This is the third in a series of posts I'm writing on the Center for Internet Security (CIS) Controls Version 8. The CIS Controls are 18 information security controls that all organizations and information security professionals should be familiar with and implement to protect their networks from attackers. In this post I discuss what I see in my work as an information security auditor with clients regarding Control 03 - Data Protection.
The CIS overview for Data Protection is - Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data. The 14 safeguards under this control are:
3.1 Establish and Maintain a Data Management Process
3.2 Establish and Maintain a Data Inventory
3.3 Configure Data Access Control Lists
3.4 Enforce Data Retention
3.5 Securely Dispose of Data
3.6 Encrypt Data on End-User Devices
3.7 Establish and Maintain a Data Classification Scheme
3.8 Document Data Flows
3.9 Encrypt Data on Removable Media
3.10 Encrypt Sensitive Data in Transit
3.11 Encrypt Sensitive Data at Rest
3.12 Segment Data Processing and Storage Based on Sensitivity
3.13 Deploy a Data Loss Prevention Solution
3.14 Log Sensitive Data Access
Data classification is listed as a safeguard (3.7) so that companies can determine the sensitivity of data and protect it accordingly. Larger companies generally do a better job of this, from what I've encountered. Smaller companies find it easier to protect all of their non-public data the same way, as they don't have the staffing resources or tools to do much else.
One of the most basic things a company must do is properly restrict access to data via access controls, and log access to that data. Companies usually implement this well, but occasionally I'll find that customers have share drives containing sensitive information that are open to all staff, or to more staff than have a need for access. In one case, a company's Human Resources share was not restricted. All of the employees' job offer letters with salary information were available. On-boarding documents, such as I-9 forms with Social Security numbers and copies of drivers' licenses, were accessible to anyone in the company who happened to know how to access the share. In another case, the company's code repositories were configured to allow any of the thousands of employees in the company to access, change, and delete the code. In cloud environments, I find that customers sometimes misconfigure their AWS buckets so they are available to the public or are not encrypted. Again, the IT Directors and CISOs are taken aback when they see that organization data is not properly protected. They don't know about the data, so they can't protect it.
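The "bucket open to the public" finding above is one you can check for yourself before an auditor does. The following is an added example, not code from the original post: it evaluates an S3 bucket policy document offline and reports every Allow statement whose Principal is a wildcard. The sample policy is constructed for illustration (the bucket name, account ID and organization ID are placeholders); in practice you would feed it the `Policy` string returned by `aws s3api get-bucket-policy --bucket NAME`, and pair it with `aws s3api get-public-access-block` and `aws s3api get-bucket-encryption` for the two other misconfigurations mentioned above.

```python
"""Flag S3 bucket policy statements that grant access to everyone.

Added example, not from the original post. It evaluates a policy document
offline; SAMPLE_POLICY below is constructed for illustration.
"""
from __future__ import annotations

import json

# Constructed sample policy: one statement is public, one is scoped to an
# account, one is wildcard but narrowed by a Condition.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {
            "Sid": "AccountOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {
            "Sid": "PublicButConditioned",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}},
        },
    ],
})


def _is_wildcard_principal(principal) -> bool:
    """True if the Principal element grants to anyone: "*" or {"AWS": "*"}
    (the AWS value may be a string or a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def find_public_statements(policy_json: str) -> list[dict]:
    """Return a summary of every Allow statement with a wildcard principal.

    A statement is reported as 'public' when it has no Condition block and
    'conditional' when one is present: conditions such as aws:PrincipalOrgID
    narrow the grant, so those need manual review rather than an automatic
    pass. Assumption: Deny statements are ignored in this simplified check.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": actions,
            "exposure": "conditional" if stmt.get("Condition") else "public",
        })
    return findings


if __name__ == "__main__":
    for f in find_public_statements(SAMPLE_POLICY):
        print(f"{f['sid']}: {f['exposure']} grant of {', '.join(f['actions'])}")
```

The policy check is a detective control; the preventive one is S3 Block Public Access at the account level, which makes a policy like `PublicRead` fail to apply in the first place.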
In a recent gap analysis, the client I worked with provided services to hospitals and medical practices. They collected Social Security numbers via a web application. The SSNs were encrypted in the database, but the SSN field for each patient was visible to all customer support staff every time they looked at a patient record. This is not the usual practice. Most companies mask the first five digits with only the last four digits viewable. Or they may mask the entire SSN. They make the full SSN available only when the staff member clicks on a button to do so...and only if they have been granted the need to know. Additionally, they may also need to authenticate again to reveal the full number.
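The masking and reveal practice just described, written out as an added example (not the client's application or any code from the original post): records display the masked form by default, the full value is returned only on an explicit request from a user who holds a need-to-know role and re-authenticated recently, and every reveal attempt is logged, which is the point of safeguard 3.14 Log Sensitive Data Access. The role names, the five-minute re-authentication window, the in-memory audit log and the sample SSN are all assumptions chosen for illustration.

```python
"""Mask an SSN by default; return the full value only on an explicit,
authorised, recently re-authenticated request; log every attempt.

Added example, not the application described in the post. Roles, the
re-auth window, the audit log and the sample SSN are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

REAUTH_WINDOW = timedelta(minutes=5)            # assumption: re-auth is good this long
REVEAL_ROLES = {"billing_lead", "compliance"}   # assumption: roles with need to know


@dataclass
class Session:
    user: str
    roles: set[str]
    last_reauth: Optional[datetime] = None       # None: never re-authenticated


@dataclass
class AuditLog:
    """Stand-in for the real audit sink (SIEM, append-only table, ...)."""
    entries: list[dict] = field(default_factory=list)

    def record(self, user: str, patient_id: str, outcome: str) -> None:
        self.entries.append({"user": user, "patient": patient_id,
                             "event": "ssn_reveal", "outcome": outcome,
                             "at": datetime.now(timezone.utc).isoformat()})


def _digits(ssn: str) -> str:
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("expected a nine-digit SSN")
    return digits


def mask_ssn(ssn: str) -> str:
    """Default display form: first five digits hidden, last four visible."""
    return f"XXX-XX-{_digits(ssn)[-4:]}"


def reveal_ssn(session: Session, patient_id: str, ssn: str,
               log: AuditLog, now: Optional[datetime] = None) -> str:
    """Return the full SSN only if the caller has a reveal role AND
    re-authenticated within REAUTH_WINDOW; otherwise return the masked
    form. Every call is logged with its outcome, denied or not."""
    now = now or datetime.now(timezone.utc)
    if not session.roles & REVEAL_ROLES:
        log.record(session.user, patient_id, "denied:no_need_to_know")
        return mask_ssn(ssn)
    if session.last_reauth is None or now - session.last_reauth > REAUTH_WINDOW:
        log.record(session.user, patient_id, "denied:reauth_required")
        return mask_ssn(ssn)
    log.record(session.user, patient_id, "revealed")
    d = _digits(ssn)
    return f"{d[:3]}-{d[3:5]}-{d[5:]}"


def demo() -> list[tuple[str, str]]:
    """Run three constructed cases (no need to know, stale re-auth, fresh
    re-auth) and return (what the user saw, audit outcome) for each."""
    log = AuditLog()
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    ssn = "123-45-6789"  # constructed sample, not a real SSN
    cases = [
        Session("alice", {"support"}, last_reauth=t0),
        Session("bob", {"billing_lead"}, last_reauth=t0 - timedelta(minutes=10)),
        Session("bob", {"billing_lead"}, last_reauth=t0 - timedelta(minutes=1)),
    ]
    results = []
    for s in cases:
        shown = reveal_ssn(s, "patient-42", ssn, log, now=t0)
        results.append((shown, log.entries[-1]["outcome"]))
    return results


if __name__ == "__main__":
    for shown, outcome in demo():
        print(f"{shown}  ({outcome})")
```

Note that the denied paths return the masked value rather than raising, so the record view keeps working for support staff; only the audit log distinguishes a routine view from a denied reveal attempt, which is exactly the event a SOC wants to see.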
A tool that can help you understand your data environment and security needs better is a data flow diagram, as the CIS Controls document recommends (safeguard 3.8). A data flow diagram is a visual representation of how data flows into and out of an organization's infrastructure: where it is stored on company systems and at cloud providers, and how it is shared with and received back from service providers.
It's also very important to establish a data lifecycle - Create, Store, Use, Share, Archive, Destroy. It costs money to store and protect data you don't need. It also opens your company up to legal liability. In the event of a data breach and public release of sensitive information, you will have a difficult time explaining why you stored data of a customer who stopped using your service 10 years ago. The company may be in violation of regulations and be liable to fines or lawsuits. I see this a lot with customers. They save data forever as they did not plan for data deletion when they designed their applications and databases. They were focused on getting a functional web application to customers as quickly as possible. They don't know how to redesign their collection and storage of the data.
Fortunately, there are tools available when data management is planned from the onset. Administrators can run scheduled tasks on databases to archive or delete data once it ages past the retention policy. S3 lifecycle rules (not bucket policies, which control access) can transition inactive and old objects to Glacier and then expire them automatically after a specified number of days. Microsoft 365 has retention policies that can be applied to mailboxes and documents. Generally, companies don't take advantage of these tools because they are short-staffed. The employees have little if any time to implement such features as they struggle with their main priority to maintain their services for customers. Companies with dedicated IT security or compliance departments are generally more successful in this area.
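The Archive and Destroy stages of the lifecycle above, and the S3 mechanism just mentioned, as an added example that is not code from the original post. The dict is in the shape boto3's `put_bucket_lifecycle_configuration` takes as its `LifecycleConfiguration` argument; the prefixes, the 90-day archive point, the 7-year limit, and the `check_retention` function are assumptions. Two of the three rules are deliberately wrong in the ways that leave data forever: one has no Expiration, one is disabled.

```python
"""Express a retention policy as an S3 lifecycle configuration and check
that every rule actually deletes data within the policy limit.

Added example, not from the original post. Prefixes, day counts and the
checker are assumptions; the dict shape matches the S3 API.
"""
RETENTION_DAYS = 7 * 365   # assumption: policy allows at most 7 years
ARCHIVE_AFTER_DAYS = 90    # assumption: move to Glacier after 90 days

LIFECYCLE = {
    "Rules": [
        {
            "ID": "archive-then-delete-exports",
            "Filter": {"Prefix": "exports/"},
            "Status": "Enabled",
            "Transitions": [{"Days": ARCHIVE_AFTER_DAYS, "StorageClass": "GLACIER"}],
            "Expiration": {"Days": RETENTION_DAYS},
        },
        {
            # Archives but never deletes: objects live in Glacier forever.
            "ID": "logs-no-expiry",
            "Filter": {"Prefix": "logs/"},
            "Status": "Enabled",
            "Transitions": [{"Days": 30, "StorageClass": "GLACIER"}],
        },
        {
            # Written, then switched off and forgotten; also over the limit.
            "ID": "backups-too-long",
            "Filter": {"Prefix": "backups/"},
            "Status": "Disabled",
            "Expiration": {"Days": 10 * 365},
        },
    ]
}


def check_retention(config: dict, max_days: int) -> list[str]:
    """Return one problem string per issue that stops a rule from enforcing
    deletion within max_days: rule not Enabled, no Expiration (by Days or
    Date), or an Expiration later than max_days. Empty list means clean."""
    problems = []
    for rule in config.get("Rules", []):
        rid = rule.get("ID", "<no ID>")
        if rule.get("Status") != "Enabled":
            problems.append(f"{rid}: rule is not Enabled, so nothing is deleted")
        exp = rule.get("Expiration")
        if not exp or ("Days" not in exp and "Date" not in exp):
            problems.append(f"{rid}: no Expiration, objects are kept forever")
            continue
        if "Days" in exp and exp["Days"] > max_days:
            problems.append(
                f"{rid}: expires after {exp['Days']} days, over the {max_days}-day limit")
    return problems


if __name__ == "__main__":
    for p in check_retention(LIFECYCLE, RETENTION_DAYS):
        print("retention gap:", p)
```

Once the checker comes back empty, the configuration is applied with `boto3.client("s3").put_bucket_lifecycle_configuration(Bucket=bucket_name, LifecycleConfiguration=LIFECYCLE)`. Running the same check against `get_bucket_lifecycle_configuration` output on every bucket is a cheap way to catch the "we archive but never delete" pattern the paragraph above describes.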
- Encryption of data at rest - Most companies I work with are diligent about encrypting their data, or they use tools and services that make encryption the default option. They encrypt drive volumes and databases in AWS and Azure. They encrypt Windows drives with BitLocker, macOS drives with FileVault, and Linux drives with LUKS.
- Encryption of data in transit - Companies use a currently supported version of TLS (1.2 or 1.3) to encrypt data in transit between web applications and end users. They use SFTP/SSH for file transfers. VPNs are established between on-premises locations and cloud services. Laptop users are required to use a VPN client to protect their traffic from interception when using public WiFi networks.
- Data Loss Prevention - Many tools now exist to prevent data exfiltration that were expensive and difficult to implement in the past. Some companies I've worked with have policies and tools in place that monitor and limit the number of files a person may email outside the organization or upload to a cloud service. Some companies even prevent any and all copying and pasting of data from email or Office 365 products to products and systems not managed by the company. DLP tools can prevent copying of files to USB drives. Firewalls can report on the amount of data a particular user is uploading to online storage services.
- Incident response - Most companies have an incident response plan and steps in place to respond to a data breach. Some IT security teams conduct quarterly testing of their response plan so they are prepared when a data breach occurs.
Next month, I'll discuss the Center for Internet Security Control 04 - Secure Configuration of Enterprise Assets and Software.