Data security: Stop chasing the rats, and protect the cheese

Vormetric CSO Sol Cates says legacy perimeter security was never designed to protect what attackers really want: your sensitive information. The data-centric approach can mitigate the threat of rogue insiders and malicious outsiders by putting layers of protection around the data themselves.

Of 700 IT security decision-makers surveyed, only 27 percent indicated that their enterprises block privileged user access to sensitive data. This is a major finding of the 2013 Insider Threat Report, which data security firm Vormetric conducted in partnership with Enterprise Strategy Group.

To learn more about the survey and the data-centric view of IT security, We had a conversation with Vormetric CSO Sol Cates. One interesting facet of his resume: Sol worked in the government intelligence community for 10 years, living in the DC area.

Mr. Cates stressed again and again the threat of the “insider” in moving from perimeter-based security to a data-centric posture. Toward the end of my conversation he said:

From our perspective we've seen many different threats to data, many different factors to it. I think the one that is being skipped over and over again is the insider, because it usually comes down to a question of trust. But it's not so much trust of the individual, but trust of the architecture that you have built. Do you trust how your users interact with your data, how they manage the data, and can those become compromised and used against you?

Key takeaways:

• Cates’ metaphor: perimeter defenses only keep “rats” on the outside. Your data is the “cheese”
• Insiders going rogue: who is watching the watchers?
• Legacy perimeter defenses: the data cannot protect itself
• Data-centric security: layers of protection closer to the data
• You need to think about the concept of privileged access—this is what malicious attackers are after
• Three phases to data security: discovering data, finding it, and protecting it
• Majority of spend is still going to the perimeter layer
• Security posture: which individuals actually need to see the data?
• DBAs do not need to see sensitive information to do their job
• Limiting information access inside your enterprise reduces your attack surface

We : Could you provide an introduction to Vormetric?

Sol Cates: The company has been around for about 12 years. The technology we originally designed was really for encrypting data at rest, and we went out to the marketplace. We got some feedback from some larger organizations both in the government and in the financial service sector. They said, encryption is great but that’s not really the risk that I am worried about. They asked, could you find a way to stop privileged users inside my infrastructure from actually seeing my information? Such as my system administrators, DBAs, storage admins and so forth. Could you find a way to actually prevent them from seeing my information but still let them do their job?

So that’s what we then set out to design—a technology that allows us to blind the infrastructure from information, whether it’s PCI data, healthcare data, an Excel spreadsheet, it doesn’t really matter. If it's your policy, you should say who should see this information and under what conditions—what applications, what business processes, what business users? What need to they have to see that information? So it's really a data-centric approach to protecting the data and making sure of appropriate usage, including the removal of privileged users, to determine who actually sees that information within the infrastructure. 

To wind that back to the Insider Threat survey that we just recently released. The privileged users are really a piece of that. So there are really two parts to the insider threats and risk that people can see. One is the intended user doing something bad. So this could somebody interacting with the information maliciously, or accidentally, such as a call center operator or somebody who's got access to detailed or sensitive information. And that's one part of the risk, but usually it's pretty heavily looked at. So auditing, application layer, and so on—people feel pretty good at putting some margin of control around that.

But the other part of this discussion is: who is watching the watchers? Which users actually set up all those controls and actually govern the environment? Not only can admins and DBAs go rogue, as we saw with Edward Snowden, but also they are a big target. How do I get information without setting off a lot of alarms? I would go to the privileged user who set it up and has access inside all of the platforms.

One of the things we saw with the survey is that there are two parts to the entire threat. One is the end user or non-technical employee doing something nefarious. Or it could be your contractors, privileged users, or administrators—whether they go rogue or become compromised.

We :Pretend that I am a CSO, and I come to you and I say hey—I read the press release about your Insider Threat Report. What do I need to know about data-centric security strategies?

Sol Cates: The old way of protecting data was putting more firewalls and perimeter defenses around the data. The problem is the data cannot protect itself, and those tools were never designed to protect the data. The firewall will not stop data from leaving the environment if it is allowed to do so through whatever protocol that permits it. So all of these types of perimeter defenses were never designed to protect the data. The data has no mechanism for protecting itself.

So the data-centric approach is where you start to put that layer of the perimeter closer and closer to the data itself. Inside your applications, inside your databases, inside your network shares, wherever data reside inside your environment. You've got to put the layers closer to the data itself. It's like taking the M&M model that we've been using for so many years—it's crunchy on the outside and chewy on the inside. Put the crunchy part around the data and layers on top of that to make it a proper chocolate model.

