as frequently as end-user credentials do, it is well known that system-to-system accounts are some of the worst culprits for risk. I can see you nodding your head now but shaking your head as you consider the mess of resetting hundreds or thousands of IDs. Understand, several of our customers for DataExpress Data Placement Manager have counts exceeding this. For example, we advocate the inclusion of a self-reset password/certificate capability for these use cases so that at least the external party can manage this process themselves – according to their own schedule and change windows.
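A recertification pass of this kind can be scripted against whatever account inventory you already keep. The following is an added example, not DataExpress code: it takes a constructed inventory of partner accounts (the policy limits, the account names and the `cred_fingerprint` field, which stands in for a password hash or certificate fingerprint, are all assumptions) and reports credentials that are overdue for rotation, accounts overdue for recertification, and credentials shared between accounts.

```python
"""Stale third-party credential report (added example on constructed data,
not DataExpress code).  Flags partner/system accounts whose credential has
not been rotated or recertified within policy, and credentials that are
shared between accounts."""
from collections import defaultdict
from datetime import date

# Policy assumptions (hypothetical): system-to-system credentials rotated at
# least every 365 days, each account recertified by its owner every 180 days.
ROTATION_MAX_DAYS = 365
RECERT_MAX_DAYS = 180

# Constructed inventory. `cred_fingerprint` stands for a hash of the password
# or the fingerprint of a client certificate; two accounts carrying the same
# fingerprint are sharing one credential.
INVENTORY = [
    {"account": "partner-acme", "owner": "acme.corp", "cred_type": "password",
     "last_rotated": date(2019, 3, 1), "last_recertified": date(2020, 9, 15),
     "cred_fingerprint": "f1"},
    {"account": "partner-acme-test", "owner": "acme.corp", "cred_type": "password",
     "last_rotated": date(2020, 11, 20), "last_recertified": date(2020, 12, 1),
     "cred_fingerprint": "f1"},   # same secret as partner-acme: shared
    {"account": "partner-globex", "owner": "globex.inc", "cred_type": "x509",
     "last_rotated": date(2020, 6, 10), "last_recertified": date(2020, 3, 1),
     "cred_fingerprint": "f2"},
    {"account": "partner-initech", "owner": "initech.com", "cred_type": "x509",
     "last_rotated": date(2020, 12, 5), "last_recertified": date(2020, 12, 5),
     "cred_fingerprint": "f3"},
]


def audit(inventory, today):
    """Return {account: [finding, ...]} for every account with at least one issue."""
    findings = defaultdict(list)
    by_fingerprint = defaultdict(list)
    for acct in inventory:
        name = acct["account"]
        rotation_age = (today - acct["last_rotated"]).days
        if rotation_age > ROTATION_MAX_DAYS:
            findings[name].append(f"rotation overdue ({rotation_age} days)")
        recert_age = (today - acct["last_recertified"]).days
        if recert_age > RECERT_MAX_DAYS:
            findings[name].append(f"recertification overdue ({recert_age} days)")
        by_fingerprint[acct["cred_fingerprint"]].append(name)
    # A credential seen on more than one account is a shared credential,
    # regardless of how recently it was rotated.
    for accounts in by_fingerprint.values():
        if len(accounts) > 1:
            for name in accounts:
                others = sorted(set(accounts) - {name})
                findings[name].append("credential shared with " + ", ".join(others))
    return dict(findings)


if __name__ == "__main__":
    for account, issues in sorted(audit(INVENTORY, date(2021, 1, 15)).items()):
        print(account)
        for issue in issues:
            print("   -", issue)
```

Run against a real inventory, the output is the worklist to hand to each partner's owner; the shared-credential finding is the one most worth acting on first, since rotating one account's secret does nothing if a second account still carries the same value.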
Or something else. Anything is better than nothing, which is what it seems most of these other appliance and mail gateway products were exposed to. We can’t do that. Not anymore. There are plenty of solutions out there for protecting a service in many ways. Remember: it’s not just about blocking the known issues; it’s also about having capabilities to block issues that are either unknown or just ‘out in the wild’ and that the vendor hasn’t had time to patch yet, but which the external service can defend against. Even before Microsoft released the patch for Exchange, many firewall and WAF vendors released blocking mechanisms that would protect the OWA server. As is often the case, the operating system or app server may have a vulnerability long before the application will – so shore up those defenses with the basics!
#3: Leverage Virtual Offerings
Public Cloud, Hybrid, or whatever setup you are on, you must consider it. Our MFTaaS will move very quickly with patches, updates and vulnerability remediation (day 0 plus minutes) because we can, and because we are purposely built for that. Same with HPE’s upcoming cloud offerings. Having your QR, QA, or some of your production load in these environments is a consideration worth looking at now, as they are a viable candidate for this capability. We have moved much of our email archiving customer base to our cloud archiving offering from the on-premises solution for this reason: it’s a faster movement to new security stacks, generally easier to segment off, and offers some serious resiliency benefits.
#4: SIEM SIEM SIEM
However your existing or new solution operates, please mandate that it integrates with your existing security operations platforms: from SIEM to everything else in between. Not just logging: all of the OS and application actions must be monitored. The platform itself should be subjected to application monitoring as well. Success, failure, abends and other such actions should really be understood by the SecOps team. They need to know the difference between a few failures and 10,000 failures – and why that’s important. We’re not just talking about protecting from a Snowden-level event here; we are looking at items like a slow data leak, probing from adversaries, and egress via multiple accounts. The Microsoft OWA issue went unnoticed for some time because the attackers left a hidden open doorway in the file space, on a device that is rarely reviewed. Proper event log monitoring would immediately show that these files weren’t there before and had never been used before.
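Two of the patterns named above, a burst of failures on one account and egress spread across several accounts from one source, are simple to express once the MFT audit log is parsed. The block below is an added example, not DataExpress or SIEM vendor code: the `key=value` log format, the sample lines, the account names and addresses, and the thresholds are all constructed assumptions; a real deployment would feed the same logic from the SIEM's normalized events.

```python
"""Two SIEM-style detections over MFT audit logs (added example; the log
format, sample lines and thresholds are constructed, not DataExpress output)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one account hammered with failed logins, one
# isolated failure, and one source address pulling files under three
# different partner accounts inside the same hour.
SAMPLE_LOG = """\
2021-01-15T02:00:01Z account=partner-acme src=203.0.113.5 action=LOGIN result=FAIL
2021-01-15T02:00:09Z account=partner-acme src=203.0.113.5 action=LOGIN result=FAIL
2021-01-15T02:00:17Z account=partner-acme src=203.0.113.5 action=LOGIN result=FAIL
2021-01-15T02:00:25Z account=partner-acme src=203.0.113.5 action=LOGIN result=FAIL
2021-01-15T02:00:33Z account=partner-acme src=203.0.113.5 action=LOGIN result=FAIL
2021-01-15T02:01:02Z account=partner-acme src=203.0.113.5 action=LOGIN result=FAIL
2021-01-15T02:30:00Z account=partner-globex src=192.0.2.44 action=LOGIN result=FAIL
2021-01-15T02:30:20Z account=partner-globex src=192.0.2.44 action=LOGIN result=SUCCESS
2021-01-15T10:05:00Z account=partner-a src=198.51.100.7 action=LOGIN result=SUCCESS
2021-01-15T10:05:10Z account=partner-a src=198.51.100.7 action=GET result=SUCCESS bytes=524288
2021-01-15T10:20:00Z account=partner-b src=198.51.100.7 action=GET result=SUCCESS bytes=131072
2021-01-15T10:41:00Z account=partner-c src=198.51.100.7 action=GET result=SUCCESS bytes=262144
2021-01-15T12:00:00Z account=partner-a src=198.51.100.7 action=GET result=SUCCESS bytes=1024
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)(?: bytes=(?P<bytes>\d+))?$"
)


def parse(lines):
    """Turn raw lines into event dicts; lines that do not parse are skipped
    (in production, count them: a parser that silently drops lines is blind)."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["bytes"] = int(ev["bytes"] or 0)
        events.append(ev)
    return events


def failure_bursts(events, window_minutes=5, threshold=5):
    """{account: max failed logins seen inside any sliding window}, only for
    accounts that reach the threshold.  A sliding window avoids the blind spot
    of fixed buckets, where a burst straddling a boundary is split in two."""
    fails = defaultdict(list)
    for ev in events:
        if ev["action"] == "LOGIN" and ev["result"] == "FAIL":
            fails[ev["account"]].append(ev["ts"])
    window = timedelta(minutes=window_minutes)
    hits = {}
    for account, times in fails.items():
        times.sort()
        best, j = 0, 0
        for i, start in enumerate(times):
            while j < len(times) and times[j] - start <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            hits[account] = best
    return hits


def multi_account_egress(events, min_accounts=3):
    """{(src, hour): [accounts]} for sources that downloaded data under
    min_accounts or more distinct accounts within one clock hour: the
    'egress via multiple accounts' pattern.  Fixed hourly buckets keep the
    example short; a sliding window would be the stricter choice."""
    seen = defaultdict(set)
    for ev in events:
        if ev["action"] == "GET" and ev["result"] == "SUCCESS":
            hour = ev["ts"].strftime("%Y-%m-%dT%H:00")
            seen[(ev["src"], hour)].add(ev["account"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_accounts}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG.splitlines())
    print("failure bursts:", failure_bursts(evs))
    print("multi-account egress:", multi_account_egress(evs))
```

Neither rule needs the content of the files; both run on the success/failure and transfer records the article says must reach the SIEM, which is the point: the "few failures versus 10,000" judgement is a counting problem, and counting needs every event, not just the errors.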
#5: Any factor Authentication
It shouldn’t need to be said, but here it goes: whenever possible, use not just multifactor but any step-up authentication. We offer a few options at Data443, but the same goes for Single Sign-On for your users and other such offerings that can bring additional identity verification into the mix. Anything that helps with validation and authenticity of the transaction.
Bonus #6: Classification & Identification
With Schrems II and more data movement, storage and retention laws coming into place, data classification technology is becoming mandatory for all MFT solutions. GDPR, CCPA and the like drive new behaviors in what, when and where data can be processed, moved and stored. No matter how old or new your tech solution is, 2021 will surely bring you brushes with these new requirements!
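Classification at the MFT layer starts with recognizing regulated data in the payload before it is moved or retained. The following is an added example, not Data443's classification product: it scans a constructed CSV for card numbers (validated with the Luhn check so that random digit runs are not flagged), US-style social security numbers and e-mail addresses, and returns the label counts a transfer policy could act on. The label names, the patterns and the sample records are assumptions; the card number used is a well-known test number, not a real account.

```python
"""Minimal content classifier for MFT payloads (added example on constructed
data, not Data443 product code).  Detects card numbers (Luhn-validated),
US SSN-shaped values and e-mail addresses and returns per-label counts."""
import re

# Candidate card numbers: 13 to 19 digits, optional single spaces or dashes
# between digits.  Validated below with Luhn to cut false positives.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")

# Constructed sample file: one Luhn-valid test card number, one digit run
# that fails Luhn, one SSN-shaped value, two e-mail addresses.
SAMPLE_FILE = """\
customer,contact,card
Acme Corp,buyer@example.com,4111 1111 1111 1111
Globex,ops@example.org,1234567890123456
Initech,123-45-6789,none
"""


def luhn_ok(digits):
    """Luhn mod-10 check: double every second digit from the right, subtract 9
    from doubled values above 9, and require the total to be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text):
    """Return {label: count} for the regulated data types found in text."""
    counts = {}
    pans = [m.group(0) for m in PAN_RE.finditer(text)
            if luhn_ok(re.sub(r"[ -]", "", m.group(0)))]
    if pans:
        counts["PCI-PAN"] = len(pans)
    ssns = SSN_RE.findall(text)
    if ssns:
        counts["PII-SSN"] = len(ssns)
    emails = EMAIL_RE.findall(text)
    if emails:
        counts["PII-EMAIL"] = len(emails)
    return counts


def sensitivity(counts):
    """Collapse the label counts into the single level a transfer policy keys on."""
    if "PCI-PAN" in counts or "PII-SSN" in counts:
        return "restricted"
    if counts:
        return "confidential"
    return "public"


if __name__ == "__main__":
    found = classify(SAMPLE_FILE)
    print(found, "->", sensitivity(found))
```

The Luhn step is what separates a classifier from a digit counter: the second record carries sixteen digits that fail the check and is not labelled, while the first record's spaced test number is. The level returned by `sensitivity` is the hook for the routing, retention and encryption decisions that GDPR and CCPA obligations turn into.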