Skip to main content

Hidden Security Gaps for Remote Work – Part 4: Data Security

By July 14, 2020Thoughts

Now that the fire drill of getting the workforce working remotely has subsided, many IT and security teams within companies are picking up the pieces after this extraordinary set of events.

Due to the accelerated timeline — literally overnight — proper security controls and processes had to be put aside to keep the business operational. Because of this, hidden security gaps undoubtedly lie waiting. In this series, I’ve already revealed the hidden gaps related to Identity, Endpoint, and VPN. Now, I’ll conclude with a discussion on data security.

Why Data Security?

You’re probably thinking your data is safe because you have an identity infrastructure, an endpoint security solution, and VPN. Well, I’ve got bad news for you: your data is not safe as you think.

Why is your data not safe? Because Digital Transformation, that’s why—the Harry-and-Marv “Wet Bandits” of the modern attack surface.

Companies, large and small, are consuming cloud-based software services at an alarming rate. Every time an employee connects to a SaaS provider, sanctioned or unsanctioned, there’s the potential for data to be leaked, lost, or encrypted.

Every time an employee connects to a SaaS provider, sanctioned or unsanctioned, there’s the potential for data to be leaked, lost, or encrypted.

So, what’s the difference between sanctioned and unsanctioned?

Sanctioned Applications or Providers

This term refers to cloud services that have gone through an organization’s risk and business management process and have received approval for organization-wide or department-wide use.

Unsanctioned Applications (a.k.a., Shadow IT)

This term refers to SaaS applications or cloud services consumed by employees or departments without the knowledge of the central IT organization, thereby creating higher risk.

Sanctioned Data Leakage and Loss

A lot of emphasis is placed on the riskiness of Shadow IT for good and obvious reasons. However, even with data residing in sanctioned application providers, there’s plenty of risk for leakage and loss, in large part due to the inability to control a user downloading, interacting with or encrypting it. Once the user is authenticated, they have free reign. Essentially, the data has been leaked.

With the ability to download all data from the sanctioned application, a user can upload it to any number of cloud storage or SaaS providers outside of the organization’s IT purview. The data has now been lost. The organization, at this point, has lost all control and visibility of the data. Uh-oh.

All hope is not lost, though.

The Solution: SWG & CASB in SASE

The solution is in the cloud, in the form of a Secure Access Service Edge (SASE). Two major features of SASE, Secure Web Gateway (SWG) and Cloud Access Security Broker (CASB), provide NGFW-like functions through Data Loss Prevention (DLP) capabilities applied to internet-bound traffic.

SASE delivers data security without compromising performance, the ultimate combination.

With SASE, data can be inspected and policies can be enforced at the service edge. You’re empowered to monitor data movement and enforce any data security policy regardless of the user’s location or type of access. It delivers data security without compromising performance, the ultimate combination.

Data security with SASE

  • Traffic inspection at the edge
  • Monitoring of data movement
  • Enforcement of data security policies
  • Applied regardless of user’s location or type of access
  • No compromise of performance

Series End

In closing, this series was meant to help you see the gaps lying in wait in our “new normal” of an entirely remote workforce. I hope I did that for you! I also hope these insights, born out of my own experience, have helped you and your organization be a little bit safer. If you gained any nugget of information that helped you, I’ve done my part.

Until next time, stay safe.

Featured image from Tyler DeHague via Dribbble

Leave a Reply