As a society, we’ve been forced seemingly overnight into a new work environment with offices closing (and many companies permanently downsizing office space) and remote work seeming more and more like it's here to stay. The new normal is sure to be more digital, and enterprises are moving quickly to adapt to these changes by enabling remote work and further accelerating the migration to the cloud. Unfortunately, these rapid changes have also opened up new avenues for attackers to exploit. If companies are to remain secure in the new normal, they’ll need to adapt their security posture as well.
Enterprises already invest heavily in security (worldwide security spending is already over $100 billion annually, and expected to grow to $170 billion by 2022), but still lack basic visibility into and control over the sensitive data they collect and consume. This lack of visibility prevents companies from understanding how their organization uses data and also from taking advantage of these data consumption patterns, a key requirement as we evolve into the age of data. Meanwhile, a lack of control around data consumption means while companies may have implemented controls around who is able to access data and what data they’re allowed to access, they’ve not closed a critical gap: how much data a credentialed request is allowed to consume.
These two factors — an inability to understand enterprise data consumption and a lack of control around how much data is allowed to be consumed — combined with a quickly evolving regulatory environment, create a perfect storm for today’s enterprises: credentialed requests for data are often able to consume without limits, opening up a level of risk that puts entire companies at stake. With the rapid changes demanded by today’s new normal, the urgency to close this gap has only grown in importance.
Companies that don’t place limits on the consumption of sensitive data are already in very dangerous territory as they remain vulnerable to both insider and external threats. Verizon’s latest Data Breach Investigations Report informs us that inside actors are involved in 30% of data breaches, and over 80% of hacking-related breaches (hacking by external parties is the most common type of threat action) involve the use of brute-force attacks or stolen credentials. The common denominator here is clear: having credentials is the best way to obtain what threat actors are looking for — sensitive data.
In addition to the financial impacts of a breach (CCPA fines can be up to $7,500 per record, for example), the impacts to brand reputation and operations pile up quickly, with strategic efforts put on hold while team members turn into firefighters and customers lose trust in the company.
To mitigate these risks, enterprises need a solution that provides observability and control over data consumption. These controls provide confidence in the security of the organization’s data no matter where it lives, enabling companies to properly and rapidly take advantage of the migration to the cloud. In fact, it’s only by having these capabilities that organizations can confidently and securely enter the new normal.
Ideally, it would be great if you could treat your data the same way banks treat money in an ATM. Here’s the process as we see it:
This is where most companies are today, and where security tools offer their services. You’re able to solve for identity, authentication, and privilege, and most tools can provide some level of auditing for you as well. However, there is a major piece missing from the enterprise’s arsenal that banks solved a long time ago: controlling how much someone is able to consume — money in the bank’s case, data in ours.
For security and logical reasons, banks place limits on the amount of money you’re allowed to withdraw from an ATM. These limits are enforced on individual trips to the ATM, as well as contextually throughout the day. Limits like this protect the end user from fraudulent activity, protect the bank from customers withdrawing more money than they have (either accidentally or maliciously), and ultimately build trust in the bank’s ability to securely store its customers’ money.
This is exactly what enterprises need to be doing with sensitive data. You need the ability to contextually understand consumption patterns across all sensitive data (whether PII, PHI, or PCI data), limit how much data a request is allowed to consume, and proactively prevent requests from consuming more data than they are allowed to.
With ALTR, organizations can set governance policy to limit the consumption of sensitive data across the enterprise. Each time sensitive data is requested, ALTR records both the request itself and metadata around the request (which data was requested, how much, when, from where, etc.), and analyzes the request against ALTR’s risk engine before allowing or preventing the return of sensitive data. Data consumption and policy-related information can be sent to enterprise SIEMs and external security clouds and visualization tools (like Snowflake and Domo) for further analysis so the company can understand and learn from its data consumption behavior.
By implementing data consumption governance with ALTR, enterprises can understand how their organization consumes sensitive data, protects that data, protects their customers, keeps up with a rapidly changing regulatory environment, builds trust, and solidifies their reputation while securely and confidently entering the new normal.
Ready to learn more about improving visibility into and control over your organization's data consumption? Check out this brief overview or reach out to get the conversation started. We’d love to hear from you!