With the proliferation of keyloggers, Trojans and other malware, it becomes progressively more difficult to ensure that data being used is safe.
In fact, it may not be possible to state that data in use is ever truly secure given that any company is also dependent on the end user and how trustworthy he or she is. So perhaps the first precaution that can be taken is to ensure that those that have access to the data actually need to access it.
It is also important to consider if a person does have access to data where can they access it from and how. If data is highly secure, then really it should never leave the secure location where it is stored, whether that is on-premise or in the cloud, no matter who might be asking or how convenient it might be.
This issue becomes more of a concern when employees are being encouraged to work from home or are tempted to do work from an unsecured machine.
So the first step is identifying the required privacy of data (data discovery and classification is a useful task in itself) and who is allowed access to that data. Then the appropriate access rights can be set up and procedures created on how that data is to be accessed.
Once the policy is in place, then technical solutions can be used to help enforce those policies. To that end, it is important that data protection is part of the work flow and that the user is largely unaware of it where possible. It should be part of what they do.
Full disk encryption (FDE) is a good first step and increasingly ‘invisible’ to the end user. Whilst this may be considered as data at rest, it should be noted that FDE encrypts swap space which is arguably data in use. Furthermore, it has to include all media. For instance, data copied to a USB must be just as encrypted as the hard disk of the desktop or laptop.
Another technical solution that provides protection for company data is the use of a virtual OS on USB sticks. This allows employees to plug this USB into any machine, have their familiar environment and still be private. This allows employees to use home machines that may also be used by their family and yet maintain complete separation from that platform.
Increasingly Data Leak Prevention (DLP) is being used to ensure that a foolish action is prevented from publicising sensitive data but this is a whole subject in itself.
Good gateway protection implementing defence in depth continues to be good policy for the company infrastructure. Locking down the user’s OS and keeping it and all applications patched with the latest and greatest releases is also key.
However, this frequently runs into issues where the danger of manufacturers introducing errors and hence vulnerabilities is contrasted with the vulnerabilities that are being patched. It requires an understanding of what is being patched, a process to test before production and a way to roll back if an error is discovered that cannot be accepted.
Another way of controlling the desktop environment is the application whitelisting where only known applications are permitted to run. This can impede productivity but if possible can go a long way to reduce the chance of malware and of inadvertent disclosure.
As ever, the deployment of defence in depth is best practice and some control at the gateway of a network is an extra precaution that is easy to deploy, manage and monitor. There also remains little alternative to good desktop security.
In the end, the security of data in use is about risk mitigation. However, with the current targeted attacks and the proliferation of zero day threats, the risk level is high. It is necessary that action is taken to implement the required precautions that reduce the risk to an acceptable level.
Cross-posted from Redscan