Thursday, April 25, 2024

Five Tips for Minimizing Data Loss Risk in a Hybrid IT Environment

Once upon a time, IT environments were standardized. Policies and controls to mitigate risk could be consistently applied without much concern for crossing multiple platforms. Then came a cascading series of technology changes over the last decade that eliminated those standards – virtualization, private and public cloud infrastructure, and software as a service (SaaS), consumed on BYOD laptops and mobile devices, and running a variety of operating systems.

The resulting hybrid IT environment means that you can have the best policies and controls in one part of your environment, but inconsistency in another part of the environment can open the door to data loss. For example, you might have an automated means of removing employee access to applications or data when an employee leaves your company, through integrations between your HR and Identity Management systems. But if it only works for apps running in your data center, then cloud-based apps or file management systems might be vulnerable to abuse by a disgruntled former employee or hackers who acquire credentials to orphan accounts.

Here are five common data loss risks found in hybrid environments and tips for what can be done to mitigate them.

1. Uncontrolled privileged users

Data loss stemming from inappropriate use of privileged access can be devastating. Whether a privileged user intentionally abuses their rights to steal data, as we saw in the Panama Papers, WikiLeaks or Edward Snowden cases, or their credentials are stolen and abused, as we saw in the OPM or Anthem attacks, the end result is costly: it can damage careers and destroy companies.

Policies for managing privileged user access need to be consistent across cloud and distributed systems. The controls that support those policies need to be consistent as well, including:

  • Two-factor authentication (2FA) for sensitive data
  • Privileged application management that limits and records privileged sessions
  • Privileged access governance that discovers orphan accounts and those with excess access compared to peers – in other words, identify accounts outside of policy

2. Inconsistent access management and governance

Enterprises have invested significantly in access management and governance systems to provide employees and contractors with simplified access to the resources they need, while demonstrating to auditors that least privilege is enforced. But much of that investment has been focused on the distributed environment. The public cloud environment is often a patchwork of SaaS services acquired by business units, and IaaS or PaaS (primarily AWS or Azure) used by developers.

The difficulty is that in a hybrid IT environment there is integration between cloud and distributed environments, so the policies and controls actually in effect are the most permissive ones found in any part of it. A centralized approach is necessary to consistently enforce policies and provide visibility of all access privileges and unusual usage, including:

  • Identity Governance and Administration that spans all environments, and includes analytics that identifies outliers
  • Single sign-on that is centrally administered regardless of where the application runs
  • Integration with HR systems, so that access can be consistently assigned and revoked
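The governance bullets above (discovering orphan accounts, spotting accounts with excess access compared to peers, and tying access to the HR system of record) come down to one reconciliation job that has to run across every environment, not just the data center. The following is an added illustration, not code from the author or from Micro Focus: it joins a constructed HR roster against constructed account exports from Active Directory, AWS IAM and a SaaS application, then reports accounts with no active owner and entitlements that fewer than half of a user's departmental peers hold. All names, systems and entitlement labels are invented.

```python
"""Constructed example: reconcile an HR roster with account exports from
several environments and flag two kinds of policy exceptions:
  - orphan accounts: no active HR record behind the account
  - peer outliers:   an entitlement held by fewer than half of the
                     user's departmental peers (the 'excess access' case)
All roster entries, systems and entitlement names below are made up."""
from collections import defaultdict

# HR system of record (constructed). status is "active" or "terminated".
HR_ROSTER = {
    "alice": {"dept": "finance", "status": "active"},
    "bob":   {"dept": "finance", "status": "active"},
    "carol": {"dept": "finance", "status": "active"},
    "dave":  {"dept": "engineering", "status": "active"},
    "erin":  {"dept": "engineering", "status": "terminated"},
}

# Account exports per environment, user id -> entitlements (constructed).
ACCOUNTS = {
    "ad":   {"alice": ["fin-share-rw"], "bob": ["fin-share-rw"],
             "carol": ["fin-share-rw", "domain-admins"], "dave": ["dev-share-rw"]},
    "aws":  {"dave": ["PowerUser"], "erin": ["AdministratorAccess"]},
    "saas": {"alice": ["viewer"], "bob": ["viewer"], "carol": ["viewer"],
             "svc-legacy": ["admin"]},
}


def find_orphans(roster, accounts):
    """Accounts whose owner is unknown to HR or is no longer active.
    Returns sorted (system, user, reason) tuples."""
    orphans = []
    for system, users in accounts.items():
        for uid in users:
            rec = roster.get(uid)
            if rec is None or rec["status"] != "active":
                reason = "no HR record" if rec is None else rec["status"]
                orphans.append((system, uid, reason))
    return sorted(orphans)


def find_peer_outliers(roster, accounts, min_peers=3, max_share=0.5):
    """Entitlements held by an active user that fewer than max_share of the
    user's departmental peers hold. Departments with fewer than min_peers
    active members are skipped: a peer group of one or two says nothing."""
    members = defaultdict(set)            # dept -> active user ids
    holders = defaultdict(lambda: defaultdict(set))  # dept -> (sys, ent) -> users
    for uid, rec in roster.items():
        if rec["status"] == "active":
            members[rec["dept"]].add(uid)
    for system, users in accounts.items():
        for uid, ents in users.items():
            rec = roster.get(uid)
            if rec is None or rec["status"] != "active":
                continue                  # orphans are reported separately
            for ent in ents:
                holders[rec["dept"]][(system, ent)].add(uid)
    outliers = []
    for dept, peers in members.items():
        if len(peers) < min_peers:
            continue
        for (system, ent), who in holders[dept].items():
            share = len(who) / len(peers)
            if share < max_share:
                for uid in sorted(who):
                    outliers.append((dept, uid, system, ent, round(share, 2)))
    return sorted(outliers)


if __name__ == "__main__":
    for system, uid, reason in find_orphans(HR_ROSTER, ACCOUNTS):
        print(f"ORPHAN   {system:5} {uid:12} {reason}")
    for dept, uid, system, ent, share in find_peer_outliers(HR_ROSTER, ACCOUNTS):
        print(f"OUTLIER  {dept:12} {uid:8} {system}:{ent} (held by {share:.0%} of peers)")
```

On the constructed data this reports the terminated user's AWS account and the unowned SaaS service account as orphans, and the one finance user holding `domain-admins` as a peer outlier. The thresholds (`min_peers`, `max_share`) are deliberately parameters: what counts as "outside of policy" is a decision the governance team makes, and the same scan should be fed from every environment's export so that the cloud side does not silently fall out of scope.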

3. Incident response procedures that don’t include service providers

Like access management and governance, most enterprises have invested heavily in incident monitoring and response processes to minimize damage when (not if) attackers succeed. The challenge in a hybrid environment is that service providers need to be factored into both the monitoring and the response processes.

Many organizations don’t adequately plan for how to engage with cloud service providers during breaches, which can cause delays in responding. Even though many cloud service providers have security controls that exceed those of their customers, no security is impossible to breach. Your incident management needs to include:

  • Knowing where the service provider’s security responsibility ends and the enterprise’s security begins
  • Drills that include contacting service providers and interacting with their staff
  • Monitoring access to cloud services and any other relevant data that the cloud provider offers

4. Irregular encryption application

Data security has been a major focus of both enterprises and cloud providers, and encryption of data at rest is an option for either Amazon S3 buckets or Azure SQL Database. Sensitive data in transit also can and should be encrypted, especially between enterprise and external cloud environments.

The challenge is to apply policies consistently across the hybrid IT environment, particularly for unstructured data. Most enterprises make extensive use of file sharing and code repositories both hosted internally and in the cloud that may or may not be encrypted. If employees aren’t provided with a convenient way of sharing information, they will self-source file sharing from companies like Dropbox or Bitbucket, without enterprise security policies and controls. Your encryption policies should include:

  • Consistent application across the hybrid IT environment and across the data lifecycle
  • Transparency to the end user so they won’t seek ways around the controls
  • Support for both structured and unstructured data

5. Poorly-maintained configurations

As new vulnerabilities are identified in existing software, such as via bug bounty programs or revealed on “patch Tuesday”, configuration policies must be updated and systems and applications must be patched. New server builds, whether being deployed in the data center, or in containers in the public cloud, also need to be built in accordance with current policies. And records must be available to demonstrate to auditors that policies are in place and being enforced when required by regulations, regardless of where the infrastructure resides.

The scale of this effort in an enterprise subject to multiple regulations can be overwhelming. Your configuration management in a hybrid environment should include:

  • Close alliances between the operations teams who maintain the automation for deploying servers and those responsible for maintaining security policies
  • Education for operations teams on where to look for gaps in coverage across the hybrid environment
  • Configuration management that includes automated scans for configurations that are outside of policy, and is cloud and data center compatible
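Sections 4 and 5 both come down to the same control: one policy set, evaluated the same way against assets in the data center, in AWS or Azure, and in containers, with a record an auditor can read. The example below is added here and is not the author's or Micro Focus's code; it is a minimal scanner over a constructed inventory. The inventory fields (`encrypted_at_rest`, `tls_only`, `last_patched`), the rule identifiers and the 30-day patch limit are assumptions made for illustration, not any vendor's API or a regulatory figure.

```python
"""Constructed example: run one set of configuration rules over an asset
inventory that spans a data center, AWS, Azure and a container platform.
Each rule is a small function, so adding an environment means adding
inventory entries, not a second copy of the policy. Field names, rule ids
and the patch-age limit are invented for this illustration."""
from datetime import date

POLICY_MAX_PATCH_AGE_DAYS = 30          # assumed policy value
SCAN_DATE = date(2024, 4, 25)           # fixed so results are reproducible
DATA_KINDS = {"object-store", "database", "file-share"}
PATCHABLE_KINDS = {"server", "container"}

# Constructed inventory. In practice this is assembled from the deployment
# automation and each provider's own inventory, then normalised to one shape.
INVENTORY = [
    {"id": "s3://fin-reports",  "kind": "object-store", "env": "aws",
     "encrypted_at_rest": True,  "tls_only": True,  "last_patched": None},
    {"id": "azsql://hr-db",     "kind": "database",     "env": "azure",
     "encrypted_at_rest": False, "tls_only": True,  "last_patched": None},
    {"id": "smb://dc1/shared",  "kind": "file-share",   "env": "datacenter",
     "encrypted_at_rest": False, "tls_only": False, "last_patched": None},
    {"id": "vm-web-01",         "kind": "server",       "env": "datacenter",
     "encrypted_at_rest": True,  "tls_only": True,  "last_patched": date(2024, 2, 1)},
    {"id": "k8s/api-gw:1.4",    "kind": "container",    "env": "aws",
     "encrypted_at_rest": True,  "tls_only": True,  "last_patched": date(2024, 4, 20)},
]


def rule_encryption_at_rest(asset, today):
    """Structured and unstructured data stores alike must be encrypted at rest."""
    if asset["kind"] in DATA_KINDS and not asset["encrypted_at_rest"]:
        return "data store not encrypted at rest"
    return None


def rule_tls_in_transit(asset, today):
    """No asset may accept unencrypted transport."""
    if not asset["tls_only"]:
        return "unencrypted transport permitted"
    return None


def rule_patch_age(asset, today):
    """Servers and container images must have a recent patch record."""
    if asset["kind"] not in PATCHABLE_KINDS:
        return None
    last = asset["last_patched"]
    if last is None:
        return "no patch record"
    age = (today - last).days
    if age > POLICY_MAX_PATCH_AGE_DAYS:
        return f"last patched {age} days ago (limit {POLICY_MAX_PATCH_AGE_DAYS})"
    return None


RULES = {
    "ENC-01":   rule_encryption_at_rest,
    "TLS-01":   rule_tls_in_transit,
    "PATCH-01": rule_patch_age,
}


def scan(inventory, today=SCAN_DATE, rules=RULES):
    """Evaluate every rule against every asset; return a list of findings,
    each carrying the rule id, asset, environment and a human-readable detail
    so the list itself can serve as the audit record."""
    findings = []
    for asset in inventory:
        for rule_id, check in rules.items():
            detail = check(asset, today)
            if detail:
                findings.append({"rule": rule_id, "asset": asset["id"],
                                 "env": asset["env"], "detail": detail})
    return findings


def summarize(findings):
    """Finding counts per environment: the quickest way to see which part of
    the hybrid estate is drifting from policy."""
    summary = {}
    for f in findings:
        summary[f["env"]] = summary.get(f["env"], 0) + 1
    return summary


if __name__ == "__main__":
    results = scan(INVENTORY)
    for f in results:
        print(f"{f['rule']:9} {f['env']:11} {f['asset']:20} {f['detail']}")
    print("per environment:", summarize(results))
```

On the constructed inventory the scan flags the Azure database and the data center file share for missing encryption at rest, the file share again for allowing cleartext transport, and the data center VM for an 84-day-old patch record, while the S3 bucket and the freshly built container pass. The point is that the data center share and the cloud database are judged by exactly the same rule, which is what "cloud and data center compatible" configuration management means in practice.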

As enterprises continue to consume more cloud infrastructure and services, it will become increasingly critical to have a hybrid approach to minimizing the risk of data loss. Without the luxury of standardization in a hybrid IT environment, an intentional effort must be made to become more consistent with policies and controls.

Travis Greene
Travis Greene, Identity Solutions Strategist at Micro Focus, possesses a blend of IT operations and security experience, process design, organizational leadership and technical skills. After a 10-year career as a US Naval Officer, he started in IT as a Data Center Manager for a hosting company. In early 2002, Travis joined a Managed Service Provider as the leader of the service level and continuous improvement team. Today, Travis conducts research with NetIQ customers, industry analysts, and partners to understand current Identity and Access Management challenges, with a focus on provisioning, governance and user activity monitoring solutions. Travis is Expert Certified in ITIL and holds a BS in Computer Science from the US Naval Academy.
