Victoria Blake, Senior Director of Product at Zapproved, discusses macro data security trends, and how they apply to the legal realm and beyond.
CCBJ: Let’s start by talking a bit about the intersection of corporate legal teams and data security.
Victoria Blake: It’s part of a macro trend that’s been gaining speed over the last 10 or 20 years — the move from on-premises installations to the cloud. I did an analysis of our recent prospects to look for security-related issues that come up in sales cycles, and what I found is that while there is still a percentage of folks that have a no-cloud policy, that percentage is decreasing over time. Decreasing, yes, but more slowly than you’d think. Ten years ago, there was a general assumption that everything would be in the cloud by now, but the transition has actually been a lot slower than everybody originally assumed. A big part of the lag is, I believe, the trust, or lack of trust, in the security practices of cloud vendors, despite the massive gains in cost and efficiency that the cloud can provide.
Running parallel to that, corporate legal departments are not just responsible for legal operations anymore, but are now moving into governance, risk management and compliance, as well as information technology and info gov, those kinds of functions. The growing understanding is that data is an artifact of business, and as an artifact, it is a legal artifact as well.
Now, legal still mostly cares about data at a trigger event, but there’s a present and growing awareness of the whole lifecycle of data. And if we’re talking data, we’re talking cloud, and if we’re talking cloud, we’re talking security.
Can you tell us about the types of security threats facing corporate legal teams today?
Security threats are not specific to corporate legal departments. Threats are part of the digital landscape. In my analysis, threats can be bucketed into several primary categories — things that are most likely to occur.
At the top we’ve got everything related to individuals and identity. The primary threat is phishing and account takeovers. We’re all pretty familiar with that already: who has access to what data and when. Lack of federated identity management is part of that problem — knowing who somebody is and making sure that they are who they say they are. And, of course, there’s malware. I hate malware. With malware, we all know what that threat is, but the access point is, again, part of phishing and account takeovers. That’s the primary access point for malware. But there are also threats from within, so what we do is build controls to make sure that the data is safe in the event of a breach from within, due to a malicious actor inside the company itself.
Talking about data, the concept of data location is really interesting – you start thinking about data ownership and the concept of jurisdictions, and how much jurisdiction specific governments or localities do or do not have over your data, if it’s in transit or in storage. That’s an interesting concept in and of itself.
Disaster recovery is crucial as well, so that even when something bad happens, your business can continue to function. Business continuity is so important. Disasters don’t happen frequently, but when they do, companies need to be prepared.
Finally, there’s lack of transparency and a lack of robust SLAs. Those are two different ones, but they speak to the ability of vendors to be open and honest, and to clearly communicate with you as a customer about what you can expect and to make sure that the vendor is in compliance with what you, the customer, require.
So those are the primary categories of security threats that we’re seeing. Again, these are not specific to legal, but really they’re part of the macro trends that we’ve been discussing.
Can you tell us more about the privileged user concept?
I know that the word “privilege” has a different meaning in the legal community than it does in software — they overlap, but they have specific meanings. In software, “privilege” refers to the amount of information an individual can see inside of that application. What you want to do is give as little privileged access to users as possible, so that if there is a breach or security event, there’s a wall up around that person or that access point. This is really important when we look at things like the phishing and account-takeover threats. There’s a stat from a research company, Fishing Box, that says that 29 percent of breaches involve stolen credentials, and 94 percent of malware is delivered over email. That’s just an example of this concept of how a single user can be an access point, and really what you want to do is to control the amount of exposure you have if that single user’s account gets compromised.
For a lot of the security features that we’re building and talking about, their maturation over time is about control of the access, if and when a breach happens at the single user’s access point. Not to put too violent a metaphor on it, but if there’s a single access point breach, then your other security features kick in to control the blast radius.
Controlling single-access point breaches is difficult because of the number of users in any given system. If you look at each one of those users as a potential access point, you can get overwhelmed. Or you can look at it and say, “OK, this is part of the threat landscape that we’re dealing with, and we just have to have the right controls, the right visibility, and the right security features set up around it.”
How can legal teams address these threats while still maintaining their day jobs?
I don’t want anybody in the legal department to have to worry about security. There’s no action or activity that a person working their day job, doing the good work of the legal department, should have to do beyond the normal course of business to be safe. I mean, don’t click on that link in that spam email. Wear your badge. Rotate your passwords. That really should be it.
Security should be part and parcel of any kind of vendor relationship. It is a relationship based on trust and validation. Customers say, “We’re signing up with a company. We have validated that the security controls match our own internal security controls, and we know that these are the best practices in order to keep our data safe.” Ideally, the person who is doing their day job shouldn’t have to worry about security threats at all.
Inside of that, though, it’s important to recognize that there are really two major approaches to security threats. One is on the product side, security features that are actually built into the products or into the technology. The other is on the operations side, and that involves things like badging and credentialing and making sure that when there is a physical person at a physical location with physical access to data, that person is who they say they are.
What are the key cloud-based features that address the data security threats that you’ve mentioned?
One of the key security features that folks should be looking for is multifactor authentication. That goes hand in hand with secure sign-ons. Granular roles and permissions. Session management. All the security features that help with the user-access threats.
A really basic one? Password reset controls. Our understanding of what makes a secure password is evolving and maturing over time, so being able to work with a vendor that has password reset controls inside of the application, and allows those controls to match your internal IT policy, that is really important.
And the last one I want to mention is user access audit logs. Good logging is part of a good security stance, so that if and when there is a breach, you actually have the information you need in order to address that breach.
Where does the cybersecurity industry go from here?
We have to recognize that we are in the first 20 years of what’s going to be a massively long time horizon for the maturation of our digital tools, and for our digital ecosystems. Security is going to continue to evolve and change as the threats evolve and change, and that is a never-ending dance. In fact, it’s a never-ending dance that’s been happening in one way or another for the history of mankind.
We’re taking a snapshot in time right now about the primary threats and how to address them. In the year 2030, it’s going to be different. You’re going to have different threats and different tools, and part of the role of any vendor or any company working in this space is to be able to look out into the future and say, “What threats are coming? And how do we have a security stance that is safe and secure and sound, but also able to grow and evolve over time?”