Major security breaches over the past few years, including Saks Fifth Avenue, Target, JPMorgan Chase, and Equifax, plus the emergence of GDPR and other privacy laws, have pushed data security to the top of the agenda for enterprises. Successful data security strategies go way beyond stronger passwords and/or restricting access. Strategies should serve as more than a check in the box for compliance sake. Security-aware enterprises follow a logical series of steps that identify the holes in data protection plans, and establish ongoing processes to treat the data like the critical resource hackers consider it to be.
Here are nine strategies to avoid being the big breach or the compliance failure of 2018:
1. Create and implement data protection management policies; from data classification and handling policies to data retention and data governance policies.
Data can’t all be weighted or treated equally. Some data is more sensitive than other data, different parties have specific levels of access to different data stores, and certain data assets move around becoming more sensitive as it is aggregated with other data, as in a data lake for instance. Companies need to create policies that include data classification, data handling, data retention and destruction, and data governance policies, standards, and procedures. However, don’t get too creative. Consider ranking data into categories such as “highly confidential,” “confidential,” “company,” and “public data.”
Defining the policies is the first step. To effectively manage data, you need to classify it, you need to define the policies’ goals and objectives and present them clearly to the affected stakeholders. Working with the data owners, you should balance the security and privacy of the data with the business use and integration requirements of your affected stakeholders. You need to establish the scope of the risk, considering issues such as how far you need to integrate into partners’ and other third-parties’ environments.
2. Discover all sensitive data and its risks.
Once you determine how you’re going to classify and manage your data, next you need to understand how you can discover the data you need. Digital Guardian’s Thomas Fischer, an advocate of data classification strategies, points out that data discovery could take many forms, evaluating everything from personally identifiable information, health and financial records, and business IP to source code and proprietary formulas. My advice: Data governance is critical – gather everything, assess everything, classify everything. Label data according to sensitivity and regularly validate data’s usage and status. Also analyze sensitive data risk: Consider how the data is used, its classification, access volume, how the data is protected, and how it proliferates to rank the data by risk.
3. Determine where data is stored, archived, and backed up.
Most companies’ data is stored electronically and has been for a long time. The addition of SaaS and cloud-based solutions adds a new level of complexity because the data is stored somewhere to which you do not necessarily have direct access. And in many cases, the data is stored multiple times if it is archived or backed up. To properly protect data, you need to find all the permutations, because even when data is deleted, in many cases the archive or backup is one directional and the deletion doesn’t cascade through all systems where the data has migrated.
4. Make sure sensitive information in your metadata is not exposed.
Adding metadata to digital files provides a huge short-cut for workers needing to apply that data to a particular project. The problem is that metadata has grown and can include personal, business, and proprietary information even without having access to the underlying information file. The richer the metadata, the more business or personal risk is created. Treat metadata with the same protections as the data. Your data classification policy needs to include metadata and have specific rules to ensure that companies aren’t oversharing in their efforts to streamline data usage.
5. Determine who has access to what and manage that access.
The quickest way to keep sensitive information away from unapproved employees at work is to “wall off” access. The problem with this approach is that these technologies and procedures do not take into account the common use cases of data usage and can inhibit business-critical actions. Today, the majority of companies use systems they do not own nor directly manage (e.g., SaaS, cloud, mobile). And the number of different types of data being created by people, systems, and applications is overwhelming. Enterprise security strategies need to move from focusing on just access to including data usage and the ontology of data being used. Consider implementing identity governance to refine access, authentication, and data usage to fully understand where, how, and why data is being used.
6. Know who’s doing what: Monitor, log, alert.
To protect data, it’s critical to know who’s accessing the data and what they’re doing with it. This puts a premium on maintaining logs and audit trails and monitoring them continuously. Details, such as who viewed what data, when, why, and whether the data is changed, must be logged, monitored and unusual behavior must be alerted on and investigated. It’s crucial that business leaders educate their employees fully on the importance of data protection protocols and drive home the consequences of short-cutting the security standards.
7. Do a thorough job of data masking, cleansing, and encrypting.
Companies need to look holistically at their data and think of it across its lifecycle. In this approach, the data risks should be identified by how the data is stored, used, transmitted, exposed internally or externally, and integrated or accessed. There are some new and interesting solutions coming to market that go beyond traditional data security, masking, and cleansing to help identify and access data security risks in the area of security intelligence. The concepts of security intelligence are solutions that are meant to create a measurement of security risk and identify issues so that they can be addressed before becoming a big problem, and automated procedures can be put in place to improve the level of security or bring the solution up to the desired level of security.
8. Diligently dispose or archive sensitive data.
Data grows exponentially, year over year, and it’s easy to lose track of what’s been scrapped after it’s been updated. A proper data security strategy includes provisions for regular data cleaning to reduce duplicates or errors in data. IT staff or department leaders can handle these cleanings, but organizations need to create a system to ensure that only authorized personnel are presiding over the disposal of sensitive data (e.g., HR or financial records). This is particularly important because data disposal and archiving need to comply with data retention policies and regulations.
9. Manage data risk on an ongoing basis.
The most important part of the implementation of a data security strategy is to understand that it’s not a one-time project. Data itself changes continuously, and companies’ use of data evolves nearly as quickly. Companies need to regularly evaluate their data protection programs and make sure they are aligned with the business. Institute a process to continuously discover and govern data management.
Without these strategies in place, sensitive data is at risk. Whether an unauthorized employee gains access, data gets lost in archives, or it’s stolen by hackers, a lackluster security strategy is essentially putting mission critical data and personal information in the hands of the wrong people.
About the Author:
Roger Hale is Vice President and Chief Information Security Officer at Informatica. In this role, Roger and his team are responsible for Informatica’s global information security, risk and compliance.
Roger has more than 25 years of experience working in the high-tech field and brings specialization in merging information security, customer advocacy, and service delivery with the agility of cloud services. He has a proven track record of delivering effective strategies that align information lifecycle management with business objectives, information assurance, and risk management.