What’s your most critical business data? And do you really know where it all is and whether the controls and protection you have in place are adequate? Chances are, if you ask around the business, most people will agree that data about your products and services would be near the top of the list. And the National Data Breach Notification Scheme has put Personally Identifiable Information (PII) in the spotlight.
Look more closely and you’ll quickly discover that your critical data - your corporate crown jewels - extends to general ledger and accounts data, information in payroll and HR systems, source code and other intellectual property, and business intelligence systems. And with many of those applications and services now delivered as Software as a Service (SaaS), you may find that critical data is spread much further and wider than you ever expected.
For example, you might have customer information in your accounts system. Some of that might be shared or duplicated into a Customer Relationship Management (CRM) application that is connected to an email marketing platform. All those critical business systems could be hosted by third parties or you may have a mix of internal and external systems. When that data is shared between services, you are potentially open to several different compliance and data protection challenges.
When data from the Australian Red Cross Blood Service was accidentally leaked by a third party, the problem wasn’t that the data was copied to an inherently unsecured service. The issue arose because the security controls for that data were not set correctly. The data was leaked through a misconfiguration - not a weakness in the systems.
When we use cloud services without fully understanding all the controls and setting them appropriately for our businesses, we are leaving our corporate crown jewels open for exposure.
Four critical steps to take
It is possible to understand the scale of that exposure in SaaS and other systems and mitigate the risks.
Start by talking to the business and asking them what data they use, where it is and who has access to it. That will allow you to build a model of what you have and confirm that the right people have the correct level of access to the data.
Standards such as ISO 27001 and NIST can help with categorising data. For example, a framework such as public, internal, restricted and confidential may be useful to help everyone in the business understand the different sensitivity of various types of data.
Once you know what data you have and where it is, you can look at what controls are in place and what controls are available. For example, if two-factor authentication is required, you can check that each SaaS in use has that as an available control and apply it as needed for each different class of data or user.
Depending on which countries you operate within, you will need to comply with different rules and laws. That means ensuring controls are in place to meet your obligations.
Why is this hard?
Finding the appropriate security controls and configuring them is not as easy as it sounds. For example, the controls you need might be available but can only be enabled or configured the way you need them if you upgrade from a free or low-cost service to a more costly subscription. And it’s not always easy to know this unless you have tools that can interrogate and report back to tell you if there’s a potential risk and how to mitigate it.
Many SaaS solutions provide automated ways to check and enable many settings using APIs and other methods. But doing this across multiple applications and services serving lines of business such as IT, business operations, engineering, sales, marketing, HR, finance, product management and customer support is not easy.
Adding to this challenge is that all these applications are constantly evolving and the items that need to be configured, monitored and managed are in flux.
So, despite your best intentions, it’s possible that your corporate crown jewels - the data that your business depends on - might be more exposed than you think. And even if that information was safe and protected by the right controls yesterday, the same might not be true tomorrow.
Businesses need to find ways to automatically configure, monitor and adjust their cloud security to ensure their business data is safe. Whatever solution you use, though, needs to work across all the most critical places information is kept, and it needs to alert the right people when things change.
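The four steps above (inventory the data each service holds, classify it, check which required controls are available and enabled, and keep re-checking so drift is reported to the right people) can be expressed as a small posture check. The following is an added illustration, not code from the article or from any vendor it alludes to: the control policy per classification tier, the service names, owners and control settings are all constructed sample data, and the controls are modelled as plain flags rather than read from any real SaaS API.

```python
"""Minimal SaaS control-posture check (constructed example).

Inventory -> classification -> required controls -> drift alerts.
All apps, owners, controls and the policy table are made-up samples.
"""
from dataclasses import dataclass

# Classification tiers, least to most sensitive (assumed scheme, as in the article)
TIERS = ["public", "internal", "restricted", "confidential"]

# Assumed policy: controls a service must have enabled for its most sensitive data tier
REQUIRED_CONTROLS = {
    "public": set(),
    "internal": {"sso"},
    "restricted": {"sso", "mfa", "audit_log"},
    "confidential": {"sso", "mfa", "audit_log", "ip_allowlist"},
}


@dataclass(frozen=True)
class SaaSApp:
    name: str
    owner: str                    # who is alerted when this app drifts
    data_tiers: frozenset         # classifications of the data the app holds
    available_controls: frozenset # controls the current subscription offers
    enabled_controls: frozenset   # controls actually switched on


def highest_tier(tiers):
    """Most sensitive tier present in the app; it decides which controls are required."""
    return max(tiers, key=TIERS.index)


def assess(app):
    """Compare enabled controls against policy for one app."""
    tier = highest_tier(app.data_tiers)
    missing = REQUIRED_CONTROLS[tier] - app.enabled_controls
    # Missing controls the plan does not even offer cannot be fixed by configuration
    # alone; this is the "upgrade to a costlier subscription" case from the article.
    needs_upgrade = missing - app.available_controls
    return {
        "app": app.name,
        "owner": app.owner,
        "tier": tier,
        "missing": sorted(missing),
        "needs_plan_upgrade": sorted(needs_upgrade),
    }


def assess_inventory(apps):
    """Findings only for apps that currently fail policy."""
    return [f for f in (assess(a) for a in apps) if f["missing"]]


def detect_drift(previous, current):
    """Alerts for apps that are new or have lost a required control since the last snapshot."""
    prev = {a.name: a for a in previous}
    alerts = []
    for app in current:
        finding = assess(app)
        if app.name not in prev:
            alerts.append({"app": app.name, "owner": app.owner,
                           "reason": "new app in inventory", "missing": finding["missing"]})
            continue
        before = set(assess(prev[app.name])["missing"])
        regressed = set(finding["missing"]) - before
        if regressed:
            alerts.append({"app": app.name, "owner": app.owner,
                           "reason": "control regression", "missing": sorted(regressed)})
    return alerts


# Constructed snapshots: "yesterday" and "today"
PAYROLL = SaaSApp("payroll-example", "hr-lead", frozenset({"confidential"}),
                  frozenset({"sso", "mfa"}), frozenset({"sso", "mfa"}))
YESTERDAY = [
    SaaSApp("crm-example", "sales-lead", frozenset({"restricted"}),
            frozenset({"sso", "mfa", "audit_log"}), frozenset({"sso", "mfa", "audit_log"})),
    PAYROLL,
]
TODAY = [
    # MFA was switched off overnight on the CRM
    SaaSApp("crm-example", "sales-lead", frozenset({"restricted"}),
            frozenset({"sso", "mfa", "audit_log"}), frozenset({"sso", "audit_log"})),
    PAYROLL,
    # A new marketing tool appeared with restricted data and only SSO enabled
    SaaSApp("email-marketing-example", "marketing-lead", frozenset({"internal", "restricted"}),
            frozenset({"sso", "mfa", "audit_log"}), frozenset({"sso"})),
]

if __name__ == "__main__":
    for finding in assess_inventory(TODAY):
        print("FAIL", finding)
    for alert in detect_drift(YESTERDAY, TODAY):
        print("ALERT ->", alert["owner"], alert)
```

Running the script reports the payroll tool as needing a plan upgrade (audit logging and IP allow-listing are required for confidential data but not offered on its current plan), and the drift pass routes two alerts: the CRM's MFA regression to the sales owner and the newly discovered marketing tool to the marketing owner. In practice the `enabled_controls` sets would be populated from each vendor's admin API on a schedule, which is exactly the cross-application automation the article says is hard to build by hand.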
Do you have such a system in place? Are your crown jewels exposed?