Risk Management
Why Data Hygiene is Key to Industrial Cybersecurity
How can highly distributed organizations with complex, integrated supply chains defend against cyber threats? By practicing good data hygiene based on zero-trust principles.
If there’s a common denominator to today’s security woes, it’s complexity. Industrial and enterprise IT environments are more open, interdependent, and essential than ever before. Practicing good data hygiene is one of the best ways for organizations to protect themselves, and it starts with a zero-trust approach to network access.
Complexity is a security risk
Part of what makes IT environments so complex today is the distributed nature of industrial and business operations, which decentralizes technology planning, causes “architecture sprawl”, and makes it hard to enforce security policies consistently. Those problems are compounded by growing technical debt as organizations defer upgrades or pursue them haphazardly instead of in a coordinated way.
Virtually every connectivity trend seems to contribute to the growth of complexity, from widespread IoT deployments and IT/OT integrations to hybrid work models that make security conformance challenging, and cloud deployments fraught with vulnerability-inducing compliance and misconfiguration issues.
All of these are amplified when businesses participate in highly interdependent supply chains. No single player has end-to-end control or the visibility to identify where dependencies and vulnerabilities reside. Amid this “vendor sprawl”, even participants with good internal security controls are at the mercy of the weakest link in the chain.
For IT and network security teams already overwhelmed by alert volumes and ever-evolving threats, dealing with so much complexity can seem like a bridge too far. They need to augment their efforts with automation to get some relief.
The catch is that automation tools must be implicitly trustable before organizations can “hand over the keys” for machines to run any part of security operations. That hinges on the quality of the data the systems must work with—which makes good data hygiene fundamental.
Data hygiene depends on zero trust
“Hygienic” data is accurate, complete, reliable, and up to date. Zero-trust principles contribute to data quality by strictly controlling who creates, accesses, modifies, and shares it.
The root assumption of zero trust is that no resource interacting with enterprise IT systems is inherently trustworthy. A “resource” may be an individual, a data set, a corporate or personal user device, and even a cloud service or software-as-a-service (SaaS) solution. Because trust is not inherent or assumed, whenever a resource requests access to corporate data, its security posture must be assessed: no one gets grandfathered and there are no free passes.
At the same time, the approach recognizes that trust is not a fixed state. That means it must be monitored and re-verified continuously throughout a transaction. Any increase in risk profile can cause an exchange to be shut down, accounts to be reset, or other actions taken to contain potential issues.
Several zero-trust precepts follow from all of this:
- Access is always session specific. Trust must be established before access is granted, with only the most restricted privileges assigned to complete the given task.
- Perimeter-only security is not enough. Classic security approaches provide a “single door” for resources to access corporate assets and systems based on their initial network location and identity. But once inside, malicious actors can exploit that access, moving laterally through the network. Location should be always tracked, and privileges should be based not only on identity but also specifically on what a user or resource is there to accomplish.
- Access policies should be dynamic, not fixed. This allows trust to be contextual and adaptable to changing conditions based on business needs, risk tolerance, monitoring data, usage patterns, network locations, times of day, the presence of active attacks, and other variables.
- Authentication and authorization must be strictly enforced. These should be based on a formal identity, credential, and access management (ICAM) system that includes multifactor authentication. Like access, authentication and authorization should be dynamic—with consistent scanning for and assessment of threats, and with policies re-evaluated according to context and real-time conditions.
- Analytics help make security stronger. By collecting information on resource and asset security postures, traffic patterns, access requests, and more over time—and analyzing them for patterns—organizations can strengthen cyber security and data quality on an ongoing basis.
With these aspects of the zero-trust stance in place, organizations can be assured of better data hygiene because the information in their systems only ever comes from trusted sources and is highly traceable.
The benefits of good data hygiene
With high-quality data, security teams can automate confidently, relying less on human judgment to check, approve, or fix automated decisions.
Reliable automation enables real-time security at scale, reinforcing the “everywhere, all the time” zero-trust security context even when thousands of users, devices, and assets are involved. This can be applied to a vast range of security functions. Assessing identity risk is one example: determining if a requesting resource should be allowed to perform a given action based on established risk thresholds, even when the identity of that resource is not previously known, such as a new partner. With zero trust, the data involved in the transaction can be counted on as highly reliable, strengthening the decision to grant or withhold access.
The higher the quality of data an organization can maintain, the less data is needed to inform accurate, trustworthy business decisions. That can translate into faster decision-making—again, with less (or no) human oversight—and even lower IT and cloud costs, because fewer resources are required to process the data, and there’s less of it to store. Those savings can be operational (OPEX), capital (CAPEX), or both depending on the organization’s business model and technology cost structure.
Data hygiene builds the security business case
Separate from providing transactional security assurance, data hygiene based on zero trust has a higher-order role to play in enabling and protecting the business.
According to Gartner, well over half (64%) of board directors recognize digital infrastructure as strategically key to business goals, and 88% see cybersecurity as a business risk. In another report, Gartner predicted that by 2023 nearly a third of chief information security officers (CISOs) will be evaluated on their ability to “create value for the business”. High-quality data resulting from the zero-trust approach makes it easier to create that value by ensuring safeguards without constraining productivity, opening the door for CISOs to raise their board-level visibility.
For organizations that are part of far-flung and highly interdependent supply chains, zero trust eliminates much of the concern about partners’ vulnerabilities or data quality. It doesn’t matter what security models other players employ because zero-trust organizations can be assured of the strength of their access, authentication and authorization controls, and of their own data hygiene.
Implementing zero trust with the necessary automation to ease security teams’ burdens requires a unified cybersecurity platform capable of continuous discovery, assessment and risk mitigation. When that platform is equipped with secure access service edge (SASE) capabilities and extended detection and response (XDR), it provides the controls to ensure good data hygiene and also uses high-quality data to strengthen the overall security posture in a self-reinforcing cycle of defence.
Next steps
Learn more about data hygiene principles, zero trust, and the implications for supply chains by checking out these Trend Micro resources: