Cybersecurity can be expensive, challenging, and often unrewarding. Cybersecurity and risk practitioners have struggled for years to find the most effective metrics to show success and return on investment in cybersecurity efforts. Many organizations have taken a strategic approach and started to group security controls into programs. This approach lets those organizations present a holistic picture of the program's success, which is much harder to do for an individual control. Data protection is one of those areas.
Data protection encompasses many of the security controls prescribed by various compliance requirements. These can include segmentation and segregation, encryption, categorization, classification, Data Loss Prevention, and many other controls. All these controls share the same goal: preserving the integrity, confidentiality, and availability of the data. When those controls are combined into a strategic group, as described earlier, they begin to tell the whole story of their effectiveness.
In this blog post, I’m going to cover a broad scope of ideas to help you better understand how you can adopt a data protection strategy. I’ve simplified them into three main action items for you to take to get started. They are:
Let’s dive in.
To successfully protect the data, it is necessary to first understand the data.
These questions and many others must be addressed during this process, called data classification. The person or group of persons who answers these questions is called the data owner. Many organizations mistakenly consider the IT department the data owner. The IT department’s actual role is data custodian, meaning that it is charged with taking care of the data at the direction of the data owner.
The data owner must also determine the necessary retention of the protected data. All data should have a retention schedule, or “shelf life”. This retention schedule determines when the data should be re-reviewed, archived, or purged. Archived data must also be protected to the same standard as “fresh” data. If the data is marked for purging, then you should follow a written process with a certificate of destruction. Strict adherence to the retention schedule is imperative, especially concerning eDiscovery and compliance. The data owner is responsible for more than just determining the retention period for the data, which we may cover in future discussions.
Compliance standards may mandate specific controls; for example, PCI-DSS requires that stored and transmitted credit card data be encrypted. In general, compliance-driven security requirements should be considered the minimum standard, not the overall goal. It is important to establish a security control inventory and align it to compliance requirements. This practice illustrates which data protection requirements apply and what standard of protection is needed. It can also make it possible to compartmentalize the data that needs additional levels of security. You can save money by applying the expensive security controls only where they are necessary, instead of applying them to the whole network. This compartmentalization process is commonly referred to as “descoping”. It also gives you the opportunity to further separate the data into distinct categories.
Many organizations work with only a few categories, such as ‘sensitive’, ‘public’, and ‘internal use only’. However, by using additional categories, such as Healthcare-PII, Credit Card Data, CUI, etc., you can prescribe the controls needed for that data. This is further supported by network segmentation and segregation techniques such as VLANs and microsegmentation. Cisco ISE and Cisco ACI can simplify and automate much of this process. Data flow mapping, which is also a requirement of some compliance standards, is a best practice for data protection. Data flow mapping can be a long and difficult process. IE can assist your organization with Data Flow Mapping and many other processes.
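The retention schedule described earlier and the per-category control inventory above can both be expressed as a small, auditable data inventory. The following Python script is an added example written for this post, not code from the original article or from IE; the category names follow the text, but the required-control sets, asset records, owners, custodians and dates are constructed placeholders. It flags assets that are unclassified (no owner has answered the classification questions), assets missing a control their category prescribes, assets due for review or purge under their shelf life, and the subset of assets that remain in PCI scope after descoping.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical control inventory: which controls each data category prescribes.
# The sets are illustrative and would be derived from your own compliance mapping.
REQUIRED_CONTROLS = {
    "Credit Card Data": {"encrypt_at_rest", "encrypt_in_transit", "segmented_network", "dlp"},
    "Healthcare-PII": {"encrypt_at_rest", "encrypt_in_transit", "access_logging"},
    "CUI": {"encrypt_at_rest", "encrypt_in_transit", "segmented_network"},
    "Internal Use Only": {"access_control"},
    "Public": set(),
}


@dataclass
class DataAsset:
    name: str
    category: str          # empty string means nobody has classified it yet
    owner: str             # business data owner: decides classification and retention
    custodian: str         # e.g. the IT team operating the storage, at the owner's direction
    created: date
    retention_days: int    # shelf life: purge once this many days have elapsed
    review_days: int       # how often the owner must re-review the classification
    last_reviewed: date
    controls: set          # controls actually implemented for this asset


def missing_controls(asset: DataAsset) -> set:
    """Controls the category prescribes that the asset does not implement."""
    if asset.category not in REQUIRED_CONTROLS:
        raise ValueError(f"{asset.name}: unclassified or unknown category {asset.category!r}")
    return REQUIRED_CONTROLS[asset.category] - asset.controls


def retention_action(asset: DataAsset, today: date) -> str:
    """'purge' once the shelf life has elapsed, 'review' when re-review is overdue, else 'retain'."""
    if today >= asset.created + timedelta(days=asset.retention_days):
        return "purge"
    if today >= asset.last_reviewed + timedelta(days=asset.review_days):
        return "review"
    return "retain"


def assess(inventory, today: date) -> list:
    """Produce one finding per problem so the data owner and custodian each know what to act on."""
    findings = []
    for asset in inventory:
        if asset.category not in REQUIRED_CONTROLS:
            findings.append({"asset": asset.name, "issue": "unclassified", "owner": asset.owner})
            continue
        gap = missing_controls(asset)
        if gap:
            findings.append({"asset": asset.name, "issue": "missing_controls",
                             "detail": sorted(gap), "custodian": asset.custodian})
        action = retention_action(asset, today)
        if action != "retain":
            findings.append({"asset": asset.name, "issue": action, "owner": asset.owner})
    return findings


def pci_scope(inventory) -> list:
    """Descoping: only assets holding credit card data stay in the expensive PCI control set."""
    return sorted(a.name for a in inventory if a.category == "Credit Card Data")


# Constructed sample inventory and a fixed "today" so the result is reproducible.
TODAY = date(2024, 6, 1)
INVENTORY = [
    DataAsset("cardholder-db", "Credit Card Data", "finance-director", "dba-team",
              date(2023, 1, 1), 730, 90, date(2024, 1, 15),
              {"encrypt_at_rest", "encrypt_in_transit"}),
    DataAsset("old-marketing-site", "Public", "marketing-lead", "web-team",
              date(2022, 1, 1), 365, 365, date(2022, 1, 1), set()),
    DataAsset("hr-handbook", "Internal Use Only", "hr-director", "fileserver-team",
              date(2024, 3, 1), 3650, 180, date(2024, 3, 1), {"access_control"}),
    DataAsset("legacy-export.csv", "", "unknown", "fileserver-team",
              date(2020, 5, 5), 365, 365, date(2020, 5, 5), set()),
]

if __name__ == "__main__":
    for finding in assess(INVENTORY, TODAY):
        print(finding)
    print("PCI scope:", pci_scope(INVENTORY))
```

Each finding names either the owner (classification and retention decisions) or the custodian (operational control gaps), which keeps the two roles the post distinguishes from being blurred together. The unclassified asset is reported first and skipped for the other checks, because no control standard can be chosen until an owner has classified it.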
Overall, investment in a data protection strategy can pay significant dividends. The return on investment is tied to an improved security posture and a reduced attack surface. A data protection strategy also provides the ability to implement security controls thoughtfully, where they are needed, rather than uniformly across the whole environment. It will also give you a better perspective on resource consumption and availability. For example, you may learn that certain workloads are more heavily used in general or within certain timeframes, which is a beneficial use case for orchestration.
Nearly every organization would benefit from having a defined Data Protection Strategy. This involves data categorization and data classification, which provides an understanding of the data and the context in which it is used. The data flows (from source to destination) should be mapped, using a logical network or ‘cloud map’. Additionally, you should identify your data owners and custodians, and determine their roles and responsibilities. It’s also important to find an information security expert, like IE, to enhance your Data Protection Strategy, leveraging their expertise and experience to strengthen your organization’s overall data security posture.