We’re long past the days when you could pretend that a firewall was adequate protection for company information. You can’t protect files by putting them in one place and making your users come to the files anymore; employees, the devices they use, and the data they work with all move around far too much. Instead of trying to lock up your data, concentrate on user-centric and information-centric security; you need to choose who should have access to what information, under what circumstances – and that means identity and access management (IAM) are key.
That’s hard to get right; take the service Democratic campaigns use to see the contact details for Democratic voters, and add the kind of information about them that businesses would put into their CRM system about customers. The NGP VAN service seems to had a failure of access management that left campaign workers able to access voter information collected by another campaign – information that should have only been accessible to workers on the other campaign.
That kind of problem is a classic access management failure; someone in your sales team who accesses an information store shouldn’t be able to see what employees in HR or your legal department would see if they logged on to the same place. Getting that right means you need both strong identity systems to manage users, and file classification, or Information Rights Management (IRM).
Think of IRM as DRM for files that blocks those from being edited, printed, or forwarded except by the people you choose; you can use Active Directory Rights Management or Azure RMS if you prefer a cloud service (which still works with server software like Exchange and Windows Server). The easiest way to apply file classification and rights management is to set policies that automatically tag and protect files with the appropriate settings for the employee creating them, or the folder where they’re saved. Documents your legal team creates might be tagged so they can’t leave the company, whereas price lists the sales team uses can be set to expire at the end of the quarter.
You also need to protect the user accounts that unlock access to these documents, because getting access to the credentials of one user and then moving horizontally through your other systems is a common pattern of attack. These days, that protection needs to go beyond passwords. You can add multi-factor authentication to your systems using online identity services like Azure Active Directory, Authly, and Auth0. This does more than just swapping the password for a known device, like a phone, as a second factor; identity services also look at the context of an attempted login, and the behaviour of the user and their device.
Is someone who signed in from Boston an hour ago now trying to sign in from France or China? They couldn’t have got there that fast, so it’s likely not them. Traditional conditional access protection will check if a device has antimalware protection and has even scanned recently, but that’s not the only threat. Is this a device you’re managing, a new device you’ve never seen before, or the same device you blocked from logging in with a different account yesterday?
Is a user who has the right account and the right password logging in from an IP address known to be infected by a botnet (as many computers in hotel business centres are)? Large online services track this information and are often involved in botnet takedowns, giving them insight into threats few companies could get on their own.
You can use these kinds of services to protect your systems, wherever they’re running. Looking at patterns of behaviour, across far more than your own users, gives you an extra level of protection beyond the usual IAM, and lets you switch from trying to prevent attacks to spotting them as they happen.
Mary Branscombe is a freelance technology journalist for a wide range of sites. She has been a technology writer for more than two decades, covering everything from early versions of Windows and Office to the first smartphones, the arrival of the Web, and most things in between, from consumer and small business technology, to enterprise architecture and cloud services. She also dabbles in mystery fiction about the world of technology and startups. Visit www.marybranscombe.com or follow @marypcbuk on Twitter.
