Information is power. For that reason, fraudsters are increasingly looking to data theft as their next get-rich-quick scheme. Hence, enterprises need to be more careful than ever in the management of their data assets.
It is impossible for a company to develop a complete asset management database without knowing exactly what it has, where it is located, who owns the device and if the device is doing what it is supposed to do. These are the four pillars of IT data asset management. Here are some specific actions you can take today to fill in the blanks for these pillars.
The automobile went through a similar evolution over a decade past, says Mark E.S. Bernard, an IT security consultant based in Canada.
An IT architecture needs to be designed with a central brain — a system that can monitor the infrastructure, including cloud, for faults and report these faults to the central brain.
With the dawning of artificial intelligence, this should be more advanced than the manual monitoring and reporting systems that some businesses have today. However, even the manual approach to monitoring the infrastructure and investigating anomalies or problems is not used in every computing environment today.
It is often said that CISOs never know exactly what they have on the enterprise network, because new devices are constantly connected while older machines are taken offline. From a data security standpoint, whether these devices are malicious or benign must be determined in real time, a necessary evil that is not always possible.
“Shadow IT, or rogue IT, is the common term for employees subverting IT policy — using their own mobile devices, downloading applications that may not be sanctioned — at their place of business,” says John Grim, head of the Verizon Threat Research Advisory Center (VTRAC), based in Basking Ridge, New Jersey.
Grim says enterprises often consider insiders who bring shadow IT devices on to a network as potential vulnerabilities. These people leave the proverbial door open to external threat actors, introducing their own device or training to employees, and making sure it cannot be directly connected. He suggests companies create a BYOD (bring your own device) or guest network for those using their own equipment for work applications. Such a guest network, however, would not necessarily include devices installed by the departments themselves to expand the corporate network.
“It’s important to understand that the threat of shadow or rogue IT is not the same today as it was 15 years ago,” says Joey Johnson, CISO at Premise Health, headquartered in Brentwood, Tenn. “The technology landscape has changed, and companies are pulling back from assigning laptops to each user because they recognize everyone has access to a smartphone or tablet. Employees want business apps for their timecards, HR benefits, and email, and they expect to be able to access these apps from their personal devices.”
In response to these changes, many organizations have shifted their entire tech stack to make it directly available and accessible by leveraging single sign-on and multifactor authentication to ensure access is efficient and secure.
Here is something to ponder. Today anyone can take corporate data assets and move them to a smartphone or tablet, then upload the information to an online file sharing platform. Even worse, users can create corporate data assets on personal platforms and then take any arbitrary action they wish. The best protection in these cases is an ounce of prevention. Companies need to meet team members where they are and provide them with better tools to get work done before the staffer goes out on his or her own and comes home with a device they like.
Jamil Farshchi, CISO for Atlanta-based Equifax, says that such problems with security, including trouble with shadow IT and asset management, serve as “a canary in the coal mine for problems with technology. Strong alignment between security and technology teams is critical to an effective security program,” he says. “To that end, the security team should be the technology team’s biggest advocate.”
The most direct security technology to address the shadow IT issue has been the Cloud Access Security Broker (CASB) offerings, a software application that resides either on-premises or in the cloud that sits between cloud service users and cloud applications, says Garrett A. Bekker III, principal security analyst for 451 Research in Houston, Texas. The CASB monitors all activity and enforces security policies. Many CASB vendors have emerged within the past five or six years to, at least initially, focus on solving the shadow IT problem by identifying all the Software-as-a-Service (SaaS) applications running in an enterprise network, and also risk-scoring them to help characterize the security threat they may pose.
The risk is that shadow IT is not managed with the core systems and infrastructure. Shadow IT often occurs in very large organizations when different department heads have the authority to demand a budget for IT, rather than centralizing the resources and leveraging it for benefits. Larger organizations, such as federal and provincial governments, are examples of this excessiveness.
A common way to mitigate this risk is to centralize ownership with the CTO or CIO and work with the CFO to identify, from a budget expenditure view, what departments and organizations created their own networks and built expensive infrastructure on those networks. While the organization stands to save potentially millions of dollars by eliminating shadow IT, the CISO benefits by removing potential entry points and backdoors into the organization’s infrastructure. This can reduce or eliminate the risk created by unmonitored and undermaintained assets accessing the infrastructure and being used by the infrastructure.
Decommissioned assets often can be misused by the criminal element.
“Decommissioned assets in the workplace or at home can create new exposures, you need to include a media destruction policy and procedure,” Bernard notes. He adds that a smart TV or phone might get turned into the manufacturer because of a defect or upgrade, but archived within that device could be account numbers and passwords. “If someone with bad intentions gets access to that device, they could commit fraud,” he adds.
