Securing your company’s – and customers’ – data perimeter
TRACKING down Joseph Carson, the chief security scientist at data security company Thycotic, for an interview is not straightforward. The Belfast native is in high demand worldwide and arranges the interview while in Asia, then takes a call from Estonia.
He spends much of his work advising companies and governments on data security in general and specifically securing data ahead of the EU’s new regulations on data privacy.
Carson is personally advising many companies and governments on how to approach the mammoth task of implementing the General Data Protection Regulation (GDPR).
When work first started on the GDPR almost a decade ago, Carson initially thought that the regulation was misdirected, an emotional response that many organisations are currently experiencing. The scope of change is terrifying for many businesses if they have not already started preparing to implement it. However, once Carson began to research the reasons for many of the most egregious breaches of consumer data, that perspective quickly shifted.
“Looking into the reasons and causes for most of the breaches, it became clear to me that many of the companies involved were doing less than adequate security practices to protect the data, but were making huge amounts of money by using that data,” he said. “It became clear that there needed to be a line drawn and that the companies should be made to treat their customers’ data with the care and protection it deserves.”
Treating customers’ data with care is exactly what Thycotic is about. The company specialises in protecting one of the most crucial security perimeters in any company – passwords.
That doesn’t just mean the passwords used by users or administrators, but also those needed by applications and systems themselves. The company’s solution ensures that the passwords for key accounts are automatically rotated and managed, and that the auditing and monitoring of those accounts is consistent.
The need for this approach to security has never been more apparent. The company’s research shows that privileged accounts, such as those controlling firewalls and databases, are among the accounts most targeted by hackers.
Once they have access to those accounts, they can move around the network undetected and perform malicious tasks. Thycotic’s work makes such compromises much less likely and makes those accounts much harder to exploit.
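To make the rotation-and-audit approach described above concrete, here is an added example in Python. It is not Thycotic’s product or code; it is a minimal in-memory vault that enrols privileged accounts, rotates their secrets on a policy interval, logs every retrieval and authentication, and reports which accounts are overdue for rotation. The account names, the 30-day interval, the actor names and the injectable clock are all assumptions constructed for the illustration.

```python
"""Added example (not Thycotic's code): a minimal privileged-account vault that
rotates secrets on a schedule and keeps a consistent audit trail of every
enrolment, checkout, rotation and authentication attempt.

Everything below (account names, 30-day policy, actors, clock) is constructed
for illustration and is not taken from the article.
"""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ROTATION_INTERVAL = timedelta(days=30)  # assumed policy value, not from the article


class ManualClock:
    """Injectable clock so the rotation policy can be exercised deterministically."""

    def __init__(self, start):
        self.now = start

    def advance(self, delta):
        self.now += delta

    def __call__(self):
        return self.now


@dataclass
class PrivilegedAccount:
    name: str
    secret: str
    rotated_at: datetime


class PrivilegedAccountVault:
    def __init__(self, clock=None):
        self._accounts = {}
        self.audit_log = []  # one dict per event; in practice ship this to a SIEM
        self._now = clock or (lambda: datetime.now(timezone.utc))

    def _audit(self, event, account, actor):
        self.audit_log.append(
            {"ts": self._now().isoformat(), "event": event,
             "account": account, "actor": actor}
        )

    def enrol(self, name, actor):
        """Bring an account under management with a freshly generated secret."""
        self._accounts[name] = PrivilegedAccount(
            name, secrets.token_urlsafe(32), self._now()
        )
        self._audit("enrol", name, actor)

    def rotate(self, name, actor):
        """Replace the secret; the previous value stops working immediately."""
        acct = self._accounts[name]
        acct.secret = secrets.token_urlsafe(32)
        acct.rotated_at = self._now()
        self._audit("rotate", name, actor)

    def checkout(self, name, actor):
        """Every retrieval of a privileged secret is attributed and logged."""
        self._audit("checkout", name, actor)
        return self._accounts[name].secret

    def authenticate(self, name, presented):
        """Constant-time comparison; both success and failure are audited."""
        acct = self._accounts.get(name)
        if acct is None:
            self._audit("auth_fail", name, "system")
            return False
        ok = secrets.compare_digest(acct.secret.encode(), presented.encode())
        self._audit("auth_ok" if ok else "auth_fail", name, "system")
        return ok

    def overdue(self):
        """Accounts whose secret is older than the rotation policy allows."""
        now = self._now()
        return sorted(n for n, a in self._accounts.items()
                      if now - a.rotated_at > ROTATION_INTERVAL)

    def rotate_overdue(self, actor="rotation-job"):
        """What a scheduled job would do: rotate everything past policy."""
        names = self.overdue()
        for n in names:
            self.rotate(n, actor)
        return names


if __name__ == "__main__":
    clock = ManualClock(datetime(2018, 1, 1, tzinfo=timezone.utc))
    vault = PrivilegedAccountVault(clock)
    vault.enrol("firewall-admin", actor="alice")
    vault.enrol("db-sa", actor="alice")
    clock.advance(timedelta(days=31))
    print("rotated:", vault.rotate_overdue())
    for event in vault.audit_log:
        print(event)
```

The two properties worth noting are that a secret handed out before rotation stops authenticating the moment the rotation job runs, and that the audit log records who checked out which account and when, which is what lets an investigator reconstruct lateral movement through privileged accounts after the fact.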
Once a password is hacked, the amount of data that criminals can access will surprise even the companies themselves.
Many of the problems Carson cites, including data breaches at some of the largest corporations in the world, have arisen because organisations have stored information for long periods, to the point that an organisation does not always know what information it holds on consumers or where that information is. Often it is then very hard for the organisation to work out what consumer data has been lost when a breach occurs.
“Historically many organisations have been taking backups of historical data to cope with issues that may arise, such as disaster recovery or to deal with threats to consumer data such as ransomware. The problem is that many companies have been doing that en masse and unstructured, keeping it for many years. Without a clear idea of what the company has and how long it should be kept for, it will be impossible to be compliant with the GDPR,” he said.
Another significant challenge that Carson sees is that many business-to-business companies, not used to being in a position where they are in control of large tranches of consumer data, are unwittingly drawn into an area that they have little experience of.
Carson cites data centres as an example — under the GDPR they are just as responsible as their clients, who actually collect consumers’ information, for securing the data effectively and handling it securely. As a result, if you run a data centre you had better be certain you know what type of information your customers are collecting, and how it was collected — business-to-business organisations will also need to be vigilant, knowing that they are only providing services for reputable and honest companies.
“Businesses need to understand the type of personal data that they are collecting/processing and identify how GDPR applies to them. Many businesses may not be directly collecting consumers’ personal data, but they may at some point in their supply chain,” he said.
It’s a complex and rapidly evolving environment. Carson has seen a lot of change in the data security industry since he began working in the area more than 20 years ago, in particular a significant shift in how ‘security’ is viewed within the industry; the GDPR is in many ways a logical progression for the industry. “Years ago you would have been doing security as a responsibility, not as a role. Now it is a full-time job keeping data and networks protected,” he said.