While physical security is typically handled by a dedicated data center facility function, using sophisticated modern surveillance and authentication technology to prevent unauthorized entrance, securing the data logically is a different story.
This is not to say that nothing is being done. Penetration testing, for example, is a critical tool that organizations and data center operators use to identify vulnerabilities in hardware, software and network components. And by simulating real-world attacks, organizations evaluate their readiness to detect sophisticated cybercrime and test their response strategies. Penetration testing also helps data center clients confirm that the service provider is maintaining high security standards.
Additionally, data centers invest heavily to protect against external threats. State-of-the-art firewalls, AI-powered tools that provide real-time insights into dangerous network traffic, built-in resiliency and redundancy, and other technologies give data center operators unprecedented control over malicious attacks, yet companies are still losing data.
Internal threats are real — and often not given enough attention
Internal breaches — data theft by employees or contractors — represent a significant and often overlooked risk.
Employees, or contactors, take data all the time for various reasons. Some are leaving for a new job and want to take customer lists, sales forecasts, marketing data or information about planned new products. Others are simply angry at their employer and want to strike back.
Even a localized security issue can be devastating.
Consider a data breach that shuts down production for a day or two at a busy manufacturing facility. While that event might not be newsworthy, it leads to lost revenue for the company and a headache for customers who don’t receive their products.
Shouldn’t exfiltrating data be more difficult? In the past, companies wanted to maximize access to increase productivity. The solution at many companies was to utilize virtual private networks (VPNs) that gave employees full access to company systems and software when not in the office.
The use of VPNs expanded significantly during the COVID-19 pandemic, when so many employees were working from home and needed remote access. Since then, few companies have dialed back employee access, leading to elevated levels of risk from internal breaches.
The solution is implementing a “zero-trust” strategy that eliminates unnecessary employee access and protects the company from bad decisions or malicious intent.
Here are three steps companies should take today to move to a zero-trust environment:
1. Implement strict access controls to mitigate risk
In the past, many companies operated with a “castle and moat” data philosophy. Outside the castle, access to data was severely restricted by a security moat, but everyone inside the walls — employees, contractors and trusted vendors — was considered safe.
Today, smart companies utilize role-based controls to limit employee access to necessary data only. For example, an operations person can see production data but is restricted from viewing accounting and legal files.
As an individual’s role changes, access changes, too; a senior business unit leader would have more access than a new frontline hire.
These highly configurable access controls are possible through modern data security software, which can allow or restrict access to individual applications or networks with the click of a mouse.
One important caveat: Successful role-based access control systems aren’t “set it and forget it.” They must be actively managed and require vigilance to verify that as employees come and go, and the business evolves, access is still tightly controlled.
Considerations
- Collaboration is key to developing successful internal data access controls. Take time to work with business unit leaders to understand what their functions do and what access they need to carry out daily tasks.
- Dedicate ongoing resources to maintain a zero-trust strategy. Even the best controls will erode over time if not maintained.
2. Create and maintain network segmentation to isolate data
The traditional approach of data storage capabilities at each worksite is giving way to consolidation, as companies move their data and cloud computing to new state-of-the-art facilities.
But creating and maintaining separate networks — physically or logically separate with no connectivity between them — is a critical element in mitigating the risk of data breaches.
Applications designed for collaboration with third parties can also provide dangerous entry points into a data center or multi-cloud environment. Network segmentation isolates and protects sensitive data from vendors and partners that have access.
Another critical protection to consider is the use of multiple data centers, in different geographic locations, to enhance security, provide redundancy of systems and protect against natural disasters.
Considerations
- Network segmentation can be complex and costly, and often requires additional staffing to manage, but the benefits far outweigh the challenges.
- It’s possible to design a system that is overly segmented, making it difficult to manage and a challenge for employees to navigate needed systems. Gaining a full understanding of assets and data needs can help.
- As with access control, ongoing review and approval is critical to confirming that only those who need data can see it.
3. Utilize analytics to quickly identify potential threats
While AI is driving the need for more — and more powerful — data centers, the technology is also supporting data center security by providing real-time threat intelligence, anomaly detection and automated alerts.
Numerous solutions today utilize machine learning and data analytics to identify potentially risky behavior within a network.
Known as user and entity behavior analytics (UEBA), these solutions create a baseline of typical behavior for servers, applications and data, and then detect anomalies that may indicate a threat.
For example, an employee who typically downloads five files a week from an office location suddenly downloads 250 files from three separate locations. UEBA software detects and flags this change in behavior and alerts the cybersecurity team for further investigation. There may be a legitimate business need for the files, but if not, the company is aware and can take action to prevent a disruption.
Another critical element is proper management of IT assets, such as laptops, handheld devices and network equipment. A detailed policy that clearly delineates responsibility and accountability for assigning, maintaining and upgrading equipment is important to managing access.
Considerations
- Full compliance with applicable legal and regulatory standards to protect user privacy is critical.
- Continuous fine-tuning of your UEBA systems can help reduce or eliminate false positives and protect users from intrusive inquiries.
- To create an environment that prioritizes ongoing protection and monitoring, collaboration between the cybersecurity team and IT is a must.
- Conduct comprehensive security assessments of all third-party data center vendors and make certain they comply with relevant industry standards, such as SOC-2, HIPAA or ISO 27001.
- Define clear goals and responsibilities regarding data management and incident response.
Don’t be defenseless against internal breaches
Data security is critical to your company’s overall cybersecurity policy. A zero-trust strategy is underpinned by prevention, detection, and a company-wide philosophy that treats data as a critical asset that needs protection from both internal and external threats. In fact, cyber insurers are increasingly asking companies about their internal data controls. A provable zero-trust approach can help lower your premiums.
EY teams can help pair the right technologies with effective strategies that deliver thoughtful simplification to cybersecurity for data centers and their clients. Together, we streamline security processes, optimize costs and verify regulatory compliance through identity- and data-centric principles.
