August 25 2020

Zero Trust or Insights-Based Trust: How can CISOs Enable Internal Data & Analytics Adoption

What do Snapchat and Managed Health Services of Indiana have in common? Both have been subjected to data breaches caused by insiders.

According to a Washington Post article at the time of the Snapchat breach, “The attacker pretended to be Snapchat chief executive Evan Spiegel and tricked an employee into emailing over the information...”

In the case of Managed Health Services, an article from HIPAA Journal reports “A phishing attack on a business associate of Managed Health Services has potentially resulted in the disclosure of some plan members PHI ... employees of LCP Transportation responded to phishing emails and provided the attacker with credentials that allowed their email accounts to be remotely accessed.”

With the drastic shift from in-office to at-home offices, how can CISOs trust that their sensitive data is secure from internal threats? No one wants to believe that a breach could come from one of their own employees, however, reports suggest >70% data breaches result from either malicious internal behavior or negligence on the part of your employees. In this new environment, is it better to adopt a Zero-Trust approach, or an Insights-Based Trust approach?

Zero Trust

According to a recent threat post article, A Practical Guide to Zero Trust Security, “ ‘Zero trust’ is a phrase first coined by John Kindervag of Forrester in 2010 to describe the need to move security leaders away from a failed perimeter-centric approach and guide them to a model that relies on continuous verification of trust across every device, user and application. It does this by pivoting from a “trust but verify” to “never trust, always verify” approach. In practice, this model considers all resources to be external and continuously verifies trust before granting only the required access.”

Taking the zero-trust approach means exactly what the name implies: you don’t trust anyone with access to sensitive information or data that could be harmful if released. Things like client files and PII data, access to the company’s cloud data warehouses where this information is housed, and more. While zero trust is an effective way to prevent internal breaches (if no one has access, then the information can’t be leaked), what impact does this have on your growth and culture? What security ops overheads are we talking about?

Let’s say that you are an eCommerce brand who had to move to a remote working environment because of the pandemic. Without employees and customer service representatives working in the office, you enacted a zero-trust approach and restricted access to things like customer’s addresses, phone numbers, email addresses, and important shopping information. You understand that someone needs to have access to these things in order to service the customers efficiently so you give one team lead the green light.

But with everyone working remotely, is this an efficient approach? Here is what the impact would look like on different teams:

  • Data Science: Your data scientists need access to certain data in order to understand buying behavior to build new features. Without the information they need, this could lengthen the timelines of projects, delay products releases, and more.
  • Marketing: Needs to understand which customer segments to target which can be difficult with limited access or having to constantly ask permission. Without access, you are asking your marketing team to create campaigns blindly, increasing the chances that they don’t target your customer base efficiently.
  • Customer Service: Customer service agents don’t typically have access to PII. However, if a customer calls and your agent doesn’t have access to the customer’s order history without special permissions, how can they service the customer effectively? Zero-trust will significantly impact the customer experience in this case.

Insights-based Trust

The Zero-Based Trust option doesn’t meet the needs of an evolving industry because it is far too limiting in its approach.

So, what should you do?

Dasera proposes that CISO’s adopt an Insights-Based Trust approach. What exactly is Insights-Based Trust? This means giving your insiders the access they need to do their jobs effectively, while still letting insiders know that malicious and careless behaviors are being automatically monitored and will have repercussions.

The key is utilizing a platform that automates the safe internal querying of consumer data. Querying can tell you how data is being used rather than who is accessing it. This will answer the questions that keep you up at night like:

  • Are the right people using the data, and most importantly, how are they using it?
  • Where are my sensitive data fields stored?
  • Who is being careless/malicious in their data use and have their managers been automatically notified for gross violations?

In a recent blog post about queries being the ground truth for risk, Dasera CTO Noah Johnson says,

“By monitoring the queries that run on sensitive consumer data, companies can ensure the data is used safely, responsibly, and only for its designated purpose. Query inspection also allows security teams to detect and respond to incidents quickly.”

With a solution that can help you proactively mitigate risks to foresee risky behavior and stay ahead of potential breaches, you can get the immediate results you are looking for without adding extra work for your teams.

The Verdict

In our Red Book of Insider Threats, Shaq Khan, CEO at Fortfire says:

“CISOs have to be torchbearers of a different way to think about security – one that leads with knowledge-based trust instead of championing zero trust. If anything, we have to move over to a world of 100% trust – trust in employees as well as trust in our monitoring, reporting, and remediation capabilities.”

Instead of sacrificing your customer experience and overall company culture, there is a way to preserve both employee and customer experience while keeping sensitive data secure. Utilize AI for your security measures to reduce risk in real-time by blocking and rewriting queries on the fly. Understand how queries are internally used and recognize potential risks before they become a breach.

To maximize the security measures that you already have in place while giving your employees the access they need to get the job done right, it’s important to have the right tools in place.

Dasera uses an award-winning, ML-assisted, query analysis engine to understand query behavior and the context of each query, rewriting them on the fly if a potential breach is detected.

Internal data use is growing and so is internal risk. Protect your company, contact us for a free demo today.