Of 700 IT security decision-makers surveyed, only 27 percent
indicated that their enterprises block privileged user access to sensitive
data. This is a major finding of the 2013 Insider Threat Report, which data security firm Vormetric conducted in partnership with Enterprise Strategy Group.
To learn more about the survey and the data-centric view of
IT security, TechRepublic had a conversation with Vormetric CSO Sol Cates. One interesting facet of his resume: Sol
worked in the government intelligence community for 10 years, living in the DC
Mr. Cates stressed again and again the threat of the
“insider” in moving from perimeter-based security to a data-centric posture.
Toward the end of our conversation he said:
our perspective we’ve seen many different threats to data, many different
factors to it. I think the one that is being skipped over and over again is the
insider, because it usually comes down to a question of trust. But it’s not so
much trust of the individual, but trust of the architecture that you have
built. Do you trust how your users interact with your data, how they manage the
data, and can those become compromised and used against you?
metaphor: perimeter defenses only keep “rats” on the outside. Your data is
going rogue: who is watching the watchers?
perimeter defenses: the data cannot protect itself
security: layers of protection closer to the data
need to think about the concept of privileged access—this is what malicious
attackers are after
phases to data security: discovering data, finding it, and protecting it
of spend is still going to the perimeter layer
posture: which individuals actually need to see the data?
do not need to see sensitive information to do their job
information access inside your enterprise reduces your attack surface
TechRepublic: Could you provide an introduction to
Sol Cates: The company has been around for about 12 years.
The technology we originally designed was really for encrypting data at rest,
and we went out to the marketplace. We got some feedback from some larger
organizations both in the government and in the financial service sector. They
said, encryption is great but that’s not really the risk that I am worried
about. They asked, could you find a way to stop privileged users inside my
infrastructure from actually seeing my information? Such as my system
administrators, DBAs, storage admins and so forth. Could you find a way to
actually prevent them from seeing my information but still let them do their
So that’s what we then set out to design—a technology that
allows us to blind the infrastructure from information, whether it’s PCI data,
healthcare data, an Excel spreadsheet, it doesn’t really matter. If it’s your
policy, you should say who should see this information and under
what conditions—what applications, what business processes, what business
users? What need do they have to see that information? So it’s really a
data-centric approach to protecting the data and making sure of appropriate
usage, including the removal of privileged users, to determine who actually
sees that information within the infrastructure.
To wind that back to the Insider Threat survey that we just recently released, the
privileged users are really a piece of that. So there are really two parts to
the insider threats and risk that people can see. One is the intended user
doing something bad. So this could be somebody interacting with the information
maliciously, or accidentally, such as a call center operator or somebody who’s
got access to detailed or sensitive information. And that’s one part of the
risk, but usually it’s pretty heavily looked at. So auditing, application
layer, and so on—people feel pretty good at putting some margin of control
But the other part of this discussion is: who is watching
the watchers? Which users actually set up all those controls and actually
govern the environment? Not only can admins and DBAs go rogue, as we saw with
Edward Snowden, but also they are a big target. How do I get information
without setting off a lot of alarms? I would go to the privileged user who set
it up and has access inside all of the platforms.
One of the things we saw with the survey is that there are
two parts to the entire threat. One is the end user or non-technical employee
doing something nefarious. Or it could be your contractors, privileged users,
or administrators—whether they go rogue or become compromised.
TechRepublic: Pretend that I am a CSO, and I come to you and
I say hey—I read the press release about your Insider Threat Report. What do I need to know about
data-centric security strategies?
Sol Cates: The old way of protecting data was putting more
firewalls and perimeter defenses around the data. The problem is the data cannot
protect itself, and those tools were never designed to protect the data. The
firewall will not stop data from leaving the environment if it is allowed to do
so through whatever protocol that permits it. So all of these types of
perimeter defenses were never designed to protect the data. The data has no
mechanism for protecting itself.
So the data-centric approach is where you start to put that
layer of the perimeter closer and closer to the data itself. Inside your
applications, inside your databases, inside your network shares, wherever data
reside inside your environment. You’ve got to put the layers closer to the data
itself. It’s like taking the M&M model that we’ve been using for so many
years—it’s crunchy on the outside and chewy on the inside. Put the crunchy part
around the data and layers on top of that to make it a proper chocolate model.
TechRepublic: M&Ms, OK! (laughs)
Sol Cates: The data is the target, so you need to put layers
closer to the data. You not only limit use of data to appropriate users but
also prevent malicious use of data, by preventing the privileged users from
seeing the information. People who are cloud providers—you are leveraging their
infrastructure, their infrastructure management. How can you prevent them from
seeing your information yet still consume those infrastructure services and
benefit from what they have to offer?
