There’s an interesting story from a few years ago. An angry father marched into the corporate office of Target and demanded to know why they were sending unsolicited advertisements for baby supplies to his teenage daughter.
Well, he ended up with egg on his face because, yes, his daughter was pregnant. And, yes, Target knew about it before he did (Father is last to know). All those coupons for baby food, cribs and child clothing were sent directly to his daughter because Target determined her buying and search history made her a likely expectant mother.
Aside from the obvious creepiness factor, it also demonstrates that, in a connected world, much of our digital and financial privacy is gone. Between Internet search engines, online advertisers and, especially, mobile application developers, the wealth of data we willingly give up about ourselves is tremendous.
Why is Facebook free? Why are all those cute games and apps you use on your phone free? Why aren’t you charged to use your favorite web browser that some company spent millions to develop? I think you get the picture. I like to use the phrase:
If you’re not a paying customer, you’re the product that’s being sold.
I could go on, but let’s just acknowledge that much of what you do, who you are and what drives your buying decisions is out there and being used to target your opinions, dollars and time.
Let’s talk about data security. Yes, while I acknowledge that there is data about me that is not private (more than I care to think about), there are certain pieces of information about me that I should be able to expect are secured and unavailable for public consumption or viewing.
Data such as:
Why do I have more stringent expectations around the security of this data? Because this ever-evolving population of personal data can be used to compromise me. If it represents direct access or threats to my financial posture, my reputation or my safety, certain data is now viewed as ‘sensitive’.
And while multiple regulations (GDPR, HIPAA, etc.) are coming out and evolving in support of the protection of ‘sensitive’ data, we still see many companies that are turning a blind eye to their exposure to sensitive data breaches, especially in legacy applications such as ERP systems and decades-old data storage platforms.
And even the companies that are trying to address the security of this sensitive data are typically focusing on the back-end storage systems (databases, etc.) and working to implement ‘Segregation of Duty’ (SoD) controls. SoD controls focus on the permissions granted to roles in an application, and the roles that are granted to the users of that application. In essence, no role should be overpowered in that it has too much control over any given business process. And no user should be granted multiple roles that together give them too much power over any given business process. SoD is all about checks and balances, the lack of which brought down companies such as Enron and Lehman Brothers.
SoD is important. But these days, with the advent of mobile and the increased attack surface – i.e. access points – of these legacy applications, access controls are also key. And with the success that modern phishing attacks seem to be having (approximately 4% of targets will fall for any given phishing campaign), application credentials cannot be considered as secure as when just a few select users inside the corporate network were utilizing the application.
Segregation of Access (SoAx) is now just as key as SoD. Being able to manage and report on access to sensitive data, even if it is just the viewing of that data, should be a critical component in any company’s security posture.
These are all key pieces of an effective SoAx program.
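To make the two controls concrete, here is an added example (not Appsian’s code, and not taken from any real ERP product) that models both ideas from this post: the SoD checks on role design and on a user’s combined roles, and the SoAx report that counts every view of sensitive data whether or not the viewer held the permission. All role, permission and user names are constructed for illustration.

```python
from collections import defaultdict

# Constructed role-to-permission mapping (hypothetical ERP-style names).
ROLE_PERMS = {
    "AP_CLERK":   {"vendor.create", "invoice.enter"},
    "AP_MANAGER": {"invoice.enter", "payment.approve"},  # overpowered on its own
    "HR_VIEWER":  {"employee.view_ssn", "employee.view_salary"},
}
# Constructed user-to-role assignments.
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob":   {"AP_CLERK", "AP_MANAGER"},  # toxic combination of otherwise separate roles
    "carol": {"HR_VIEWER"},
}
# SoD rule set (constructed): permission pairs that must never be held together.
SOD_CONFLICTS = [
    ("vendor.create", "payment.approve"),
    ("invoice.enter", "payment.approve"),
]
# SoAx scope (constructed): data whose mere viewing must be recorded and reported.
SENSITIVE_PERMS = {"employee.view_ssn", "employee.view_salary"}


def conflicts_in(perms):
    """Return the SoD rule pairs that are fully contained in one permission set."""
    return [pair for pair in SOD_CONFLICTS if pair[0] in perms and pair[1] in perms]


def role_violations():
    """Roles that are overpowered by themselves: one role covers too much of a process."""
    return {role: conflicts_in(perms) for role, perms in ROLE_PERMS.items() if conflicts_in(perms)}


def effective_perms(user):
    """Union of permissions across every role granted to the user."""
    return set().union(*(ROLE_PERMS[r] for r in USER_ROLES.get(user, ())))


def user_violations():
    """Users whose combined roles break a rule, even where each role alone is clean."""
    return {u: conflicts_in(effective_perms(u)) for u in USER_ROLES if conflicts_in(effective_perms(u))}


def soax_report(access_log):
    """Count reads of sensitive data per user from (user, permission) audit events.
    Every view is counted, authorized or not: SoAx is about visibility of access itself."""
    counts = defaultdict(int)
    for user, perm in access_log:
        if perm in SENSITIVE_PERMS:
            counts[user] += 1
    return dict(counts)
```

Running `soax_report` over a constructed audit trail such as `[("carol", "employee.view_ssn"), ("bob", "employee.view_ssn")]` reports bob’s view even though no role grants him that permission, which is exactly the gap SoD-only programs miss.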
Contact us to learn how Appsian can help implement an effective SoAx plan.