Description:
In our latest episode Michael Sampson, Senior Analyst, Osterman Industry Research discusses the recently published Zero Trust white paper. This podcast will cover the differences between infrastructure security and data security, which have been brought to the forefront over the last several years due to the rise in cyber attacks, ransomware and the newer, more dangerous extortionware variants. In this episode we also discuss the effects that COVID-19 has had on much of the remote workforce, which works with less secure technology capabilities than in-person offices.
Whitepaper
Why Zero Trust Is Important
This white paper reports on how organizations are deploying and planning to deploy a zero trust architecture. It offers direction to decision-makers and influencers on best practices and solutions to support the move to zero trust.
Speakers
Michael Sampson
Senior Research Analyst
Osterman Research
Michael is the Senior Research Analyst at Osterman Research, with broad interests in cybersecurity, data protection and information governance. Michael prepares survey reports and white papers for new projects, coordinating their completion through to publication.
Michael is the author of seven books on collaboration and user adoption, including Re-Imagining Productive Work with Office 365, User Adoption Strategies (2nd Edition), and Collaboration Roadmap.
Bill Tolson
VP of Global Compliance & eDiscovery
Archive360
Transcript:
Bill Tolson:
Welcome to The Information Management 360 Podcast from Archive360. This week's episode is titled Data Security for 2022 and Beyond. My name is Bill Tolson and I'm the vice president of compliance and e-discovery at Archive360. Joining me today is Michael Sampson, senior analyst at Osterman Research. Welcome, Michael.
Michael S.:
Hey, Bill. Thanks for having me.
Bill Tolson:
Sure. Looking forward to it. So again, like I said, joining me today is Michael, really to discuss the subject of security, mostly data security. We're getting into all kinds of things around infrastructure security, perimeter security, data security, and it's actually based off of an Osterman Research paper published late last year that I think Michael, you wrote, but I'd like to give you a chance to briefly describe Osterman Research, what the company does and is, and anything else you want to talk about.
Michael S.:
Awesome. Thank you. So Osterman Research is a market research and consulting firm. We focus on things like cybersecurity, data protection and information governance, and yes, the genesis for this call was very much a paper that we wrote last year based on a survey that Archive360 was part of around Zero Trust. But I'm sure, Bill, that there'll be other topics that we concentrate on in this call as well around data privacy and ransomware, and some of the other things that we do as part of our wheelhouse and so on.
Bill Tolson:
Absolutely. And just to remind everyone listening, the Osterman Research white paper that both Michael and I have mentioned centered on Zero Trust, but also on other security capabilities. The white paper is available from the Archive360 website resources page. So if you want to go download that for free, it's a very, very interesting paper on security, and I think most people will find it very illuminating.
Bill Tolson:
So to set the stage for this podcast, Michael, we're going to discuss security in general, but also focus on infrastructure security and data security and how they differ. Infrastructure and data security have really been pushed into focus over the last several years due to the rise in cyber attacks, ransomware and the newer, more dangerous extortionware variants, which are really interesting animals to talk about. To complicate matters, the COVID-19 pandemic pushed much of the workforce over the last two and a half years to working remotely with, generally speaking, less secure capabilities around the technology they have from their remote offices.
Bill Tolson:
Personally identifiable information has become a major target for cyber thieves to sell, actually to gather and to sell. Because of this, governments at both the country and state level have begun adopting data security and privacy regulations that, if violated, could put an organization out of business very quickly because of the potentially large fines and associated brand damage. We all remember the Target cyber hack. They didn't go out of business, but they suffered huge amounts of cost in trying to right that whole thing. The situation has rightly pushed data security privately onto the top of every company's priority list, hopefully. So Michael, I mentioned infrastructure security and data security; many people consider them the same. However, in reality, they're really not. Can you explain the differences between infrastructure and data security for our audience?
Michael S.:
Well, I can definitely give it a try. For me, infrastructure security is the things like, from an IT world, would be your servers in your data center and keeping those safe from people being able to compromise access to those and then leverage those IT assets for things other than what you actually want to do on them. So crypto miners, for example, are part of the attacks against infrastructure, where someone is able to deploy malware and then that downloads a crypto miner, that then uses up your processing cycles. If it's in the cloud, you're then paying your variable costs for cycles that you're not getting any benefits for, but all of that processing power is going to other things. Infrastructure is also commonly used in the sense of critical infrastructure. So things like roads, airports, fuel supplies, which we saw with the Colonial Pipeline ransomware attack, was that last year or the year before? I don't know. I think it was last year.
Michael S.:
And also JBS food supplies, agriculture, financial services. If you can knock those things off as a threat actor or a cyber criminal, you can very quickly bring a sector or an economy or a country to its knees. I'm not based in the U.S., but I heard that something like 45% of the fuel production or delivery capabilities on the East Coast of the U.S. was knocked out when Colonial Pipeline was taken offline and people couldn't buy gas, they can't get home, they can't get to work. And very, very quickly once tanks run dry in vehicles, no one goes anywhere because you can't, you're stranded. You can't leave home. You can't get back home.
