Automating Policy Enforcement in an Era of Regulatory Expansion

In March 2023, President Biden released the National Cybersecurity Strategy, which brought a new emphasis on the use of regulations for improving the United States’ cybersecurity posture. The strategy has entire sections dedicated to regulations, including sections titled “Establish Cybersecurity Regulations to Secure Critical Infrastructure” and “Harmonize and Streamline New and Existing Regulations.” Combined with updated state-level requirements, such as the New York Department of Financial Services cybersecurity regulation and the California Consumer Privacy Act, this strategy means companies are going to be flooded with new regulatory requirements over the next several years.

This increase in regulatory requirements represents a major increase in cost and risk for businesses of all sizes. Most of the regulations add new reporting requirements, and the fines for non-compliance can run to tens of millions of dollars.

In the following paper, Evolver, along with our partner Galaxkey, describes a method for meeting the increase in regulatory requirements. The approach builds automation into everyday systems, such as email, so that policies are enforced automatically. Policy enforcement no longer relies solely on staff following written guidance; it is built into everyday activities, using existing tools and applications. This approach also offers the auditability and reporting needed to meet the increased regulatory demands.

 

Current Regulatory Compliance is Backward Looking

 

Today, meeting regulatory requirements demands a combination of complex policy generation, regulatory reviews, log collection, and auditing. The process takes a standard, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, creates policy documents, and distributes them to all applicable staff. From there, training is performed in the hope that all employees, both technical and operational, follow the policies.

To improve the likelihood that policies are met, data collection and logging applications are put in place to monitor actions so that there is a record of meeting the objectives. Regulators also review policies and log data to determine whether organizations are meeting the legal requirements. Large organizations may integrate these logs with a Security Information and Event Management (SIEM) tool to alert them when a security issue may have occurred.

What’s the issue with this approach? It is after the fact. The main methods of compliance are training, hope, and punishment: a company trains its staff, hopes they follow the guidelines, and applies negative consequences when policies are broken in order to incentivize better behavior. The problem is that this does not account for the scale of current operations. A company is hoping that not one of thousands, or tens of thousands, of employees shares sensitive information via email, file sharing, text, or any of the myriad other options. It is also hoping that every system is configured properly and that technical staff break no policies on any given day. This approach to policy enforcement is unreliable and unpredictable; it does not scale to current information technology (IT) environments.

 

In the End, It’s About the Data

The regulations, ranging from the Transportation Security Administration (TSA) directives for pipeline companies to the Health Insurance Portability and Accountability Act (HIPAA), are fundamentally concerned with the loss of data. Even if data is not captured by an attacker, the improper release of data to the public or to unauthorized parties is the measuring stick of the regulations. Good policies and practices might help reduce fines, but the bottom line is that if data is improperly shared, it is a violation. Strong policies and enforcement are therefore crucial to any cybersecurity and privacy program, because a single employee or a single misconfigured system can result in critical data loss and a regulatory violation.

 

Automating Policy Enforcement

What if enforcing the policy was more than just hope and training? What if policy enforcement could be automated so that employees could not break them? What if this could be done with little impact on their current workflow and operations?

There have been attempts to automate policy enforcement by building rules into applications such as Microsoft 365 (M365) or Enterprise Resource Planning (ERP) tools. The problem with this approach is that all an employee has to do is use a different application, such as Google Drive or Dropbox, and all of that automation becomes meaningless. Similarly, network-based Data Loss Prevention (DLP) technologies monitor traffic, but they only see data on the network paths they inspect, not data moving through cloud services, personal email, Universal Serial Bus (USB) drives, and other sharing methods. Network DLP is a network approach to a data problem.

The key is to build security into the data itself, at the file level. This is where Galaxkey plays a major role. Galaxkey is a data protection company providing a portfolio of corporate data protection products that help enterprises and individuals secure their data and adhere to multinational data compliance regulations. Headquartered in the United Kingdom (UK), Galaxkey has a global footprint through its regional offices, channel partners, and customers. Its solutions are built on a three-layer encryption design that gives customers complete control of their keys and contains no back doors. This security model is supported further by a comprehensive platform architecture, a simple user experience, and a low cost of ownership. The platform covers all common unstructured data types, which is critical to securing data after it leaves applications and databases.

 

More than Encryption at Rest, Encryption in Transit and Secure Applications – Data Security Independent of Network, Device or Application

The first mention of encryption usually brings statements such as “I already encrypt my data at rest” and “I use an encrypted email service.” These technologies depend on the device and the network for their security. Data-at-rest capabilities work by encrypting drives and folders on devices; they protect against someone who walks off with the hardware, but once the drive is unlocked, anyone who can reach the device (for example, with a compromised user credential) sees the data in the clear, and all of the data on that drive or folder is exposed. Similarly, transport-encrypted email protects the communication path between mail servers, not the message itself, which sits readable at each end. In all of these cases, once the data is copied off the device, network, or application, it carries no protection with it.

The Galaxkey approach encrypts each file individually, so the security travels with the file. If data is taken from a computer drive, an email, or an application such as a managed file system, it remains encrypted. If two people are authorized to access a file in Google Drive, only those two people can open it, even after it has been forwarded through Teams or attached to an email message.

Through Galaxkey’s encryption techniques, it is possible to restrict data to only those authorized to access it, regardless of the application or communication method. For example, if a patient’s record carries a policy that it can only be shared with the doctor and authorized users (i.e., companies with a Business Associate Agreement (BAA)), the patient can send the encrypted file through any application or communication method. Even if an attacker obtained a copy of the file from the patient, the hospital, or an authorized user, they still would not be able to view the patient’s record, provided they had not also compromised an authorized user’s credentials or keys. This is why access to the key material must itself be gated by strong authentication: the encrypted file can only be opened by authorized users who authenticate through secure methods, such as multi-factor authentication (MFA).

In addition to providing policy enforcement, this approach is a major step toward meeting the growing number of privacy regulations. These regulations are focused on control by the data owner. This includes requirements such as data retention limits and the “right to be forgotten,” which force companies to limit how data is stored and to delete it across an entire enterprise. Encryption at the file level provides a logical and simple method of deleting all data related to a single person: delete the encryption key, and every copy of that person’s data, wherever it was sent, is effectively gone. This technique (often called crypto-shredding) only holds if each person’s data is encrypted under a key unique to that person and no backup or escrow copy of the key survives, so key-store backups must be governed by the same retention rules as the data itself.
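To make the three properties claimed above concrete (per-file encryption whose key never travels with the file, plaintext released only to principals on the file’s access list with an audit record of every attempt, and deletion of one person’s data by destroying their key), here is an added example in Python. It is illustrative code written for this page, not Galaxkey’s or Evolver’s software, whose internals the page does not describe. It uses only the standard library: the HMAC-SHA256 counter-mode cipher with an encrypt-then-MAC tag stands in for an AEAD such as AES-GCM and is not production cryptography. The key service, the principal names, and the patient record are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
import struct


def _subkey(dek: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC subkeys from one 32-byte DEK."""
    return hmac.new(dek, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: block i = HMAC(enc_key, nonce || i).
    Stand-in for a real stream/AEAD cipher so the example runs anywhere."""
    blocks = (hmac.new(enc_key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def encrypt(dek: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag, with a fresh random nonce per file."""
    nonce = os.urandom(16)
    pad = _keystream(_subkey(dek, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, pad))
    tag = hmac.new(_subkey(dek, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(dek: bytes, blob: bytes) -> bytes:
    """Verify the tag (constant-time compare) before touching the ciphertext."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(dek, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified file")
    pad = _keystream(_subkey(dek, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, pad))


class KeyService:
    """Hypothetical key service: the only path from ciphertext to plaintext.
    Ciphertext can be copied over mail, Drive, Teams or USB without widening
    access, because holding the bytes never yields the data-encryption key."""

    def __init__(self) -> None:
        self._deks = {}    # data subject -> DEK (one key per person)
        self._owner = {}   # file_id -> data subject the file belongs to
        self._acl = {}     # file_id -> frozenset of authorized principals
        self.audit = []    # (principal, file_id, outcome) for every attempt

    def protect(self, subject: str, file_id: str, authorized: set, plaintext: bytes) -> bytes:
        dek = self._deks.setdefault(subject, os.urandom(32))
        self._owner[file_id] = subject
        self._acl[file_id] = frozenset(authorized)
        return encrypt(dek, plaintext)

    def open_file(self, principal: str, file_id: str, blob: bytes) -> bytes:
        if principal not in self._acl.get(file_id, frozenset()):
            self.audit.append((principal, file_id, "denied"))
            raise PermissionError(f"{principal} is not on the ACL for {file_id}")
        dek = self._deks.get(self._owner[file_id])
        if dek is None:
            self.audit.append((principal, file_id, "shredded"))
            raise LookupError(f"key for {file_id} has been destroyed")
        try:
            plaintext = decrypt(dek, blob)
        except ValueError:
            self.audit.append((principal, file_id, "tamper"))
            raise
        self.audit.append((principal, file_id, "granted"))
        return plaintext

    def forget(self, subject: str) -> None:
        """Crypto-shred: the copies are untouched, only the key dies. Assumes
        no backup or escrow copy of the DEK exists anywhere else."""
        self._deks.pop(subject, None)


def _fails_with(exc: type, fn, *args) -> bool:
    """True if fn(*args) raises exc; used to record each refused access path."""
    try:
        fn(*args)
    except exc:
        return True
    return False


def demo() -> dict:
    """Walk the lifecycle on a constructed patient record and report each outcome."""
    ks = KeyService()
    fid = "visit-note.pdf"
    record = b"Patient 4711: HbA1c 6.9%, metformin 500 mg"  # constructed sample data
    blob = ks.protect("patient-4711", fid, {"dr.lee", "billing-baa"}, record)
    forwarded = bytes(blob)  # the identical bytes after "sending" them over any channel
    out = {"doctor_reads": ks.open_file("dr.lee", fid, forwarded) == record,
           "attacker_blocked": _fails_with(PermissionError, ks.open_file, "attacker", fid, forwarded)}
    tampered = forwarded[:20] + bytes([forwarded[20] ^ 0x01]) + forwarded[21:]
    out["tamper_detected"] = _fails_with(ValueError, ks.open_file, "dr.lee", fid, tampered)
    ks.forget("patient-4711")  # right to be forgotten: destroy the key, not the copies
    out["shredded"] = _fails_with(LookupError, ks.open_file, "dr.lee", fid, forwarded)
    out["audit"] = list(ks.audit)
    return out
```

Calling demo() exercises the full lifecycle: the authorized doctor reads the record, an attacker holding the same bytes is refused, a modified copy is rejected by the integrity tag, and after forget() even the doctor can no longer open the untouched ciphertext. The audit list is the compliance artifact: one entry per access attempt, independent of which channel carried the file. Note what forget() does not do: it never locates or deletes the copies, so its guarantee rests entirely on the key service holding the only copy of the DEK.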

 

New Technologies and Policies

The application of data security at the file level makes policy creation and enforcement significantly more straightforward. Currently, in order to meet regulatory requirements, a complex web of controls must be established and monitored to prove compliance, as reflected in the large number of controls in NIST SP 800-53 Rev. 5. To prove that data is not being shared improperly, companies must show that every system has properly addressed user access, network access, data storage and data at rest, application integration, configuration settings, vulnerability management, patching, and more. Not only must organizations assure this for their own systems, but they must also do it for their cloud providers, software as a service (SaaS) applications, mobile devices, cameras, printers, and any other devices.

In the “security at the data level” approach proposed here, the policy is straightforward: this file can only be accessed by the following people and/or groups. Monitoring is equally straightforward, because every access to the file has to go through the decryption step, which yields an auditable record of who actually opened it. Today, monitoring and auditing require capturing massive volumes of logs from network systems, devices, applications, cloud providers, and so on, and in the end there is still no way to identify where the data went.

 

Yes, It Scales

The first response to this approach is almost always that it cannot be done at scale. Galaxkey has achieved data security at the file level through federated key management and a combination of multiple encryption methods, and it supports organizations ranging from large government agencies to major financial institutions. Evolver provides additional support by developing policies that directly take advantage of control over data at the file level.

 

New Policies and Regulations

As discussed, the President’s new Cybersecurity Strategy will cause regulations to grow significantly over the next few years. If the regulations focus on how data flows instead of how systems are designed, both compliance and enforcement will be more effective. Organizations can use the data security approach described in this paper to meet those regulatory requirements in a logical, affordable, and provable way. It is time for this change, and Evolver and Galaxkey can deliver this approach to meet the new regulatory environment today.