I believe data is the most crucial value-creation asset for any organization. Today, almost every industry is wrestling with exponential growth in data, and over the last decade data has become one of the most powerful assets an organization can commercialise.
In my frequent conversations with data owners across many companies and industries, they know that data brings opportunity and risk in equal measure. A common concern (we won't mention Uber) is that digital transformation is outpacing their firm's current organizational security practices, leaving them and their data vulnerable. Simultaneously, remote work is reframing how and where employees do their jobs. These trends also expand the attack surface and erase the previously discernible "perimeter" that was the traditional security blanket.
I've also encountered many scenarios where there is no clear understanding of the difference between cybersecurity and data protection. Although most decision-makers are aligned on the rise in the use of cloud collaboration tools and security tools, they are split in their approaches to keeping data secure.
For the purposes of this blog, data protection is the process of protecting data throughout its lifecycle: creation, processing, modification, transmission and destruction. I believe the old ways of thinking about data protection aren't fit for the digital transformation era, and I want to share my experiences with the companies and strategies that get it right from the start.
Effective data protection strategies rest on five key pillars that are crucial to the robustness of a plan. Having worked with hundreds of companies to implement these strategies, the ones that stick to these five pillars deliver successful programs.
Data sprawl is a serious challenge. Knowing where data is located is the core of a data-centric approach to data protection, and cataloguing all of an organization's data is a critical input to a broader data governance strategy. Ask yourself: how can you protect something if you don't know where it is?
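In practice, that catalogue often starts with something as simple as an inventory scan. The sketch below walks a file share and records where each file lives, how large it is, and when it last changed; it is a minimal illustration of the discovery step, not a substitute for a discovery product, and the field names are my own assumptions.

```python
import os
from datetime import datetime, timezone

def catalogue_data(root: str) -> list[dict]:
    """Walk a file share and record where data lives -- a first pass
    at the inventory a governance programme builds on."""
    inventory = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            stat = os.stat(path)
            inventory.append({
                "path": path,
                "bytes": stat.st_size,
                "modified": datetime.fromtimestamp(
                    stat.st_mtime, tz=timezone.utc).isoformat(),
            })
    return inventory
```

A real programme would extend the same idea across databases, SaaS tools and object stores, but the principle is identical: you cannot protect what you have not located.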
Once data is discovered, it needs to be classified. I believe classification starts with defining your protect surfaces, also known as the crown jewels: the most valuable data-relevant assets to the organization, for example intellectual property (IP), PHI, PII or source code. Once you have defined the protect surface, it becomes much easier to build a robust plan around these specific data sets.
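One lightweight way to make protect surfaces actionable is to encode them as a register of classification labels and handling rules. The categories and rules below are illustrative assumptions, not a prescribed taxonomy; the point is that an explicit register lets every downstream control look up how a data set must be treated.

```python
# Illustrative protect-surface register; labels and handling rules
# are assumptions for the sketch, not a recommended policy.
PROTECT_SURFACES = {
    "PII":    {"sensitivity": "high",     "encrypt_at_rest": True,  "allow_external_share": False},
    "PHI":    {"sensitivity": "high",     "encrypt_at_rest": True,  "allow_external_share": False},
    "IP":     {"sensitivity": "critical", "encrypt_at_rest": True,  "allow_external_share": False},
    "PUBLIC": {"sensitivity": "low",      "encrypt_at_rest": False, "allow_external_share": True},
}

def handling_policy(label: str) -> dict:
    """Look up the handling rules for a classification label,
    defaulting unknown labels to the strictest treatment."""
    return PROTECT_SURFACES.get(label, PROTECT_SURFACES["IP"])
```

Defaulting unknown labels to the strictest tier is a deliberate fail-safe choice: unclassified data should never silently receive the weakest controls.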
This visibility is necessary to ensure that the organization has all the information and intelligence at hand, in real time, to understand impact and dependencies and make informed decisions.
Being able to determine this enhances an organization's Identity and Access Management (IAM) capability. This information can be used to harden existing IAM practices, such as Role-Based Access Control (RBAC) definitions, and to identify anomalies that require investigation and potentially corrective action. This applies to both end-user and privileged access.
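To make the anomaly-detection idea concrete, here is a minimal sketch that compares observed data access against what each user's RBAC role actually grants and flags the difference. The data shapes and names are assumptions for illustration; a real IAM programme would draw both sides from its directory and its access logs.

```python
def find_access_anomalies(role_grants: dict[str, set[str]],
                          user_roles: dict[str, str],
                          observed_access: dict[str, set[str]]) -> dict[str, set[str]]:
    """Flag resources a user touched that their RBAC role does not
    grant.  Each hit is a candidate for investigation and possible
    corrective action -- for end users and privileged users alike."""
    anomalies = {}
    for user, accessed in observed_access.items():
        allowed = role_grants.get(user_roles.get(user, ""), set())
        extra = accessed - allowed
        if extra:
            anomalies[user] = extra
    return anomalies
```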
Granular access control is imperative to minimize the damage from a cyber breach. This visibility enables an organization to minimize access to critical data and applications, which reduces exposure and, thus, risk; in other words, it hardens the protect surface.
The organization is now equipped with several data points, allowing it to make policy decisions with context and thus enabling a fit-for-purpose, risk-based approach to the application of controls.
When taking a data-centric approach to security, it's imperative to identify the most critical data by assessing sensitivity and criticality. Given the enormity of the challenge, the future of data protection depends on technologies that bring AI/ML to bear; these tools make the challenge manageable.
Considerable advances in AI/ML and Natural Language Processing (NLP) have been tremendously valuable in data security. This technology provides a means to discover and classify data automatically, in near real time. Consider IP classification from an AI/ML perspective. The hard part of IP detection is accurately finding a complex piece of information, e.g. a recipe, source code or a schematic, and attributing a sensitivity tag to it, because these are often unique pieces of data. But the ability to consume AI at scale, combined with Named Entity Recognition (NER), an application of NLP, is a highly effective way to locate and classify many different protect surface types.
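To show the shape of entity-driven classification without a trained model, the sketch below uses two regex patterns as a deliberately simplified stand-in for NER: it detects entity types in text and returns the labels found, which would then drive the sensitivity tag. Real deployments use trained NLP models; the patterns and labels here are illustrative assumptions only.

```python
import re

# Simplified stand-in for an NER model: two common PII entity types
# expressed as regexes.  Production systems use trained models that
# generalise far beyond fixed patterns.
PATTERNS = {
    "EMAIL":  re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "US_SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

def detect_entities(text: str) -> set[str]:
    """Return the set of entity labels detected in the text; the
    labels found determine the sensitivity tag to apply."""
    return {label for label, pat in PATTERNS.items() if pat.search(text)}
```

The gap between this sketch and true NER is exactly the point of the paragraph above: a schematic or a recipe has no fixed pattern, which is why model-based recognition, rather than rules, is what makes IP classification tractable at scale.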
Having accurately discovered and classified data at scale enables the organization to implement zero-trust policies. From my perspective, this is often the first time that the organization has experienced effective alignment between the data security folks and the cybersecurity teams. Facilitating real-time visibility into the daily interactions with an organization’s data is truly powerful.
Understanding telemetry such as data sensitivity, identity, application source, device and user behaviour in real time, and using advanced reporting to enforce the appropriate actions (allow, deny, restrict, redirect, etc.), is a core foundation of an authentic zero trust architecture.
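The decision step described above can be sketched as a small policy function that combines those telemetry signals into one of the named actions. The signal names and thresholds are illustrative assumptions, not recommendations; a production policy engine would evaluate far richer context.

```python
from dataclasses import dataclass

@dataclass
class AccessRequest:
    sensitivity: str        # classification of the data: "low" | "high" | "critical"
    device_managed: bool    # is the device under corporate management?
    behaviour_score: float  # 0.0 (normal) .. 1.0 (highly anomalous)

def decide(req: AccessRequest) -> str:
    """Combine telemetry into one of the actions named above.
    Thresholds are assumptions chosen for the sketch."""
    if req.behaviour_score > 0.8:
        return "deny"       # behaviour too anomalous, regardless of data
    if req.sensitivity == "critical" and not req.device_managed:
        return "deny"       # crown jewels never leave managed devices
    if req.sensitivity in ("high", "critical") and req.behaviour_score > 0.5:
        return "restrict"   # e.g. read-only, no download
    if not req.device_managed:
        return "redirect"   # e.g. to an isolated browser session
    return "allow"
```

The design choice worth noting is that every rule is evaluated per request, with no implicit trust carried over from a prior session; that is what distinguishes this from perimeter-style, authenticate-once access.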
The more telemetry my clients can analyze, the better risk decisions they make. The result is finding the right balance between enabling the business, managing the risk portfolio, and protecting data.
Speak to one of our experts