Insider Threat and Supply Chain Risk Reduction – in Real-Time

As the head of risk and corporate security, my main focus is ensuring that our work at Ionic (which includes employees, customers, contractors, vendors, and technology) is managed to an acceptable level of risk in support of the goals of the organization. Some of the risk management techniques include tracking and applying evolving policy standards and regulatory compliance mandates, monitoring and responding to external and internal threats, auditing processes and controls, providing security awareness, and ensuring secure code development. 

Two of the biggest areas of concern we see in the industry are that of insider threats and third-party breaches. Gruntled and disgruntled employees unintentionally or intentionally can cause great harm to an organization and its stakeholders. We know that insiders perpetrated 34% of breaches and third-party breaches increased by 78% in 2018 alone. Faced with fast-moving challenges presented by insider threats and complex supply chains, the methods companies have relied on to manage these and other threats are outmoded and even dangerous. Need daily proof? Just wait for the next breach notification to get a constant reminder of what is not working.

Roughly twenty years ago, I was part of the team that rolled out Lockheed Martin’s internal public key infrastructure (PKI) deployment. One of the lessons we learned is that key management is hard. It is also the most critical component of any cryptographic system (compromised keys = compromised data). Encrypting data is actually pretty easy. Decrypting data — for the right user or service, under the right circumstances — can be challenging because managing keys at scale in cryptographic system deployments to provide confidentiality and integrity protections in our connected world, has frankly been an area that many have overlooked. Why? Because many industry professionals have worked with “old school” cryptosystems that were hard to manage. It has unfortunately since become an “acceptable” risk to NOT encrypt sensitive data because organizations have not been willing to set aside the resources (funds to enable an organizational culture change related to people, process, and technology) to do so.

Why did I leave my role on a fantastic team at a great Fortune 10 company? Because Adam Ghetti figured out how to manage keys at scale in our connected world of billions of devices. It has, and continues to be, an honor to help Ionic empower customers that actually care how they protect the data entrusted to them.

So how do we help our customers put their duty of due care into practice with protecting sensitive data? With Ionic MachinaTM . Machina centralizes attribute-based access controls (ABAC) and dynamic policy enforcement into a cohesive service for simple management of even the most granular business logic. We provide visibility into every access request (request to release keys) — whether made by an internal user, service, or someone from a supply chain. Machina offers data protection as a service, reducing internal points of failure and even providing third party risk mitigation for organizations moving data to the cloud.

Machina supports the four-eyes principle by using multiple administrative roles within the organization to enforce workflow rules. Parts of Machina are also built on a massively scalable key management system, which means that policy decisions are backed by high standards of integrity and availability that prevent loss or deletion of keys, even by a rogue insider.

While there are a few other policy management options in the marketplace today, none of them offer seamlessly integrated encryption key management. Data protected by Machina is by default unreadable (fails closed), furthering the risk reduction that comes from employing encryption as a method of access control; users or services must be specifically granted access through Machina policy to decrypt data. 

Back to those breaches mentioned earlier. The rapid adoption of cloud technology increases risks just as rapidly; the majority of the breaches we see today come from accidentally misconfigured or intentionally hacked cloud services. Centralizing visibility and enforcement across those technical cloud silos introduces consistency, which reduces the risk when adopting cloud services for sensitive data. Learn more about how we help simplify key management across cloud providers and all your applications, take a look at the partnerships we have with AWS, Google, and Microsoft.

Ben Halpert, vice president of risk and corporate security for Ionic, is a noted author, speaker, and practitioner of risk management, security, privacy, and compliance. He is also the founder of the 501(c)(3) non-profit Savvy Cyber Kids that creates and delivers age-appropriate security, privacy, bully response, and cyber ethics resources and educational tools that enable youth, families and school communities to be empowered by technology.

Prior to joining Ionic, Ben was the director of risk management and compliance for McKesson and spent over 11 years in corporate information security at Lockheed Martin.