Organizations are shifting their focus to a core set of principles around protecting their credentials and data, but they struggle with a starting point. In this 5-part ‘Checkbox Compliance to True Data Security’ blog series, we will provide a foundational blueprint. The series will cover an overview of Data Access Governance (DAG) and introduce the 5 phases that will help shape a true data security program.
In an interview with Dark Reading, Brian Christensen, head of global audit for Protiviti says, “Whether it is dealing with new cyber-attacks or changes in technology that makes things obsolete at a very fast pace, the ability to have conversations around that (risk) both from a business-process owner standpoint and from an auditor standpoint is a leading standard by which we would expect organizations to abide by.” Compliance should be the result of a well-executed data security program that balances the prioritization of protecting data with the needs of running the business.
With the abundance of data breaches and Equifax’s 2017 data breach being the largest to date, affecting approximately 147.9M people, there is an apparent need for true data security. Although this data breach was one of the most recent, it was certainly not the first and will not be the last.
Despite the prevalence of these data breaches, data security is an unaddressed to-do item for the Information Security community. Data Security is the last line of defense against theft of an organization’s data. Unfortunately, many organizations are treating data security as a checkbox exercise through the lens of compliance standards that are meant to simply provide a framework for the bare minimum. Compliance should fall under the jurisdiction of risk within your data governance program, rather than being the sole guideline that your data security program is built upon. Checkbox exercises quickly become outdated which results in inadequate data protection and fails to align to the spirit of the regulation.
Our CTO, Jonathan Sander, researched file system attacks where he uncovers the most common techniques adversaries use to steal your data. He also documented just how these fraudsters exploit your file system vulnerabilities to gain access to your company data. Every day those techniques evolve, which is why it is so dangerous to have a checkbox approach to data security derived from under-evolving regulations.
In this 5-part ‘Checkbox Compliance to True Data Security’ blog series, we’re going to help your organization chart a course to proper Data Access Governance (DAG). Here are the key areas of DAG the series will cover:
Pinpoint where data lives to obtain a complete view of your data footprint
Sensitive data (PII, PHI, etc.) is a primary target in virtually every breach scenario so organizations are shifting their focus to truly understand their data footprint. Companies can’t begin to tackle the issues around data security until they know exactly where data resides across their entire organization. Starting the data discovery process for structured and unstructured data in file shares, servers and systems will help better prioritize DAG initiatives over time.
Collect and Analyze
Review relevant data points to answer critical questions (e.g. sensitivity, access, ownership, age, etc.)
Assess your structured and unstructured data you found during discovery to collect information and analyze it to see what is actually at risk and the conditions that make it risky. Understanding the access model your organization wants to move to is a big step in the direction of true and effective data security. The goal is to assess relevant data points to answer critical questions like what’s the sensitivity of the data, who has access to it, who owns it, and what’s the age of that data.
Observe activity to understand user interactions with sensitive data
Once organizations have pinpointed where their greatest risks exist during the collect and analyze phase, they’ll need to monitor the activity to understand how users interact with that sensitive data. In DAG organizations will need to identify data stakeholders (e.g. HR, cross-functional teams, finance), owners and stewards, who mostly use the data. With their support companies will be able to determine why the data exists as well as who has access to it, who created it, what’s in there, and how it is being used. They will be the future data custodians that will assist organizations with their data governance efforts.
Adjust permissions to achieve Least Privilege Access and position for effective governance
Restructuring permissions will help organizations achieve a Least Privilege Access model and will enable them to effectively govern their most valuable assets like intellectual property, financial information and customer data. Organizations can then begin to mitigate risk by removing high-risk conditions like Open Access and refining a better process for permissions. Implementing a least privilege access model enables employees outside of security to have controlled access to File Shares and other data repositories. This model will have them well positioned to perform the key tasks associated with any effective Data Access Governance program.
Control access to ensure security, compliance and operational standards are met
Once data custodians have been established in the monitor phase, and the access model has been restructured to allow for secure provisioning and de-provisioning of data access rights, true governance can begin. Periodic entitlement reviews, self-service access requests, and other workflows like sensitive data reviews and stale data clean-up can be instantiated to keep data and the places data lives clean, secure, and compliant with internal and external standards.
Doing all the above will lead to data specific compliance with virtually any regulation so that operational standards are being met. Each phase is crucial and should be followed prior to moving on to the next. The next blog post of the series will help you get a true understanding of your organization’s data footprint.
See upcoming blog posts in the series below:
- POST #1: Moving From Checkbox Compliance to True Data Security
- POST #2: Prioritizing Data Governance Initiatives Through Discovery
- POST #3: Collect and Analyze Relevant Data Points to Assess Risk
- POST #4: Monitoring Sensitive Data Activity and Identifying Data Owners
- POST #5: Restructuring Permissions to Achieve a Least Privilege Access Model
Don’t want to miss any blog posts in this series? Subscribe to be notified as new posts are added to this series, here.
Also, watch the 1st webinar in the series here:
Join Adam Laub, SVP of Product Marketing at STEALTHbits Technologies, for Moving from Checkbox Compliance to True Data Security, the first webinar in this 3-part series, where he’ll give you a brief overview of Data Access Governance and its 5 phases. At the end of this webinar, you’ll have a deeper understanding of why the 5 phases introduced in this blog are crucial to creating a true data security program that will lead to compliance and greatly reduce data risk.
Don’t miss a post! Subscribe to The Insider Threat Security Blog here:
Latesha Lynch began her career working on VoIP technology, distributed antenna systems (DAS), and voice biometrics before delving into application and data security. Latesha can be found on Twitter @lateshalynch.