At the end of the day, the data-centric model is really
about putting layers of controls closer to the data, not relying solely on
protection at the perimeter layer.
TechRepublic: Let’s say I am still that CSO—we are still
relying on perimeter-based approaches, and why is that not enough these days?
Sol Cates: What’s interesting, a little over 54 or 56
percent of what is spent, if I remember correctly, is going to perimeter
defenses. They were never designed to protect the data, only the network and
the assets. So from a design perspective, they were really there for making
sure appropriate connections and appropriate protocols worked in exchange between
different sites and users. Never were they designed to protect the data itself.
So I think from a spend perspective people are starting to shift a little bit
towards data security, which is good. But there is going to be a shift for a
while. If you had to go out and protect sensitive information for your
organization, would you just put more firewalls around the information, or
would you find ways to actually protect the data itself? We are so used to the
perimeter approach, and I think it is starting to shift.
TechRepublic: Based on the survey and your experience, how
far are companies into that process? What are your respondents saying about the
shift to a data-centric approach?
Sol Cates: There is still a lot of spend going towards the
perimeter. One of the parts I saw from the survey was pretty interesting—73
percent of the respondents that we surveyed are not blocking their privileged
users. If you do then they don’t get to see your sensitive data. So 73 percent
haven’t heard anything about that yet, let alone looking into things like
encryption or tokenization. There are different techniques that help combat
this. A big portion is putting controls around their data itself, and the
people who administer it.
The insider going bad, that’s a piece of it. But bad actors on
the outside want to become the insider. And who’s the most attractive target?
Is it the secretary, or is it the administrator that manages your databases?
It’s not so much the individual. It’s the concept of the account itself, the process
or the privilege itself, not the individual, that you need to worry about.
TechRepublic: What sort of threats are coming from malicious
insiders? What do IT security departments need to be planning for?
Sol Cates: There are really three phases to it. First off,
is the discovery. Usually when you’ve got data, unless it’s regulated, you
probably haven’t gone through a discovery process yet. What’s considered
sensitive? What does need to be protected?
The second phase is finding it, and a key problem for a lot
of organizations is that it’s everywhere. They’ve gone through mergers and
acquisitions, rapid growth and so forth. So finding all the pieces that are
considered sensitive—how do you do that quickly?
The third part is actually protecting it. From this
perspective, what are the risks to the data? There are multiple layers. If you
look inside the traditional architecture, there are five layers of data access.
One is storage, which is physical in nature. You access the physical media. One
is operating systems, because everything runs on an operating system, whether
you’re SAP or an Excel spreadsheet. Then you’ve got your database, and your
application tier, and on top of that is your network connection.
The majority of the spend is still going to the endpoint or
perimeter layer. They are not focusing on the other layers, where your data is
actually designed, consumed and produced. So you’ve got to look at all those
layers and put counter-measures in for each one. You’ve got to look at all
those different layers, because as you do that, you reduce your attack surface
TechRepublic: How does an enterprise actually respond to
these insider threats?
Sol Cates: As you go through the discovery and actually
classify your information and find where it is, once you identify it, you need
to start taking a posture of, should individuals see the information? Which
individuals for various reasons should see the information? Once you start
getting pretty granular into business owners and business users, it gets pretty
complicated, because there are so many different types of business users for
There are two that are pretty easy to establish early on.
One is, should a database administrator, the person who runs the
infrastructure, ever see your sensitive data? The answer from the survey is no.
Do they actually need to see the data inside the database to do their job? We
assert no. Right there, you reduce a big part of your attack surface, because
right then your operating system and database layers are rendered useless to an
attacker or an insider. They just don’t have access to the information any
more. They can run the infrastructure and not see the content.
And then you can focus on the business line user or process
user that needs to see data for their job. So that’s where you need to do the
classification. Do you need to see the data to do your job, or do you not? If
you can limit the people who don’t need to see it, because they are in
administration, we highly recommend that. You can reduce your attack surface,
and then focus on the business users who do need to see the data to complete
TechRepublic: Who do you believe stands to benefit from
reading the Insider Threat Report?
Sol Cates: The people we actually surveyed were a little
over 80 percent Fortune 1000, larger enterprises, and the majority were
The people who can benefit from this would primarily be
larger organizations that have multiple touchpoints and have lots of data. It
is the larger organizations that are wrestling with this the most, because they
have lots of data, they have lots of systems, and lots of individuals in
business and administration that actually interact with the data. They see that
they’ll get a lot from it. The paradigm shift that I think needs to happen is
that we have to move our resources away from chasing the rats, and start
protecting the cheese. Those larger organizations understand that a little bit
can learn more about Vormetric at their company site.