Protecting data at the source in the security industry is more challenging than it sounds. The source is ever-changing depending on the context of the data. For example, a security camera on the network's edge will be the source for the collected video feed, and sometimes, analytics run on the feed. The server will be the data source for changes or configurations pushed to the security device. Securing data at the source is complex and requires a complete understanding of the network and how the devices on that network are communicating.
When we introduce the cloud into the equation, it becomes a bit more complicated. The cloud presents a new source and a new destination for data that must also be secured. This article focuses first on the best practices for securing data in traditional on-premises deployments, then explores strategies to secure physical networks in hybrid cloud environments, ensuring a comprehensive approach to data protection in both settings.
Although this article will contain much information on protecting data at the source, it is not a comprehensive list. I highly recommend using an extensive list of controls when securing data at the source. My favorite resource is the NIST series. NIST 800-53 (SP 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | CSRC (nist.gov)) contains a robust list of controls for most environments, and the NIST 800-210 (NIST Publishes SP 800-210: AC Guidance for Cloud | CSRC) contains a list of controls for cloud deployment. In addition to NIST adherence, staff training is one of the most effective controls that any organization can deploy to secure data at the source. That way, staff members will know what to look for when securing environments and can implement best practices. DHS CISA offers many free training and resources for organizations to take advantage of - Cybersecurity Training & Exercises | CISA.
Securing Data at the Source in On-Premises Deployments
Traditional on-premises data centers remain fundamental to many organizations' IT infrastructure. Some customers prefer the speed and ownership that on-premises solutions offer. Just like in physical security, cyber security uses layers to adequately protect data and devices. Here, physical security, combined with network and system security, forms the foundation of data protection.
-
Device Hardening: Thinking of data at the source, it is paramount to harden the device. Here are some essential tips for hardening devices as much as possible:
- Check if the manufacturer has a device hardening guide; this will give most organizations a good idea of where to start securing data at the source.
- Ensure firmware and software is updated regularly.
- Enable strong passwords and ensure that default passwords are not used.
- Security, surveillance, and other IIoT (Industrial Internet of Things) systems should be a part of any organization’s password change management plan to ensure they are updated regularly.
- Disable unused service protocols and ports on devices. For example, if your organization is not using email for IIoT devices, there is no need to have SMTP enabled on the device. Turn off any service, port, or protocol that is not being specifically used.
- Disable depreciated protocols (i.e., SSL, TLS 1.1, SNMP v1, and HTTP) that are no longer supported and deemed insecure.
- Enable encryption of data at rest and data in transit (discussed in further detail under the encryption section).
- Enable secure boot mechanisms to ensure that the device boots using software known to be good. This prevents malicious software from loading during the device start-up process.
- Implement secure elements (SE) in IIoT devices to provide hardware-based security for storing sensitive data such as cryptographic keys, certificates, and authentication data. Secure elements offer a tamper-resistant environment, making it significantly more difficult for attackers to extract sensitive information or tamper with device operations. This is particularly crucial for devices that perform critical functions and need to maintain operational integrity and confidentiality of data.
- Network Security Measures: Deploy firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS) to monitor and protect the network perimeter. Segmentation of networks can limit potential breaches to isolated areas, reducing the overall impact on the data center.
- Firewalls are a barrier between trusted internal networks and untrusted external networks like the Internet. They are essential for controlling incoming and outgoing network traffic based on predetermined security rules. By filtering traffic, firewalls prevent unauthorized access to networked devices and protect sensitive data from external threats.
- Intrusion Detection Systems (IDS) are deployed within the network to detect unusual or suspicious activities by monitoring network traffic. IDS plays a critical role in identifying potential security breaches as they occur by alerting the system administrators to malicious activities. Their real-time network monitoring helps quickly identify and mitigate threats before they can spread or cause considerable damage.
- Intrusion Prevention Systems (IPS) are positioned to detect potential threats and prevent them by automatically responding to detected threats without human intervention. IPS enhances network security by actively preventing identified threats from exploiting vulnerabilities. They are critical in stopping attacks that manage to evade initial defenses like firewalls, thereby providing an additional layer of security.
- Network segmentation involves dividing a more extensive network into smaller, isolated networks. This can be done physically or virtually. Segmentation limits the spread of breaches by confining them to isolated areas of the network, thus minimizing the overall impact on the organization’s IT infrastructure. It significantly reduces the attack surface and helps enforce more granular security policies tailored to individual network segments' needs and security requirements.
- Data Encryption: Encrypting data at rest and in transit protects sensitive information from unauthorized access, even if other security measures fail. Utilizing strong encryption standards ensures that data remains secure, whether it is being accessed or transported.
- Encrypting Data at Rest refers to all data in storage that is not actively moving from device to device or network to network. Encrypting this data means converting it into a secure form that unauthorized users cannot interpret without the correct decryption key. Encrypting data at rest protects sensitive information from being accessed by unauthorized individuals during incidents like physical theft of hardware, unauthorized data access, or data breaches. This ensures that even if security measures like physical security fail or devices are compromised, the data remains secure and indecipherable to unauthorized entities. Data sitting on the IoT device (configuration information, video, images, credentials, etc.) should be encrypted using a FIPS-compliant encryption algorithm.
