Defense-in-depth is a well-known concept in the field of cybersecurity. It was originally developed by the National Security Agency to provide multiple layers of protection against various types of attacks. While this approach is widely used in organizations, it requires adaptation to effectively safeguard against new threats and methods.
Data security is another important aspect of cybersecurity. With the increasing adoption of cloud technology for data storage, organizations face the challenge of protecting sensitive information stored on different platforms with varying control mechanisms. This complexity makes it crucial to employ new protection methods to ensure data is not compromised.
One critical aspect of defense-in-depth is the choice between risk reduction and threat detection. Risk reduction focuses on minimizing the attack surface by limiting access to sensitive data and preventing public exposure. On the other hand, threat detection involves identifying malicious activities such as data exfiltration or ransomware attacks. Both approaches are necessary for effective defense-in-depth.
However, this raises two important questions: why not choose just one approach, and what makes data security unique in the context of defense-in-depth?
Choosing only one approach, whether risk reduction or threat detection, is not sufficient for comprehensive cybersecurity. Trying to reduce risk to zero would involve severe limitations on storing and accessing sensitive data, hindering business operations. Zero risk is not an achievable goal in real-world scenarios.
On the other hand, solely focusing on threat detection would lead to an overwhelming number of alerts, making it difficult to respond effectively. Alert fatigue is already a significant challenge in cybersecurity, and inundating teams with alerts on unnecessary data access only exacerbates the problem.
The best approach is a combination of risk reduction and threat detection. Organizations should first aim to reduce risk to an acceptable level, which allows the business to operate without unnecessary exposure. This includes deleting inactive data, removing unneeded access, and validating encryption and backup policies. However, even with reduced risk, there is still a need for monitoring potential threats. Compromised credentials or insider threats can still lead to unauthorized access, and the risk picture itself drifts over time: data that was once valuable may become obsolete, and data that was once harmless may become sensitive.
Creating guardrails and closely monitoring activities within those boundaries are crucial. By understanding where risks are minimal and where they are necessary, organizations can focus their efforts on preventing threats more effectively. This may involve deploying additional security measures or prioritizing specific alerts for investigation. For example, if sensitive data has been removed from a particular location, it is essential to monitor that location for any potential data leaks or exfiltration attempts. Likewise, if a data team is situated in a specific geography, alerting should be in place for suspicious access attempts from other locations.
To illustrate this concept, consider the following examples:
– If sensitive data, such as social security numbers, is removed from non-essential services, continuous classification should be implemented. This ensures that any data leaks outside approved locations are promptly detected and addressed.
– When defining access policies based on the principle of least privilege, it is important to create distinct access policies for different types of data. For instance, European Union data should be removed from repositories located in the United States.
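The guardrail-plus-monitoring pattern described above, and the two examples just listed, can be expressed as a small amount of code: the guardrails are written down as data (which repositories may hold which data class, which region EU-tagged data may live in, which countries a team works from), one function re-classifies stored objects and flags anything outside its approved location, and another runs over access events and flags requests from outside a team's expected geography. This is an added illustration, not code from the original article or from any product it describes; the policy values, repository names, regions, SSN pattern, and the sample inventory and access log are all constructed for the example. It generalizes the two bullet points slightly by keying the approved-location and residency rules on arbitrary data classes and tags rather than only SSNs and EU data.

```python
"""Guardrails plus monitoring over constructed sample data.

Policy values, object names, regions and events below are constructed for
this example; they do not come from any real environment.
"""
import re
from dataclasses import dataclass, field

# Continuous classification: a deliberately simple detector for US SSNs.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Guardrails written down as data (constructed policy):
#  - SSNs may only live in "hr-vault"
#  - objects tagged EU may only be stored in the "eu-west-1" region
#  - members of "data-team" normally work from DE or FR
POLICY = {
    "approved_locations": {"SSN": {"hr-vault"}},
    "data_residency": {"EU": {"eu-west-1"}},
    "team_geography": {"data-team": {"DE", "FR"}},
}


@dataclass
class StoredObject:
    name: str
    location: str                            # logical repository / bucket
    region: str                              # physical region of that repository
    tags: set = field(default_factory=set)   # e.g. {"EU"}
    content: str = ""


@dataclass
class AccessEvent:
    principal: str
    team: str
    country: str       # geolocated source country of the request
    location: str      # repository accessed
    action: str


def classify(content):
    """Return the set of data classes found in a record."""
    labels = set()
    if SSN_RE.search(content):
        labels.add("SSN")
    return labels


def scan_objects(objects, policy=POLICY):
    """Risk-reduction check: flag data stored where the guardrails say it must not be."""
    findings = []
    for obj in objects:
        for label in classify(obj.content):
            allowed = policy["approved_locations"].get(label)
            if allowed is not None and obj.location not in allowed:
                findings.append(("data-outside-approved-location", obj.name,
                                 f"{label} found in {obj.location}"))
        for tag in obj.tags:
            allowed_regions = policy["data_residency"].get(tag)
            if allowed_regions is not None and obj.region not in allowed_regions:
                findings.append(("residency-violation", obj.name,
                                 f"{tag}-tagged data stored in {obj.region}"))
    return findings


def detect_suspicious_access(events, policy=POLICY):
    """Threat-detection check: access from outside a team's expected geography."""
    findings = []
    for ev in events:
        expected = policy["team_geography"].get(ev.team)
        if expected is not None and ev.country not in expected:
            findings.append(("out-of-geography-access", ev.principal,
                             f"{ev.action} on {ev.location} from {ev.country}"))
    return findings


# Constructed sample inventory and access log.
SAMPLE_OBJECTS = [
    StoredObject("payroll.csv", "hr-vault", "us-east-1", content="id,ssn\n1,123-45-6789"),
    StoredObject("debug-dump.txt", "analytics-scratch", "us-east-1",
                 content="user 987-65-4321 failed login"),
    StoredObject("eu-customers.parquet", "crm-archive", "us-east-1", tags={"EU"}),
    StoredObject("eu-orders.parquet", "crm-eu", "eu-west-1", tags={"EU"}),
]

SAMPLE_EVENTS = [
    AccessEvent("alice", "data-team", "DE", "analytics-scratch", "GetObject"),
    AccessEvent("alice", "data-team", "BR", "analytics-scratch", "GetObject"),
    AccessEvent("svc-backup", "platform", "US", "hr-vault", "ListObjects"),
]


def run():
    """Combine both checks into one list of findings."""
    return scan_objects(SAMPLE_OBJECTS) + detect_suspicious_access(SAMPLE_EVENTS)


if __name__ == "__main__":
    for kind, subject, detail in run():
        print(f"{kind:32} {subject:20} {detail}")
```

On the constructed data the scan reports the SSN that leaked into the scratch repository and the EU-tagged archive sitting in a US region, while the access check reports only the request from outside the team's geography; the request by the backup service is not flagged because no geography guardrail exists for its team. The point of keeping the policy as data is that the same rules drive both the risk-reduction scan and the detection logic, so the two stay in step as the guardrails change.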
A comprehensive data security approach should not focus solely on static configurations and controls. It should combine both risk reduction and threat detection, allowing them to complement each other. This approach ensures that organizations have a continuous and accurate understanding of the risks they face and can effectively respond to potential threats.
In conclusion, defense-in-depth remains a crucial approach to cybersecurity, but it requires adaptation to address evolving threats. Data security, particularly in the cloud, presents unique challenges that demand a combination of risk reduction and threat detection. By striking this balance, organizations can effectively safeguard their data and mitigate potential risks.