We : M&Ms, OK! (laughs)

Sol Cates: The data is the target, so you need to put layers closer to the data. You not only limit use of data to appropriate users but also prevent malicious use of data, by preventing the privileged users from seeing the information. People who are cloud providers—you are leveraging their infrastructure, their infrastructure management. How can you prevent them from seeing your information yet still consume those infrastructure services and benefit from what they have to offer?

At the end of the day, the data-centric model is really about putting layers of controls closer to the data, not relying solely on protection at the perimeter layer.

We : Let's say I am still that CSO—we are still relying on perimeter-based approaches, and why is that not enough these days?

Sol Cates: What's interesting, a little over 54 or 56 percent of what is spent, if I remember correctly, is going to perimeter defenses. They were never designed to protect the data, only the network and the assets. So from a design perspective, they were really there for making sure appropriate connections and appropriate protocols worked in exchange between different sites and users. 

Never were they designed to protect the data itself. So I think from a spend perspective people are starting to shift a little bit towards data security, which is good. But there is going to be a shift for a while. If you had to go out and protect sensitive information for your organization, would you just put more firewalls around the information, or would you find ways to actually protect the data itself? We are so used to the perimeter approach, and I think it is starting to shift.

We : Based on the survey and your experience, how far are companies into that process? What are your respondents saying about the shift to a data-centric approach?

Sol Cates: There is still a lot of spend going towards the perimeter. One of the parts I saw from the survey was pretty interesting—73 percent of the respondents that we surveyed are not blocking their privileged users. If you do then they don't get to see your sensitive data. So 73 percent haven't heard anything about that yet, let alone looking into things like encryption or tokenization. There are different techniques that help combat this. A big portion is putting controls around their data itself, and the people who administer it.

The insider going bad, that's piece of it. But bad actors on the outside want to become the insider. And who's the most attractive target? Is it the secretary, or is it the administrator that manages your databases? It's not so much the individual. It's the concept of the account itself, the process or the privilege itself, not the individual, that you need to worry about.

We: What sort of threats are coming from malicious insiders? What do IT security departments need to be planning for?

Sol Cates: There are really three phases to it. First off, is the discovery. Usually when you've got data, unless it's regulated, you probably haven't gone through a discovery process yet. What's considered sensitive? What does need to be protected?

The second phase is finding it, and a key problem for a lot of organizations is that it's everywhere. They've gone through mergers and acquisitions, rapid growth and so forth. So finding all the pieces that are considered sensitive—how do you do that quickly?

The third part is actually protecting it. From this perspective, what are the risks to the data? There are multiple layers. If you look inside the traditional architecture, they are five layers of data access. One is storage, which is physical in nature. You access the physical media. One is operating systems, because everything runs on an operating system, whether you're SAP or an Excel spreadsheet. Then you've got your database, and your application tier, and on top that is your network connection.

The majority of the spend is still going to the endpoint or perimeter layer. They are not focusing on the other layers, where your data is actually designed, consumed and produced. So you've got to look at all those layers and put counter-measures in for each one. You've got to look at all those different layers, because as you do that, you reduce your attack surface dramatically. 

We:  How does an enterprise actually respond to these insider threats?

Sol Cates: As you go through the discovery and actually classify your information and find where it is, once you identify it, you need to start taking a posture of, should individuals see the information? Which individuals for various reasons should see the information? Once you start getting pretty granular into business owners and business users, it gets pretty complicated, because there are so many different types of business users for different reasons.

There are two that are pretty easy to establish early on. One is, should a database administrator, the person who runs the infrastructure, ever see your sensitive data? The answer from the survey is no. Do they actually need to see the data inside the database to do their job? We assert no. Right there, you reduce a big part of your attack surface, because right then your operating system and database layers are rendered useless to an attacker or an insider. They just don't have access to the information any more. They can run the infrastructure and not see the content.

And then you can focus on the business line user or process user that needs to see data for their job. So that's where you need to do the classification. Do you need to see the data to do your job, or do you not? If you can limit the people who don't need to see it, because they are in administration, we highly recommend that. You can reduce your attack surface, and then focus on the business users who do need to see the data to complete their job.

We: Who do you believe stands to benefit from reading the Insider Threat Report?

Sol Cates: The people we actually surveyed were a little over 80 percent Fortune 1000, larger enterprises, and the majority were US-based.

The people who can benefit from this would primarily be larger organizations that have multiple touchpoints and have lots of data. It is the larger organizations that are wrestling with this the most, because they have lots of data, they have lots of systems, and lots of individuals in business and administration that actually interact with the data. They see that they'll get a lot from it. The paradigm shift that I think needs to happen is that we have to move our resources away from chasing the rats, and start protecting the cheese. Those larger organizations understand that a little bit better.