Michael S.:
Data security on the other hand is about protecting the data elements themselves, the Word document that includes the business strategy for your organization, the CRM system that has the contact details for your customers and prospects. And you mentioned data privacy, that's something we probably will talk about later on, but that becomes an integral part of protecting those data-rich systems that include data that is newly covered by a growing array of data privacy regulations.
Michael S.:
Even just things like email contents, who you're talking with, the invoices that you're sending. If you are able to compromise an email account and you can start looking at how the financial processes in an organization work and who's responsible for sign-off, you can start slipping in as a threat actor or a cyber criminal some falsified invoices, or a change of bank account request. And that leads through to things like business email compromise, firms losing tens of dollars up to tens of millions of dollars when transactions go awry as a result of someone compromising all of that. I was curious a very big issue, and we can start with a conversation or a differentiation between infrastructure and data, but there's many ways of trying to approach this beast and this challenge.
Bill Tolson:
Yes, yes. In a simplistic way, I've read a lot of papers on this and I have seen a lot of so-called industry experts and I don't doubt that they are, but they equate infrastructure security with perimeter security. Basically, we're trying to stop bad actors from outside getting in and accessing our servers and information and things like that, which that makes a lot of sense. But then, like you referenced Michael, data security and we'll get into how that plays into Zero Trust in a bit, but data security even now, and how do you protect individual files with sensitive data in it?
Bill Tolson:
You're assuming that somebody will break through the perimeter and they almost always do because it's in the headlines all the time. So once they get by that, then how do you protect the individual sensitive data, even down to, besides protecting a file, maybe protecting a field within that file with encryption or anonymization or something like that. So we're getting into much more interesting capabilities that are needed when it comes to overall security for systems as well as individual data as well.
Bill Tolson:
And the data is one of the things that the extortionware goes after. They want to copy that data and then threaten to release it if you don't pay up, as well as encrypt all your other data. But it's one of those things where we've gone beyond having to worry about infrastructure security, which we absolutely do. And then also taking that next step and saying, "Okay, what data within our system do we need to protect even more?" And that's where companies and CISOs and all kinds of other people are spending a lot of mental cycles trying to figure that out, but cyber criminals will keep developing new ways to break into the corporate systems. So the industries have to keep working on how to stop them, but there's some really interesting tactics that continue to go on. So Michael, in your experience, what are the most popular ways cyber criminals are getting into corporate enterprises?
Michael S.:
Bill, I guess, it depends on what you define as most popular or how you play that out in terms of the next paragraphs below that. There's a view that the highest number of threats are most likely to come from inside the organization, from employees making mistakes, sending an unencrypted spreadsheet that's got customer data in it to a marketing firm outside, but mistakenly copying it to someone else who is also outside, because type-ahead addressing has not worked correctly. Or you have malicious insiders that are stealing data and selling it to others for their own profit.
Michael S.:
In terms of popularity, where the most threats come from in terms of, say, frequency or popularity, then we see phishing as a very common initial vector for trying to steal credentials to systems, and then be able to either maintain persistence in an email account. Or if the organization is using Microsoft 365, if you are able to phish someone's Exchange credentials, that's no longer just Exchange; that gives access to Teams and SharePoint and OneDrive and everything else that individual has access to, which creates a whole new set of vectors for looking around to find data that you can exfiltrate and ways that you are able as a threat actor or cyber criminal to unleash unpleasant outcomes on an organization in terms of highest cost impact.
Michael S.:
It's either a ransomware threat that is the most popular way for cyber criminals to gain funds, and with the emergence of double and triple ransomware designs, double and triple extortion designs around ransomware, we're seeing that becoming an increasingly devastating and challenging issue for organizations to deal with. Business email compromise is also listed up there as being a costly form of cyber crime. And we have a whole other report that we released, that Osterman released in January of this year around business email compromise and the lack of preparedness in organizational processes and technical protections to be able to protect against the unique attributes of business email compromise threats.
Michael S.:
And then in terms of popularity, the things that drive the most devastation would be ransomware. If someone's able to get into your system and spend a few weeks moving around and deploying a piece of code that will encrypt at some point in time, when a trigger is pulled by a threat actor, that becomes absolute devastation. And we see cyber criminals increasingly being strategic about when they release those things. For example, school districts often find ransomware efforts happen or begin just a couple of days before the new school year starts.
Michael S.:
And you've got a school district with 300, 400,000 students that are due to start in a couple of days. And particularly over the last couple of years where students have been learning from home. If the online school system is encrypted and no one can get access to it, you have 300 to 400,000 students going, "What do I do?" And their parents and guardians saying, "Now I'm really in trouble because I have other plans, I need to go to work, I've got this happening." So there's a whole lot of challenges around threat vectors for cyber threats.
Michael S.:
And I guess, the other thing that I'd say as well is that, although in legal terms and in insurance terms, things like ransomware are not classified as an act of war, it definitely feels like that. And when an organization concentrates on improving preparedness and protections in one area, we see cyber criminals year on year changing and morphing their tactics and their attacks in order to take advantage of areas that are less protected as organizations have concentrated on the issues that were more significant over the past 12 months.
