Over the past 5+ years we have seen the shift from data center walls to a latticework of the data center, cloud services, and contractors. More and more of our IT services are handled by other parties, and our own organizations are often unclear about their role in managing and securing the business.
Our employees are key contributors, and often the weakest link when it comes to securing our systems and data. As most of you know, security comes down to people, process, and technology, yet when all three are split across so many locations and interested parties, it's a recipe for risk. Education is a great tool, but you must also establish ownership from the top down. Teaching your Finance department not to click on a suspicious document doesn't protect the developer who needs to pull libraries from an open source project. A developer bringing in unvetted third-party libraries is introducing just as much risk as the person who clicks.
I think most folks are now starting to wake up to the fact that we must look at the data itself. Data is a series of 1s and 0s that lives in many forms, systems, and environments. It is created, edited, and viewed by people, applications, and services.
When you shift your gaze away from the firewall and towards the data, I recommend you follow these three steps: Classify, Discover, Protect.
Classify your data - Classifying data is not a new practice, but many organizations create too many classifications and then find them hard to teach and enforce across the organization and its partners. When classifying, start by bringing in all the stakeholders who own and use the data regularly. Create a manageable classification scheme that each stakeholder can agree to and reinforce. Some data types are easy to classify, such as cardholder data under PCI DSS or health data under HIPAA, where the requirements are prescriptive. Make sure you also take customer data and intellectual property into account. Keep it simple: 3-4 levels usually works for most organizations.
BTW, if you have classified every type of data as Sensitive Data… then you are doing it wrong.
Discover your data - Once the classification is agreed upon, don't let those stakeholders diminish and go into the West. You will need them to help you discover where the data is produced, stored, and consumed. Discovery tools will help here, but tribal knowledge is worth its weight in gold. Work with each stakeholder's team to identify the systems and users that handle data in a given classification.
Protect the data - After discovering the data, begin restricting access based on least privilege: if your job function doesn't require access to it, you shouldn't have access to it. By department this is usually easy. The hard cases are individuals such as executives, consultants, and administrators who hold elevated access to data across the whole organization. That is a huge risk, because guess who the biggest targets of a breach are?
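To make the three steps concrete, here is an added example (not tooling from this post or from any vendor) that runs Classify, Discover, and Protect over a few constructed records. The four-level scheme, the detectors (Luhn-checked card numbers, SSN and e-mail patterns), the role clearance table, and the sample file contents are all hypothetical; a real discovery pass would run over file shares, databases and SaaS exports, and would use far more rules.

```python
"""Added example: a minimal classify / discover / protect pipeline.
Every rule, role and sample record below is hypothetical."""
import re
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Deliberately small scheme, 3-4 levels as the post recommends."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; cuts false positives on 13-19 digit numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# kind -> (regex, level, optional validator). Hypothetical rule set.
DETECTORS = {
    "card_number": (re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), Level.RESTRICTED,
                    lambda s: luhn_ok(re.sub(r"[ -]", "", s))),
    "ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), Level.RESTRICTED, None),
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), Level.CONFIDENTIAL, None),
}


@dataclass(frozen=True)
class Finding:
    source: str
    kind: str
    level: Level
    hint: str  # masked, so the findings report is not itself sensitive data


def discover(source: str, text: str) -> list[Finding]:
    """Run every detector over one record; keep only validated hits."""
    found = []
    for kind, (rx, level, check) in DETECTORS.items():
        for m in rx.finditer(text):
            value = m.group(0)
            if check is not None and not check(value):
                continue  # e.g. a 16-digit order number that fails Luhn
            found.append(Finding(source, kind, level, "****" + value[-4:]))
    return found


def classify(source: str, text: str, default: Level = Level.INTERNAL) -> Level:
    """Highest level found; unlabeled data defaults to INTERNAL, not PUBLIC."""
    return max((f.level for f in discover(source, text)), default=default)


# Role -> highest level the job function needs. Hypothetical policy.
# Note that seniority alone ("executive") does not grant RESTRICTED access.
CLEARANCE = {
    "marketing": Level.INTERNAL,
    "support": Level.CONFIDENTIAL,
    "billing": Level.RESTRICTED,
    "executive": Level.CONFIDENTIAL,
}


def can_access(role: str, level: Level) -> bool:
    """Least privilege: unknown roles are denied everything, known roles
    only get data at or below their clearance."""
    if role not in CLEARANCE:
        return False
    return CLEARANCE[role] >= level


# Constructed sample records standing in for files found during discovery.
SAMPLE_DATA = {
    "wiki/press-release.txt": "Acme opens new office in Austin.",
    "crm/export.csv": "jane@example.com,ticket 1234567890123456",
    "finance/refunds.log": "refund to card 4111 1111 1111 1111 approved",
    "hr/onboarding.txt": "new hire SSN 123-45-6789",
}


def inventory(data: dict[str, str] = SAMPLE_DATA) -> dict[str, Level]:
    """Discovery output: each source labelled with its classification."""
    return {src: classify(src, text) for src, text in data.items()}


if __name__ == "__main__":
    for src, level in inventory().items():
        allowed = [r for r in CLEARANCE if can_access(r, level)]
        print(f"{src:28} {level.name:12} roles: {', '.join(allowed)}")
```

Two design choices matter more than the regexes. First, the findings report stores a masked hint rather than the matched value, because a discovery inventory that copies every card number it finds is itself a new RESTRICTED data store. Second, `classify` defaults to INTERNAL rather than PUBLIC, so data that no detector recognises is not silently released; the stakeholders' tribal knowledge is what should move it up or down from there.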
With stakeholders bought in to these concepts, employees equipped with tools that help them recognize what is sensitive, and an organizational strategy that enforces least-privilege access to sensitive data, you have readied your organization to protect its critical data in today's extended enterprise.