Vaultize sat down with Mike Lamberg of OpenLink Financial, a provider of technology solutions for the energy, metal, power and financial markets, to talk about the state of enterprise file security today.
As VP and CISO of OpenLink Financial, Lamberg leads the financial software vendor’s enterprise file security initiatives and its information security program.
Lamberg has worked in the IT field for more than 20 years and held a variety of related roles, including several years as vice president of information security for the New York Stock Exchange and its prior technology subsidiary, Securities Industry Automation Corporation (SIAC).
Vaultize: What are the biggest enterprise file security concerns for businesses today — particularly in the context of file sharing, access and collaboration?
Mike Lamberg: The biggest concern is confidential data loss and the loss of control over corporate information. Tracking who has access to confidential data is also important. The traditional network perimeter no longer exists; the environment in which your information lives and who has access to it is constantly expanding. The consumerization of technology has reduced the effectiveness of traditional network and information security methods.
Today, to hire quality technical people, you have to accept that they want (and often need) to have access to their own personal devices and tools in order to get their jobs done.
Vaultize: There has been a proliferation in the number of devices and access points people use to access information. Online tools like Dropbox, OneDrive and Google Drive are also being used more to share files and collaborate. What are your opinions on enterprises allowing employees to use consumer-level solutions to access, store and share enterprise files?
Mike Lamberg: The real problem with the technologies you mentioned is that control over the information, for the most part, is being left to the individual. These types of products become the basis for much of the “shadow IT” that goes on in the enterprise. It’s not that these products are “bad,” it’s that it’s very hard to apply corporate controls over the information that gets uploaded onto them.
Look at OneDrive for Business as an example. There’s nothing preventing someone from loading that application onto a personal device. Yes, I can lock the app down so that only a credentialed individual has the ability to utilize it, but at the end of the day, I have an individual running a cloud-based application on a personal device containing corporate data. Corporate IT does not have a lot of control over that situation. For these cloud-based services to be successful in the enterprise, corporate IT needs to be given more control than they’re currently provided. We’re not there yet. There’s still a lot of work that needs to be done in this area.
Vaultize: What can corporate IT departments do to retain or regain control over company information?
Mike Lamberg: The unrealistic response is to keep everything within your data center, don’t use public services, deploy data loss prevention (DLP) technologies on your network perimeter, tag or label all your information as “public,” “confidential,” “restricted,” etc., and then introduce ways that your email system is able to recognize these tags and only allow certain types of information to be sent. Also monitor and audit your data flows in your network environment.
But keep in mind that as soon as information leaves your corporate network environment, you’re going to run the risk of losing control over it.
If enterprise data is going out on your company-owned mobile devices, you could extend your corporate edge to those devices by forcing them to only communicate via a VPN back to your corporate edge. All communication, including internet, would need to pass through the corporate security protection layers offered by your enterprise network.
But when you start talking about personal devices, the situation could get confrontational due to the nature of an IT department wanting to exert control over the personal device in the name of protecting corporate data.
Vaultize: Is it shortsighted for IT teams to focus on protecting devices, rather than data and content?
Mike Lamberg: For devices owned by the company, it’s not shortsighted. You can control those devices through a variety of mobile device management (MDM) technologies available. But it may be a struggle for an individual to allow you to put an MDM suite on their personal device.
Ideally, every corporate end user should get issued a corporate-owned device that IT can control. But this isn’t the trend these days. Just from a cost-basis perspective, this scenario could be prohibitive for small to mid-sized companies.
Vaultize: Is there tension between IT departments wanting to protect and control data and end users wanting anywhere, anytime, any device access to the data they need?
Mike Lamberg: It’s definitely a problem for software and technology development shops. A developer wants the ability to use the tools that they are most comfortable with, which typically include open source and freeware projects and possibly cloud-based applications. Within an organization, you have to be very careful about the use of these products. Once again, the challenge for the IT team is the balance between control and productivity enablement. IT needs to be in control in order for it to meet security, compliance and regulatory requirements. IT needs to know and understand all the apps in the network environment and have visibility into everything that touches corporate data. This drives the need for all software tools to be vetted.
I actually see a lot of value in the use of open source tools. They tend to be feature-rich with many good capabilities as well as quick support for bug fixes. The big issue for IT is typically that the number of requests for approval to use a product far exceeds the IT department’s ability to manage the requests. How do we allow a developer to be productive by utilizing these products, yet still stay in control over what’s being brought in? IT and possibly legal need to ensure that none of this software has security issues or violates any licenses, contractual obligations, copyrights, etc. That’s the challenge.
Vaultize: How does data become compromised in an enterprise?
Mike Lamberg: Employees intentionally and unintentionally circumventing IT policies to get their jobs done faster or more efficiently probably makes up about 70 percent of the instances of data compromise. Mobile device loss or theft probably accounts for about 20 percent of the picture. Pure, illegal criminal activity is probably less than 10 percent. Most cyber attacks fall into two broad categories: directed, where someone is trying to do something specific; and opportunistic, where someone, via say a broad phishing campaign, just happens to get into a company’s network and decides to take a look around to see what they can find.
Vaultize: Where does data loss rank among the list of worries for the C-suite?
Mike Lamberg: That’s a hard question to answer. It depends on the type of company and the type of data needing protection. In a software development organization, they’re most concerned about their source code and other intellectual property. A service-oriented organization is probably more concerned about client information. The C-suite is concerned about information defining their corporate strategy. For any of these cases, if the data is compromised, significant reputational and financial harm could be the result.
Vaultize: Why don’t more organizations do more about data loss?
Mike Lamberg: Data loss and information security are now frequently discussed in boardrooms and at the C-suite level, but there needs to be more education on information security. There is still a preconception that the IT department will just handle everything related to cyber security issues. The staff think that if there’s a problem, IT will flag the issue and utilize its infrastructure tools to fix it. But technology doesn’t fix security problems alone. Technology helps, but dealing with information security concerns really comes down to the staff.
An organization’s staff is its greatest asset and could also be its greatest liability. It’s a matter of training. We need to train our teams in information security; this doesn’t mean making them security experts. Ensuring your staff have security “street smarts” in cyberspace is critical to the overall success of an organization in defending itself against cyber security issues.
Vaultize: Do regulated organizations need to think about information security differently than non-regulated ones?
Mike Lamberg: I don’t think there should be any difference between how you deal with security in a regulated organization versus a non-regulated one. The problems you are trying to protect against are exactly the same: you’ll suffer confidentiality, availability or integrity issues that will affect your business and possibly your customers.
Regardless of the type of organization, you should build a reasonable information security program that has a minimum of three major pillars:
First, build a solid awareness program to train your staff to understand security issues and the policies that need to be applied and supported by the organization.
Second, build an infrastructure that can, within reason, block the most common threats (i.e., use of firewalls, IDS, web proxies, etc.).
Third, have solid security monitoring of your network and application environment. If you don’t have the expertise or staff to do this, outsource to one of the many Managed Security Services Providers (MSSPs) out there.
Remember that bad things are always going to happen. The maturity of an organization is tested by how well it responds when a problem occurs. You need to have a well-documented security incident escalation plan. This allows you to deal with problems when they are small rather than wasting time allowing them to become big and out of control.