Michael S.:
It's an ongoing issue. I don't know if you have COVID fatigue, Bill, just kind of over this, but I wouldn't be surprised that there are organizations that also have cybersecurity fatigue of just going, "I'm over this. I just have a business to run and I want to do things and I want my employees to be productive. And yet we have these threats and these incidents that are real and are costly and are threatening to undermine the viability of our organization and the ability for us to go to market in an effective, and productive, and profitable way for an organization." Or for a government to do the things that they need to do in the areas that they're responsible for.
Bill Tolson:
That's interesting. You mentioned phishing and I probably get three to six phishing emails per week now, and-
Michael S.:
You're a popular guy, Bill.
Bill Tolson:
Well, that's a downside of being on LinkedIn and things like that, but some of them are absolutely terrible with obvious mistakes in spelling and things like that. Or the email, a return email address is wildly off, but some of them are excellent. And you really have to be careful about that. And that's one of the things that I think many employees in all types of industries haven't been trained enough around: always question this. If there's a link, by the way, I've been getting text phishing or smishing attempts probably once a week now, and my wife gets two or three. It's weird, but over the last six months, it's really picked up and you just got to get to the point where you don't trust anybody.
Bill Tolson:
And that, obviously, has some downside to productivity and business and all kinds of things, but you got to do it if you don't want to cause your enterprises a real issue. But you mentioned ransomware, can you explain briefly what that is and how it happens and that kind of stuff?
Michael S.:
Just coming back to this email issue about the increase in phishing, I've been wanting to run a research program on restoring resilience to email with the idea that if we don't trust anyone, if email has become such an untrusted channel of communication, then given that so much business communication organization to organization happens through that channel, what are the approaches that organizations can do to try and restore resilience and trustworthiness to it? It's not a program that we have pushed ahead with at this point, but it's something that plays in the back of my head quite regularly, because I don't think it's good when every email that comes in, someone has to sit there and go, "Is this true? Is this someone I actually know? Is there a falseness in this?"
Michael S.:
That is, yes, there needs to be an awareness, but when the attacks become so believable and so frequent and so devastating, it's not a good look. It's not a good feel for a tool that we rely on so much. But in terms of ransomware, the general attack flow would be for a threat actor to find an entry point into a system, a server, a client device, a cloud service, and then be able to deploy a piece of code that will encrypt the data on that system at some point, when a trigger is pulled by the threat actor. The more systems that they're able to compromise and lay their traps on for a ransomware incident in the future, the greater the level of devastation that they can cause to an organization.
Michael S.:
So things like unsecured remote desktop ports have been a way for threat actors to get access to servers or machines, and then be able to deploy this waiting-to-be-executed ransomware code. Credential phishing is another way of being able to get access, ideally, to an administrator's details for servers to be able to then deploy those encrypts, detonate those at a very inconvenient time when no one wants to have to deal with it. And therefore, the likelihood of the firm just going, "All right, we'll pay the ransom so that we can get back to business," would be the highest.
Michael S.:
It feels really unfair to me when someone targets a public holiday in your country or my country or somewhere in Europe or just before Christmas or just before school starts. In many ways it's absolutely brilliant on the part of a threat actor, but it's absolutely devastating for organizations that have to face up to that happening. We talked about double, triple encryption and extortion designs. In the early days, there was just a single level of extortion, which was we have encrypted your data, pay us some money, or you won't be able to do anything. And for some organizations, particularly if they had backups, they were able to go, "No, we're good, thanks for nothing, but we'll restore from backup and we'll get back to business."
Michael S.:
As threat actors saw more and more organizations taking that path or in some jurisdictions it's against the law to pay ransom, so the threat actors would then step up to a double level of extortion. So first of all, before we detonate our encrypts, we are going to steal your data. And when we do detonate our encrypts, we'll say, you need to pay us one to restore your systems, but two also, so that we won't release or publish the information that we have, which causes things like data breach notifications and triggers some of these privacy and protection regulatory issues that are of increasing concern and commonality around the world.
Michael S.:
And then triple extortion is the, we've encrypted your data, but first of all, we've actually stolen your data. We've got your data, we've encrypted what we've left on your system. And now not only are we willing to publish it, but we're willing to sell it to the highest bidder, or in some cases we've seen threat actors using the details for people that have been caught up in the exfiltrated data. So if your details are in there, Bill, the actor rings you from a call center and says, "Hey, Bill, we've just nicked your data from the healthcare provider down the road. If you don't pay us a hundred bucks, we're going to publish your record. Ha ha, have a nice life."
Michael S.:
You then as an individual have to go, "It's not my fault, but they've got personal and sensitive data on me that I actually don't want to have out in the public sphere. And either I pay it or I run the risk that they do actually have something and they will release it."
Bill Tolson:
Looking at what you talked about, the third stage ransomware or extortion, where one of the tactics now is that the system will wait, the code will wait for some period of time. Could be weeks, could be months in certain cases as it's going through and looking for sensitive data and copying PII and that kind of stuff. But part of that now is it will go out throughout the system and even in the cloud accounts attached to it and look for backups and delete those backups. So the company can't do a restore.
