NC Feb-Mar 2023
FEATURE: DATA PERSPECTIVES<br />
ultimately affected 300 million guests of<br />
Marriott Hotels, attackers are routinely<br />
spending months inside businesses looking for<br />
data. In 2022, it took an average of 277 days<br />
- about nine months - to identify and contain a<br />
breach. Throughout this time, bad actors have<br />
access to corporate data; they have the time<br />
to explore and identify the most valuable<br />
information. And the chance to copy and/or<br />
delete that data - depending on the attack's<br />
objective.<br />
The costs are huge: the average cost of a<br />
data breach in the US is now $9.44 million<br />
($4.35 is the average cost globally). From<br />
regulatory fines - which are increasingly<br />
punitive across the globe - to the impact on<br />
share value, customer trust, even business<br />
partnerships, the long-term implications of a<br />
data breach are potentially devastating.<br />
MISPLACED TRUST IN INFRASTRUCTURE<br />
Yet these affected companies have ostensibly<br />
robust security postures. They have highly<br />
experienced security teams and an extensive<br />
investment in infrastructure. But they have<br />
bought into the security industry's<br />
long-perpetuated myth that locking down<br />
infrastructure, using VPNs, SD-WANs and<br />
firewalls, will protect a business' data.<br />
As breach after breach has confirmed,<br />
relying on infrastructure security fails to provide<br />
the level of control needed to safeguard data<br />
from bad actors. For the vast majority of<br />
businesses, data is rarely restricted to the<br />
corporate network environment. It is in the<br />
cloud, on a user's laptop, on a supplier's<br />
network. Those perimeters cannot be<br />
controlled, especially for any business that is<br />
part of supply chain and third-party networks.<br />
How does Vendor A protect third party<br />
Supplier B when the business has no control<br />
over their network? Using traditional,<br />
infrastructure-dependent security, it can't.<br />
Furthermore, while an SD-WAN is a more<br />
secure way of sending data across the Internet,<br />
it only provides control from the network<br />
egress point to the end destination. It provides<br />
no control over what happens on an<br />
organisation's LAN side. It cannot prohibit<br />
data being forwarded on to another location<br />
or person. Plus, of course, it is accepted that<br />
SD-WAN misconfiguration can add a risk of<br />
breach, which means the data is exposed - as<br />
shown by the public CVEs (Common<br />
Vulnerabilities and Exposures) available to<br />
review on most SD-WAN vendors' websites.<br />
And while SD-WANs, VPNs and firewalls use<br />
IPsec as an encryption protocol, their<br />
approach to encryption is flawed: the<br />
encryption keys and management are<br />
handled by the same group, in direct<br />
contravention of accepted zero trust<br />
standards of "Separation of Duties".<br />
PROTECT THE DATA<br />
It is, therefore, essential to take another<br />
approach, to focus on protecting the data. By<br />
wrapping security around the data, a<br />
business can safeguard this vital asset<br />
irrespective of infrastructure. Adopting Layer<br />
4, policy-based encryption ensures the data<br />
payload is protected for its entire journey -<br />
whether it was generated within the business<br />
or by a third party.<br />
If it crosses a misconfigured SD-WAN, the<br />
data is still safeguarded: it is encrypted,<br />
making it valueless to any hacker. However<br />
long an attack may continue, or however long<br />
an individual or group can be camped out in<br />
the business looking for data to use in a<br />
ransomware attack, if the sensitive data is<br />
encrypted there is nothing to work with. Because<br />
only the payload data is encrypted, while<br />
header data remains in the clear, there is<br />
minimal disruption to network services or<br />
applications, and troubleshooting an<br />
encrypted network is easier.<br />
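An added illustration of the payload-only, policy-based encryption described above (not code from the article or from any vendor). The simplified 12-byte header, the policy table, the key names and the choice to bind the clear header as AES-GCM associated data are assumptions of this example; it uses the Python `cryptography` package.

```python
import os
import struct
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Constructed policy: destination port -> key ID (None or absent = sent in clear).
POLICY = {5432: "db-key", 443: None}
# Constructed key store; in practice held by the policy owner, not network admins.
KEYS = {"db-key": AESGCM.generate_key(bit_length=256)}
# Simplified 12-byte header: src IP, dst IP, src port, dst port.
HDR = struct.Struct("!4s4sHH")

def make_segment(src, dst, sport, dport, payload):
    """Build a simplified segment: clear header followed by payload."""
    return HDR.pack(bytes(src), bytes(dst), sport, dport) + payload

def _key_for(header):
    """Look up the policy key for this flow, or None if it is not covered."""
    key_id = POLICY.get(HDR.unpack(header)[3])
    return KEYS[key_id] if key_id else None

def protect(segment):
    """Encrypt only the payload of policy-selected flows; header stays readable."""
    header, payload = segment[:HDR.size], segment[HDR.size:]
    key = _key_for(header)
    if key is None:
        return segment  # flow not selected by policy: forwarded unchanged
    nonce = os.urandom(12)
    # The header is associated data: not encrypted, but covered by the auth tag.
    sealed = AESGCM(key).encrypt(nonce, payload, header)
    return header + nonce + sealed

def unprotect(segment):
    """Return the original segment, or None if header or payload was altered."""
    header, rest = segment[:HDR.size], segment[HDR.size:]
    key = _key_for(header)
    if key is None:
        return segment
    try:
        payload = AESGCM(key).decrypt(rest[:12], rest[12:], header)
    except InvalidTag:
        return None
    return header + payload
```

Routing and troubleshooting tools still see addresses and ports in the protected segment, while the payload grows by the 12-byte nonce and 16-byte tag.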
This mindset shift protects not only the data<br />
and, by default, the business, but also the<br />
senior management team responsible - indeed<br />
personally liable - for security and information<br />
protection compliance. Rather than placing<br />
the burden of data protection onto network<br />
security teams, this approach realises the true<br />
goal of zero trust: separating policy setting<br />
responsibility from system administration. The<br />
security posture is defined from a business<br />
standpoint, rather than a network security and<br />
infrastructure position - and that is an essential<br />
and long overdue mindset change.<br />
CONCLUSION<br />
This mindset change is becoming critical -<br />
from both a business and regulatory<br />
perspective. Over the past few years,<br />
regulators globally have increased their focus<br />
on data protection. From punitive fines,<br />
including the maximum of 20 million<br />
euros (or 25% of global revenue, whichever is<br />
the higher) per breach of the European Union's<br />
General Data Protection Regulation (GDPR), to<br />
the risk of imprisonment, the rise in regulation<br />
across China and the Middle East reinforces<br />
the clear global recognition that data loss has<br />
a material cost to businesses.<br />
Until recently, however, regulators have not<br />
been prescriptive about the way in which that<br />
data is secured - an approach that has<br />
allowed the 'lock down infrastructure' security<br />
model to continue. This attitude is changing.<br />
In North America, new laws demand<br />
encryption between Utilities' Command and<br />
Control centres to safeguard national<br />
infrastructure. This approach is set to expand<br />
as regulators and businesses recognise that<br />
the only way to safeguard data crossing<br />
increasingly dispersed infrastructures, from<br />
SD-WAN to the cloud, is to encrypt it - and do so<br />
in a way that doesn't impede the ability of the<br />
business to function.<br />
It is now essential that companies<br />
recognise the limitations of relying on<br />
SD-WANs, VPNs and firewalls. Abstracting data<br />
protection from the underlying infrastructure<br />
is the only way to ensure the business is<br />
protected and compliant. NC<br />
WWW.NETWORKCOMPUTING.CO.UK @NCMagAndAwards FEBRUARY/MARCH 2023 NETWORKcomputing 29