CIO upfront: The 10 commandments of data protection
- 02 October, 2017 06:00
Manage just the data that matters
As organisations undergo continued evolution as part of their own digital transformation efforts, data security has become more complex. Good custodians of data are starting to integrate a number of elements in place to keep it safe. Excellent custodians of data are going even further and putting in place integrated systems that bring together technology, process and human behaviour.
This got me wondering if we could find 10 commandments for data protection, and this is what I explore in this blog.
Know your data
If you can’t define what data is sensitive, then there is nothing to protect! Ensuring you can identify all your sensitive data is achieved using the best that people and technology can offer. Certain data is easily defined so technologies such as Data Loss Prevention or Cloud Access Security Brokers do a great job of finding it - at rest, in motion or in the cloud. Enlightenment comes when you bring the power of people into the mix. Allow your data owners to also tag sensitive data and you have a complete way to classify data from creation throughout its existence.
Protect what’s rightfully yours - consistently
Now you have a comprehensive view of your sensitive data, make sure it’s kept safe. The best way to do this? Encryption of course. Using your data classification to determine the need for protection ensures that you always apply the appropriate protection based on the level of sensitivity, saving you from ‘re-inventing the wheel’ every time.
Provide omnipresent protection
Things are not always black and white so how can you apply protection in shades of grey? For example, it might be OK for someone to open a document, and even for them to edit it, but not to print a hard copy. Take encryption to the next level and incorporate Digital Rights Management to give you better flexibility and control.
Give your cloud a silver lining (or take it to Cloud Nine)
The cloud represents the best, and worst, in humanity. It allows open collaboration and individuals to demonstrate the generosity of human spirit. But this generosity can lead to data being overly shared, and that’s where trust can be eroded. There is a better way. Protection that follows the data – even into the cloud - ensures that wherever, and with whomever data resides, a generous spirit can always a good thing.
Don’t let just anyone, unlock your secrets
A decryption key, in the wrong hands, can be dangerous. How can you control who can access your data? Well, instead of just relying on the decryption key, why not embed a user’s identity into the process. And, if you add the third dimension of multi-factor authentication, you can be really confident that when a user opens a document, it really is them and not an imposter. This is how you start to reduce the risk of account takeovers.
Keep an eye on your flock
Just as a good shepherd has the ability to watch over his flock, you can keep an eye on all your data users – especially when they might not even be part of your organisation and be located on the other side of the world.
As users authenticate to access a document, you know have a means of watching who is accessing what, from where. You can encourage good behaviours, and intervene before anyone strays too far from the right path. Help your users to respect sensitive data, and you’re well on the way to full protection.
Control at the data level, for protection everywhere
You no longer need to fear the unknown. Even if data has been scattered to the four winds, and is stored multiple times in the cloud, on a plethora of devices, across multiple countries and users, data centric security keeps it safe. For example, using identity based authorisation at the data level keeps you fully in control. You ensure that only the right people have access, and you can step up (or down) security by being context aware. For example, if users are accessing data remotely, on unmanaged devices you would ask for additional levels of authentication.
You can revoke access to the data anytime
What happens when people change? How can you take back what you’ve given them? Well, now you have the ability to track who is accessing what data, you can see when data is at risk of abuse. By using a cloud hosted service, that can both track and control access for users from inside and outside your organisation you have a system that delivers ‘actionable intelligence’.
What I mean by this is that if a user starts acting out of character, or you know that they should no longer have access, then you can limit or even remove their access. So whilst you can’t make all copies of a document disappear (we haven’t yet found a way to deliver that miracle!), you can make that document unreadable by effectively locking it, and throwing away the key!
Manage just the data that matters
Here is the interesting dilemma. Not only do we have more data to protect, but the way we protect data creates even more data! A data squared problem! How are we meant to monitor every single piece of sensitive data, understand whether it’s moving to the cloud or has been accessed by mobile users and devices. It’s impossible, so we need to focus on the alerts that really matter – but how do we know that?
Take this example. If your systems are set to protect sensitive data that leaves the organisation, then this is safe and you do not need to do anything? But if your data protection systems work in isolation they may generate multiple events, and that can quickly overwhelm your team.
The intelligent integration of data protection systems solves this problem. We imagine a world where a data operations centre is established that collates information from various systems (eg DLP, CASB, information centric encryption, authentication) to help you act on the events that matter, helping you separate the wheat from the chaff.
Make threat protection personal
Account takeover is a big problem, when a legitimate account is being controlled by a malicious actor then you have problems – your security systems can be easily bypassed because the attacker has now got the key to your front door.
Monitoring not just who is accessing your data, but how the access it unlocks tremendous insight. Being able to mine the data in your cata operations centre and correlate it with user behavioural analytics will show where your risk lies. Not only can you find user accounts that may have been compromised, but also well-meaning users that are inadvertently putting your data at risk. The key? Being able to act on this information quickly to contain the risk and even stop a breach before it happens.
Into information-centric security
By following these commandments you take data protection to a higher plane. You get the best of technology and people, and allow people to share, support and encourage each other whilst eliminating some major risk areas.
We have based our whole information centric security approach around these tenets to ensure that you don’t stop the flow of information, but you have the power to control with who and how it is shared. This allows you to maintaining both visibility AND control, even with outside users.
Protection can be dynamic as you can revoke access over time. We don’t want to flood you with data, so we use telemetry much like Noah’s Ark, to rise above the flood and help you protect what matters, and smart analytics ensure you can take fast and decisive action before, or just after a breach occurs.
So, to recap, the data protection 10 commandments are:
- Know your data
- Protect what’s rightfully yours – consistently
- Provide omni-present protection
- Give your cloud a silver lining (or take the cloud to Cloud Nine)
- Don’t let just anyone, unlock your secrets
- Keep an eye on your flock
- Control at the data level, for protection everywhere
- You can revoke access to the data anytime
- Manage just the data that matters
- Make threat protection personal
Nicolas Popp is the senior vice president, information protection at Symantec.
Follow CIO New Zealand on Twitter:@cio_nz
Sign up for CIO newsletters for regular updates on CIO news, views and events.