Bill Tolson:
And in some cases, what we've suggested as somewhat of a defense is, number one, either air gap it, put it on a tape and take the tape out and put it in a box, which most people don't want to do anymore. Or you can programmatically air gap it by hopping the backup, maybe up to a cloud account like Azure or AWS, and writing it to an immutable storage tier so it can't be deleted.
Bill Tolson:
And in some cases, companies are even encrypting the backup so that it can't be opened and data be pulled out of it, but writing it to an immutable tier, storage tier, so it can't be deleted is one of the defenses that they're mentioning now. But the ransomware extortionware is, it's wild. I think, boy, I've read some, a lot of stuff about what the average fine is. I think it's like 4 million, not fine, the average payment is like $4 million at least in the U.S., maybe more, but it's been growing every year dramatically and-
Michael S.:
Well, it's such an effective way of getting money. It's so effective.
Bill Tolson:
You wonder it's growing. There was the famous case with the City of Atlanta years ago where they got hit and all their systems were taken down, encrypted and unusable, and they got the extortionware note or threat basically saying, "Pay us." I don't know, it was one or 200 grand in Bitcoin. It wasn't very much, I think, and the city turned it down. They said, "No, well, we're not going to pay." So they never got the encryption case. The city ended up spending 16 million to get somewhat back to the point they were, obviously, you didn't have cyber liability insurance or anything like that, but it's interesting, but it's also scary that this stuff can be out there and already be in the system.
Bill Tolson:
And like you say, copying data that they could go to do to the GDPR authorities in the EU and say, "Hey, we got all this data. We're going to release it from this company. You might want to shoot them with a couple of fines. And those fines for the GDPR are huge potentially." So you get to the point where what's the payback here? Should I pay the fine? Or should I pay the ransom?
Michael S.:
For the Atlanta situation, my understanding was the original Bitcoin demand was only 51 grand. And the estimate by the government to solve the problem was something like 2.6 million. So they started working down that path. But it took them 17 million to recover from that, which is a huge amount of money.
Bill Tolson:
Well, and the number of systems that were offline for a length of time, you said the employees weren't getting paid, the people who lived in the city couldn't pay their water bills, all kinds of stuff. It was wild.
Michael S.:
Absolutely. Sure. And you mentioned immutable backups for ransomware. And I think that it is an effective way of having the ability to restore and get back to business. In a single level ransomware design, it's a perfectly valid thing to do. We have backups on immutable storage. We're not going to pay you the ransom because we can restore it. But as soon as the threat actor moves to exfiltrating your data before they encrypt, while you can get over the encryption fact, you can't get over the exfiltration fact merely by using immutable backups; the actor still has your data. They can still call the GDPR authorities. They can still call the authorities in the U.S. that have privacy regulations. They can still call the end users and the individuals and the customers whose data has been caught up in that.
Michael S.:
Yes, from a systems perspective, you can get back to business. But if that data is still out there and released, then you face loss of customer trust, you face loss of corporate reputation, you face potentially going out of business as a result of these things.
Bill Tolson:
And that's absolutely true. Absolutely true. And we've been talking amongst, I'm an Archive360 and myself, a member of the Cybersecurity Tech Accord, which is a global group of companies that work with governments and the EU and the United Nations, all kinds of stuff around protecting PII and that kind of stuff. And for what you just mentioned, one of the defenses is you should always be encrypting personally identifiable information, no matter where it is. Almost nobody does that within their enterprises. But that is a possible way.
Bill Tolson:
And I've been recording podcasts on the Archive360 podcast channel and talking to, in the United States, state legislators who are working on privacy bills or have actually passed privacy bills that have become law. And one of the things I ask them is why doesn't your privacy bill or law stipulate that personally identifiable information should be encrypted while in transit and while at rest. And it's not like it's new technology, it's existed for a long time, and they don't have necessarily a very good answer, usually a political one. And I understand why they're saying this, but it's one of these things where they're saying, "Well, we need to take little steps to get these bills passed because there's a lot of people that will push against it, that will fight against it, especially industry. And we need to do it in little chunks so that in two years we can amend it and add something else and we can add encryption."
Bill Tolson:
But I have been pushing, and many, not just me, have been pushing that with ransomware and extortionware and cyber and all kinds of other stuff, PII should always be encrypted, and you can get into some pretty interesting technologies like field level encryption and secure multi-party computation and homomorphic encryption kinds of things. And we don't need to get into that here, and even as I talk to the state legislators and some subject matter experts, both in Europe and here, everybody thinks they're slowly going to move that way, but we're a ways off. So there are ways to get to it, but it needs, I think almost culturally, it needs to be done slower than probably I would like.
Michael S.:
It's interesting to me that the two technologies mentioned in GDPR are encryption and pseudonymization, which are different ways of protecting data. There's not a lot of other technology that is explicitly called out apart from the general catch-all phrase of make sure you have appropriate technical solutions in place. But if the data is encrypted and it's encrypted with strong ciphers, it means that if it is breached, then it's unusable and therefore it doesn't trigger a data breach notification requirement. It doesn't trigger the threat to your organization from loss of customer trust. It doesn't trigger the threat to an individual of the release of personal and confidential and sensitive health information.
