Securing Your Digital Transformation: Data
Amy Stokes-Waters
The Cyber Escape Room Co. | Security Education, Awareness & Engagement | Experiential Learning | Corporate Events | Non Exec Director | Full Time Feminist | Oh FFS...
You might be thinking “Amy, you talked extensively about security transformations from the identity perspective in your last article (here for those of you that missed it), so what else is there to cover?” Well the answer is ‘lots’! But this article will look specifically at how your security transformation programme should protect another of your most valuable assets: your data.
Information is one of the most valuable commodities in the world. That's why hackers exist, right? Yet every day we put our data in the hands of the riskiest link of any organisational chain: our users. So, what can we do to protect it (and support our people in the process)? Well, let's take a look.
Housekeeping
We used to be a nation of shopkeepers. Now? We're a nation of hoarders. I don't mean the kind of people who stack up twenty-year-old newspapers in their kitchen and can't bear to throw out the tin their baked beans came in.
No, I mean the kinds of people who hoard reams and reams of data. When was the last time you really needed to know the middle name of a contact? I bet it's in your CRM somewhere regardless.
When we're storing data, one of the first (and most crucial) things we need to think about is whether we really need said data. It's great to have a good understanding of our clients, but why spend time and effort protecting data that we’ll likely never use?
If you protect your diamonds and paperclips with equal vigour… you’ll soon have more paperclips and fewer diamonds. – Dean Rusk, US Secretary of State 1961-1969
With the above quote in mind (it’s a good one, no?), one of the first things we should do is examine what data we’re even holding, and then assign appropriate risk levels to those data sources. Our most critical applications and our most critical data should have the tightest controls, whether that means access only for specific users, only from a specific IP range, or only from specific devices (e.g. not via BYOD).
So, what’s best practice?
The Security Perimeter
Firstly, we need to understand where our data is, and where we can implement controls, i.e. we need a firm understanding of our security perimeter. It’s a big ask in a world where, thanks to remote working and BYOD, our security perimeter now moves around with our users on a daily basis (here’s one I wrote earlier).
Our perimeter - previously rigid - needs to become elastic. Where we once had the relatively easy task of protecting only our network, we now have a myriad of mobile devices out in the big wide world which are open to threats, from careless users losing their iPhone in a café to malicious parties working through unsecured wi-fi networks. Our perimeter has expanded, and so should our understanding of the associated risks. We need to become more proactive in our approach to data security.
Data Classification & Discovery
Secondly, we want to classify our data and ensure that appropriate access controls are applied to it. Automatic classification takes the onus away from our users (thankfully, in some cases!) and means that policies are applied to documents and data based on business rules. We can lock down files to be accessed by specific people or groups of people, and we can control what they can do with those files (e.g. removing the ability to forward an e-mail or print a document).
Complementing our ability to classify our documentation, having the facility to discover where data is being stored is a big help. Monitoring SaaS applications with a cloud access security broker (CASB) gives us a continuous method of discovering accidental data leaks and of pinpointing data transfers down to the user and IP level.
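To make the classify-then-discover flow concrete, here is an added example (mine, not code from the original article or from any vendor product) in Python. A few business rules assign a label to each document, each label carries the handling it permits (forward, print, external share), and a small CASB-style activity feed is then scanned for transfers the label forbids, reported down to the user and source IP. Everything in it is constructed for illustration: the detectors, the file contents, the activity lines and the corp.example domains.

```python
import re

# Detectors are constructed for this example; a real tenant would plug in its
# own label taxonomy and its DLP engine's sensitive-information detectors.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15,16}\b")              # card-number shaped digit run
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")        # personal contact data
MARKER_RE = re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE)    # explicit author marking


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum, so a random 16-digit order reference is not labelled a card."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Business rules, most sensitive first: the first rule that fires decides the label.
LABEL_RULES = [
    ("Confidential", MARKER_RE, None),
    ("Confidential", CARD_RE, luhn_ok),
    ("Internal", EMAIL_RE, None),
]

# What a holder of each label may do with the document (the "lock down" part).
LABEL_POLICY = {
    "Confidential": {"forward": False, "print": False, "external_share": False},
    "Internal":     {"forward": True,  "print": True,  "external_share": False},
    "Public":       {"forward": True,  "print": True,  "external_share": True},
}


def classify(text: str) -> str:
    """Automatic classification: apply the business rules, fall back to Public."""
    for label, pattern, validator in LABEL_RULES:
        for match in pattern.finditer(text):
            if validator is None or validator(match.group()):
                return label
    return "Public"


# --- Discovery over a CASB-style activity feed (constructed: timestamp then key=value pairs)
INTERNAL_DOMAINS = {"drive.corp.example", "mail.corp.example"}


def parse_event(line: str) -> dict:
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = ts
    return event


def find_leaks(lines, file_contents):
    """Flag transfers whose label forbids external sharing and whose destination
    is outside the organisation, keeping the user and source IP for follow-up."""
    leaks = []
    for line in lines:
        ev = parse_event(line)
        label = classify(file_contents.get(ev["file"], ""))
        if not LABEL_POLICY[label]["external_share"] and ev["dest"] not in INTERNAL_DOMAINS:
            leaks.append({"user": ev["user"], "src_ip": ev["src_ip"],
                          "file": ev["file"], "dest": ev["dest"], "label": label})
    return leaks


# Constructed sample documents and activity lines.
FILES = {
    "q2_board_pack.docx": "CONFIDENTIAL - Q2 board pack, do not distribute",
    "customer_export.csv": "name,email\nJo Bloggs,jo.bloggs@example.net",
    "refund_batch.txt": "card 4111 1111 1111 1111 refund 42.00",
    "order_refs.txt": "ref 1234567812345678 shipped",
    "press_release.txt": "Our new escape room opens in June!",
}
EVENTS = [
    "2024-05-01T09:12:03Z user=alice@corp.example src_ip=10.20.0.14 action=upload file=q2_board_pack.docx dest=drive.corp.example",
    "2024-05-01T09:15:41Z user=bob@corp.example src_ip=198.51.100.23 action=share file=customer_export.csv dest=personal-mail.example",
    "2024-05-01T09:20:08Z user=carol@corp.example src_ip=198.51.100.9 action=upload file=refund_batch.txt dest=paste.example",
    "2024-05-01T09:22:55Z user=dan@corp.example src_ip=10.20.0.31 action=share file=press_release.txt dest=press.example",
]

if __name__ == "__main__":
    for name, body in FILES.items():
        print(f"{name:22} -> {classify(body)}")
    for leak in find_leaks(EVENTS, FILES):
        print("LEAK", leak)
```

Two design points worth noting: rule order matters (a document with a card number and an e-mail address must come out Confidential, not Internal), and the Luhn validator is what stops every 16-digit order reference from being over-classified, which is exactly the paperclips-versus-diamonds problem from the quote above.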
Securing Our Identities
Finally, the third piece of the puzzle is securing our identities. No, this isn’t another blog about multi-factor authentication, it’s about a wider set of security tools than that. Working towards a zero-trust model should be the next big thing for your business. Using capabilities such as conditional access policies to assess the session risk of a user sign-in based on their device health, their location, and the data they are trying to access is a huge step forward for your information security practices.
Our users are inherently risky. Their credentials can be breached through phishing scams, vishing scams, shoulder surfing, password sprays, third party breaches… so implementing a model where you don’t automatically trust that the user is who they say they are can be the difference between a good day and a bad one.
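As an added example (not from the article, and not the policy engine of any particular product) of what a conditional access decision looks like once the risk tiers from the housekeeping section are in place, the Python below scores a sign-in on network, country, device health and BYOD, then applies a different threshold per data classification: the crown jewels are only reachable from managed devices by a short list of groups, while public data is cheap to hand out. The IP ranges, countries, groups, weights and thresholds are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Tenant settings are constructed for this example, not taken from any real product.
CORP_RANGES = [ipaddress.ip_network("10.0.0.0/8"),        # internal network
               ipaddress.ip_network("203.0.113.0/24")]    # office egress (TEST-NET-3)
HOME_COUNTRIES = {"GB", "IE"}                             # where sign-ins are expected from
# Entitlement per classification: the diamonds get the shortest list.
ALLOWED_GROUPS = {
    "Confidential": {"finance", "exec"},
    "Internal": {"finance", "exec", "staff"},
    "Public": None,                                       # any authenticated user
}


@dataclass
class SignIn:
    user: str
    groups: set
    src_ip: str
    country: str
    device_compliant: bool   # device management reports patched, encrypted, healthy
    byod: bool               # personally owned device
    mfa_satisfied: bool      # strong second factor already completed this session
    resource_label: str      # classification of the data being requested


def on_corp_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_RANGES)


def session_risk(s: SignIn):
    """Additive risk score from network, location and device health, with reasons."""
    score, reasons = 0, []
    if not on_corp_network(s.src_ip):
        score += 1; reasons.append("off-network")
    if s.country not in HOME_COUNTRIES:
        score += 2; reasons.append(f"unfamiliar country {s.country}")
    if not s.device_compliant:
        score += 2; reasons.append("non-compliant device")
    if s.byod:
        score += 1; reasons.append("BYOD")
    return score, reasons


def decide(s: SignIn):
    """Return (decision, reason); decision is one of allow, mfa, block.
    Nothing is trusted by default: the sign-in has to earn access to each tier."""
    allowed = ALLOWED_GROUPS[s.resource_label]
    if allowed is not None and not (s.groups & allowed):
        return "block", "user not entitled to this classification"
    score, reasons = session_risk(s)
    why = ", ".join(reasons) or "no risk signals"
    if s.resource_label == "Confidential":
        if s.byod or not s.device_compliant:
            return "block", "Confidential data only from managed, compliant devices"
        if score >= 3:
            return "block", "session risk too high: " + why
        if score > 0 and not s.mfa_satisfied:
            return "mfa", "step-up required: " + why
        return "allow", why
    if s.resource_label == "Internal":
        if score >= 4:
            return "block", "session risk too high: " + why
        if score >= 2 and not s.mfa_satisfied:
            return "mfa", "step-up required: " + why
        return "allow", why
    # Public: cheap to share, but an oddly risky session still gets a step-up.
    if score >= 4 and not s.mfa_satisfied:
        return "mfa", "step-up required: " + why
    return "allow", why


if __name__ == "__main__":
    samples = [  # constructed sign-ins
        SignIn("alice", {"finance"}, "10.20.0.14", "GB", True, False, False, "Confidential"),
        SignIn("alice", {"finance"}, "198.51.100.23", "GB", True, False, False, "Confidential"),
        SignIn("alice", {"finance"}, "198.51.100.23", "GB", True, True, True, "Confidential"),
        SignIn("bob", {"staff"}, "10.20.0.31", "GB", True, False, False, "Confidential"),
        SignIn("bob", {"staff"}, "198.51.100.23", "US", False, False, True, "Internal"),
    ]
    for s in samples:
        print(s.user, s.resource_label, *decide(s))
```

The useful property is that the same compromised credential gets a different answer depending on what it reaches for: a phished password used from an unknown country on an unmanaged laptop still opens the public brochure, is challenged for the internal wiki, and never touches the board pack.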
With the risk to data rising in line with its inherent value, it makes absolute sense for your business to do all it can to protect its data – and that approach should form a significant aspect of your digital transformation strategy.
If you’d like to discuss any of the above, I’d be happy to have such a conversation – and feel free to share your thoughts in the comment section below.
Lead Cyber Essentials Assessor @ Pentest People | IT Security Assessment
5 years
Nice Article! I definitely agree with the nation of hoarders! Sometimes there is just no need to collect data that has a purely cosmetic value to a checklist system for covering ‘the essential areas’. Also great choice of quote.
I save companies from evil cyber villains | Advocate for kindness in tech | The hype person YOU need in your life | High ENERGY speaker!!! | Avid beard grower
5 years
Love your writing style Amy!!! Awesome!
Information Security Manager | Exec MBA, CISSP, PCI DSS ISA.
5 years
Great article. Thanks for this.
Technical and Sales Channel Specialist
5 years
Remember this is just "me, getting my stuff" - so make sure you know who I am, how I'm attempting to get it, and most importantly what stuff I'm entitled to!
CTO Gardner Systems | Analyst GigaOM | Tech Content Creator @techstringy
5 years
Another great article, this, from Amy - always remember the who, what, where, when and if of data: where is it, who uses it, why do they use it, when and if it is ever used. That's the base you build from, as Amy says here; then understand it by classifying your data (auto-classification so very useful) and then secure it based on that - good advice all around.