Perfectionism and the Limits of Data Control

As sensitive data has moved beyond enterprise boundaries, the ability to control this data must transcend traditional enterprise access models.

By Kurt Roemer and Christian Reilly

Controlling the ever-growing amount of data and providing assurance of security, privacy and compliance is a never-ending quest for perfection – and who wouldn’t want to have perfect control over their most sensitive data? The problem is that the goal of achieving security perfectionism has some serious hidden implications and limits. This article explores contextually balancing risk, cost, and user experience to deliver the optimal level of security across highly dynamic access situations.

Data security challenges…

Today’s challenges in controlling data includes traditional enterprise access models, as well as new Consumerization and Industrialization models for access across IoT, cloud, BYO and mobile. The tightly controlled enterprise security model, which required end-to-end ownership and control, has been rendered obsolete by the speed of adoption and disruptive effects of these new paradigms.

Then along came consumerization to further challenge and bypass longstanding enterprise security policies, technologies and practices.

Traditional enterprise access models required a combination of secured endpoints, secured networks, secured datacenters, and all enabling technologies to be working in concert to provide an assumed level of trust. Connecting an “untrusted” endpoint, plugging into to the “wrong” network or moving an application workload to the cloud would obliterate security. In other words – everything had to work near perfectly or enterprise security failed.

Complementing these technology layers is an enterprise authentication model mostly oriented around a login event. If you provide all the credentials requested, including user id, password, passphrase, two-factor token, biometrics, certificates, smartcards, etc. your login is granted. And once you’re in, you’re in. All applications, files system access, rights and privileges, both inherited and shared with you, basically enable an All Access Pass, with few or no further access controls checked beyond those assigned at login. The ability to cut/copy/save/print or otherwise exfiltrate data is not further restricted based on your situation – or how that situation changes throughout your work week.

Similarly, traditional enterprise data control relies on a combination of physical control and encryption. Once the data hits the endpoint, the ability to track data movement is severely limited. Because data has to be unencrypted to be used and consumed, the promise of encryption is not as powerful as it otherwise could be. And, a loss of positive physical control could easily result in data loss, such as when a laptop, tablet, or smartphone is left in a taxi or left on an airplane. The location of sensitive data can only be estimated once data leaves the protection of servers and enterprise storage.

Sensitive business data has a complex and often unpredictable lifecycle. Managing the gap between perfection and reality is an IT responsibility and must not burden the endpoint.
Stan Black
Citrix Chief Security Officer

There must be a better way…

Reliance on traditional techniques that are no longer sufficient to address today’s challenges has resulted in all-too-familiar results: weekly reports of data theft, bulk exfiltration, breaches and their impact on business and privacy. There has to be a better model that reflects the reality of today’s dynamic threat landscape and prepares for further consumerization and industrialization of IT. Times have changed – and it’s time the enterprise access model evolves to reflect the way people are working - and how data must be protected at all costs across a broad range of situations.

Controlling enterprise data beyond enterprise boundaries requires new thinking and a new approach that leverages virtualization, containerization and secured networking, along with a contextual access model that is deeply situational aware.

  • Virtualization keeps sensitive data in the data center and off of unmanaged devices. Personal devices remain personal. And you never have to wonder where the data ended up, because it never hit the endpoint in the first place. Virtualization is a favorite technology for providing and proving regulatory compliance.
  • Containerization – When sensitive data must be securely mobilized, a containerized approach is preferred. In this way, the security of the hardware, operating system and individual applications is supplemented and extended by the security measures of the container. These measures include encrypted storage and usage, app-to-app data control and data wipe policies.
  • Secured Networking brings control over network and perimeter security even if you don’t own the networks and the data perimeter by enabling per-application VPNs, encrypting all traffic, providing for strong authentication across internal and external applications and implementing single sign on (SSO) for all applications using enterprise credentials. By making networking specific to the situation, applications and access requests, the days of the open, flat network upon login are in the past.
  • Contextual access – Access and control can be made even more powerful and effective in today’s threat environment be becoming deeply contextual. By making each access and transactional decision based on the “5W’s of Access (who, what, when, where, why)”, access is tailored to usage and data sensitivity. Policy requires less validation to check public information such as the weather, and requires more attestation and assurance for access to regulated sensitive data. Combined with virtualization and containerization, access is extended to the application and data levels, controlling individual app-to-app communications and whether data can be cut/copied/pasted/saved/emailed or otherwise exfiltrated. With these measures, the “All Access Pass” has been eliminated.

A better user experience…

The user experience is greatly enhanced with contextual access, as controls are applied at the time of need – not at the time of login – simplifying the login process and providing for strong security assurances only when they’re necessary to protect sensitive data and transactions.

Key Directives to protect data in the age of consumerization include the following requirements:

  1. Architect to support a mix of enterprise and consumer devices, apps, networks and services. The use of consumerization will only expand – especially with the Internet of Things.
  2. Further enable secured consumerization by implementing a BYO policy - and not just BYOD. Devices are only one aspect of the technology and services that are being brought into the workforce.
  3. Look beyond perfection and assume vulnerabilities, mistakes, and compromise constantly exist and challenge IT control. Design to this philosophy, dynamically tuning contextual access across ownership models, location, device characteristics and other elements unique to the risk situation.
  4. Ensure the organization understands the real reasons for security, by designing around security use cases – not around security technologies. Governance and compliance objectives that specify technologies often provide too low of a bar for security and make it hard to keep up with the use cases necessary to secure the business.
  5. Don’t transfer data to the endpoint unless absolutely necessary. Keep the data in the datacenter whenever possible. And when data must be mobilized, ensure it is protected in an enterprise-managed container.
  6. Don't design to the exception – design in the exception. All too often, security is weakened to support a “corner case”. Don’t forget to design in underserved use cases, as most policies that seem internal to the org also represent outsourcers, partners, customers, suppliers, and even those you exchange email with.
  7. Instead of assuming trust in endpoints, networks and users based on enterprise management models, verify the trust elements required for the situation. Policy should clearly result in a statement “what can this situation be trusted for?” with access granted/denied contextually. Trust has to be established – not assumed.

Approaching perfection in the control over sensitive data requires IT to transcend the enterprise access model. We’ve addressed the basics in this article – in future articles, we’ll get into more details of protecting sensitive data from being displayed, controlling email and thwarting screen scrapers and keystroke loggers.

Kurt Roemer
Chief Security Strategist


Christian Reilly
VP Chief Technology Officer Workspace Services