Michael S.:
We actually just yesterday published a new report on privacy compliance and the United States status and progress in 2022, given the increase in state level privacy bills that are in progress, but also the three states that had them when we ran the survey, although we released the report yesterday, I see that Utah released something at the end as, but that was too late for us for the survey, but definitely respondents to the survey said that they are using data masking, encryption, pseudonymization, tokenization, those kinds of things through the data life cycle in transit and at rest use of those technologies are higher than in use.
Michael S.:
But there are systems, like you've mentioned, homomorphic encryption and pseudonymization and so on, that provide ways of protecting the data while it is being used by an employee. So that strong protections are enacted at all points through that data life cycle.
Bill Tolson:
Well, and the other technologies like field level encryption or secure multi-party computation, where you encrypt data fields and make them available to different parties so that they can't see the whole or they can't see what the other guys are seeing. And that's there. I'm heartened to hear you say that some of the people you're talking to say, "We're using encryption in transit and while at rest." And I think a lot of people use it in transit. I haven't seen many actually use it as they're storing data and I hope they are. And I hope they move that way because it is pretty straightforward.
Bill Tolson:
And like you mentioned, with the GDPR, at least it provides a benefit. It doesn't say you must encrypt PII, but it does say, like you mentioned, if the data's encrypted and you suffer a breach and obviously the encryption keys weren't accessible, then to the GDPR, a breach did not happen. And the breach notices don't trigger, which can be costly, obviously, and a big hit to a company's reputation. So at least GDPR did that. But the state in the United States, the state privacy laws do not, they all use almost exactly the same language and they all say you must use reasonable practices to ensure data is and so, and so, and so, and so.
Bill Tolson:
And it's like, well, any first year lawyer can get by the term reasonable. Who's determining that? How do the authorities basically enforce and go after somebody with the term reasonable, who determines reasonable? So it is one of those holes in the United States, especially, to where they need to really tighten up on that and really start demanding certain base level types of security practices.
Michael S.:
Yes, Bill, it makes me think actually of a report that we released last month on cybersecurity and financial services. And in South Africa, I think it was Standard Bank. The privacy regulation in South Africa says something like, if you have a data breach, you must notify regulators and individuals within a reasonable time. So Standard Bank discovered an issue. They took nine days to figure out what was going on. They then notified the regulator, and I guess, the customers as well, and the regulator fined them for taking a longer than reasonable amount of time; reasonable is not defined.
Michael S.:
To your point, if you have this loose language, it doesn't give the clarity that an organization needs. We're seeing now in the financial services sector, I think it's from April the first of this year, so what's that 13 days ago, the breach notification timeline is 36 hours. Once you have seen something and you know it, if you're a bank, if you're a credit union, if you're in that sector, if you're insurance, it may be insurance as well, I'm not entirely sure on that one, but definitely banks and other financial institutions directly have 36 hours to notify the regulators that something's happened. There's no muddiness with that.
Bill Tolson:
Wow. That's amazing. 36 hours. Wow.
Michael S.:
It means that there's a level of maturity and discipline that's required by an organization to be able to go, what has happened? What optics do we have to be able to see what data has been compromised? And we then need the organizational processes to spin up very quickly to go notify this person, notify this person, get PR organized, brief the CEO, tell the regulator, trigger these other things. It's a big job to be ready for that.
Bill Tolson:
Well, and that triggers one of my kind of pet peeves that I've been pushing for years now. And I think the privacy regulations, the bills, the laws that are being passed around the world, I think are starting to, but will eventually force companies to get a better idea of what data they actually have. Because if you get a DSR, data subject access request, which all the laws have some form of it, I can email company X and say, "What data do you have on me?" And they have to respond in some period of time, but they have to know what data they have on me. Not just, "Well, we think we have this." Or, "We think we have that." It's, what do they have?
Bill Tolson:
And that's the problem that I've seen, or I've been talking about for quite a while now, is: are companies managing all of their data, or are they only managing that stuff that they deem as records, which is anywhere from five to 10% of any amount of data within a company? 90 to 95% of the data, the company has absolutely no idea it's even there, sitting on laptops and workstations, on removable media and external hard disks. And if you get a request to say what data you have on me, but 90 to 95% of the data, you have no idea that's even there because individual employees have it, how can you respond to a request, much less a request of a right to be forgotten? I want you to delete all my data, and if you don't delete it, then you're looking at some possible large fines, especially in the EU with the GDPR.
Bill Tolson:
But the idea, I think we're quickly reaching, I'd like to get your opinion on this. I think we're quickly reaching a point where companies are going to have to get their arms around all of the data their employees are dealing with. Not just that relatively small amount that the enterprise collects, but the terabytes of data on my laptop and here and there. And with all the employees, that's going to be a huge cultural issue for employees. But I think with the privacy regulations, I think we have to get there.
Michael S.:
We did a survey and research paper last year on CPRA, the update in California. And as I said, we just released one on privacy compliance more broadly in the U.S. yesterday. And this idea of being able to discover and classify the data that you have: invariably, in the reports that we have done, we see very, very low maturity and adoption of tools for doing these things. For example, in the privacy compliance report that we released yesterday, figure 14 is called approaches for handling privacy regulations. And it asked respondents to indicate, for about 16 different issues, how well they were addressing the issues in their organization.
