Digital transformation (DX) is the natural evolution of traditional business operations allowing organizations to capitalize on the full capabilities of our technological advancements, meet consumer expectations and keep competitors at bay (or at least be on par with them). DX isn’t just a cookie cutter deployment of on-prem systems migrated to the ‘cloud.’ In fact, that in itself may be considered a terrible cloud migration strategy resulting in more risk and costs (leaky S3 bucket anyone?).
DX is a fundamental change in how an organization provides services and products to its customers from the ground up. This opportunity to rebuild part or the full business is a chance to build an agile and future-proofed organization that is aligned or even exceeds customer expectations.
Performing a quick Google search of Digital Transformation, there are hundreds of articles, blogs and webinars from small organizations through to heavy hitters like CIO magazine, Forbes and McKinsey and Company. The common theme that is lacking from all of these great articles is that in security and privacy should be factored in right from the start of the journey. Unfortunately the disconnect between the ‘business’ and risk functions is as present today as ever and in a world of agile, multi-cloud and high data collection and analytics, the risks are higher than ever. Keeping things simple, the focus on risks can be grouped into three areas, users and entities, applications and data. With that in mind, this article focuses on areas where security and privacy can enable and increase the speed of DX:
Data Governance and Encryption
Given that DX is fueled by the insights derived by a strong data analytics program, understanding where sensitive data resides is critical to risk reduction from a security and privacy compliance standpoint. Without knowing where this data is stored, collected, used, etc., how can an organization ensure it is appropriately addressing its risk exposure? Similar to how annual penetration test are performed as a bare minimum to meet security and compliance obligations such as PCI-DSS, organizations should execute a recurring data discovery process to find where sensitive data may be hiding across the environment within structured and unstructured data sets. There are tools to assist with this type of discovery activity to keep things simple. Once this data has been discovered and classified, additional initiatives can be started to appropriately secure and centralize governance of this data while still deriving business value.
Once this data has been found and classified, sensitive data that should be encrypted throughout its lifecycle to reduce the risk of an inadvertent or intentional breach. Business analytics activities generally do not need the sensitive information such as the customers address or credit card number in order to understand regional shopping trends, for example but it does require data to be in its expected format in order to perform the analysis. The ability to secure data in its original format will ensure applications and downstream systems are able to function as expected while exceeding most privacy regulations and aligning with GDPR and CCPA guidelines and reducing the impact of a breach.
Organizations need to adopt a model where no entity or user is inherently granted access to corporate systems or data. This approach ensures that the entity or user must prove their identity and permission level before they are granted access. Some of the factors that enforce a zero trust security model are listed below:
Identity proofing and strong authentication: Each identity must prove itself before being granted access to any systems or information, not just with a username and password but based on the level of access or data being accessed. The National Institute for Standards and Technology Special Publication 800-63A provides detailed technical guidelines around Identity Proofing. The security adage of ‘trust by verify’ has evolved to don’t trust until verified, through a strong identification mechanism based on need, for example, a user’s existing social media or email account is sufficient to create an account and to access certain non-sensitive information however if accessing financial information, a cell phone number or government ID is required. Additionally, organizations must move beyond just username and password to a data centric model or risk-based framework. Based on the data being accessed (having data discovery and classification in plan is a pre-requisite), additional layers of authentication must be provided such as SMS one-time-passwords, tokens, challenge/response, etc.
Data access control: Ensuring entities and users have the right level of access is priority however the approach should be, does this entity have the minimum level of access required to perform their job? It’s not a matter of trust, it’s a matter of security. If an account becomes compromised, then any information that the account has access to can also be considered compromised be it a trusted employee, a contractor or a third party. Taking a top down approach with restricting the most sensitive data or assets (read only? Where can the data be stored?) will help reduce risk while keeping efforts manageable. If data discovery and classification activities have already been completed, an organization will be able to focus on the sensitive data and apply policies to control and monitor access.
Visibility across the DX landscape
With presence across multiple environments, be it on-premises, public or private clouds, IoT in varied levels of integration (IaaS, PaaS, SaaS), organizations need an approach that gives visibility across all systems, especially those that have sensitive data or perform business critical processes. Having a scalable and intelligent centralized system to monitor for suspicious activities, known and unknown attack vectors, is a critical factor in securing the environment. Taking an industry recognized framework such as the Mitre Att&ck framework and focusing on the most relevant attack tactics, techniques or procedures (TTPs) is one approach to securing the enterprise. The benefit of using such a framework is that cloud TTPs can also be addressed with this Mitre Att&ck framework. Micro Focus provides a MITRE ATT&CK mapping capability to its customers whether through Security Information and Event Management (SIEM) or User and Entity Behaviour Analytics (UEBA) to ensure Security Operations teams have what they need to successfully protect and detect attacks.
Analytics and Automation
With DX, entities and processes will gain the ability to execute functions that historically were performed by users. Initiating business processes, performing code reviews, running performance tests, automatically scaling up systems to meet increased demand, approving financial transactions and wiring funds are functions that can be automated. Overall, process automation can be considered more secure and scalable as it removes the number of manual entry-points. However, given the inherent ‘trusted’ status, these processes could be modified to perform malicious activities such as wiring funds to a different account number. Through the use of User Entity and Behaviour Analytics (UEBA) entities that support and run process automation as well as privileged users that can create new processes can be monitored to detect if unauthorized processes are created or if they deviate from the expected workflow. UEBA can monitor these activities at scale to ensure visibility across all environments.
DX, Plus Strong Security, is the Future
DX is here and is necessary for most organizations who wish to survive in the ‘new normal’. Unfortunately, security and privacy continues to be an afterthought but should be a critical factor in a successful DX program. The key focus areas above should help security teams identify and priority risks while enabling DX.