The way we protect the enterprise from malicious cyber-attacks has changed. As IT security teams have implemented new and improved ways to keep hackers out of critical infrastructure and applications, the bad guys have turned their attention to a new, preferred method of entry: users.
People are far easier to crack than a 512-bit hash. End users across the enterprise are being targeted because they are the new "weak link" in the chain. So now, more than ever, organisations that want to protect against human-focused attacks must put identity governance at the centre of their security strategy. Governing access to the enterprise's sensitive data is imperative, no matter where it resides. Identity governance is a much larger and more complex problem than just giving employees access to apps, systems and data. It is about managing and governing all digital identities that have access to sensitive data, and ensuring that every location where sensitive information is stored is part of the identity governance programme, whether that information resides in applications, systems or file storage systems.
What we know about data breaches is frankly scary. From the moment a hacker gains entry, the average time to detect a breach is about 200-220 days. Think about that for a moment: that's like having a creepy guy hiding in your basement for 200 days, snooping round the house while you are at work. Worse still, according to an experiment conducted by the US Federal Trade Commission, once a hacker has infiltrated the system it only takes about 20 minutes for the stolen data to appear on the dark web. So, by the time a breach is discovered, the data is usually already lost, along with money, time and reputation, and the organisation is left scurrying to shore up its defences in time for the next attack.
With the General Data Protection Regulation (GDPR) – as well as country-specific regulations over personally identifiable information – coming into force, the stakes are even higher. Enterprises now face hefty fines in the event of a breach, as well as strict guidelines on the time they have to notify those affected once a breach is discovered.
The best way to address the problem is to secure the weakest link within the organisation: people and their digital identities. Hackers target identities as a means to get legitimate user credentials to infiltrate the enterprise, attracting as little notice as possible. Couple this with the proliferation of sensitive data stored in files that are increasingly outside of IT's visibility, and identity governance is more critical than ever.
The enterprise data problem
As data shifts from being stored in structured applications and databases to various types of files that can be stored in a wide variety of locations, I've yet to meet a CIO or CISO who doesn't recognise that securing sensitive data stored in files is a growing problem for their organisation. Still, many have yet to address this 'elephant' in the proverbial security room, either because they haven't had time to prioritise it or because they don't know where to begin. Often, it's a combination of both.
Broadly speaking, this unstructured data is commonly found in a variety of formats, such as Word documents, Excel spreadsheets or PowerPoint presentations, and is usually extracted from the very databases and applications that an organisation is trying to secure. Files like these often contain sensitive and privileged information, such as the personal data of employees or customers, including their addresses, dates of birth and social security numbers. Once extracted, these files are easy to copy and share, but it is difficult to control who has access to them and to ensure the data is being used correctly. And the problem is escalating quickly, as organisations create more data and store it in files every day. In fact, by 2022, 93 per cent of all data is expected to be stored in files.
GDPR has done a lot to raise visibility around uncovering and protecting sensitive personal data stored in files, including the issue of properly governing access to that data. Even two years ago, companies outside of the European Union didn't really believe GDPR was going to affect them. Today, the world has woken up to the fact that every organisation that works with European customers or business partners is affected by GDPR, which means most global organisations can and will be held accountable. And if these organisations are being asked to ensure the safety of EU citizens' private information, they must know where that data lives and who has access to it at all times – including all of the data that sits in files and folders, often outside of IT's purview. Unlike previous regulations, GDPR has real teeth. Any direct financial losses resulting from lost or stolen sensitive data will be compounded by hefty fines of up to 4% of a business's global annual turnover.
Fortunately, recent surveys suggest business leaders are increasingly prioritising identity governance strategies to help adhere to incoming regulations. For instance, 65 per cent of delegates polled at this year's Gartner IAM Summit in London agreed that governing access to data stored in files was a priority for them as part of their overall identity governance strategies. This represents a marked increase on last year's response, confirming that governing access to data stored in files is an increasingly important and growing trend amongst UK business leaders.
As we approach 25 May, the deadline for GDPR compliance looms and the rush not only to find sensitive data but to properly govern access to it intensifies. The most effective way to do this is through a comprehensive identity governance programme that enables organisations to discover where sensitive data resides, establish access controls over it, and provide real-time visibility into how that access is being used across on-premises and cloud storage systems. Only by putting identity governance at the centre of your organisation's IT security strategy can you address the ever-growing threats and compliance concerns.
Paul Trulove is Chief Product Officer at SailPoint