Long gone are the days of the physical perimeter, where a company’s IT infrastructure was entirely on-site. Today’s increasingly decentralized enterprises depend on a workforce that operates both at home and on mobile devices, working together with the help of cloud-based services. Yet the death of the traditional perimeter does not mean the end of security architecture. Instead, we need to recognize that it is all about trust.
As little as a decade ago, most organizations assumed that their security protection was robust, and few had deployed security operations centers or other cyber monitoring solutions. The concept of “zero trust” was a useful spur to action: work on the assumption that any of your resources might be compromised and put monitoring solutions in place so that you can take remedial action if you find something is amiss.
But when designing underlying cyber protections, too many architects are taking zero trust to be the primary objective. This is a misinterpretation. In the first instance, we should look to protect our resources from attack. What zero trust reminds us is that we are fallible and that we should put in place backup plans in the form of monitoring and incident response for the (hopefully rare) cases where our protection plans fail.
Zero Trust at the Endpoint
Where we see this misinterpretation most frequently is in the context of the user endpoint, where many enterprises are making plans that can be summarized as “Don’t worry about the endpoint: We’ll just assume zero trust.” There are cases where this is a reasonable decision, made in the full understanding of the risk. But in too many cases, the risks are poorly understood.
In many ways, this is a legacy of decades of remote access solutions built around the traditional security perimeter. In the threat environment of years past, the critical risk for remote access was that an unauthorized individual would seek to connect to the remote access portal. The critical controls were passwords and two-factor authentication. But in the future threat landscape, this risk is joined by another: a legitimate user connects but the machine they are using to do so is not fully under their control.
This is not hypothetical. It is a risk that has played out in the real world, albeit in a different context — Internet banking. Here is a real-world case study where high-value systems are accessed from endpoints that have few, if any, controls, and which must indeed be treated as zero trust.
Man-in-the-Browser: A Cautionary Tale
In the early days of Internet banking, the risk was unauthorized access, and banks developed varying levels of protection ranging from passwords, of which only some characters are used for each logon, to two-factor authentication. But the more sophisticated attackers then turned to a far more pernicious mode of attack: man-in-the-browser.
With a man-in-the-browser attack, a user connects using his or her valid authentication methods. But the web browser has been compromised, and what the user subsequently sees is not what the website says, but rather what the attacker displays. What the website sees is not the user’s input, but the attacker’s input.
Even two-factor authentication (2FA) techniques can be subverted in a man-in-the-browser attack. We have seen real-world instances where users have entered their 2FA details to approve a valid transfer, but what is actually approved instead is a malicious transfer set up by the attacker.
Furthermore, 2FA works best when used sparingly. If 2FA is used too frequently, two things happen. First, users get frustrated and efficiency suffers. And second, users become too accustomed to entering their 2FA details and are more easily convinced to enter them by an attacker (such as the man-in-the-browser) — making it easier for an attacker to bypass the control.
Benefits & Risks
Clearly, banks have decided to persist with Internet banking despite these risks; the business benefits are worth the risk. But despite heavy investments in cyber and fraud monitoring, there are significant losses suffered every year. The calculus is that (given transfer limits) any individual loss will be manageable and that the aggregate costs can be passed on to customers.
In other contexts, however, that calculus may be different. Individual cyber incidents that affect an enterprise’s core systems may have far higher impact than the loss of funds from any single bank account. In these cases, man-in-the-browser (or equivalent attacks) could be catastrophic — anything that the valid user can do, the attacker can, too.
Where this is the case, we must see zero trust as a backup in case of failure rather than the primary plan. In today’s enterprise architecture, user endpoints are probably the hardest elements to secure. But regardless of how frustrating it may be, where security really matters, the enterprise is only ever as secure as the endpoints it allows to access its sensitive core systems.
The General Data Protection Regulation (GDPR) has been in effect since May 2018, and companies that have done their due diligence to comply with the regulation may feel confident they have their bases covered. However, GDPR compliance rules are not as simple as they might seem at first glance, and there are special use cases that every company should consider. If compliance officers rush through checking the boxes and do not carefully assess the scope of GDPR, and how it relates to the company’s data collection practices, they most certainly will have holes in their compliance plan.
Here are three examples of frequently overlooked compliance issues that could put companies at risk.
1. It’s not just about consumer data
GDPR was designed to create more protections for consumers whose data is collected by different companies. But the scope of the regulation is much more expansive and can be applied in ways many companies didn’t account for in their initial compliance plans. In addition to consumer personal data, companies are also required to handle the personal data of employees, job applicants and non-customers (e.g., people who fill out a form but don’t purchase) with a new standard of care.
The regulation mandates that all data processing activities have a legal justification, so the best practice is to collect only the data that is necessary for essential data processing activities for consumers, job applicants, and everyone in between. Companies should evaluate their data processing practices with the goal of data minimization in order to stay compliant with GDPR.
Recommendation: Don’t just review data capture practices; review data retention practices for all data. Make sure you’re properly disposing of old resumes, employee personal data, and any other records whose usefulness has expired.
2. Policy vs. Reality
Any company that aims to process personal data must establish policies governing how data is collected, stored, and processed to stay compliant with GDPR. While good data governance is the cornerstone to GDPR compliance, simply having policies in place is not sufficient for compliance. Companies must go a step further to ensure that employees fulfill the obligations of data processing defined under GDPR. Functionally, this means companies are obligated to make sure that what people do on a day-to-day basis aligns with the GDPR policies. And if the behavior of employees doesn’t meet a company’s standards, then corrective action must be taken.
Often, breach of policy is unintentional — for example, if a customer support agent is on a call with a customer and saves personal information about the customer in a system where it does not belong. Or if an enterprising employee experiments with new software or establishes free software-as-a-service accounts and forgets to report them to the compliance officer at the company. While these scenarios may seem like little issues, they expose companies to big risk because both examples are GDPR violations.
Recommendation: To mitigate risk, we recommend running frequent “mini” audits. Our security and compliance team has learned firsthand that compliance is easiest to incorporate into daily workflow when audits are part of workflows. While most companies run quarterly audits at best, annual audits at worst, mini audits that are time-boxed will signal to your company that compliance isn’t a quarterly event but, rather, a continuous practice. Better yet, automate the audit process with tools so when policy and reality drift apart, the deviation is spotted right away.
3. Edge Cases
The data that encapsulates “personal information” under GDPR isn’t always as straightforward as basic demographic information. For example, job title is an unexpected category of personal information. Around 99.9% of the time, job title is not considered personal information that is protected under GDPR, but it certainly can be depending upon the situation. For example, consider this job title: Chancellor of Germany. There is only one person in the world today that holds this position, meaning the identity of the individual can be revealed by this particular detail. So, in this case, job title must be considered personal information under GDPR, and is therefore a protected class of data. The catch is if one job title counts as personal information, then all job titles must be considered as potential personal information and treated as such.
Recommendation: As part of your regular data audits, allocate some time to look at the information you collect that you don’t mark as personal information. Just using the “non-personal” information, can a clever person deduce if a data point belongs to a specific person? If so, then you might want to rethink what’s personal information and what is not.
Complying with GDPR is more involved and extensive than it initially appears, but it is not an impossible standard. The best advice is to assume that you don’t need any data versus the opposite, that you do. In this way — in the spirit of GDPR — companies will inevitably provide the highest-caliber personal data protection for their users and ensure accountability for personal data processing throughout the organization.
Jason Wang is the founder and CEO of TrueVault, a data security company that is transforming how companies handle personal data. Businesses use personal data to shape customer experience, but security risks mount as more sensitive data is collected. TrueVault tackles this … View Full Bio