In today’s world of ever-diminishing IT perimeters, trends such as increased adoption of cloud-based services, shadow IT set up by business units under product go-to-market (GTM) pressure, and growing reliance on partners to deliver critical services are making the traditional model of infrastructure-centric security inadequate and less relevant. The pace of information creation is also accelerating: as organizations become information-centric and move towards digital, they generate heaps of data in various formats (structured, semi-structured and unstructured).
As a result of these blurred perimeters and the digital journey, organization data changes hands between internal and external entities and often finds itself residing in new or unknown repositories. The data life cycle of ‘creation, update, transfer, retain, archive, delete’ is being extended outside the organization, making it difficult to track where data exists.
Ever-tightening data protection regulations and heavy penalties for data breaches are forcing security leaders to track these data life cycles and extend appropriate protection. However, gaining visibility of such disparate data, classifying it and protecting it appropriately is proving an uphill task. Traditional infrastructure security is proving insufficient, as it is confined to the organization boundary and works at the infrastructure layer.
Security leaders certainly have to augment the infrastructure-centric focus with a data-centric one and start adopting a holistic approach of data-centric protection at every stage of the data life cycle within the newly formed boundaries. They should begin by framing an enterprise-level Data Security Strategy as part of the overall Information Management strategy.
As part of this strategy, the multipronged, risk-based approach suggested below is recommended for organizations to overcome these issues and enable the business to harness the ever-increasing commoditization of IT and IT services:
- Establish a Data Security Governance Program, as a subset of the existing Information Management Governance Program, that deals with protecting the organization’s data
- Develop data-centric policies, management processes and security controls across data silos
- Assign incremental responsibility for data security to existing Information Management stakeholders, i.e. the Information Owner, Data Stewards, Data Custodians, Partners and Service Providers
- Embed the key data security processes (data discovery, data classification, data protection, data retention and archiving, data deletion) into business processes
- Perform data discovery of the organization’s data (structured, semi-structured and unstructured) across data repositories on-premise and outside (Cloud, Partners, Service Providers), classify this data and create a data inventory
- Evaluate the business processes that handle critical and sensitive data for their current data protection controls and for data handovers to external parties
- Perform threat modelling to identify the relevant threats and attack vectors for the organization’s critical and sensitive data, evaluate the adequacy of existing controls and highlight the risks
- Identify the appropriate data-centric protection technologies (data encryption, tokenization and masking, information rights management, data leakage prevention) and monitoring technologies (data access governance, database audit and protection) to minimize the risk
- Also explore the possibility of augmenting current infrastructure security controls to be ‘content and context aware’, with the capability of protecting data at rest, in motion and in use
- Measure the performance of the data protection measures against reference maturity levels and draw a roadmap towards reaching the industry maturity level
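To make the discovery, classification, inventory and protection steps above concrete, here is an added Python example (it is not part of the original article and describes no particular product). It scans a set of constructed sample repositories spanning on-premise and external locations, detects e-mail addresses and Luhn-valid payment card numbers, assigns an assumed three-level classification (Restricted, Confidential, Internal), builds a data inventory, and then applies masking and keyed-hash tokenization so that copies handed to external parties carry no raw sensitive values. The repository contents, the classification scheme and the HMAC-based token format are all assumptions made for illustration.

```python
"""Toy data discovery, classification and protection pass (added example)."""
import hashlib
import hmac
import re

# Constructed sample "repositories": structured, semi-structured and unstructured,
# on-premise and external. None of these values are real.
SAMPLE_REPOSITORIES = {
    "hr-db (on-premise, structured)":
        "id,name,email\n101,A. Kumar,a.kumar@example.com\n102,B. Rao,b.rao@example.com",
    "partner-sftp (external, semi-structured)":
        '{"order": 5521, "card": "4111 1111 1111 1111", "contact": "ops@partner.example"}',
    "fileshare (on-premise, unstructured)":
        "Quarterly planning notes. Budget figures to be confirmed with finance.",
    "cloud-bucket (external, unstructured)":
        "Ticket 77: customer reported card 5500 0000 0000 0004 declined; call back on 555-0100.",
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13-19 digit runs, optionally separated by spaces or dashes; confirmed with Luhn below
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check so that arbitrary digit runs are not reported as payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def discover(content: str) -> dict:
    """Return the sensitive data types found in one repository's content."""
    findings = {"email": EMAIL_RE.findall(content), "card": []}
    for m in CARD_RE.finditer(content):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            findings["card"].append(digits)
    return {k: v for k, v in findings.items() if v}


def classify(findings: dict) -> str:
    """Map discovered data types to a classification level (assumed scheme)."""
    if "card" in findings:
        return "Restricted"
    if "email" in findings:
        return "Confidential"
    return "Internal"


def build_inventory(repositories: dict) -> list:
    """Data inventory: where the data lives, whether it is external, what it holds, its class."""
    inventory = []
    for location, content in repositories.items():
        findings = discover(content)
        inventory.append({
            "location": location,
            "external": "external" in location,
            "data_types": sorted(findings),
            "classification": classify(findings),
        })
    return inventory


def tokenize_card(pan: str, key: bytes) -> str:
    """Replace a PAN with a keyed-hash token; the last four digits are kept for reconciliation."""
    digest = hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()
    return f"tok_{digest[:16]}_{pan[-4:]}"


def mask_email(addr: str) -> str:
    """Keep the first character and the domain so the record stays recognisable."""
    local, _, domain = addr.partition("@")
    return f"{local[0]}***@{domain}"


def protect(content: str, key: bytes) -> str:
    """Tokenize cards and mask e-mails in place before the content leaves the organization."""
    def repl_card(m):
        digits = re.sub(r"\D", "", m.group())
        return tokenize_card(digits, key) if luhn_valid(digits) else m.group()
    content = CARD_RE.sub(repl_card, content)
    return EMAIL_RE.sub(lambda m: mask_email(m.group()), content)


if __name__ == "__main__":
    key = b"demo-tokenization-key"   # constructed; in practice this comes from a key manager
    for entry in build_inventory(SAMPLE_REPOSITORIES):
        print(entry)
    print(protect(SAMPLE_REPOSITORIES["partner-sftp (external, semi-structured)"], key))
```

The inventory output is what the governance program needs: the two external repositories both end up classified Restricted because they hold card data, which is exactly the kind of finding that should drive the control evaluation and threat modelling steps that follow.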
Organizations should consider commencing an assessment exercise to review the current status of data security governance and data protection across the data silos and draw a roadmap towards improving the controls.
An augmented focus on data-centric protection will help the organization in multiple ways:
- Enabling business agility by allowing the safe use of IT utility services and vendor-provided services, with appropriate data protection assured
- Reducing the risk of data breaches by applying the necessary data protection controls
- Providing assurance towards regulatory mandates, subject to deployment of appropriate protection
- Knowing what data you hold, where it is currently stored and its current protection level
- Visibility of current data exchanges within the business ecosystem (partners, suppliers, service providers)
- Understanding the current risk to your data, and inputs to prioritize investment areas for data protection
In light of blurred perimeters and increased reliance on external service providers and partners, organizations should prioritize efforts on protecting data across its life cycle and across all touch points, internal and external to the organization. Organizations should adopt a holistic Data Centric Protection Program as part of the Information Management Program and deploy consistent data protection policies across the data silos. Traditional infrastructure security controls should also be augmented, wherever feasible, to protect the data within the perimeter.
Authored by Prashant Deo