Some rules in security are clear. We teach our employees to always use strong passwords and never share them. When sensitive data is at rest it should always be encrypted. When forced to use public Wi-Fi, always use a VPN.
In real life, however, data controls cannot always be binary. Personally Identifiable Information (PII) and Personal Health Information (PHI) must be protected. Sometimes, it must also be shared. We can assume that HR will most often be authorized to share that type of data, but there may be cases when others need to do so as part of their job.
This presents a significant challenge to organizations implementing legacy data loss prevention (DLP) and insider risk management (IRM) solutions.
Legacy solutions were designed to solve what was perceived to be a simple problem: block the misuse of sensitive data. Their three-step approach was also simple:
While this approach may have worked twenty years ago, today’s environment is more complex. Data users are no longer confined to corporate networks and databases with local applications on each endpoint. Pre-classifying every piece of data in a distributed organization – before data protection can begin – is a luxury few organizations can risk.
More importantly, the requirement that security teams predict every use case for every user and every class of data is a fool’s errand.
Data needs to be shared to be useful. Design documents are shared with engineering, product teams, marketing, procurement, and vendors. Legal documents are shared internally and with external resources. Even PII and PHI must be shared in some circumstances. When legacy solutions require teams to make binary rules dictating which users can perform which actions with each class of data, it is inevitable that problems will arise.
False positives – blocking a user from using data in a legitimate manner – are bad for businesses. They frustrate users attempting to do their jobs and bog down security teams responding to these events.
Rather than improve security, binary controls can increase risk. Users respond to blocked actions by seeking alternative methods of obtaining or sharing information, and unauthorized workarounds become the norm. In turn, this decreases visibility into the content and context of user activity and removes the ability for security teams to adjust policies accordingly. As workarounds become increasingly accepted, an organization’s security culture is degraded.
Security teams today need to support a business’s goals at large. This requires an understanding of intent and adaptive controls that protect sensitive information while allowing legitimate users to access the data they need to do their jobs.
The policy-free approach of the Reveal Platform by Next provides immediate visibility into data usage, before a single policy is set. It baselines each user in days instead of months to understand behavior and report on risks to data without preset rules. By moving machine learning to each endpoint, Reveal can analyze the data, user, and activity to understand user actions before and after an event to help determine intent.
With visibility into intent, Reveal can impose a variety of soft and hard controls:
By retaining visibility into all activity, Reveal protects your organization’s sensitive data while enabling administrators to make informed decisions around responses and policy creation. It enforces controls that are appropriate to risk without hampering legitimate users.
Want to learn more about our adaptive controls and how your company can deploy a single solution to protect your sensitive data from insider threats and external attacks? Watch our on-demand videos for a self-directed demo.