Encryption on Steroids – Attribute Based Access Control (ABAC)

How many data breaches need to occur before companies take real preventative action? While hotel chains, retail stores, and Facebook are likely to grab headlines, companies of all sizes, across all industries, face the same threats. If you work with intellectual property, handle sensitive materials, or are subject to regulatory compliance, you need to safeguard your digital assets.

Pernicious attacks don’t always come from the outside. According to JAMA Internal Medicine, 53 percent of the 1,138 instances of a data breach at medical facilities they analyzed originated from inside the organization. Overall, 15.1 million patient records were compromised in 2018, a near three-fold uptick from 2017.

Unprepared companies find themselves on newsfeeds for both negligence in combatting a breach and the resulting punishment levied by regulating bodies. Despite this, most companies trying to manage their data are using increasingly unreliable methods such as:

  • Putting up a firewall around the application. Despite amazing progress with firewalls and network security, a malicious attack or internal leak (whether intentional or inadvertent) will result in compromised data.
  • Using an Access Control List (ACL). Sadly, this static method of protecting who can touch data doesn’t work in today’s modern, dynamic, and globally distributed environment.
  • Applying Role-Based Access Control (RBAC). Using authentication schemes, location, network, risk, and individual characteristics can work for one-time access, but today’s environment is dynamic, making RBAC impossible to keep updated.

Chasing dynamic data with static security models will not support a fast-moving company. As more data becomes available for sharing across a variety of networks, these security measures are proving ineffective at stopping data breaches. Using a network, an ACL, or RBAC simply can’t stop malicious attacks or internal threats.

The paradigm is shifting to Attribute-Based Access Control (ABAC) to redefine data protection. ABAC has been developed to address the most stringent security requirements of the most important government entities on the planet. ABAC is the platform of choice for the US DoD, the UK MoD, and has quickly become a NIST standard.

At its basic level, ABAC uses an ‘IF/THEN/AND’ model to protect the data itself. This model is then applied to data via policy, checking attributes and applying the appropriate permissions (aka “digital rights”).

A Starbucks in Slovakia

Imagine a US State Department official carrying a laptop into a foreign country notorious for its ability to hack and steal data from the open web. This official heads into a Starbucks, opens his or her laptop, and connects to the public WiFi. It’s hard to argue that this may be one of the easiest ways for data to be compromised, but if this official’s data is encrypted via ABAC, data safety is assured regardless of how open the network may be. Regardless of the location, encrypted data is protected by an ABAC schema that guarantees appropriate access or denial of access.

ABAC puts the encryption and safety measures inside the data itself, ensuring that even if hacked or flat-out stolen (e.g., a thumb drive stuck into the side of a laptop), the encryption prevents the data from being compromised and utilized outside of its intended use.

Live inside the data itself

Attributes are the foundation of ABAC. Factors such as program, citizenship, location, clearance level, even time of day, can be used to protect the data. If the user violates any parameter, the ability to access is lost.

Continuing from the above example about an official opening his or her files in a Starbucks in Slovakia, the policy may allow this user to access the data based on multi-factor authentication, United States location, and clearance level. The fact that the official is trying to access the data in another country violates the policy, which then denies access to the data and reports the attempted use to the policy management system. All elements of the policy must be met. This official could copy/paste the information into a separate application or right into their personal email address, but the encryption inside the data itself prevents their ability to access it and protects the information.

Moving information around the globe on a second-by-second basis while maintaining control of the intellectual property or sensitive data is more important than ever. An ABAC system can be set up as a centrally located security measure, independent of people, geography, and network perimeter security, and provide a single data safety infrastructure around multiple applications. Users will have persistent rights management regardless of the application they use to access ABAC-encrypted data.

When you put the encryption inside the data and metadata itself, companies can seize control of their data and prevent a breach from internal or external threats. The Department of Commerce has made this a mandatory practice and the adoption is spreading throughout several governmental and military agencies.

There isn’t an industry that couldn’t benefit from implementing an ABAC solution, especially in a world where data is dynamic, information moves across the world in real-time, and breaches can ruin a company’s reputation and trustworthiness.

What will data-centric security look like over the next 5 years?

As we inch closer to the end of the decade, it doesn’t hurt to start thinking about what the 2020’s will bring in terms of data security.  So, we put on our thinking caps and came up with how we see the data security landscape shaping up as we enter a new decade.

Simply put, we see “data safety” becoming the new data security.  The term “data security” has been around for awhile, but we need to start rethinking the term’s relevance as we tread deeper into a more digitally driven world.

If you want to read up on how we see this world evolving, you can download the paper here.

Identity and Security Go Hand in Hand

We’re in the midst of a key paradigm shift when it comes to security. Instead of focusing on the perimeter like in the old days, attention has now turned to focusing on the data itself. What with the proliferation of cloud services, mobile and IoT advancements, and increasingly globalized workforces, trying to contain the perimeter hasn’t gotten out of hand.

As a result, security professionals are developing strategies and implementing solutions focused on controlling access to sensitive data stores and applications themselves as these are where the most sensitive and/or confidential data originate from.

Thankfully, NextLabs and the Identity-Defined Security Alliance (IDSA) were prescient enough to see this trend coming. The IDSA is comprised of two dozen identity and security vendors (including NextLabs), solution providers, and practitioners that act as an independent source of education and information on identity-centric security strategies. The group facilitates collaboration via a knowledge base spanning practical guidance, best practices, and validated solutions for reducing the risk of data breaches.

