As network boundaries dissolve, staying compliant requires focusing on the intersection of people and data.
Between high-visibility data breaches and new requirements such as the European Union’s General Data Protection Regulation (GDPR), compliance is more important than ever. But the dissolving network perimeter, with more users accessing more corporate systems from more devices, makes it much harder to track the location of critical data and what users do with that data.
Becoming compliant, and proving that compliance, in this new environment while staying agile and efficient requires new tools and processes that focus not on individual systems or threats, but on the intersection of people and data.
New Compliance Challenges
One example of the risks of a boundary-less network is an employee who, without approval from his employer, uses a cloud storage service such as Dropbox to store sensitive intellectual property. Traditional data loss prevention (DLP) solutions and other conventional network controls won’t catch this potential threat, says Allan Alford, Forcepoint’s chief information security officer. In a zero-perimeter world, a DLP solution must integrate with a cloud access security broker (CASB) to stop the loss of data to locations outside of the conventional network boundary.
Taking into account how real people use data leads to a more realistic approach to managing the environment. Blocking all data transfer to third-party clouds is not feasible, because those platforms are an important and cost-effective part of modern computing environments. Instead, a solution that integrates DLP with a CASB provides both usability and security by bringing third-party cloud providers into the fold as governed, allowable cloud usage: the DLP engine classifies what is leaving, and the CASB decides whether the destination is a sanctioned service allowed to receive data of that sensitivity.
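To make the DLP-plus-CASB decision concrete, here is an added example (not code from the article or from Forcepoint's products) of a minimal policy evaluator. It models what a CASB enforcement point sees on an upload attempt: who is uploading, which cloud app is the destination, and the content. DLP content rules classify the content, and the decision combines that classification with a sanctioned-app catalogue that records the highest sensitivity each governed service may receive. The app names, users, rules and file contents are all constructed for illustration.

```python
"""
Added example (not from the article or Forcepoint's products): a minimal
model of a DLP policy evaluated at a CASB enforcement point.

The CASB sees an upload attempt (user, destination cloud app, file content).
DLP rules classify the content; the decision depends on both that
classification and whether the destination app is sanctioned, and if so,
what sensitivity ceiling the tenant has assigned to it.
All names, rules and events below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from enum import Enum


class Sensitivity(Enum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2


# DLP content rules: pattern -> classification. Deliberately simple keyword
# and format matches; a production DLP engine would add fingerprinting and
# exact-data matching on top of this.
DLP_RULES = [
    (re.compile(r"\bCONFIDENTIAL\b|\bPATENT DRAFT\b", re.I), Sensitivity.CONFIDENTIAL),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), Sensitivity.CONFIDENTIAL),  # US-SSN-like pattern
    (re.compile(r"\bINTERNAL ONLY\b", re.I), Sensitivity.INTERNAL),
]

# CASB app catalogue (hypothetical tenant configuration): the sanctioned cloud
# services and the highest sensitivity each is allowed to receive. Any app not
# listed here, such as a personal Dropbox account, is unsanctioned.
SANCTIONED_APPS = {
    "corp-onedrive": Sensitivity.CONFIDENTIAL,  # corporate tenant, managed
    "corp-box": Sensitivity.INTERNAL,           # partner-sharing tenant
}


@dataclass
class UploadEvent:
    user: str
    app: str        # destination cloud app as identified by the CASB
    filename: str
    content: str


def classify(content: str) -> Sensitivity:
    """Return the highest sensitivity any DLP rule assigns to the content."""
    level = Sensitivity.PUBLIC
    for pattern, sens in DLP_RULES:
        if pattern.search(content) and sens.value > level.value:
            level = sens
    return level


def decide(event: UploadEvent) -> tuple[str, str]:
    """Return (action, reason); action is 'allow' or 'block'."""
    level = classify(event.content)
    ceiling = SANCTIONED_APPS.get(event.app)
    if ceiling is None:
        # Unsanctioned destination: only public content may leave, no matter who uploads.
        if level is Sensitivity.PUBLIC:
            return "allow", f"{event.app} is unsanctioned but content is PUBLIC"
        return "block", f"{level.name} content to unsanctioned app {event.app}"
    if level.value > ceiling.value:
        return "block", f"{event.app} is sanctioned only up to {ceiling.name}, content is {level.name}"
    return "allow", f"{level.name} content is within the {ceiling.name} ceiling for {event.app}"


# Constructed upload events, including the article's scenario of an employee
# pushing intellectual property to a personal cloud storage account.
EVENTS = [
    UploadEvent("alice", "personal-dropbox", "roadmap.docx", "PATENT DRAFT: new widget design"),
    UploadEvent("bob", "corp-box", "memo.txt", "INTERNAL ONLY: lunch schedule"),
    UploadEvent("carol", "corp-box", "hr.csv", "employee,ssn\nx,123-45-6789"),
    UploadEvent("dave", "personal-dropbox", "flyer.pdf", "Public event flyer"),
]


def evaluate_all(events=EVENTS):
    """Evaluate every event; returns (user, app, action, reason) tuples."""
    return [(e.user, e.app, *decide(e)) for e in events]


if __name__ == "__main__":
    for row in evaluate_all():
        print(row)
```

The `SANCTIONED_APPS` table is what "bringing third-party clouds into the fold" amounts to in practice: governed services stay usable up to their assigned ceiling, while the same confidential document that is allowed into the corporate tenant is blocked on its way to a personal account, and a public flyer is allowed anywhere rather than triggering a blanket block.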
A human-centric approach can also help balance user privacy against corporate security on user-owned devices such as smartphones and tablets. On the process side, this might mean requiring users to password-protect their devices and to agree to a remote wipe of corporate email if the device is lost or stolen. On the tooling side, it might include DLP and next-generation firewalls, device certificates, and posture checks that require a device to meet minimum security standards before it is allowed to connect to the corporate network.
Don’t Forget Audits
The added complexity of a dissolving network perimeter also lengthens compliance audits and raises their potential cost, along with the risk that a failed audit damages brand reputation.
In the past, such audits followed a well-defined process that included identifying the location of critical data, classifying its sensitivity, auditing the security of the systems where the data is located, and ensuring each data type and system met the relevant controls.
In a world of dissolving network boundaries, “…your systems are everywhere, some in your control, some with third parties,” says Alford, making it “much more challenging” for both enterprises and auditors to complete each of these steps. But the same people-focused, human-centric tools and processes that aid compliance can also reduce the cost and length of audits by closely tracking data flow and ensuring proper safeguards are in place.