
How to Maximise Control with Secure Enclaves

Cyberthreats are everywhere. However, while companies are scrambling to find better ways to protect themselves, the stark business reality is that not all data is created equal. You must prioritise protection for your company’s most valuable and highly sensitive data – such as intellectual property, Personally Identifiable Information (PII) and Controlled Unclassified Information (CUI) under the U.S. Department of Defense’s (DoD’s) CMMC 2.0 requirement. Secure enclaves are one of the best ways to accomplish this goal.

What is a secure enclave?

In plain words, a secure enclave is an ultra-secure space within a larger secured system. You can think of a secure enclave as a steel-reinforced bank vault within the already-secure premises of a branch office: the bank’s premises are already secure, but the vault provides ultra-secure protection.

The use case for secure enclaves has been extended from the storage of physical contents (as in the bank vault example above) to the wider realm of data storage, so that critical digital information can be protected in a controlled, purpose-built environment. Organisations typically classify their data according to its sensitivity – we will use the concept of data levels here to explain a classification approach you can adopt:

  • Level 0 is categorised as public information. 
  • Level 1 is categorised as routine company information.
  • Level 2 is categorised as sensitive company information that may be restricted to a department.
  • Level 3 is categorised as the most sensitive, highly regulated data layer that is often restricted to key executives or critical employees. Generally, data in Level 3 benefits the most from storage in a secure enclave environment.

A simple use case would be your organisation’s need to safeguard consumers’ and employees’ PII to comply with the requirements of the EU’s General Data Protection Regulation (GDPR) and/or UK GDPR. Access to such sensitive information should be restricted based on a user’s “Business Need to Know” and not made available to your regular IT users. Even executive management’s access should be limited based on their demonstrated need to utilise the information, since senior executives are more frequent targets of spear-phishing attacks and tend to have more permissive IT access rights.
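The data levels and the need-to-know rule above can be expressed as a small policy check. The following is an added illustration, not code from the article: the Level 0–3 scheme follows the list above, while the roles, users, records, the audit-log shape and the rule that Level 3 requires an explicit, time-limited grant (even for executives) are constructed assumptions.

```python
"""Need-to-know access decisions over classified data levels, with an audit trail.

Added illustration, not the article's own code. The levels mirror the
article's Level 0-3 scheme; the roles, users, records and the rule that
Level 3 needs an explicit, time-limited grant are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import IntEnum


class DataLevel(IntEnum):
    PUBLIC = 0       # Level 0: public information
    ROUTINE = 1      # Level 1: routine company information
    SENSITIVE = 2    # Level 2: sensitive, may be restricted to a department
    RESTRICTED = 3   # Level 3: highly regulated, enclave-resident data


# Highest level a role can reach through RBAC alone (constructed sample roles).
ROLE_CEILING = {
    "it_admin": DataLevel.SENSITIVE,    # regular IT users never reach Level 3 by role
    "hr_privacy": DataLevel.RESTRICTED,
    "executive": DataLevel.RESTRICTED,
}


@dataclass
class Record:
    record_id: str
    level: DataLevel
    owner_dept: str


@dataclass
class User:
    name: str
    role: str
    dept: str
    # Explicit need-to-know grants: record_id -> grant expiry (UTC).
    need_to_know: dict[str, datetime] = field(default_factory=dict)


AUDIT_LOG: list[dict] = []   # append-only in-memory stand-in for an auditable log


def check_access(user: User, record: Record, now: datetime) -> bool:
    """Return True if access is allowed; every decision is written to AUDIT_LOG."""
    allowed, reason = True, "granted"
    ceiling = ROLE_CEILING.get(user.role, DataLevel.PUBLIC)
    if record.level > ceiling:
        allowed, reason = False, "role ceiling exceeded"
    elif record.level == DataLevel.SENSITIVE and user.dept != record.owner_dept:
        allowed, reason = False, "department restriction"
    elif record.level == DataLevel.RESTRICTED:
        # Level 3: role alone is not enough; an unexpired grant is required,
        # even for executives.
        expiry = user.need_to_know.get(record.record_id)
        if expiry is None:
            allowed, reason = False, "no need-to-know grant"
        elif expiry <= now:
            allowed, reason = False, "need-to-know grant expired"
    AUDIT_LOG.append({
        "time": now.isoformat(), "user": user.name, "role": user.role,
        "record": record.record_id, "level": int(record.level),
        "allowed": allowed, "reason": reason,
    })
    return allowed


def sample_scenario() -> dict[str, bool]:
    """Constructed scenario: one Level 3 PII record, several requesters."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    pii = Record("hr/payroll-pii", DataLevel.RESTRICTED, "hr")
    dept_doc = Record("hr/policies", DataLevel.SENSITIVE, "hr")
    admin = User("ops-admin", "it_admin", "it")
    hr = User("hr-lead", "hr_privacy", "hr",
              need_to_know={"hr/payroll-pii": now + timedelta(days=30)})
    ceo = User("ceo", "executive", "board")
    ex_hr = User("former-hr", "hr_privacy", "hr",
                 need_to_know={"hr/payroll-pii": now - timedelta(days=1)})
    return {
        "admin_pii": check_access(admin, pii, now),           # False: role ceiling
        "admin_dept_doc": check_access(admin, dept_doc, now), # False: department
        "hr_pii": check_access(hr, pii, now),                 # True: valid grant
        "ceo_pii": check_access(ceo, pii, now),               # False: no grant
        "expired_pii": check_access(ex_hr, pii, now),         # False: grant expired
    }


if __name__ == "__main__":
    for name, allowed in sample_scenario().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
    for entry in AUDIT_LOG:
        print(entry)
```

The design point is that the role ceiling handles Levels 0–2, but Level 3 is deliberately not reachable by role alone: every grant is per record and per user with an expiry, and denials are logged with a reason so that the audit trail shows who was refused and why, not just who got in.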

The benefits of using a secure enclave 

Common sense tells us that it is extremely expensive to apply the same level of protection to all of your company’s data. A secure enclave can provide a cost-effective alternative for you to protect data that truly requires specialised protection, without the need to invest significant capital by covering all of the everyday data that flows in and out of your organisation.

By minimising the scope of a Level 3 data repository, you can streamline compliance procedures by concentrating access and security controls on one small element rather than across your entire IT infrastructure. Since not every employee requires access to sensitive data in their day-to-day roles, they won’t need to be subject to additional security restrictions and superfluous policies. Moreover, monitoring and reporting data become simpler and more focused in the context of a reduced cyberattack surface.

As you consider a secure enclave solution, here’s what to look for:

  • A trusted collaboration workspace: In an era where companies are balancing Work from Home and Work from Office environments, users need to collaborate productively in a secure environment wherever they are located. Flexible document search and version control policies across multiple devices are paramount. You can make it easier for users by relying on applications that they’re already familiar with, such as Google Workspace, Microsoft 365 and their related content collaboration solutions. These solutions enable sensitive data to be shared, annotated and edited under careful control. In addition, features like preview-only, time-limited links, document watermarking and user revocation help you to closely monitor employees’ collaboration efforts.
  • Advanced cybersecurity and access controls: Secure enclaves require enhanced controls to protect your data and authenticate users’ access, including encryption, auditable activity logs and role-based access controls (RBAC). Advanced analytics should also be incorporated to recognise and prevent unauthorised access and detect anomalous user behaviour. Furthermore, tools that can automatically identify sensitive data and automate content lifecycle policies, including retention, archival and deletion (RAD), are critical to ensuring a legally defensible retention policy.
  • Enhanced sensitive file lifecycle management: Stale, obsolete and duplicate files present a multi-pronged threat by taking up valuable space and increasing your overall cyberattack surface. That’s why companies should introduce a process to automatically delete and/or archive files after a certain timeframe whilst pursuing a maintenance policy that enables you to preserve files that need to remain available to users. By automating RAD policies, you’ll relieve your administrative teams of a significant burden.
  • Flexible deployment: You should consider a solution that can be easily configured and scaled as your company grows without impacting business productivity. Many organisations select a SaaS-based, pay-as-you-go model to ensure that they purchase only the volume of storage and the number of user licences that they need. Such SaaS-based solutions often include native, intuitive migration tools, which makes data migration to a new secure enclave a straightforward process.
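The RAD automation described in the lifecycle-management points above (archive idle files, delete files past their retention window, remove duplicates, but never touch files that must stay available) can be modelled as a planning pass over a file inventory. This is an added example, not the article's or any vendor's code: the inventory, the per-level archive and deletion windows, the duplicate rule (keep the oldest copy) and the legal-hold field are constructed assumptions standing in for an organisation's real records schedule.

```python
"""Retention, archival and deletion (RAD) planning over a file inventory.

Added illustration, not the article's own code. The inventory and the
retention windows per data level are constructed sample values; a real
policy would come from the organisation's records schedule.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class FileMeta:
    path: str
    level: int                 # article's Level 0-3 classification
    last_modified: datetime
    last_accessed: datetime
    content_hash: str          # used to spot duplicate content
    legal_hold: bool = False   # held files are never archived or deleted


# Constructed sample windows keyed by data level:
# (archive after N days without access, delete after M days since last modification)
POLICY = {
    0: (90, 365),
    1: (180, 730),
    2: (365, 1825),
    3: (365, 2555),
}

AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed "now" for reproducibility


def plan_actions(files: list[FileMeta], now: datetime, policy=POLICY) -> list[tuple[str, str, str]]:
    """Return (path, action, reason) for every file; action is retain/archive/delete."""
    actions = []
    canonical: dict[str, FileMeta] = {}   # content_hash -> oldest copy kept
    # Oldest-modified first, so the first copy seen of any hash is the one retained.
    for f in sorted(files, key=lambda x: x.last_modified):
        if f.legal_hold:
            # Legally defensible policy: a hold overrides every other rule.
            actions.append((f.path, "retain", "legal hold"))
            continue
        if f.content_hash in canonical:
            actions.append((f.path, "delete", f"duplicate of {canonical[f.content_hash].path}"))
            continue
        canonical[f.content_hash] = f
        archive_days, delete_days = policy[f.level]
        idle_days = (now - f.last_accessed).days
        age_days = (now - f.last_modified).days
        if age_days >= delete_days:
            actions.append((f.path, "delete", f"past {delete_days}-day retention"))
        elif idle_days >= archive_days:
            actions.append((f.path, "archive", f"idle for {idle_days} days"))
        else:
            actions.append((f.path, "retain", "within policy"))
    return actions


def sample_inventory() -> list[FileMeta]:
    """Constructed inventory covering each branch of the policy."""
    d = lambda y, m, dd: datetime(y, m, dd, tzinfo=timezone.utc)
    return [
        FileMeta("enclave/payroll-2024.xlsx", 3, d(2024, 5, 1), d(2024, 5, 20), "h1"),
        FileMeta("enclave/payroll-2024 (copy).xlsx", 3, d(2024, 5, 10), d(2024, 5, 25), "h1"),
        FileMeta("public/brochure-2022.pdf", 0, d(2023, 1, 1), d(2023, 1, 2), "h2"),
        FileMeta("legal/contract-dispute.docx", 2, d(2022, 1, 1), d(2022, 6, 1), "h3", legal_hold=True),
        FileMeta("shared/team-notes.docx", 1, d(2023, 12, 1), d(2023, 12, 1), "h4"),
    ]


if __name__ == "__main__":
    for path, action, reason in plan_actions(sample_inventory(), AS_OF):
        print(f"{action:8} {path}  ({reason})")
```

Running the planner produces a reviewable list rather than acting immediately, which is the shape you want before wiring it to real storage: the archive and delete steps can then be executed by a separate job, and the plan itself becomes part of the audit record for the retention policy.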

These are only several of the considerations that you should keep in mind when your company is evaluating or building a secure enclave of its own. Ideally, a versatile cloud-based environment – which supports common repositories and can scan and identify sensitive data where it lives – will help you create a secure and controlled environment where collaboration prospers, but not at the expense of data security.