The challenge with archived data assets is it is often unclear who should make the call that they should be decommissioned, according to Johnson. “It can get messy. Do all stakeholders agree to the timeline that makes something old? Does an old device equal old data? A device can be extremely old, yet have new data stored on it. Ambiguity spawns both inconsistent application of data security controls and a lack of clarity around accountability. Ultimately, the protection of assets is a business problem to solve, not a security problem.”
Assets that get pulled from service from a government ministry or commercial enterprise may also contain secrets, such as private encryption keys,” he adds.
A key to identifying devices on a network is tracking the data trail. Knowing the data that the enterprise possesses seems basic, but it is often overlooked. “You need to know what you have; not having an asset inventory up to date is an issue,” says Grim. “How can you protect anything if you don’t know what’s there? … Or [how can you] investigate a breach?” By knowing the critical assets, he says, enterprises should be able to better protect these critical data.
“I cannot emphasize enough, know your data inventory and periodically review and update it, every time there’s a significant change in the network. It should be a rolling update,” Grim says.
Johnson agrees with Grim, but adds that before addressing any concerns, it is important to understand what your data assets are and where they live. “It’s key to start with the fundamentals, which often are the most challenging to solve.”
Afterward, it is critical to understand and identify what “normal” access to your data assets looks like, he says. For a business to be successful, users need to be able to interact with very sensitive data assets, but that access, by its very definition, introduces risk. To be able to identify and respond to any data threats, you need to understand the business context right out of the gate.
The next step, Johnson says, is to understand and identify what ‘normal’ access to your data assets looks like. For a business to be successful, people need to be able to interact with very sensitive data assets, but that access by its very definition introduces risk. To be able to identify and respond to any data threats, you need to understand the business context right out of the gate,” he continues.
Managing the data inventory
451 Research recently surveyed banks, finding that over the course of two years, workloads have become surprisingly equally distributed across traditional on-premise data centers, private clouds, and applications running in public clouds (AWS, Azure, GCP), and SaaS apps. It is more difficult to apply security policy to distributed data, according to Bekker.
While many companies are seeing an explosion in the amount of data they generate and consume, “most firms don’t even know where to begin with a data security strategy,” he says, adding many of these companies have little idea what data they have, where it is located, and what its value or sensitivity is.”
Security consultant Bernard notes that when there is shadow IT in an enterprise, tracking data becomes more difficult. “Shadow IT often occurs in very large organizations when different department heads have the authority to demand a budget for IT rather than centralizing the resources and leveraging it for benefits,” Bernard says.
Larger organizations, including the U.S. federal government and Canada’s provincial governments, are examples of this “excessiveness.”
Bernard believes the best way to mitigate this risk is to centralize ownership with the CTO or CIO, and work with the CFO to identify which departments and organizations have purchased IT assets on their own and added those to the corporate network without having IT and the security team first vet the devices and apply security. This can be done by comparing departmental purchases for hardware and software assets against IT-approved hardware and software purchases.
While many corporate executives still fear moving data stores to cloud and how that might impact managing an enterprise’s data, Equifax’s Farshchi counsels that, rather than “being afraid of migrations to the cloud, CISOs should see [it] as an opportunity to implement the kind of automation-enabled standardization and monitoring that isn’t possible in legacy environments,” he says.
“At Equifax,” he continues, “we are building an assurance model with a goal to monitor every control on every asset in real time all the time. This automation-enabled assurance is the promise of the cloud.”
John Pescatore, director of emerging security trends for the SANS Institute, says one of the three major failures that enables data-asset exposure is the IT misconfiguring servers and related access.
“IT administrators [might] misconfigure servers or network-attached disk drives and leave them wide open to access by anyone,” Pescatore says. “Or the admins [might] fail to patch [operating systems] and applications on the servers they manage and attackers exploit the vulnerabilities.”
Case in point: When IT does offer cloud base storage to support collaboration needs, such as Amazon S3, they sometimes leave access wide open or do not turn on recommended access controls and audit features, he says.
Generally speaking, building an effective asset management plan comes back to the basics, the experts agree. One needs to know what is owned, where it is either physically on the network or where the virtual device resides. Next the staff must know who owns the asset, whether it has been configured to meet the IT departments security requirements, and if the device is doing what it is supposed to do. If a device, physical or virtual, does not meet the security standards, its owner is unknown or its function is unknown, the IT team should consider powering it down or disconnecting it entirely to eliminate a security vulnerability. Just doing the basics, they argue, will enhance your defensive profile and reduce risks.