In the third article in our five-part series on the Zero Trust Organization, “What Makes PAM So Important in Zero Trust Organizations,” we discussed the importance of monitoring, auditing, and controlling privileged accounts with access to critical data and processes. That article explained why these accounts – which have been used by criminals and saboteurs to do great harm to both businesses and governments – must always be connected to trusted identities. A Zero Trust environment is built on a never-trust/always-verify approach to all entities and transactions in the enterprise, which is why protections must be applied at four levels: user, application, data, and network. In this article, we will explain the critical role of securing enterprise data and the applications in which much of it resides.
Applications and data are the lifeblood of today’s digital enterprise. However, as the ineffectiveness of traditional perimeter-based security has become manifest, both are more vulnerable than ever before.
Although applications and their data seemingly go hand-in-hand, protecting an application does not automatically protect its data. In addition, there is another class of data to consider: unstructured data in files and folders, both on-premises and in the cloud. In most organizations, this equally valuable and vulnerable data is not sufficiently governed, and is thus left unprotected from external and internal threats.
The connections and interdependencies within the modern digital enterprise have created gaps in cybersecurity that make it easier for intruders to find their way into networks by exploiting vulnerabilities at the application and data layer. Zero Trust security requires that every asset be protected as if it were a standalone entity, and this necessitates paying equal attention to both the application and its data. Effective cybersecurity today requires putting adequate protections in place at both levels.
Understanding Security at the Application Layer
Applications are business-critical tools of the modern enterprise. They are the foundation of user productivity and business insight. Today, applications can be hosted on-premises or delivered to the user as a service from the cloud. They can run on servers and database platforms or on laptops and mobile devices.
Front-end applications are one entry point for attackers to breach back-end databases. The massive Equifax data breach, which exposed the personally identifiable information (PII) of about 143 million Americans by the company's initial count (later revised to roughly 147 million), was traced back to an unpatched web application framework, Apache Struts, used internally to build web applications. Once the attackers exploited that framework's vulnerability to enter Equifax's servers, they moved on to the wider Equifax network and the most sensitive customer data the credit giant possessed.
That’s why standard security practices must be applied to all enterprise applications, whether or not the application itself contains particularly sensitive or valuable data.
Companies can strengthen application security by applying protections at two distinct application levels: the application platform and application software.
1. Securing Application Platforms and Devices
The following measures must be applied to secure the platform used to host and access the application, regardless of the business-criticality of the application.
- Servers: Application and database hosts must be hardened by closing unnecessary ports, disabling unused services, and filtering what remains at the host firewall, so that only the listeners the application actually needs are reachable from the network.
- Databases: The application's data repositories must be protected with adequate monitoring and auditing of privileged access, since a database administrator account bypasses every control the application itself enforces.
- Devices: Incorporating device identity (for example, a certificate bound to a managed device) into application access control means that a valid user credential presented from an unknown or unmanaged device is not enough to reach the application, which shrinks the attack surface that new device types create.
- Patching: Companies must be diligent about monitoring software security bulletins and applying patches regularly and in a timely manner. (The Apache Struts patch that would have closed Equifax's web application vulnerability was available for two months prior to the company's breach.)
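As an added illustration of the platform-level checks above (example code written for this article, not the original article's or any vendor's tooling), the following Python script audits a host snapshot against a role baseline: listeners bound to non-loopback addresses that the role does not allow, enabled services outside the allowlist, and pending updates whose fix has been available for longer than the patch SLA. The `ss` output, service list, package names, dates and baseline are all constructed for the example; on a real host they would come from `ss -H -lntu`, `systemctl list-unit-files --state=enabled`, and the package manager's update feed.

```python
"""Audit a host's exposed listeners, enabled services and patch lag against a
role baseline. Added example with constructed host data; not the article's code."""
import ipaddress
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Constructed `ss -H -lntu` output for a hypothetical web/database host.
SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511        127.0.0.1:5432     0.0.0.0:*
tcp   LISTEN 0      4096            [::]:443          [::]:*
tcp   LISTEN 0      128          0.0.0.0:631       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:5353      0.0.0.0:*
"""
# Constructed list of enabled systemd units on the same host.
ENABLED_SERVICES = ["sshd", "nginx", "postgresql", "cups", "avahi-daemon"]
# Constructed pending updates: (package, date the vendor published the fix).
PENDING_UPDATES = [("example-webfw", date(2024, 3, 1)),
                   ("example-libz", date(2024, 5, 20))]

# Hypothetical baseline for the "web-db" role: what may listen on a
# non-loopback address, which services may be enabled, and the patch SLA.
BASELINE = {
    "ports": {("tcp", 22), ("tcp", 443)},
    "services": {"sshd", "nginx", "postgresql"},
    "patch_sla_days": 30,
}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int

    def is_loopback(self) -> bool:
        try:
            return ipaddress.ip_address(self.addr).is_loopback
        except ValueError:
            return False


def parse_ss(output: str) -> List[Listener]:
    """Parse the Netid and Local Address:Port columns of `ss -H -lntu`."""
    listeners = []
    for line in output.splitlines():
        cols = line.split()
        if len(cols) < 5:
            continue
        addr, port = cols[4].rsplit(":", 1)
        addr = addr.strip("[]")          # IPv6 addresses are bracketed
        if addr in ("*", ""):            # some ss versions print "*" for any-address
            addr = "0.0.0.0"
        listeners.append(Listener(cols[0], addr, int(port)))
    return listeners


def audit(ss_output: str, services: List[str], pending, baseline: dict,
          today: date) -> Dict[str, List[str]]:
    """Return deviations from the baseline, grouped by kind."""
    findings = {"exposed_ports": [], "services": [], "patches": []}
    for lst in parse_ss(ss_output):
        if lst.is_loopback():
            continue                     # reachable only from the host itself
        if (lst.proto, lst.port) not in baseline["ports"]:
            findings["exposed_ports"].append(f"{lst.proto}/{lst.port} on {lst.addr}")
    for svc in services:
        if svc not in baseline["services"]:
            findings["services"].append(svc)
    for pkg, published in pending:
        lag = (today - published).days
        if lag > baseline["patch_sla_days"]:
            findings["patches"].append(f"{pkg}: fix available for {lag} days")
    return findings


if __name__ == "__main__":
    report = audit(SS_OUTPUT, ENABLED_SERVICES, PENDING_UPDATES, BASELINE, date(2024, 6, 1))
    for kind, items in report.items():
        print(kind, items or "ok")
```

Loopback-bound listeners are skipped deliberately: the PostgreSQL socket on 127.0.0.1 is only reachable by processes on the host, so it is a question for the database controls above rather than for port hardening. Everything else that is not in the role's allowlist is reported, whichever interface it is bound to.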
2. Securing Application Software
Security measures on an application's underlying software should be applied in proportion to the application's business value and the sensitivity of the data it handles. These include:
- Software Assurance: Understand and implement best practices in software assurance, defined by the U.S. Committee on National Security Systems as a “level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its lifecycle and that the software functions in the intended manner.”
- Threat Modeling: Use threat modeling in the design and testing phases to identify vulnerabilities and define countermeasures to prevent or mitigate risks.
- Vulnerability Assessment: Conduct regular vulnerability assessments to define, identify, classify, and prioritize application vulnerabilities.
The Devil Is In the Data: Locking Down Unstructured Assets
Applying these security practices at the application level, however, does not necessarily protect all or even most of the data within an enterprise. One of the biggest issues for the enterprise is unstructured data, data in files and folders both on-premises and in the cloud, which Gartner has estimated could comprise some 80% of all enterprise data. Some of this data can be sensitive, contain PII, and be business-critical. Unstructured data may reside in a Word document or PDF file, within a spreadsheet, an email attachment, or even within a document embedded inside another.
Just as worrying is the accumulation of so-called dark data. As storage costs have plummeted, many companies elect to keep much more data than they actually use and their visibility into these dormant assets – parked in abandoned applications, documents, instant messages, or archived web content – is extremely limited.
Unfortunately, most unstructured and dark data is not adequately protected. Gartner has predicted that, through 2021, more than 80% of organizations will fail to develop a consolidated data security policy. This leaves most enterprises with a black box of at-risk data that is difficult to manage and protect. Even those organizations that try to map all the files that contain sensitive data to prioritize securing them may fail to locate and secure access to all of it.
Fortunately, there are other ways to address these data layer vulnerabilities. A Zero Trust Organization can take a number of actions to defend its data assets, including:
- Deploying tools for visibility into sensitive data and permissions in files and folders. This allows companies to clean up and prioritize files and folders, and their metadata, by business importance and risk.
- Cleaning up the data layer. Once companies gain this greater visibility, sensitive and valuable data can be more readily identified, and dark or outdated data can be removed. Deleting data reduces vulnerabilities and the costs associated with storing it. In fact, some data should not be stored after a certain period of time. The European General Data Protection Regulation (GDPR), which went into effect in May 2018, states personal data “shall be kept for no longer than is necessary for the purposes for which it is being processed.”
- Applying identity governance to all sources of data throughout the enterprise. All folders, and the permissions to access them, should be located, catalogued, and tied to an accountable, authenticated identity. If the data has no owner, then no one should hold permission to access it until an owner is assigned. Once a file has an owner, that owner, rather than an orphaned permission, decides who else may access it, and each grant can be reviewed and recertified.
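The three actions above (visibility, clean-up, and identity governance) are usually delivered by a data governance product, but the core logic is simple enough to show in a few dozen lines. The following Python script is an added example written for this article, not the article's own code or any vendor's product: it walks a directory tree, flags files whose content matches sensitive-data patterns, records whether each file is readable by everyone on the host, checks the file against an ownership catalogue, and marks files older than a retention period for deletion review. The sample files, their fake records, the detection patterns, the 365-day retention period and the owner catalogue are all constructed for the example.

```python
"""Inventory unstructured files for sensitive content, exposure, ownership and
age. Added example with constructed sample data; not the article's own code."""
import os
import re
import stat
import tempfile
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical detection patterns; a real deployment tunes these per data type.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}
RETENTION_DAYS = 365  # assumed retention period for this example
# Constructed ownership catalogue: relative path -> accountable identity.
SAMPLE_OWNERS = {"hr/payroll_2019.csv": "hr-director",
                 "legal/contract.txt": "general-counsel",
                 "eng/readme.txt": "eng-lead"}

def luhn_ok(number: str) -> bool:
    """Luhn check so a random 16-digit order number is not reported as a card."""
    total = 0
    for i, d in enumerate(int(c) for c in reversed(number) if c.isdigit()):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

@dataclass
class Finding:
    path: str
    sensitive: List[str]
    owner: Optional[str]
    world_readable: bool
    stale: bool
    actions: List[str] = field(default_factory=list)

def classify(text: str) -> List[str]:
    kinds = []
    for kind, pat in PATTERNS.items():
        hits = pat.findall(text)
        if kind == "card":
            hits = [h for h in hits if luhn_ok(h)]
        if hits:
            kinds.append(kind)
    return kinds

def scan_file(path: str, rel: str, owners: Dict[str, str], now: float) -> Finding:
    st = os.stat(path)
    with open(path, "r", errors="ignore") as fh:
        sensitive = classify(fh.read(1 << 20))  # cap the read at 1 MiB
    f = Finding(rel, sensitive, owners.get(rel),
                bool(st.st_mode & stat.S_IROTH),
                (now - st.st_mtime) > RETENTION_DAYS * 86400)
    # Turn the observations into the governance actions the article describes.
    if f.sensitive and f.world_readable:
        f.actions.append("remove world-read: sensitive content")
    if f.owner is None:
        f.actions.append("revoke all access until an owner is assigned")
    if f.stale:
        f.actions.append("review for deletion: older than retention period")
    return f

def scan_tree(root: str, owners: Dict[str, str],
              now: Optional[float] = None) -> Dict[str, Finding]:
    now = time.time() if now is None else now
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            results[rel] = scan_file(path, rel, owners, now)
    return results

def build_sample_tree() -> str:
    """Write constructed sample files (fake records) with chosen modes and ages."""
    root = tempfile.mkdtemp(prefix="zt-data-")
    files = {  # rel path: (content, mode, age in days)
        "hr/payroll_2019.csv": ("name,ssn\nAda Example,123-45-6789\n", 0o644, 800),
        "legal/contract.txt": ("Countersigned by bob@example.com\n", 0o640, 30),
        "shared/old_export.txt": ("card 4111 1111 1111 1111 on file\n", 0o666, 900),
        "eng/readme.txt": ("Build notes, nothing sensitive here.\n", 0o640, 10),
    }
    for rel, (content, mode, age_days) in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)
        mtime = time.time() - age_days * 86400
        os.utime(path, (mtime, mtime))
    return root

if __name__ == "__main__":
    for rel, f in sorted(scan_tree(build_sample_tree(), SAMPLE_OWNERS).items()):
        print(f"{rel}: sensitive={f.sensitive} owner={f.owner} actions={f.actions}")
```

The ownerless export in `shared/` is the case the last bullet is about: the script does not care how sensitive it looks, it recommends revoking access until someone is accountable for it. The Luhn check on card-like numbers is there because pattern-only scanners drown reviewers in false positives, and a clean-up programme that nobody trusts is never finished.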
Zero Trust Organizations will recognize that securing applications and securing data, particularly unstructured data, are distinct and equally vital aspects of cybersecurity. Solutions are readily available, and organizations that invest in these protections will reap rich dividends in improved security.
In our next article, we discuss how the Zero Trust Organization secures the network itself, both on-premises and in the cloud.