How do you rein in data communications, not only between computers, but between humans?

Anonymous Author
For me, it's defense in depth and least privilege. I hesitate to use the phrase Zero Trust, but it's also entitlement-driven. We have thousands of entitlements in the company. The typical employee can't go to most internet websites, and can't download or install software. You've got to go through an IT process in order to add software, endpoint detection and response (EDR). You can't plug in a USB device, or send documents out without an entitlement. We don't use Box anymore. We don't use Dropbox.
2 upvotes
Anonymous Author
An issue we’re dealing with is how we exchange healthcare data, etc. with partner providers. We have 18 different identifiers within protected health information (PHI data) which need to have certain policies assigned to them so they’re not overshared or disseminated unnecessarily. How do we control the data and, if we can control it, where exactly is the measure of shared responsibility between us versus the providers/partners? One thing that helped was having a bastion host between ourselves and the providers so that we can actually strip off the PHI data before it leaves our control, so there are better definitions around what the policy is.
0 upvotes
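The bastion-host approach in the answer above, stripping PHI before a record leaves our control, comes down to a policy decision per field per partner. The following is an added example written for this page, not code from the commenter or their organisation: a boundary filter that passes through only the identifier categories a partner policy allows, coarsens dates and ZIP codes where the policy permits, strips everything else, treats any field it does not recognise as an identifier (deny by default), and logs what was removed. The field-to-category map, the two partner policies and the sample record are all constructed; the category names follow the HIPAA Safe Harbor identifier list, but the schema is an assumption.

```python
"""Boundary filter for outbound PHI: strip or coarsen identifier fields
before a record leaves our control, deny-by-default for fields we don't
recognise, and log what was removed. Added example; the field-to-category
map, partner policies and sample record are all constructed."""
import logging
import re
from dataclasses import dataclass

log = logging.getLogger("phi_boundary")

# Which identifier category each field of OUR record format belongs to.
# Category names follow the HIPAA Safe Harbor identifier list (name, dates,
# phone, email, SSN, MRN, geographic unit, IP address, ...). None marks
# clinical content that is not itself an identifier. The mapping is an
# assumption about our schema, not a standard.
FIELD_CATEGORY = {
    "patient_name": "name",
    "dob": "date",
    "admit_date": "date",
    "phone": "phone",
    "email": "email",
    "ssn": "ssn",
    "mrn": "mrn",
    "zip": "geo",
    "ip_address": "ip",
    "diagnosis_code": None,
    "lab_results": None,
}


@dataclass(frozen=True)
class PartnerPolicy:
    """What a given partner is entitled to receive."""
    name: str
    allow: frozenset                      # categories passed through unchanged
    generalize: frozenset = frozenset()   # categories sent in coarsened form


def _generalize(category, value):
    """Coarsen a value the way Safe Harbor permits; None means 'cannot coarsen'."""
    if category == "date":
        m = re.match(r"(\d{4})", str(value))   # keep the year only
        return m.group(1) if m else None
    if category == "geo":
        return str(value)[:3] + "XX"           # three-digit ZIP prefix only
    return None


def filter_outbound(record, policy):
    """Return (filtered_record, stripped_field_names) for one partner."""
    out, stripped = {}, []
    for key, value in record.items():
        # A field we never classified is treated as an identifier: deny by default.
        category = FIELD_CATEGORY.get(key, "unclassified")
        if category is None or category in policy.allow:
            out[key] = value
        elif category in policy.generalize and _generalize(category, value) is not None:
            out[key] = _generalize(category, value)
        else:
            stripped.append(key)
    # Audit trail of what crossed the boundary and what was held back.
    log.info("outbound to %s: kept=%s stripped=%s", policy.name, sorted(out), stripped)
    return out, stripped


# Constructed sample record and partner policies (not real data, not real partners).
SAMPLE_RECORD = {
    "patient_name": "Jane Example",
    "dob": "1970-05-14",
    "admit_date": "2024-02-02",
    "phone": "555-0100",
    "email": "jane@example.invalid",
    "ssn": "000-00-0000",
    "mrn": "MRN-TEST-0001",
    "zip": "02139",
    "ip_address": "192.0.2.10",
    "diagnosis_code": "E11.9",
    "lab_results": {"a1c": 7.1},
    "free_text_notes": "called patient at home",   # unclassified -> stripped
}
LAB_PARTNER = PartnerPolicy("lab_partner", allow=frozenset({"mrn"}),
                            generalize=frozenset({"date", "geo"}))
RESEARCH_PARTNER = PartnerPolicy("research_partner", allow=frozenset(),
                                 generalize=frozenset({"date"}))

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for policy in (LAB_PARTNER, RESEARCH_PARTNER):
        kept, removed = filter_outbound(SAMPLE_RECORD, policy)
        print(policy.name, kept, removed)
```

The deny-by-default branch is the part worth keeping: a new column added to the record format upstream is withheld until someone classifies it, rather than leaking because nobody wrote a rule for it. The log line is what lets the "shared responsibility" question be answered with evidence of exactly which fields reached which partner.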
Anonymous Author
I worked at one pharmaceutical company where we didn't want to leak any data at all. We decided that no file is ever going to leave Box. We disallowed sending file attachments. Everything sent outside the org was in preview-only mode, and external people had to open it up in Box to see it. They could take a photo with their camera, but who cares? We were doing everything possible to protect that document. It was 2014, so it was weird at the time but it worked well and people got used to it. It was Box's idea to keep everything on the platform so that we didn't need all of the other tools I was looking at. There's everything out there to be secure, but I don't know how to apply the same approach to software companies because everything's pure chaos after coming from pharmaceuticals. In software, it's crazy trying to rein that all in.
1 upvotes
Anonymous Author
First and foremost, you need to implement and continuously maintain proper *authorization* (AuthZ) policies in addition to (strong) authentication (AuthN) requirements to ensure that there are levels of data access and sharing between end-users. Too often there are "Allow Everyone" policies out of either negligence or laziness. Combine that with proper logging, as well as a regular cadence of communicating the importance of this (aka: "why") to your end users.
3 upvotes
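The answer above and the first answer on the page describe the same mechanism from two sides: explicit entitlements rather than broad grants, an "Allow Everyone" rule as the thing to hunt down, and logging so the decisions can be reviewed. As an added example, not code from either commenter or from any product, here is a small deny-by-default authorization check over such rules, a lint that surfaces every allow rule granted to "everyone", and a log line for each decision. The rule format, the group names and the sample policy are constructed.

```python
"""Deny-by-default authorization check over explicit entitlement rules, a
lint that surfaces "Allow Everyone" rules for review, and a log line per
decision. Added example; the rule format, groups and sample policy are
constructed, not any product's."""
import logging
from dataclasses import dataclass

log = logging.getLogger("authz")


@dataclass(frozen=True)
class Rule:
    resource: str          # exact resource name, or a prefix ending in "*"
    action: str            # "read", "share", ... or "*" for any action
    principals: frozenset  # user names, group names, or the literal "everyone"
    effect: str = "allow"  # "allow" or "deny"


def _matches(pattern, resource):
    if pattern.endswith("*"):
        return resource.startswith(pattern[:-1])
    return resource == pattern


def find_overbroad_rules(rules):
    """Allow rules granted to 'everyone': the entries to re-justify or remove."""
    return [r for r in rules if r.effect == "allow" and "everyone" in r.principals]


def is_authorized(user, groups, resource, action, rules):
    """Deny unless an allow rule matches; any matching deny rule wins."""
    principals = {user, "everyone", *groups}
    applicable = [r for r in rules
                  if _matches(r.resource, resource)
                  and r.action in (action, "*")
                  and principals & r.principals]
    if any(r.effect == "deny" for r in applicable):
        decision = False
    else:
        decision = any(r.effect == "allow" for r in applicable)
    # Log every decision, allow or deny, so access reviews can see who reached what.
    log.info("authz user=%s groups=%s resource=%s action=%s decision=%s matched=%d",
             user, sorted(groups), resource, action, decision, len(applicable))
    return decision


# Constructed sample policy. The "hr/*" rule is the kind of "Allow Everyone"
# entry that creeps in and that find_overbroad_rules() is meant to catch.
SAMPLE_RULES = [
    Rule("finance/*", "read", frozenset({"finance-team"})),
    Rule("finance/*", "share", frozenset({"finance-leads"})),
    Rule("hr/*", "*", frozenset({"everyone"})),
    Rule("hr/payroll", "*", frozenset({"contractors"}), effect="deny"),
]

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for r in find_overbroad_rules(SAMPLE_RULES):
        print("review:", r)
    print(is_authorized("alice", {"finance-team"}, "finance/q1.xlsx", "share", SAMPLE_RULES))
```

Two things the sample policy shows: a user with read on a resource does not automatically get share on it (each action needs its own entitlement), and a targeted deny still holds against a sweeping "everyone" allow. Running the lint on a real rule set as part of a regular review cadence is the practical version of the "communicate why" step: each flagged rule either gets a written justification or gets removed.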
Anonymous Author
We have set up a policy to deal with different kinds of data by resource. We have made a clear segregation of duties, and we have annual training on how to deal with data, how to share it, and whom to share it with. We define a clear workflow for data that involves human interactions, and it is addressed with the policy and procedures.
2 upvotes
Anonymous Author
I think these are two separate (but weirdly related) issues. The pandemic certainly changed things - people who are very social were stymied and have sought other ways of communicating. And the primary issue here, I believe, is the separation of work from home. From a computer standpoint, that's the easiest. Simply map out what directions information needs to flow, set levels of access, and set up enforcement technology. These are all technology fixes - ACLs, endpoint protection, firewalls, etc. But security is only 20% technology - it's the 80% people that scares the heck out of me. According to the Department of Homeland Security, 94% of the breaches last year occurred via a phishing email - so this makes the endpoint (both the computer and the person) the weakest link. Obviously you start with technology, but then follow it up with strong policies, strong standards, and enforceable actions when there is non-compliance (yes, I'm talking termination). Smart people do dumb things all the time. Education is obviously the first step. I'd also recommend including people in desktop exercises - folks who normally wouldn't participate. It gives them a much larger view of the picture. So, in short - technology, training, but planning is the first step. And part of that planning needs to include establishing baselines, so you know what abnormal looks like.
2 upvotes