Seemingly every week, a new report comes out revealing how little companies actually know about where their data is going.
This mainly comes down to a massive underestimation of the number of cloud services or third-party resources that employees are connecting to. These include consumer cloud apps, where employees may be copying work data so that they can access it from home.
It could be an employee placing data on an unsecured personal USB drive, or emailing it from their work email to a personal email.
What can companies do? The debate over the best way to keep control of the data is far from settled.
On one side of the debating hall are the data protection companies. Through a variety of methods, these companies seek to apply protections to the data itself, wherever it is or wherever it is trying to go.
For example, Gemalto advocates applying encryption to the data.
“Businesses are slowly coming to the realisation that hackers increasingly have the ability to breach company perimeters and more advanced security controls need to be implemented.
“Encryption adds that extra necessary layer, by focusing on protecting the most important aspect, which is the data.”
Other companies, such as Clearswift, advocate applying adaptive threat redaction, which automatically seeks out and blocks sensitive information at whichever point it is exiting the corporate network.
On the other side are companies such as CensorNet, which advocates a very different approach focused on securing authentication.
CensorNet CEO Ed Macnair has what may be considered a controversial view on the use of encryption.
“The encryption approach has its validity,” says Macnair, but he adds that it is not part of CensorNet’s approach.
“It’s all well and good encrypting that data – but why are you encrypting it? Is it because it’s going to get lost or stolen?”
He says that the providers which handle the data businesses are afraid of losing, such as Salesforce, already spend a “fortune” on security.
“Is any company going to be able to do a better job?” he says.
CensorNet has more than 4000 organisations and over 1.3 million users worldwide as customers. Its product provides visibility and control over web and cloud access.
“We go a step further. We make sure that only the right people can access the data they are supposed to.”
“What you’ve got to do is make sure that the access to the data is safeguarded,” says Macnair.
“Security is all about a layered approach. Encryption has its place. But it’s not a silver bullet.”
Macnair cites recent data breaches involving the use of valid credentials as evidence for this. He says that these hacks do not normally come from an attacker breaking in from outside the organisation, but typically from misused credentials: essentially a username and password that are being used inappropriately or have been lost or stolen.
“Even if data is encrypted, if someone has access to this data in an uncontrolled way, there will still be a problem.”
He says that the vast majority of breaches are caused by this scenario.
“The most important thing is monitoring access and understanding who’s accessed what and what they’re doing with it,” says Macnair.
He says that this involves a role-focused approach, looking at whether the resources being accessed by an employee relate to their role.
Moving towards this authentication approach means fundamentally re-examining the permissions structures within organisations.
Macnair says that many organisations have very flat permissions structures, simply divided into administrators or users.
“This doesn’t give you the ability to differentiate levels of access. Role-based access control is very important,” says Macnair. He says that companies should move to delegated administrative controls.
In the end, who accesses what is down to the individual organisation. For example, they might say they don’t want anybody on the sales team to be able to export the customer list.
“Then we give them the ability to implement the policy, and either alert on it or block it,” says Macnair.
As for sharing between organisations, Macnair says that the solution once again comes down to classifications. Is information company or commercially confidential?
Once that is decided, companies can determine whether the information may leave the organisation and who it may go to.
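The two ideas above, a role-based permission model that can express "sales may read the customer list but not export it" and a classification that decides whether data may leave the organisation and to whom, can be combined in a single policy check that also records who accessed what. The following is an added illustration, not CensorNet's or any vendor's code; the roles, resources, classifications, destinations and the partner name `acme` are all constructed for the example, and the alert-or-block outcomes are the ones the article describes.

```python
"""Role-based access policy with classification-aware export rules (constructed example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Tuple


class Decision(Enum):
    ALLOW = "allow"
    ALERT = "alert"   # permitted, but flagged for the security team to review
    BLOCK = "block"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    resource: str
    action: str                    # "read" or "export"
    destination: str = "internal"  # "internal", "partner:<org>", "personal_email", ...


# Constructed role -> permitted (resource, action) pairs. A flat admin/user split
# cannot express "sales may read the customer list but must not export it".
ROLE_PERMISSIONS: Dict[str, FrozenSet[Tuple[str, str]]] = {
    "sales": frozenset({("customer_list", "read"), ("price_sheet", "read")}),
    "sales_manager": frozenset({("customer_list", "read"), ("customer_list", "export"),
                                ("price_sheet", "read")}),
    "admin": frozenset({("customer_list", "read"), ("customer_list", "export"),
                        ("price_sheet", "read"), ("price_sheet", "export")}),
}

# Constructed classification of each resource.
CLASSIFICATION: Dict[str, str] = {
    "customer_list": "commercially_confidential",
    "price_sheet": "company_confidential",
}

# Constructed export policy per classification: which destinations are allowed,
# which are allowed but alerted on; anything not listed is blocked (default deny).
EXPORT_POLICY: Dict[str, Dict[str, Decision]] = {
    "company_confidential": {"internal": Decision.ALLOW, "partner:*": Decision.ALERT},
    "commercially_confidential": {"internal": Decision.ALLOW, "partner:acme": Decision.ALERT},
}


def _export_decision(classification: str, destination: str) -> Decision:
    """Look up an exact destination, then a wildcard for its kind, else block."""
    rules = EXPORT_POLICY.get(classification, {})
    if destination in rules:
        return rules[destination]
    kind_wildcard = destination.split(":", 1)[0] + ":*"
    if kind_wildcard in rules:
        return rules[kind_wildcard]
    return Decision.BLOCK


def evaluate(req: AccessRequest, audit: List[dict]) -> Decision:
    """Decide a request and append an audit record of who accessed what and the outcome."""
    allowed = ROLE_PERMISSIONS.get(req.role, frozenset())
    if (req.resource, req.action) not in allowed:
        decision = Decision.BLOCK
        reason = f"role {req.role!r} has no {req.action!r} on {req.resource!r}"
    elif req.action == "export":
        # Unknown resources are treated as the most restrictive classification.
        classification = CLASSIFICATION.get(req.resource, "commercially_confidential")
        decision = _export_decision(classification, req.destination)
        reason = f"{classification} export to {req.destination}"
    else:
        decision = Decision.ALLOW
        reason = "read permitted by role"
    audit.append({"user": req.user, "role": req.role, "resource": req.resource,
                  "action": req.action, "destination": req.destination,
                  "decision": decision.value, "reason": reason})
    return decision


def accesses_by_user(audit: List[dict]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Summarise the audit trail as user -> [(resource, action, decision), ...]."""
    summary: Dict[str, List[Tuple[str, str, str]]] = {}
    for rec in audit:
        summary.setdefault(rec["user"], []).append((rec["resource"], rec["action"], rec["decision"]))
    return summary


if __name__ == "__main__":
    trail: List[dict] = []
    for r in [AccessRequest("alice", "sales", "customer_list", "read"),
              AccessRequest("alice", "sales", "customer_list", "export", "personal_email"),
              AccessRequest("bob", "sales_manager", "customer_list", "export", "partner:acme"),
              AccessRequest("carol", "admin", "price_sheet", "export", "personal_email")]:
        print(r.user, r.action, r.resource, "->", evaluate(r, trail).value)
    for rec in trail:
        print(rec)
```

The role check runs first, so a salesperson attempting an export is blocked before classification is even consulted; the classification rules then decide, for roles that may export at all, whether a given destination is allowed, alerted on or blocked. Every request, allowed or not, lands in the audit list, which is what makes the "who accessed what" monitoring the article calls for possible.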
As with all debates in cyber security, the answer to data protection versus authentication control may end up being that both sides are right to some extent. But we can expect to see it being fiercely debated for some time.