Michael S.:
So 66% of respondents said that they are addressing the control, "We control access to files with confidential or sensitive data." 66% said, we're doing that well or extremely well. And then there's about 16 other things. But the one at the very bottom of that, where only 33% of respondents said "We're doing this well," was "We maintain a real time or near real time data map of our data assets." And you've got 67% of organizations, therefore, that are saying we're doing an ineffective job at knowing what data we have, where it is, who's got it, if it's protected or not.
Michael S.:
And these underlying data disciplines are critically important to get right. Because if you don't know what data you have, then how do you protect it? And as you mentioned, DSAR, the right of access, we also asked in this most recent report, how effective are your abilities at delivering the data subject rights? Only 60% of organizations in the U.S. were able to say that they had effective or extremely effective ways of doing the right of access, but less than half were able to say they were able to have the same level of confidence for things like right of deletion or right of correction or right of data portability.
Michael S.:
It's not just in terms of the deletion one. If you contact my organization and say, "Hi, I want you to delete the data on me," it's not as simple as going, yes, I will delete it. Even if you do have a perfect classification of every instance where Bill is in our system and all of that, there are other provisos around whether I can delete or not, if there's contractual obligations, which mean that I have to hold onto that, but I can't actually enact the full right of deletion that you have asked me to do. If it's purely a consent issue, then maybe I have greater latitude to be able to do that. All of this requires a level of data maturity, a level of maturity with data disciplines that too few organizations currently have, and it's going to be a costly nightmare.
Bill Tolson:
I absolutely agree. And in those respondents that were saying 66% or whoever said, they're doing a decent job of managing all of their data, i.e. including PII. Did they really take into account all of the kind of free form data that they have no way to know about? Meaning, again, workstation data, laptop data, even smartphone data that is all corporate related and might have restricted information on it. And the problem is I think most corporations, most CISOs, most IT folks, when you ask them, "Do you manage all your data?" They're thinking about their enterprise, not that other stuff that has potentially all kinds of regulated data on it.
Michael S.:
One of the other questions that we asked in the survey that was just published yesterday was around what percentage of data are you able to classify? And only 16% were able to say that they could classify 100% of it. So what's there, 84%, are saying something less. 16% may be an overstatement as well, I don't know, but even if 16 is the top number, it's still a very small number. The other issue that I'm concerned about with the exercise of data rights is, how does an organization confirm or verify that the person asking for right of access is actually the individual whose data is implicated in that? Can I masquerade as you? Can I impersonate you in requesting access to your data, which then means that the organization is an unwitting willing participant in doing a data breach?
Michael S.:
And just in the news in the last couple of weeks, there was something around Apple and Meta, and various other tech companies, facing a very similar issue to this, where threat actors were using the emergency data request provisions, that do not require a judge to sign off on getting access to an individual's data, and were causing a data breach: that data on someone was being released and it wasn't covered, it wasn't the right thing for the tech company to do. So this is a big issue that's going to go forward. My comment in our papers is always something to the effect of, if you're only relying on a username and password for verifying a customer in order to allow them to exercise their data rights, you're asking for trouble.
Bill Tolson:
Absolutely agree. And on the subject of DSAR, I've written about that somewhat over the last couple months, and I've really positioned it in my opinions and in my writings as a potential huge problem companies are going to be facing, because I've run across some market research data from two very large market research firms. I'm not going to name them, but they came up with very, very close numbers. And the numbers around DSAR were, and this was in 2021 when only the CCPA, California's privacy bill, and the GDPR really were the two driving this, that the average number of DSARs, or data subject access requests, that overall companies were receiving was in the 147 per month range, which seems a little high to me, but it's probably higher in the EU, but it's starting to show up here, but 147 per month, and the average cost to respond to the DSAR was $1,400.
Bill Tolson:
So a total of $200,000 per month, just responding to these DSAR requests. And my comments were basically, and I just focused on the United States, as more of the states develop privacy laws, and they will all have the ability to query a company about that and do DSARs, how much are companies going to be spending in just responding to data subject access requests from 30, 40, 50 states, plus GDPR, plus Brazil, plus China, all these other ones? The cost could be huge. It could be in the millions of dollars per month, where they're having to hire very large departments just to respond to these things on an ongoing basis.
Michael S.:
In our CPRA survey and white paper that we published in December, we asked the question around how long, what's the average time that it takes for you to respond to a right to know, or right to have access, request. And the average across the respondents was 25.6 hours. And my comment in the paper is, at 25.6 hours, one full-time employee can process only one and a half requests per week. That's incredibly expensive.
Michael S.:
As soon as you're paying someone 50, 60, 70 plus overhead for the fully burdened cost for that, you'd be much more efficient to look to tools and technologies that will be able to go, "What data do we have? Where is it? How do we classify it? How do we pull together the package for this individual, but also, how do we ensure that the individual requesting this is the individual to whom it is appropriately related?" There's this whole challenge around identity and verification and making sure that all of that stuff is right as a fundamental first step before you even start handing out data, because otherwise, it just becomes a vector for data breach.