Just this week the IDSA released a white paper, “The Path to Zero Trust Starts with Identity,” that examines the Zero Trust paradigm from the point of view of an entire alliance, as opposed to just one vendor’s interpretation.

Ultimately, the IDSA believes that identity-centric security controls can help organizations combine identity and security capabilities to improve their security postures. From unstructured data to applications to attributes, managing and controlling access from identity to data is the key.

For more info…
To read more about the Zero Trust model, you can download the paper here. Additionally, if you’d like to see a demo on how NextLabs can help you put the Zero Trust model into action, click here.

Upcoming Webinar: Next Generation Security Considerations for SAP

KPMG - Securing the ERP Webcast

SAP security requirements are becoming increasingly complex. Security threats, data restrictions, emerging regulations, and innovation in technology is leading traditional approaches to security and access governance to become costly, unmanageable, and without adequate risk coverage in many cases. As your technology landscape evolves, so should your approach to managing security and access governance.

KPMG, a NextLabs partner, will be hosting a webcast, “ERP Risk Series – Next Generation Security Considerations for SAP” on July 11, 2pm ET. They’ll discuss strategies for evolving your access governance and next generation SAP security considerations. The webcast will be hosted by Brian Jensen (Managing Director of the Oracle Risk Management Team), and the featured presenter will be Jonathan Levitt (Director Advisory, GRC Technology).

One CPE credit will be available to U.S. participants who meet the eligibility requirements.

So, click here to secure your spot today!

What is Digital Business Transformation…really?

Buzz words always amaze me. I love them if I think I coined them I love them until I think they are old and tired, but no matter what they seem to have a life of their own. Business transformation and Digital business transformation are a very hot topic these days in the enterprise space, but what does Digital Business Transformation really mean:

  1. Mobile first and cloud-enabled
  2. Collaboration requirements include always on, with seamless access anywhere and anytime, 24/7
  3. Digitally connected supply chains for highly responsive or just-in-time production
  4. Hyper-connected and complex business applications that are iPhone easy to use
  5. Internet of Things and Big Data driving real-time data decision streams and massive data volumes

more “What is Digital Business Transformation…really?”

Enterprise DRM that Actually Works

We know the problem. Enterprise level Digital Rights Management usually means that I can encrypt something, (usually MSFT Office or PDF), but then when I try to share it with someone who should be able to access it I waste a boatload of time trying to get them access and eventually I just send the data in clear text and tell them not to share it. Uh-oh

EDRM can be a pain or even worse puts me in a position of being out of compliance with internal security policies or even worse . . . governmental regulations. Now to be clear, I have never done anything like this. I am simply giving it as an example of what I have heard from others . . . right? In today’s hyperconnected world I need to be able to share/collaborate securely with people in the extended enterprise, partners, etc. anytime, anywhere and on any device, 24/7. . . is that too much to ask? Oh and by the way, my life is more than just Microsoft Office and PDF documents, I need to share lot’s of different file types . . . you know the drill.

Oh last but not least, I need the EDRM to be automatic, seamless, and deeply integrated with SAP, since that is where most of this work happens for me.

EDRM for SAP

Europe Benefits As Nextlabs Opens EMEA HQ

Mark Clark, VP of EMEA Sales, NextLabsNextLabs is very excited to welcome Mark Clark to the team as the Vice President of EMEA Sales.  The significant increase in both internal and external breaches and heightened regulatory requirements have made it essential for companies doing business in the EU to strengthen their data protection policies. Clark has opened NextLabs EMEA headquarters in London to lead the effort to help businesses address their data-centric security challenges.

In his new role, Clark will be working with commercial and government agencies, partners and System Integrators to meet the demands of organizations in the region. As a leader in data protection, NextLabs is committed to helping companies address the increasingly complex regulatory landscape, including the new GDPR mandates, to ensure that they have the necessary data protection in place to securely collaborate throughout their extended enterprise.

According to Chris Johnson, VP, Sales, SAP GRC EMEA, “Security is of the utmost concern to most of our customers, and it is vital to us that we can offer the latest technologies and innovations to answer modern business challenges.” NextLabs is committed to assuring that sensitive information only gets accessed by people with the correct authorization by providing advanced data security solutions to enterprise customers.

For more information, please visit  www.nextlabs.com or contact Mark Clark directly at +447739615851.

Changing Face of Data Security

By Sudhindra Kumar, Manager of Software Engineering at NextLabs, Inc.|

With the growing adoption of cloud for various business processes, traditional approaches to data security are no longer sufficient to keep enterprise data safe. Gone are the days when all critical information was protected behind a firewall with access restricted to specific clients/devices. IT security teams are under increased pressure to make data available to a plethora of devices (mobile phones/tablets/personal laptops, etc.) and applications without compromising on the security aspect of the data.

Gartner forecasts that 6.4 billion connected things will be in use worldwide in 2016, up 30 percent from 2015, and increasing to 20.8 billion by 2020. A large percentage of these devices are going to be BYOD, which carry a combination of personal and business data, and have major vulnerabilities – putting your enterprise data at risk. Attackers have shifted their focus from secure enterprise environments to these vulnerable devices, which give them an easy gateway to your enterprise data. Mobile Device Management has become an important staple for every organization. more “Changing Face of Data Security”