Some rules in security are clear. We teach our employees to always use strong passwords and never share them. When sensitive data is at rest it should always be encrypted. When forced to use public Wi-Fi, always use a VPN.
In real life, however, data controls cannot always be binary. Personally Identifiable Information (PII) and Personal Health Information (PHI) must be protected. Sometimes, it must also be shared. We can assume that HR will most often be authorized to share that type of data, but there may be cases when others need to do so as part of their job.
This presents a significant challenge to organizations implementing legacy data loss prevention (DLP) and insider risk management (IRM) solutions.
Binary Controls Were Designed for Security, Not Productivity
Legacy solutions were designed to solve what was perceived to be a simple problem: block the misuse of sensitive data. Their three-step approach was also simple:
- Identify, classify, and tag every piece of data in the organization.
- Establish granular rules – in advance – dictating what each class will be allowed to do with each class of data.
- Block any action that violated a predetermined rule – without exception.
While this approach may have worked twenty years ago, today’s environment is more complex. Data users are no longer confined to corporate networks and databases with local applications on each endpoint. Pre-classifying every piece of data in a distributed organization – before data protection can begin – is a luxury few organizations can risk.
More importantly, the requirement that security teams predict every use case for every user and every class of data is a fool’s errand.
Data Permissions are Rarely Binary
Data needs to be shared to be useful. Design documents are shared with engineering, product teams, marketing, procurement, and vendors. Legal documents are shared internally and with external resources. Even PII and PHI must be shared in some circumstances. When legacy solutions require teams to make binary rules dictating which users can perform which actions with each class of data, it is inevitable that problems will arise.
False positives – blocking a user from using data in a legitimate manner – are bad for businesses. They frustrate users attempting to do their jobs and bog down security teams responding to these events.
Rather than improve security, binary controls can increase risk. Users respond to blocked actions by seeking alternative methods of obtaining or sharing information and unauthorized workarounds become the norm. In turn, this decreases visibility into the content and context of user activity and removes the ability for security teams to adjust policies accordingly. As workarounds become increasingly accepted, an organization’s security culture is degraded.
Adaptive Controls Protect Data Better
Security teams today need to support a business’s goals at large. This requires an understanding of intent and adaptive controls that protects sensitive information while allowing legitimate users to access the data they need to do their jobs.
The Reveal Platform by Next’s policy-free approach provides immediate visibility into data usage, before a single policy is set. It baselines each user in days instead of months to understand behavior and report on risks to data without preset rules. By moving machine learning to each endpoint, Reveal can analyze the data, user, and activity to understand user actions before and after an event to help determine intent.
With visibility into intent, Reveal can impose a variety of soft and hard controls:
- Allow activity to proceed while maintaining an audit trail on all activity on and off the corporate network.
- Warn users of actions that are unsafe or violate data use policies. Reveal’s incident-based training can prompt users when they attempt actions that could put data at risk. This includes a reminder of why the action is flagged, policy reminders, and safe alternatives. It can even require acknowledgement of company policies before allowing a user to proceed.
- Contain an attack. With Reveal, customers can isolate devices from the network to prevent the incident from spreading further, lock out user sessions, take screenshots to gather evidence, display messages, block uploads, and kill processes to protect your organization.
Maintain Visibility with Reveal
By retaining visibility to all activity, Reveal protects your organizations sensitive data while enabling administrators to make informed decisions around responses and policy creation. It enforces controls that are appropriate to risk without hampering legitimate users.
Want to learn more about our adaptive controls and how your company can deploy a single solution to protect your sensitive data from insider threats and external attacks? Watch our on-demand videos for a self-directed demo.
