Maintaining a competitive advantage requires global businesses to expand access to and usage of sensitive information across more user types than ever. More and more companies are adopting a hybrid workforce of employees, trusted third-party collaborators and outsourcers via “anywhere, anytime” access models that have no infrastructure-defined “borders” at which to place data-control bottlenecks or enforcement points. Using the global network to tap a far larger and more accessible talent pool creates business opportunities that fundamentally increase the value of sensitive information to a growing spectrum of privileged users. Not surprisingly, the risk to data from privileged users (defined as the insider threat) remains one of the largest threats to security and value still unaddressed by most companies.
Traditionally, a “privileged user” has been defined as someone (e.g. an IT administrator) with authorized access to sensitive networks, machines, applications and data as a normal part of their duties. Nowadays that definition has expanded to include senior managers, business managers, legal, HR, engineers, designers, security administrators, and even the accounting team. In many respects “privileged user” has become a generic term for anybody with legitimate access to sensitive data, irrespective of whether they have a right to actually use it. It follows that any user with the right to access sensitive information is a potential insider threat, whether or not they harbor specific malicious intent. Whatever their specific role or disposition, every privileged user is a potentially critical liability unless the organization can centrally monitor, audit, guide and enforce effective data-usage policies that balance productivity with risk management.
Privileged users are privileged for a reason, so any information-protection solution must enforce policies that are effective without being burdensome or restrictive. Managing sensitive workflows by and among privileged users requires defining a set of compliant conditions that align with organizational goals and standards. These parameters yield a multi-dimensional policy matrix from which risk and response can be determined wherever user, rights, information type, operation, business context and policy intersect.
Infrastructure-based technologies like DLP offer very limited policy logic and response options for combining privileged-user productivity with security against the insider threat in most real-world scenarios. Without data-level visibility and full situational awareness at the point of use, DLP alone cannot reliably recognize privileged users or their usage rights, nor assess risk from the context of use, without impeding value-creating processes. Every year millions of dollars are wasted in a fruitless struggle to use aging and increasingly irrelevant measures to control the misuse of information and mitigate the insider threat. Yet the ability to audit and manage sensitive-information usage for this specific and known user population can significantly reduce a company’s risk profile for relatively little cost. Three approaches are typical, each with its own problems:
1.) Put no security policies or solutions in place and rely on the integrity of the privileged user, without considering the risk of malicious or non-malicious insiders.
- Problem - A very small minority of users are dishonest or malicious, but the actions of even one individual can lead to staggering losses.
- Problem - Bad things can happen to good people. One lost laptop, USB device, or password can make headline news regardless of intentions.
2.) Apply written company policies and enforce them through manual internal audits.
- Problem - Though this approach may meet minimum compliance standards and mitigate risk at some level, it is not preventative. Audits are time-intensive, expensive, and may well occur long after the problem has happened.
- Problem - Honest users will often work around restrictive policies and controls with no bad intentions, simply to save time, putting sensitive data at risk and exposing the business to insider threats.
3.) Deploy network-based security technology, monitoring of privileged-user traffic, or encryption.
- Problem - Network solutions often miss encrypted or “tunneled” data traveling over the network. Knowing these limitations, privileged users can easily defeat the system.
- Problem - Technology designed to monitor traffic cannot monitor or prevent “point of risk” activity such as copying to local drives, USB devices, CDs, or DVDs.
- Problem - Broad encryption solutions are both cumbersome and ineffective, often locking out well-intentioned users while letting mal-intentioned privileged users in.
- Problem - An insider who knows of these blind spots can easily use them against the business.
Verdasys Digital Guardian is a proven approach for centrally managing privileged users. Using data-level monitoring and control, Digital Guardian identifies, analyzes and intelligently enforces access and control policies in real time, based on the privileged user’s rights to access and use sensitive information, without limiting authorized uses. For instance, an encryption policy can allow a privileged business user who is authorized to access certain sensitive information to transparently decrypt those files. A privileged IT administrator who needs the same files in order to back them up may also access them, but will be unable to decrypt them, even when logged into the business user’s own machine, if their specific policy forbids it. Users with no business need for the files would simply be blocked from decrypting, moving, renaming, or deleting them; or be required to justify their action; or be guided towards more compliant behavior.
By “knowing” the context of risk for every situation automatically, based on user, data, activity and policy, Digital Guardian can apply the exact measure that protects data while letting privileged users do their jobs without restriction. This dynamic protection allows increased collaboration and eliminates cumbersome data-protection policies.
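As an added illustration of the policy matrix described earlier (user, rights, information type, operation, business context and policy intersecting to produce a risk response) and of the business-user / IT-administrator / no-need-user scenario in the preceding paragraph, the following Python sketch implements a small attribute-based policy engine. It is not Digital Guardian’s code or policy language; the rule format, the role and operation names, the decision vocabulary (allow, block, justify, guide) and the sample requests are all assumed for this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Decision vocabulary (assumed for this example). It mirrors the responses
# named in the text: allow, block, require a justification, or guide the user
# towards a compliant alternative.
ALLOW, BLOCK, JUSTIFY, GUIDE = "allow", "block", "justify", "guide"


@dataclass(frozen=True)
class Request:
    """One attempted operation on one file, observed at the point of use."""
    user: str
    role: str                 # assumed roles: "business", "it_admin", "contractor"
    classification: str       # label carried with the data, e.g. "confidential"
    operation: str            # "read", "decrypt", "copy", "move", "rename", "delete"
    context: dict = field(default_factory=dict)  # e.g. host owner, destination channel


@dataclass(frozen=True)
class Rule:
    roles: frozenset
    classifications: frozenset
    operations: frozenset
    decision: str
    note: str = ""
    when: Optional[Callable[[Request], bool]] = None  # optional predicate on context


def evaluate(rules, req):
    """First matching rule wins; anything no rule grants is blocked (default deny)."""
    for r in rules:
        if (req.role in r.roles and req.classification in r.classifications
                and req.operation in r.operations
                and (r.when is None or r.when(req))):
            return r.decision, r.note
    return BLOCK, "no rule grants this operation"


CONFIDENTIAL = frozenset({"confidential"})
ALL_OPS = frozenset({"read", "decrypt", "copy", "move", "rename", "delete"})

# Policy matrix for the scenario in the text (constructed for this example).
POLICY = [
    # Business users with a need to use the data decrypt transparently.
    Rule(frozenset({"business"}), CONFIDENTIAL, ALL_OPS, ALLOW,
         "authorized business use; transparent decryption"),
    # IT admins may read/copy ciphertext for backup but never decrypt, even on
    # the business user's own machine: the rule keys on role, not on host.
    Rule(frozenset({"it_admin"}), CONFIDENTIAL, frozenset({"read", "copy"}), ALLOW,
         "backup access to ciphertext only"),
    Rule(frozenset({"it_admin"}), CONFIDENTIAL, frozenset({"decrypt"}), BLOCK,
         "administrators have no right to plaintext"),
    # Users with no business need: guided or challenged for low-risk actions,
    # blocked outright for destructive or exfiltrating ones.
    Rule(frozenset({"contractor"}), CONFIDENTIAL, frozenset({"copy"}), GUIDE,
         "use the approved collaboration share instead of removable media",
         when=lambda q: q.context.get("destination") == "usb"),
    Rule(frozenset({"contractor"}), CONFIDENTIAL, frozenset({"read"}), JUSTIFY,
         "record a business justification before opening"),
    Rule(frozenset({"contractor"}), CONFIDENTIAL,
         frozenset({"decrypt", "move", "rename", "delete"}), BLOCK,
         "no business need for this operation"),
]

# Central audit trail: every decision is recorded, allowed or not.
AUDIT = []


def enforce(req, rules=POLICY):
    """Evaluate one request, append an audit record, and return the decision."""
    decision, note = evaluate(rules, req)
    AUDIT.append({"user": req.user, "role": req.role, "op": req.operation,
                  "label": req.classification, "ctx": dict(req.context),
                  "decision": decision, "note": note})
    return decision


if __name__ == "__main__":
    # Sample requests, constructed to walk through the scenario in the text.
    cases = [
        Request("alice", "business", "confidential", "decrypt", {"host_owner": "alice"}),
        Request("bob", "it_admin", "confidential", "copy", {"host_owner": "alice"}),
        Request("bob", "it_admin", "confidential", "decrypt", {"host_owner": "alice"}),
        Request("carol", "contractor", "confidential", "copy", {"destination": "usb"}),
        Request("carol", "contractor", "confidential", "delete"),
    ]
    for c in cases:
        print(f"{c.user:6} {c.role:10} {c.operation:8} -> {enforce(c)}")
```

The point to notice is that the administrator’s decrypt attempt is refused by the rule on their role, so logging into the business user’s host (the `host_owner` context) buys them nothing, while the same administrator’s copy for backup goes through. Default deny covers any role or operation the matrix does not mention, and the audit list gives the central record the text calls for; a real deployment would enforce this at the endpoint rather than in a script.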