Itzak Assaraf, CTO and Founder 1touch.io
Jeff Schwartz, Vice President, North America Engineering at Check Point Software
Dameon Welch Abernathy, Cyber Security Evangelist
Network controls have historically been proven to be very capable in limiting access to networks and therefore the data held within them. As our networks have evolved, so have these controls.
However, even with these more complex controls, network criteria are still the main standard for determining access to network elements. For example, if we look at traditional web access, limiting HR access via HTTP is an often-used rule, and is completely acceptable in most cases.
But what if HR were to draw personal data from LinkedIn and combine it with other data provided by an individual? While HTTP is a legitimate means by which to transfer or access that data, and the applications used may be allowed by an organisation, over time the storage and processing of that personal data will create risk exposure for the organisation – something that simple network or application controls do not deal with.
Clearly, organisations need better visibility regarding the content of the data they are using; an organisation’s risk exposure from the use of different sets of data varies with the type of data being stored, processed or shared. Increasingly, organisations want to log how sensitive data is being used, so that they can limit their exposure to the risk of storing or processing excess data. It is important that they hold as much useful data as possible for business purposes, while limiting the overall data load to reduce liability.
The main problems organisations currently face are a constantly changing, dynamic environment, human usage and shadow IT. Take personal data, for example: organisations simply no longer have control of where personal data is held. An organisation may have developers who create applications and use personal data lists to test those applications. Management will be ignorant of this usage of data, while nevertheless being held responsible for it.
Organisations also need visibility into the usage of different types of data for compliance purposes; for example, are specific types of data being transferred in an encrypted manner?
Clearly, most organisations need an automated way of discovering, classifying and tracking all types of data flow, specifically data of a highly sensitive nature such as personal data, if they are to keep up with an ever-changing threat landscape around the usage of sensitive data.
1touch.io is on stand J140 at Infosecurity Europe 2018