by Peter Fell
Posted on July 14, 2022
Customer protection and data security regulations vary significantly across industries and compliance requirements vary with them. Rigorously controlling sensitive data and safeguarding it against misuse, exposure and exfiltration, however, is a baseline requirement for virtually all industries – healthcare, financial services, education, utilities and many more.
Compliance has never been simple but today it is more complex than ever before. The pace at which regulations are issued and updated has vastly accelerated, spurred by well-publicised cyber breaches and data leaks. In this work-from-home era, the increase in outsourcing and remote work, spurred by financial savings and simplified staffing, have made compliance even more complex. Numerous breaches have been traced to remote employees and 3rd party workers, who often access organisation resources and apps via their unmanaged personal devices.
Faced with the risks, IT and security professionals strongly prefer to lock everything down. Ideally, to bring users back to the office. Failing that, they’d opt for access to be limited to managed devices. The business side of most organisations, however, is adamantly in favour of maintaining the flexibility and cost savings associated with remote access and allowing access from all users from anywhere, so that the business can continue without these barriers.
These conflicting positions and trends put compliance professionals in a tough spot. Regulations are being strengthened, business practices are growing more inherently risky, and the fragmentation of the application environment, combined with the shortage of cybersecurity professionals and acceleration of update/patch cycles, makes compliance ever more difficult to achieve and maintain.
With organisations increasingly moving to cloud operations, the ease with which corporate apps can be used from anywhere, on any device, has increased exponentially and along with it, the pressure on compliance teams. Whether the unmanaged endpoints are BYOD devices used by employees or laptops used by 3rd party or gig workers, without device-based controls, it’s a significant challenge to enforce essential elements of compliance:
Without controls on a user’s device, sensitive data from apps – even those requiring strong authentication – may be downloaded and stored on the device, in clear violation of regulations governing industries such as healthcare and financial services. Unmanaged devices may be infected with malware that enables a threat actor to exfiltrate data from enterprise or SaaS apps. Or malware on an unmanaged user device may be uploaded to an app when the user connects. In a recently exposed example, an Office 365 flaw could allow a logged-in user’s web session to be hijacked, enabling threat actors to change SharePoint settings and encrypt files in a ransomware attack.
While in-app controls may address some of these issues, procedures for promptly updating policies and patching apps are notoriously lacking or weak in most organisations. Moreover, the web application firewalls (WAFs) that organisations depend on to keep their apps safe have proven to be insufficient for the task. Recent studies by organisations like Ponemon Institute have found that organisations are frustrated with their WAFs, citing the large numbers of false positives they generate while failing to issue alerts for the many actual attacks.
To adequately address the operational, financial, security and compliance needs of modern distributed organisations, compliance professionals and the security staff that support them need to:
Because unmanaged devices cannot be trusted, a Zero Trust approach is essential when considering a secure way to enable access to apps and internal resources. That means that rather than trying to ascertain whether an unmanaged device is safe enough to allow its user to access sensitive information, access modalities should ensure that data and apps are protected despite the assumption that the device is NOT safe.
Ericom Web Application Isolation (WAI) works on that precise principle. It airgaps untrusted devices from corporate applications, including private web apps and public SaaS apps like Office 365 and Salesforce. Users view and interact with applications through application isolation, delivered via the ZTEdge Global Cloud. Granular, policy-based controls protect sensitive data by restricting uploads, downloads, copying and pasting, printing and other functions, while affording each user the access they need to accomplish their tasks. Additionally, applications are effectively turned “dark” to anybody who is not accessing them through the ZTEdge platform. This dramatically reduces the application’s attack surface, securing them from data-loss vulnerabilities like those included in the OWASP Top 10.
With WAI, organisations can allow trusted users to connect via untrusted devices yet maintain critical control of corporate apps and sensitive data, with audit trails to verify data security compliance. Discover how ZTEdge isolation-based solutions addresses the complex compliance challenges of today’s distributed business environments. Contact us for a demo today.
The FBI-led takedown of Qakbot was an operation that involved seven countries. Malware was removed from 700,000 computers. But don’t think all that makes you safe.
Generative AI empowers its users to work fast, better and more efficiently. Alas, this includes cybercriminals, who are using malicious GenAI platforms to accelerate zero-day exploit creation.
Cybercriminals love the multiplier effect they get from attacking law firms: Hack in, and they get firm data PLUS juicy confidential client info.