The Evolution of Data Security
A great friend of mine, who also happens to be a former Fortune 50 CISO, once told me, “I am responsible for two things: assuring the delivery of services to our customers, and protecting the data that those services consume.” A lot goes into those two responsibilities.
It’s no easy task to assure service delivery to customers when you have to contend with hybrid infrastructures, the internet, global distribution, regional regulations, and increasingly sophisticated attackers. My friend knew that, just as he knew that the ability to identify his top objectives is critical to enable his organization to successfully align on their priorities.
Traditionally, security teams have tried to circumvent “the data problem”. The logic has been that if a security team can keep their infrastructure patched and monitor their network for threats, they can maintain awareness and security. This approach does not require any understanding of the data a company manages - rather the infrastructure components of hardware, networks, applications, and identities.
In today’s reality, data breaches are a daily occurrence. Regulators respond with increasingly stringent controls and higher penalties, and users are left to deal with both service disruptions and privacy violations. This only continues to prove that a data-blind approach is no longer an option.
Why Our Approach Must Change
Data is undergoing enormous changes. Not that long ago - when Google started in the late ‘90s - data was transferred by hand, using floppy disks with 1.44MB storage. Today, terabytes of data routinely cross continents with the swipe of a finger. “Big Data” used to mean a gigabyte, whereas today petabytes are being generated and consumed every day by enterprise companies.
Microservice architectures and data analytics have transformed the enterprise from relying on owned data centers that housed data warehouses, to managing data across hundreds of data store varieties across a myriad of IaaS, PaaS, and SaaS clouds. How we secure our data must change, because how we use it has changed.
The modern distributed workforce relies on collaboration tools to do their jobs. Companies are hiring workers who are granted access to sensitive information they access wherever they come online, using multiple devices, whenever they have the opportunity to work. This makes it critical to apply security controls with an understanding of your data’s context.
For example, applying the appropriate controls to a spreadsheet with your employees' birthdays versus one with your employees’ salaries. Setting the appropriate access rights, permissions, encryption, hashing, and more requires the context of the data in the spreadsheet versus applying a general approach to spreadsheets. Both of the spreadsheets have employee data in them. But sharing the file with birthdays is benign, whereas sharing employee salary information would wreak havoc across your organization.
How Data Security Management is Changing in 2023
Consistent visibility and a deep understanding of data are foundational requirements for the security program of any forward-looking enterprise.
Security teams must be able to answer these questions:
- How can we implement a risk-based approach, and determine where to focus our resources?
- How can we prioritize remediation efforts for exposures that can have a direct impact on our business if exploited?
Answering both of these questions starts with establishing a clear inventory of your most valuable commodity: data.
Effectively, security in the cloud era requires always knowing:
- where your data exists, both the value and the risk it represents
- who has access to it
- how it is exposed to external and internal risk
Today’s business climate and workforce will not abide by legacy security constraints; today’s security controls must be as transparent as possible.
Security teams must operate knowing that data has left the vault, and is everywhere. And that’s a great thing! Using data to collaborate and develop new business opportunities is driving tremendous business value for organizations. But to enable this value creation without exposing the business to risks that will threaten that value creation, security programs must evolve to make data their priority.
Automation, speed, and scale are critical to deal with the pace of data creation and consumption. And an effective classification and contextualization capability to implement the appropriate and effective controls are a must. Leveraging cloud-first principles, as well as harnessing the advancements in machine learning have made this possible, and even simple. What remains is for security teams to embrace the present and adapt to the future by putting data at the center of our security programs.