Share this article on:
Breaking news and updates daily. Subscribe to our Newsletter
As the AUKUS deal exposes nations to new cyber security threats, a data security specialist says providing context-driven access to data is critical in an organisation.
Ahead of the inaugural Cyber Security Summit 2023, Tony Howell, global chief architect, defence and intelligence at archTIS, said most threat actors are seeking to access and disrupt data.
“Data is the new oil. It’s the lifeblood of how we run our economy, as well as defence and military capabilities. It’s prolific,” Mr Howell told Cyber Security Connect.
His comments preceded the Cyber Security Summit in June, where he and a panel of speakers will unpack what enterprise security is and why it matters, and how organisations could roll out a strategy that protects data while aligning with its goals.
ArchTIS specialises in data-centric security, which leverages the zero-trust architecture, a security model that assumes that no party is verified or can be trusted at any point.
This means that instead of implementing a set-and-forget security system, everyone and everything must be verified continuously before access is granted.
“The reality of traditional access control models is that they generally have set-and-forget type controls, which means it’s defined upfront what policies apply for access. The information is typically classified or categorised and then it meets that rule, which is sticky for the life of the object,” Mr Howell said.
Conversely, data-centric policies adapt over the life cycle of the data as its risk profile evolves from creation to retirement and disposal.
“For example, in defence, when a new report is released from the field of an ongoing mission, it’s highly sensitive or top secret,” Mr Howell said.
“But five years after the fact, that sensitivity is likely to be greatly diminished. As such, the controls on day one are going to look different to five years later.”
Types of threats to watch
Ongoing monitoring is essential amid growing cyber security threats, particularly in defence, according to Mr Howell.
While the more traditional threat actors are foreign state actors that engage in espionage, emerging threats could risk exposing secrets of the AUKUS submarine deal that Australia has agreed to (a deal that could cost up to $368 billion by the 2050s).
Issue-motivated groups like terrorist organisations also pose threats, alongside groups in the nuclear space, including those with environmental or proliferation of nuclear threat concerns.
“Another segment is non-traditional or asymmetrical threats such as commercial espionage where there is intellectual property,” Mr Howell explained.
“This could include multinationals or foreign national entities, or commercial entities trying to steal designs of chips and guns for either a commercial or national advantage.”
Why is data-centric security the way to go?
Implementing a data-centric security framework that focuses on data could combat these threats, including where data is located and how it is being accessed and used.
The framework helps organisations see what data is collected, stored, accessed, moved, shared, modified, and removed.
Within this data-centric security framework is the term zero-trust architecture, which requires all users and processes to verify their identity at all times before accessing secured data or resources.
The National Institute of Standards and Technology (NIST) has defined the zero-trust architecture model as “an evolving set of security paradigms that narrows defences from wide network perimeters to individual or small groups of resources”.
It is based on the assumption that an attacker could be present in any environment, and as such, an enterprise must embed protections to reduce the risks to its assets and business functions through constant monitoring and evaluation.
“Ultimately, it’s flipping the model from protecting the networks and systems to assuming that they are compromised or untrustworthy, and focusing the energy and effort on securing the data,” Mr Howell said.
The focus of zero-trust architecture is on establishing contextual-based access to information, which moves beyond simply allowing or denying access to the information or a system based on membership in the user group.
It examines the context of the transaction that the user wants to conduct and the type of information they intend to access.
“We want to know the user’s clearance, nationality, and where they come from. We want to check other network and system conditions to determine if they’re coming from a trusted network or device,” Mr Howell said.
“On top of that, it’s not simply a tick-in-the-box exercise before allowing access to information. You’ve also got to apply appropriate treatments for that transaction based on the risk.
“For example, a user may be trying to access information from a personal device. That might be acceptable for the nature of the information they’re trying to access. But we may restrict them by only allowing them to view it through a secure reader or ensure that it’s encrypted or watermarked.”
He concluded: “From our perspective, a key enabler is context-driven access management.”
To hear more from Tony Howell about why organisations must implement a comprehensive enterprise security strategy to protect their data, come along to the Cyber Security Summit 2023.
It will be held on Thursday, 1 June, at Hotel Realm, Canberra.
Comments powered by CComment