Safeguarding an Enterprise's Proprietary and Business-Confidential Data

Many technology companies say they are well protected from security threats because of their strong technical controls, management controls and validation processes; others say they want to implement processes that give 100% protection. Given newly emerging threats, it is practically impossible to guarantee 100% protection of an enterprise's assets, even with sophisticated technology tools. Data is the heart of an organization, and exposure of intellectual property, research and development results, metrics or the strategic plan will push an enterprise to the back seat in today's competitive market.
This article describes various safeguarding methodologies to protect enterprise assets from internal and external threats.

Key challenges in safeguarding an enterprise's data

This section describes immediate challenges that need to be addressed to protect enterprise data.

  • Corporate defensive security controls are defeated by today's innovative attack tactics.
  • Corporate business documents are stored in e-mail inboxes and shared with others from there.
  • C-level executives share strategic business information and other sensitive information with other senior executives through channels such as WhatsApp and e-mail without encrypting it.
  • Security awareness training programs for employees are inadequate and ineffective.
  • The majority of enterprises invest heavily in mitigating external threats but fail to put adequate internal security controls in place to mitigate data theft by insiders.
  • Applications are not designed with secure coding practices.
  • Senior management and financial analysts create future business plans, valuation models, financial forecasts and pricing strategies in spreadsheets on their laptops and share them via e-mail.
  • Entire business units may have access to shared directories that contain strategic and intellectual-property documents. Anyone can access these documents and share them with others without understanding the negative business impact on the enterprise.

Mandatory security controls to safeguard against data leakage

This section describes some of the important, mandatory security controls that must be deployed to safeguard the enterprise's data.

  • Develop and deploy an enterprise-wide policy to protect critical assets.
  • In addition to firewalls, the enterprise must also deploy other security tools such as IDS/IPS and web filtering tools to safeguard its assets.
  • Perform a periodic risk assessment to identify critical assets, business processes and mission-critical systems.
  • Deploy software-defined networking, and reduce the use of e-mail as a substitute for a document management system.
  • Store sensitive and proprietary data on-premises and deploy the web-based interfaces into the public cloud (hybrid cloud), connecting the on-premises and public cloud environments over a secured network connection such as a VPN. Deploy only less sensitive data into the public cloud.
  • When data is encrypted in the public cloud, the enterprise should retain the decryption key.
  • Establish security governance so that applications are developed against security architecture standards.
  • Use the Advanced Encryption Standard (AES) with a 256-bit key to encrypt data at rest.
  • Deploy a document management system or content management system to store digital documents and track user access. This provides visibility into who is accessing, transmitting and altering documents, which makes it much harder for insiders to exploit client information undetected. Share documents through the system's workflow process instead of by e-mail.
  • The enterprise must ensure that data is not stored permanently on end-user devices; this reduces the risk if a device is lost or stolen.
  • Virtual Desktop Infrastructure (VDI) for end-user environments improves security and reduces risk: VDI allows customized rules and permissions on each individual desktop according to the job role and on a need-to-know basis, so the enterprise can give employees and contractors the minimum level of access they need to do their job.

Protect the enterprise's intellectual property against insider threats

  • Conduct periodic security awareness training and teach employees what good and bad behavior look like.
  • Employ rigorous hiring and promotion processes, with more frequent screening for positions of greater access.
  • Deploy a wide range of security tools on employees' devices such as desktops, laptops and mobile devices.
  • Separate operational roles from management roles, define Role-Based Access Control (RBAC) and ensure that operational employees do not have access to management-related data.
  • Deploy stringent security controls on how and when an employee can access proprietary data.

Protect the enterprise's intellectual property against external threats

In addition to firewalls, the enterprise must also deploy other security tools such as IDS/IPS and web filtering tools to safeguard its assets. When data is stored and processed inside the enterprise's data center, sensitive data must be protected with security tools such as web filtering, intrusion detection and anti-malware controls.

Case studies

This section provides sample case studies of controls that were deployed in enterprises to safeguard their critical data.

Data Loss Prevention
Data loss prevention (DLP) tools can stop sensitive data from being e-mailed externally, uploaded to websites, downloaded to external drives or even printed. A DLP tool also prevents data from being copied to removable media such as CDs and pen drives. In some scenarios we cannot stop receiving sensitive data such as Social Security numbers through external channels; in those cases the DLP tool has been configured not to send a response back to the customer but instead to trigger an internal security incident to the local security admin for investigation.
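As an added illustration (not part of the original article or of any vendor's DLP product), the following Python sketch models the decision just described: outbound mail carrying an SSN or a classification tag is blocked, inbound mail that arrives with an SSN is quarantined and raised as an internal incident instead of being bounced to the sender, and internal-to-internal sharing is allowed but logged. The domain, addresses, patterns and messages are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# All names below are constructed for this example; "example.com" stands in
# for the enterprise's own mail domain.
INTERNAL_DOMAIN = "example.com"
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")           # US Social Security number shape
TAG_RE = re.compile(r"\[(CONFIDENTIAL|PROPRIETARY)\]")  # classification tag stamped on documents


@dataclass
class Message:
    sender: str
    recipient: str
    body: str
    attachments: dict = field(default_factory=dict)  # filename -> extracted text


def is_internal(addr: str) -> bool:
    return addr.lower().endswith("@" + INTERNAL_DOMAIN)


def inspect(msg: Message) -> dict:
    """Return the DLP verdict for one message together with the reasons behind it."""
    reasons = []
    for where, text in [("body", msg.body), *msg.attachments.items()]:
        if SSN_RE.search(text):
            reasons.append(f"ssn in {where}")
        tag = TAG_RE.search(text)
        if tag:
            reasons.append(f"{tag.group(1).lower()} tag in {where}")
    if not reasons:
        return {"action": "allow", "reasons": []}
    if is_internal(msg.sender) and not is_internal(msg.recipient):
        return {"action": "block", "reasons": reasons}            # outbound leak
    if not is_internal(msg.sender):
        # Inbound sensitive data: never echo it back to the external party;
        # hold the message and open an incident for the local security admin.
        return {"action": "quarantine", "incident_to": "security-admin",
                "reply_to_sender": False, "reasons": reasons}
    return {"action": "allow", "log": True, "reasons": reasons}   # internal share, audited


# Constructed sample traffic covering each branch above.
SAMPLES = {
    "outbound_leak": Message("analyst@example.com", "friend@gmail.com",
                             "FY25 forecast attached", {"plan.txt": "[PROPRIETARY] pricing strategy"}),
    "inbound_ssn": Message("customer@mail.net", "support@example.com",
                           "My SSN is 123-45-6789, please update my record"),
    "internal_share": Message("cfo@example.com", "vp@example.com", "[CONFIDENTIAL] board deck"),
    "clean": Message("hr@example.com", "vendor@partner.org", "Meeting moved to 3pm"),
}


def verdicts() -> dict:
    return {name: inspect(m)["action"] for name, m in SAMPLES.items()}
```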

Security Awareness Training
One of the critical parameters is raising the level of security awareness. The enterprise should conduct information security awareness training to change the employee mindset, and this should be done weekly or on another frequent periodic basis across the enterprise rather than semi-annually or annually. Some financial institutions spent about 25% of their technical staff's time on secure application development practices, including interfaces and access management solutions, in order to raise the security awareness level. This helps an enterprise develop secure applications with stringent access controls that reduce data leakage.

Access Restriction to endpoint devices
Network Access Control (NAC) applies stringent, policy-based access restrictions to externally connected devices: a NAC policy restricts access to the enterprise network and allows only authorized persons to connect. NAC assesses the posture of the connecting device and applies the appropriate policies; it also defines compliance requirements that devices must meet before access is granted. Identity Services Engine (ISE) is a Cisco product that can be used to implement this policy. NAC restricts data access per user.

Network Segmentation
One industrial company divided its network into a higher-security zone for its sensitive intellectual property and a lower-security zone for other data.
  
Digital Rights Management

Digital Rights Management (DRM) was deployed at an oil and gas company to store negotiation strategies securely, reducing unauthorized access by anyone without legitimate access rights. Sensitive documents also carry tags, and the DLP tools use these tags to prevent the documents from being transmitted by e-mail or printed. The DRM tool also prevents unauthorized users from opening, copying or printing them.
 
Cloud Access Security Broker (CASB)
A CASB (Cloud Access Security Broker) is deployed between the cloud service consumer and the cloud service provider and can enforce the enterprise's data security policy, denying unwanted activities based on the classification of the data. It also monitors user access to sensitive enterprise data. A CASB has been deployed at a telecom company to prevent data leakage in the public cloud. When the CASB is integrated with the Office 365 solution, it blocks outbound loss of sensitive data via e-mail content and attached files. For any unexpected user activity, the system triggers an alert to the configured user's e-mail or SMS.

Azure Information Protection (AIP)
A manufacturing company has deployed AIP (Azure Information Protection) along with a DLP tool for its on-premises data center to protect intellectual property, customers' personally identifiable information (PII) and financial data while in motion. AIP allows the data owner to classify data and attach protection directly to sensitive data so that it is always protected and identifiable. The data owner or an admin creates data classification policies, and data is classified either manually or automatically, for new documents and for all existing documents, according to the data protection policy. The data is encrypted with permissions attached to ensure that only authorized users can access it. In addition, controls can be defined to prevent printing, saving, copying text or forwarding the file. These tools also provide the ability to recall a document from unauthorized users, and a recipient's access can be revoked once the validity period given to that user has expired.

Conclusion

A passive defense approach to protecting data, such as relying on a SOC, does not provide a high level of protection, and it is time to balance it with active defense. Passive analysis is time-consuming, and at the end of the analysis the event may turn out to be a false positive or a false negative. The enterprise should deploy active defense; some of these approaches have been described in the case studies section. Any exposure of sensitive enterprise data to the public domain, to a business competitor or to a disgruntled employee will have a serious impact on the enterprise's brand value and lead to loss of business, and due to lost faith in the enterprise, current customers might move to competitors.

Authored By - Ananda Narayanan G
TCS Cyber Security Practice