Bill Tolson:
Yes. And what we're starting to see now also is at least mention that DSARs are being used as an offensive weapon to do exactly that, and you inferred this: you could have bad actors putting in lots and lots of DSARs, just to cause a company all kinds of costs and things. We also, in the United States, we're starting to see some occurrences where DSARs are being used for e-discovery. It's not forbidden, but it's frowned upon by the legal system. So people are putting in a DSAR about, "What do you have on Bill Tolson? I want to see all the information," instead of going through the official e-discovery process.
Bill Tolson:
So this whole thing, companies, I feel sorry for them, because it's going to be hard to get your hands around. It's going to be hard to change corporate culture when it comes to this kind of data, and the costs I think are going to be monumental. And it's just, boy, I don't think too many people yet see that coming. Obviously, you wrote about it, I've written about it, but I think in a year or two from now, it's going to be an ongoing kind of major story about how these rights.
Bill Tolson:
And in the EU with the GDPR, they basically, they state that data privacy is a human right. And they get very serious about it, which I'm sure you know about, probably written about as well. So, Michael, we talked at the beginning of the podcast about the recent Osterman Research report you wrote on Zero Trust. Can you explain what a Zero Trust architecture or design is and how it helps secure sensitive data?
Michael S.:
Bill, you used the term perimeter, in perimeter security, also at the beginning of the time that we've had together today. And thanks for the opportunity to be here and talk through these issues. Probably the listeners could hear that these are issues that we're both really interested in and fascinated by, and it's things that we could talk about for a long time.
Michael S.:
So in terms of Zero Trust, the previous dominant model was a perimeter based one. If we can stop threats getting inside our organization, then everything inside the organization can just be treated as being safe and secure. And we can just be one happy family. However, we've seen things like credential stuffing attacks, where people use breached credentials to hack into systems, guest system details. We've got credential compromise through things like phishing attacks, which give threat actors and external parties access into systems and accounts.
Michael S.:
We've got malware that compromises devices and leaks and exfiltrates data. So perimeter security is a great idea in theory, but there's all of these new threats that are coming through that have diminished the effectiveness and efficacy of those protections. So Zero Trust says, rather than just looking at where the individual is located or the device is located inside the perimeter or outside of it, let's take a much more fine grained approach to figure out what access rights should be extended to any given request.
Michael S.:
And the fundamental idea is that you don't trust anyone at any point. So it's don't trust, but verify: we want to verify that the person who is requesting is the person that should have access to it. But in addition to that, there are other things like, can we look at the device that this request is coming from? Is it a device that's known to us, that we've seen before, that's managed? And if so, then we assign slightly higher points to that in deciding whether to grant access to it or not. Is the data that is being requested sensitive or confidential data? And in combination with the network that the individual is connecting to the organization over, in combination with things like the time of day, in combination with things like the average baseline behavior of this employee or the employee's peer group.
Michael S.:
Is this an appropriate request that is coming through based on all of those factors, and with a weighting across those factors, we either extend or don't extend the data, or we extend the data partially. One of the examples that's in our Zero Trust report is about an executive who's traveling who wants access to a document in SharePoint. So she's overseas, she's in a hotel, she's on hotel wifi, she's on a corporate device. So when she makes the request to get a particular document out of SharePoint, the Zero Trust approach would go, "We can see that the network is untrusted to us or is new to us. We can see that the device is managed. We can see that it is a valid user who's accessing this. And she has also passed the multifactor authentication prompt that we've given her."
Michael S.:
However, because there's some risky attributes to this request, we will only give read-only access in a browser to this. Alternatively, if the executive is in the office, on the corporate network, on a corporate device, during standard business hours, the executive would be given full [inaudible 00:48:35] access to that. So Zero Trust seeks to take into consideration and into account a whole lot of additional attributes about requests and characteristics before deciding whether or not to extend access to data. And by implication that increases or elevates the protections that are in place around sensitive data.
Bill Tolson:
That's really interesting. I've also heard it referred to as least privilege. And an interesting thing that I've written about here lately is that in the United States, first half of last year, President Biden put out an executive order, 14028, that is targeted at all federal agencies, not outside the federal government, but targeting all federal agencies, to say within a certain period of time, and it was relatively short, as I recall, we're talking 18 months or something like that.
Bill Tolson:
All federal agencies have to adopt Zero Trust designs and architectures. They have to adopt multifactor authentication. They have to adopt encryption very quickly and move to the cloud as part of that whole thing. And then they brought in NIST and the Department of Defense and all kinds of other parts to help create this new, much higher security enterprise system within government agencies, to start raising the security levels, which I thought was really interesting.
Bill Tolson:
And I've been trying to get more information as to whether the checkpoints have been met, those kinds of things, but it was, relatively for the government, a very short timeframe that the executive order was given. So Michael, the Osterman Research white paper on Zero Trust included a user survey, which I think you referred to a couple of times. Can you touch on some of the findings you saw in the survey that you thought, obviously, you thought it was all interesting, but in the time we have left, that you can at least highlight for people?