- Encrypting Data in Transit involves data moving across a network or between locations, such as during web browsing, file transfers, or streaming. Encryption of data in transit protects it from being intercepted by malicious actors during its transfer. That data must be encrypted using a FIPS-compliant encryption (Algorithm Validation Lists - Cryptographic Algorithm Validation Program (CAVP) (nist.rip)). This is crucial for maintaining the confidentiality and integrity of sensitive information as it moves between servers, devices, or users, thereby preventing data from being read or tampered with by attackers.
- Using Strong Encryption Standards such as AES (Advanced Encryption Standard) with adequate key lengths ensures the encryption's effectiveness against brute force attacks and other decryption attempts. Strong encryption standards are vital for ensuring that encrypted data remains secure over time, even as computational power increases and potential vulnerabilities in older encryption methods are discovered. They help organizations comply with industry regulations and standards, maintaining trust with customers and stakeholders regarding the security of their data.
- Regular Audits and Compliance: Security audits help identify and mitigate vulnerabilities. Compliance with standards such as ISO/IEC 27001 or SOC (Service Organization Control) for information security management ensures that best practices are followed, and security measures are continuously updated.
- Regular Security Audits involve systematically evaluating the security of a company's information system by measuring how well it conforms to a set of established criteria. This typically includes assessments of software, hardware, and procedural details. Regular security audits are crucial for identifying and mitigating vulnerabilities before they can be exploited. They help organizations understand their current security posture, reveal weaknesses in their systems, and provide recommendations for improvement. Audits also help to ensure that previous security measures are still effective against new threats.
- Compliance with Security Standards Security standards such as ISO/IEC 27001, SOC, PCI-DSS, HIPAA, and CMMC, which provide a framework for information security management, ensure that an organization follows internationally recognized best practices in information security. Compliance with these standards helps organizations maintain a robust security management practice. It enhances the trust of clients and stakeholders and ensures that the organization is legally compliant with international security regulations. This can prevent potential legal consequences and financial losses associated with data breaches.
- Continuous Update of Security Measures involves revising and enhancing security protocols, systems, and policies in response to new vulnerabilities and emerging threats. The landscape of cybersecurity threats evolves rapidly. Continuous updates to security measures ensure that an organization's defenses remain effective against the latest threats. This adaptive approach is crucial for defending against sophisticated cyber-attacks and mitigating the risk of data breaches.
- Backup and Disaster Recovery: Implement robust backup procedures and disaster recovery plans to ensure data integrity and availability. Regular testing of these plans is crucial to prepare for data loss scenarios.
- Robust Backup Procedures involve creating copies of data that can be restored if the original data is lost or corrupted. These backups should be made regularly and stored securely, onsite and offsite. Having robust backup procedures is critical for ensuring that data can be quickly recovered after incidents like data corruption, hardware failure, cyberattacks, or natural disasters. This resilience against data loss helps maintain business continuity, minimizes downtime, and protects against potential financial and reputational damage.
- Disaster Recovery Plans are comprehensive strategies that define how an organization will recover its IT infrastructure and operations after a severe disruption. This includes detailed processes and procedures for rapidly restoring systems, applications, and data. Implementing disaster recovery plans ensures that an organization can continue to operate or quickly resume mission-critical functions following a disruption. This is crucial for minimizing the impact on business operations, reducing the duration of severe disruption, and safeguarding against extensive losses.
- Regular Testing of Backup and Disaster Recovery Plans involves simulating various disaster scenarios to ensure that the backup systems and recovery procedures are practical and can be executed under stress. Regular testing is essential because it verifies the functionality and efficiency of the backup and recovery procedures and highlights improvement areas. This proactive approach helps organizations stay prepared for unforeseen events and ensures rapid recovery capabilities, thereby reducing the risk of data loss and operational downtime.
Transitioning to Hybrid Cloud Environments
As businesses adopt cloud technologies, securing physical networks and data in hybrid environments becomes critical. Here’s how organizations can safeguard their hybrid setups:
- Cloud Service Provider (CSP) Selection: Choose a CSP with a solid physical and network security track record. Ensure they comply with international security standards and regularly undergo independent audits.
- Cloud Access Security Broker (CASB): Implement CASB solutions to extend security policies from on-prem environments to the cloud. CASBs help monitor activity and enforce security policies across cloud services.
- Enhanced Data Security in the Cloud: Besides using the CSP’s encryption capabilities, manage your encryption keys where possible. Consider additional layers of security, such as tokenization, for sensitive data.
- Hybrid Network Security: Secure the data traffic between on-prem and cloud environments using VPNs or direct connect services to reduce exposure over public internet connections. Consistently apply security policies across both environments.
- Unified Security Management: Use centralized security management tools to maintain visibility and control over security policies, incident responses, and compliance across all environments. This approach helps detect and respond to threats swiftly and effectively.
- Educate and Train Staff: Regular staff training on the latest security threats and best practices is essential. An informed team can better manage and secure hybrid environments.
- Data Residency: Organizations must consider where their data resides. Is it located on a server on the organization's premises or in the cloud? If it is in the cloud, where are the data centers? Are they in the US or overseas? Many organizations have legal or compliance factors regulating where they can keep data. Every organization must know exactly where (physically) their data is stored.
Conclusion
Securing data at the source in traditional on-prem deployments requires a multi-layered approach that includes physical security, network protection, and strict access controls. As organizations transition to hybrid cloud models, they must extend these principles into the cloud, adapting to new challenges and leveraging advanced security tools cloud service providers offer. By implementing these best practices, businesses can ensure the security and integrity of their data across all platforms, safeguarding their most critical assets in an increasingly digital world.