BYOD, mobility, cloud, social media and IoT – these phenomena are causing a paradigm shift in IT based on what users can do and where data can live. Gone are the days when data was confined to the data centre and we could put a virtual fence around it and protect it. Now data is everywhere, with multiple copies of it. This causes a massive headache for CISOs who are tasked with protecting this data from falling into the wrong hands. The question then arises, with data literally everywhere, how do we achieve this?
Before I answer the above question, let’s look at some key fundamentals of data protection and how they allow data to be protected whether in motion, in processing or in storage. These are:
- Authentication – know who is accessing your data and how. Ensure that the right actors have access and those that shouldn’t, don’t
- Authorisation – providing authenticated access to data is not enough. You will have to ensure that the access is strictly governed and defined by who can do what to the data across all components of the data lifecycle (create, store, use, share, archive and destroy). This will typically require creating an authorisation matrix by data type to ensure correct and compatible access while maintaining appropriate segregation of duties. The matrix will then have to be applied to the relevant data types to ensure only authorised access is permitted to data. Data classification is critical here since the value of the data will define who can access it and to what level
- Accounting – things that can go wrong, will go wrong! This is where appropriate logging comes into play. With the right logging based on the data type, you will be able to track who did what and perform root cause analysis to rectify issues, and forensics to determine what happened in the case of a security incident
- Encryption – this is particularly important for data at rest. If the data is encrypted, and the keys are controlled appropriately, then anyone getting access to the data will struggle to do anything with it since it will be undecipherable.
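As an added illustration (not part of the original article), the authorisation matrix and accounting points above can be sketched in Python: a default-deny matrix keyed by data type and lifecycle action, a segregation-of-duties check, and a log entry for every decision. The data types, roles and conflict pairs are constructed assumptions.

```python
import json
from datetime import datetime, timezone

LIFECYCLE = ("create", "store", "use", "share", "archive", "destroy")

# Constructed matrix: data type -> role -> permitted lifecycle actions.
MATRIX = {
    "customer_pii": {
        "data_owner": {"create", "use", "share", "archive"},
        "analyst": {"use"},
        "records_officer": {"store", "archive", "destroy"},
    },
    "public_web": {
        "data_owner": set(LIFECYCLE),
        "analyst": {"use", "share"},
    },
}

# Action pairs that one role must not hold together on the same data type.
SOD_CONFLICTS = [("create", "destroy"), ("share", "destroy")]
# Data types whose classification requires segregation of duties (assumption).
SOD_ENFORCED = {"customer_pii"}

AUDIT_LOG = []  # in-memory stand-in for a real log pipeline


def validate_matrix(matrix):
    """Return (data_type, role, detail) for each unknown action or SoD violation."""
    problems = []
    for dtype, roles in matrix.items():
        for role, actions in roles.items():
            for unknown in sorted(actions - set(LIFECYCLE)):
                problems.append((dtype, role, (unknown,)))
            if dtype in SOD_ENFORCED:
                for a, b in SOD_CONFLICTS:
                    if a in actions and b in actions:
                        problems.append((dtype, role, (a, b)))
    return problems


def authorise(user, role, data_type, action):
    """Default-deny lookup; every decision, allow or deny, is logged."""
    allowed = action in MATRIX.get(data_type, {}).get(role, set())
    AUDIT_LOG.append(json.dumps({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "role": role, "data_type": data_type,
        "action": action, "decision": "allow" if allowed else "deny",
    }))
    return allowed
```

Running `validate_matrix` whenever the matrix changes catches a role that quietly accumulates conflicting actions, and logging denials as well as allows gives the later analytics layer something to correlate.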
So having discussed the issue of data being everywhere and some basics of securing it, the next point to address is how you apply these security fundamentals to the data. This is where the rubber hits the road!
The basic premise that applies here is “containerising” the data and applying security controls to the data itself – not users, location, time or devices since the mantra now is access anywhere, anytime from anything.
To achieve the above, one needs to implement tools, processes and technology that can containerise the data and apply the relevant security controls so that if an actor does not have access to the data, they cannot even see it. What they cannot see, they cannot get to. Extrapolating this further, controls need to be applied at the following layers where data tends to exist:
- Network – this is the backbone that data uses to transit from A to B. Controls at this layer are important to protect data in motion so that data cannot be intercepted and accessed by unauthorised actors. Appropriate access controls, authorisation and encryption are critical here
- Servers and databases – this is where data is typically processed. Controls need to be in place so that only the right processes are accessing the data in the right manner and that these processes cannot be manipulated to access data that they should not be accessing
- Cloud – data is being moved to the cloud rapidly. It is vital that security controls are maintained in the cloud to ensure that only authorised and authenticated access is permitted and all access logged. Data at rest in the cloud should be encrypted with the key under control of the data owner
- Mobile / IoT – as mobile and IoT devices proliferate, they will hold / access more and more data. Access, authorisation, encryption and logging controls need to be in place for data on mobile / IoT devices
- Analytics / Correlation – adequate logging can only be achieved when logs are captured for all data types regardless of device or user, and analysed and correlated to reveal threats and attacks. Without this level of intelligence in place, it will be difficult to determine security issues with critical data types. An important component here is to ensure that the organisation has an adequate incident response plan that is well tested. The log data should be reviewed ideally in real-time and responded to. If this capability cannot be procured internally, consider outsourcing to the many managed security providers that now exist.
Within this article, I have tried to explain how to provide security controls over data regardless of location, time of access, user or device. The fundamentals of data security still very much apply around data containerisation and application of authentication, authorisation, accounting and encryption controls. Appropriate application of these controls at the right layers of network, servers and databases, cloud, mobile / IoT and analytics / correlation will allow you to protect your data adequately.