I recently stumbled across this story about a council employee who, after learning he was being made redundant, stole sensitive customer details in order to help him set up his own company. Typically, the Data Protection Act holds the "data controller" accountable for data protection. In this case, however, it turned out that the council had taken adequate precautions to protect the data, including restricting access to employees with a "need to know." The offending employee needed access to the data in order to do his job. Since his role gave him access to the data in question, the ICO found it was his illegal act of stealing the data, rather than negligence of the council in protecting it, that was to blame. They fined the former employee accordingly.
This is an interesting conundrum that virtually every firm faces: treading the (very) thin line between provisioning a high level of security and not having that security prevent people from doing their jobs. The best way for organisations to accomplish this is by first focusing security on the data, then putting in place clear access policies and monitoring activity for unusual behaviour. Here's what that typically looks like from a process standpoint:
The first step in deploying data-centric security is data discovery and classification, which helps you understand what you need to protect, why you need to protect it, and how you are going to protect it. As a starting point, you should consider the type of data being processed and logged. Though this data classification process can be largely manual, it is essential that you figure out what to protect and, more importantly, how.
After you know where the juicy bits you want to protect are located, you need to think about the layers of protection you can deploy. For databases, this category is sometimes called "Database Audit and Protection" (DAP), and it includes assessment, monitoring, and protection. Some security layers we see deployed are encryption and access control at the system level, along with database activity monitoring (DAM) inside the database. Next, the DAP solution feeds security intelligence to your favourite Security Information and Event Management (SIEM) system so that unusual behaviours can be easily identified and addressed.
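To make the two steps above concrete, here is an added example (not code from the original post or from any DAP product) of what the classification output and the DAM layer look like when wired together. It takes a hypothetical table classification and role-based access policy from step one, parses constructed database audit log lines, and raises the two kinds of alert a SIEM would want: a read of a table the user's role has no need to know, and a bulk read of a confidential table that dwarfs that user's own earlier activity, which is the pattern a departing employee copying customer records would produce. The log format, table names, roles and thresholds are all assumptions made for the example.

```python
"""Added example: a minimal database-activity-monitoring (DAM) check that turns
constructed audit log lines into SIEM-style alerts. Not from the original post."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

# Output of the discovery/classification step (hypothetical, constructed).
TABLE_CLASSIFICATION = {
    "customers": "confidential",
    "invoices": "confidential",
    "holiday_calendar": "public",
}

# Access policy: which tables each role has a need to know (hypothetical, constructed).
ROLE_ACCESS = {
    "account_manager": {"customers", "invoices", "holiday_calendar"},
    "facilities": {"holiday_calendar"},
}

# Constructed audit log, one event per line: timestamp|user|role|table|rows_returned
AUDIT_LOG = """\
2024-03-01T09:02:11|alice|account_manager|customers|12
2024-03-01T09:15:40|alice|account_manager|invoices|8
2024-03-01T10:01:03|bob|account_manager|customers|15
2024-03-01T10:30:09|carol|facilities|holiday_calendar|40
2024-03-02T09:10:55|alice|account_manager|customers|10
2024-03-02T11:42:17|bob|account_manager|customers|9
2024-03-03T08:58:24|bob|account_manager|customers|11
2024-03-03T18:47:31|bob|account_manager|customers|4800
2024-03-03T19:02:05|carol|facilities|customers|3
"""


@dataclass(frozen=True)
class AuditEvent:
    ts: str
    user: str
    role: str
    table: str
    rows: int


def parse_audit_log(text):
    """Parse the pipe-delimited constructed log format into AuditEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, table, rows = line.split("|")
        events.append(AuditEvent(ts, user, role, table, int(rows)))
    return events


def find_policy_violations(events):
    """Reads of a table that the user's role has no need to know."""
    return [e for e in events if e.table not in ROLE_ACCESS.get(e.role, set())]


def find_bulk_reads(events, factor=10, min_history=2):
    """Reads of confidential tables that exceed `factor` times the user's own
    baseline, where the baseline is the median row count of that user's earlier
    reads of the same table. Events are assumed to be in chronological order."""
    history = defaultdict(list)
    flagged = []
    for e in events:
        if TABLE_CLASSIFICATION.get(e.table) != "confidential":
            continue
        past = history[(e.user, e.table)]
        if len(past) >= min_history and e.rows > factor * median(past):
            flagged.append(e)
        past.append(e.rows)
    return flagged


def siem_alerts(text):
    """Combine both checks into the alert lines that would be forwarded to a SIEM."""
    events = parse_audit_log(text)
    alerts = []
    for e in find_policy_violations(events):
        alerts.append(f"{e.ts} POLICY user={e.user} role={e.role} table={e.table}")
    for e in find_bulk_reads(events):
        alerts.append(f"{e.ts} BULK_READ user={e.user} table={e.table} rows={e.rows}")
    return alerts


if __name__ == "__main__":
    for alert in siem_alerts(AUDIT_LOG):
        print(alert)
```

Run as-is it reports two alerts: carol's read of `customers` (her role only covers the holiday calendar) and bob's 4,800-row read of `customers` against his own baseline of roughly a dozen rows. The point of the per-user baseline is that bob is allowed to read that table, exactly like the council employee; what is abnormal is the volume relative to his routine, which is the signal the access policy alone cannot give you.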
Incidents like the one involving the council employee show us that there is an increasing need for finer and finer controls around data and access policies in order to close off as many potential security loopholes as possible. What is your organisation doing to ensure that your sensitive data is safe from a data breach while not impeding employees from doing their jobs?