Michael S.:
Bill, it's been a little while since I've looked at the report, but I think it's something like 25 to 30 pages long. So it's a fair chunk of data that someone could sit down and go through. I think there's lots of charts in it and bullet points and so on to try and make it accessible and digestible. One of the early questions that we asked in the survey, and that we report in the paper, was around why organizations are embracing Zero Trust. Things like high profile ransomware incidents like Colonial Pipeline that we've talked about, or JBS or [inaudible 00:51:04].
Michael S.:
Now that was the most significant issue that was driving the intent and decision to go after Zero Trust. Not surprisingly, the work from home workforce was the second highest issue or trend that was driving that, given the rapid pivot that everyone suddenly had to deal with in managing a remote workforce, over insecure networks and insecure devices and unmanaged devices and access at all times of the day, as people suddenly had to try and manage childcare and homeschooling or schooling at home, and also working from home under really difficult situations across the world. People having to work and school out of homes and apartments that had not been provisioned for that purpose. And then there's a bunch of other things that were driving that.
Michael S.:
We also asked around where organizations were focusing their design modifications, and sorting out identity and access management was the top ranked issue of focus, with 73% of organizations saying that this is the key design point that they were focused on. Application access management was another issue. Dealing with who has access to what in applications, as organizations embrace a multi-cloud world, is a growing challenge. And then there's a bunch of other things around dealing with supply chain partners and external parties and customers and so on.
Michael S.:
Disappointingly for me, the issues around data classification and flow management, as we've talked about already, were the fifth and sixth issues or design modifications that were on that chart. And we've talked already that if you don't have your hands around your data, then it's very difficult to be able to protect that in an appropriate way. So if I put my rose-tinted glasses on and give you my best interpretation of it, in the best case scenario, it looks to me like organizations are dealing with and addressing in the immediate short term issues that should have been dealt with a long time ago around identity and access management and tightening up application access.
Michael S.:
And I hope that when those issues are more fully resolved, organizations will then pivot to these more fundamental disciplines around what data do we have, how do we manage it, how do we make sure that it doesn't move out of compliance merely because someone in a department has spun up an unsanctioned cloud storage account and has put data on there, and the account or the infrastructure is misconfigured from an access point of view so that people can get in, or there's a vulnerability in it so that people who should not have access do have access. I really hope that that becomes an issue that is addressed better in the days to come. So, there's a couple of data points, but there's a lot of stuff in that report.
Bill Tolson:
No, like you say, it's an extremely full report that touches on a lot of subjects that you've been talking about, a lot more than we have time for here. So I want to remind our listeners that this Osterman Research white paper on Zero Trust can be downloaded from the Archive360 website on the resources page for free. So for those of you who want to dig deeper into the data that Michael is talking about, and like I say, the survey, the charts and graphs and the outcomes and stuff like that are just absolutely fantastic. So please go to the Archive360 website and download it. And I think you'll be really, really satisfied with it.
Bill Tolson:
So, Michael, I know we've reached the end here. So that wraps up this edition of The Information Management 360 Podcast. I want to thank you specifically for this insightful and important discussion today on the very important subject of Zero Trust for data security and data privacy. I learned a lot, I had a lot of fun and I thought it was just absolutely fantastic. If anyone has questions on this topic or would like to talk to a subject matter expert, please send an email mentioning this podcast to info, I-N-F-O, @archive360.com or you can send an email to me. My email address is bill.tolson, T-O-L-S-O-N, @archive360.com. And we'll get back to you just as soon as possible. You can also email Michael directly at Osterman Research at Michael, M-I-C-H-A-E-L, dot Sampson, S-A-M-P-S-O-N, @ostermanresearch, all one word .com.
Bill Tolson:
Also check back at the Archive360 resources page for new podcasts with leading industry experts, and legislators in a lot of cases, on a regular basis. In fact, we'll be publishing a podcast within the next week or so that we recorded last week with the author of the recently passed Utah Consumer Privacy Act, Utah State Senator Cullimore, a really interesting discussion. He basically drove the adoption of the Utah law, which was just passed, I think last week or the week before, making it the fourth U.S. state to adopt one. By the way, real quick fact, within the first two months of 2022, just within the various, the 50 state legislatures, there were 33 privacy bills introduced from approximately 17 states. So it's, obviously, picking up, and it's going to be really interesting to follow. So check back with us, but again, thanks, Michael. It was fantastic. And really appreciate you taking the time to do this.
Michael S.:
And in terms of having so many state level privacy bills, hopefully we could get a federal regulation, because this just becomes a nightmare for organizations to deal with, and a more consistent and coherent and harmonized approach, as Europe has set an example for the world on how you do this across 28 member states, would be a great thing to see coming out of your federal government.
Bill Tolson:
And by the way, that's a question I asked all of the state senators, and none of them think that our Congress, our federal Congress, is going to get their act together anytime in the near future, possibly three or four years from now. But bottom line is, they need to put out a federal privacy law that supersedes the state laws, so that companies have one law to be compliant with, at least in the states, versus 51. So it's going to be very interesting, but on the federal side, it's not going to happen quickly. So we'll keep everybody up to date on that. But again, thanks, Michael. It's been great.
Michael S.:
Thanks, Bill.