Data is the most crucial value-creation asset for any organisation, writes Helge Husemann, data security architect, Getvisibility.
Today, almost every industry is wrestling with exponential growth in data, and over the last decade, data has become one of the most powerful tools an organisation can commercialise.
However, data brings with it opportunity and risk in equal measure. A common concern is that digital transformation is outpacing companies’ current organisational security practices, leaving them and their data vulnerable.
“By equipping their companies with several data points, business leaders can make decisions with context, thus enabling a correct, fit-for-purpose, risk-based approach to the application of controls and protection of data”
Simultaneously, remote work is reframing how and where employees do their jobs. These trends also expand the attack surface and eliminate the previously discernible “perimeter” that was the traditional security blanket.
There are also many scenarios where there is a lack of clear understanding in terms of the difference between cybersecurity and data protection. Although most decision-makers are aligned on the rise in the use of cloud collaboration tools and security tools, they are split when it comes to their approaches for keeping data secure.
Specifically, data protection is the process of protecting data throughout its lifecycle – from data creation and processing to modification, transmission and destruction – and the old way of thinking about it isn’t fit for the digital transformation era. Considering the value of and risk surrounding data, it’s never been more crucial for companies to get their data protection strategy right (and make it robust) from the start.
Getting to grips with data
Firstly, businesses need to know where their data is stored – be that in the cloud, in the network or on the end-point – and also how it should be classified. Data Sprawl is a serious challenge. Therefore, knowing where data is located is the core of creating a data-centric approach to data protection and cataloguing same. Moreover, it is a critical input to a broader data governance strategy. After all, how can a business protect something when they don’t know where it is?
Once the data is discovered, that data then needs to be classified to reflect its sensitivity. Classification starts with defining the protect surfaces, also known as the crown jewels. The protect surface is the most valuable data-relevant asset to any organisation. When the protect surface is defined, it becomes much easier to build a robust plan around specific data sets.
Data mapping and flow is the other element which allows companies to better understand, monitor and manage their data. Getting this right ensures that an organisation has all the information and intelligence at hand and in real-time to enable it to understand the impact and dependencies for making informed decisions.
Implementing policies for protection
Determining what access policies are assigned to data sets enhances the Identity and Access Management (IAM) capability of any company. This information can then be used to strengthen existing IAM practices, such as any Role Based Access Control definitions. In addition, it enables businesses to identify anomalies that require investigation and potentially corrective action – both in terms of end-user and privileged access.
Granular access control is imperative to minimising the potential damage caused by a cyber breach. Having this visibility means an organisation can limit access to critical data and applications, thus reducing exposure and risk.
By equipping their companies with several data points, business leaders can make decisions with context, thus enabling a correct, fit-for-purpose, risk-based approach to the application of controls and protection of data.
Utilising the power of Artificial Intelligence
When taking a data-centric approach to security, it’s imperative to understand and identify the most critical data by assessing sensitivity and criticality. Due to the enormity of this challenge, the future of data protection requires the consumption of technologies utilising Artificial Intelligence (AI) or Machine Learning (ML). These tools make this challenge manageable.
The considerable advancement in AI/ML and Natural Language Processing (NLP) has been tremendously valuable in data security. These technologies provide a means to discover and classify data in near-real-time automatically. For instance, the problematic part of IP detection and classification is accurately finding it and attributing a sensitivity tag to a complex piece of information. But the ability to consume AI at scale and the seamless use of Named Entity Recognition (NER), an application of NLP, is a highly effective way to locate and classify many different protect surface types.
Accurately discovering and classifying data at scale enables organisations to implement zero-trust policies and facilitate real-time visibility into the daily interactions with their data. Understanding telemetries such as data sensitivity, identity, application source, device and user behaviour, and using advanced reporting to enforce the appropriate actions (allowing, deny, restrict, redirect, etc.) is a core foundation of an authentic zero trust architecture. The more telemetry businesses can analyse and the more knowledge they have when it comes to their data, the better risk decisions they make.
To protect against ransomware, because it’s the main target of such attacks, organisations need to either encrypt their “crown jewels”, or exfiltrate or change the data – or do all of these things. There is a reason why companies are still using tape backups and the reality is that this technology is becoming more interesting, but it only works if a business knows what data it’s holding and where it resides.
Moreover, it is impossible to be compliant with local privacy regulations or industry specific regulations without knowing what data is there and where it is. In this case, hope is not a strategy! The result of an effective data protection strategy is finding the right balance between enabling the business, managing the risk portfolio, protecting data, and upholding compliance. Whilst it can prove challenging, it is absolutely critical.