We recently hosted a webinar with guest speaker Heidi Shey. We continued the conversation by asking Heidi for her thoughts on the data security landscape, and approaches to improving a company's data security posture.
Q: What are the top challenges businesses face with data discovery and classification for cloud technologies?
A key challenge is scoping the cloud environments – SaaS, IaaS, and PaaS – that matter to the business. It is important to define the environments that can have an impact on either revenue generation, revenue protection, or both.
The next challenge is aligning the scoped cloud environment requirements to what technology providers can address. Businesses need to clearly define their requirements to ensure they can align their needs with the appropriate tools to meet those needs. Are there specific types of cloud data repositories and platforms that the business needs these technologies to cover? Or a particular focus on unstructured data versus structured data, or both?
A third major challenge is capability sprawl. They may have multiple technologies that already exist within the enterprise environment that can discover and classify data. Some capabilities may overlap, while others are siloed capabilities. When this happens, gaining a unified view across their environment is difficult and cumbersome.
Q: What is the role of artificial intelligence (AI) and machine learning (ML) in the future of data security?
AI and ML in data security are promising in several ways. The future is already here in some places, and will become a standard component of certain technology solutions over time. From a data classification standpoint, we can expect AI and ML to help with continuous learning and automation to improve performance. For example, robust AI and ML data classification could more accurately classify data that was previously difficult to identify, such as intellectual property or other sensitive corporate data that is unique to an organization.
For data security overall, beyond helping us understand our data, AI and ML can also help to enable smarter decisions and policies about what to do with data and how to protect it. For example, automating responses to anomaly and threat detection, informing risk-based DLP response actions, and identifying when to kick off an automated response workflow versus when to escalate an issue to a human for investigation.
Q: How can a business evaluate the efficacy and impact of emerging automated data security technologies like data security posture management and cloud DLP?
Put the technology to the test, starting with the known knowns for sensitive data in your environment. Ideally this test will also shine a light on some of the unknowns of data stores and sensitive data. Seeing the technology in action will help you gauge its efficacy and performance for identifying sensitive data and its ability to highlight and prioritize the relevant risks to that data. Don’t make the assumption that, because a capability seems commoditized or appears to overlap across many tools, the capability functions the same way across all providers.
While this initial visibility and understanding about data and data risks is valuable, it’s what comes next that helps you to achieve an outcome for a particular use case. Determine what remediation capabilities are available and what level of automation is truly present, and what it would take to automate a response workflow. This includes assessing what happens after an automated action is taken, and, if applicable, the level of involvement required from a human to achieve the outcomes you hope to see from the use of the technology.
Q: As security teams adapt their processes and controls to cloud environments, what is the best advice you can offer them to balance proactive controls and resilience, with real-time response and being responsive to the business?
Recognize that you’re operating within a system. You should approach and think about controls and risk mitigation across the entire system. The data-centric security controls you implement are only one part of that whole, and not all exposures represent the same level of risk or can have the same level of impact. With this system, you’re looking at:
1) privacy strategy and data minimization efforts on the front end where and when data collection happens,
2) security controls you enable that are applied to cloud infrastructure environments where data is processed and stored, and
3) access controls that you implement for your workforce, partners, and customers.
You likely do not have the time, resources, or budget to address everything. The understanding of what data is sensitive, where it is located, and how employees need to access and use that data is critical. This will help to prioritize your controls, as well as identify the appropriate controls to focus on, that will mitigate the biggest risks.
Q: What opportunities exist for security teams to partner with and enable their business counterparts to leverage data securely?
One opportunity is to have stakeholders from across the business partner to identify how the company defines “data” and the value that data represents for the company. This expands your view of what constitutes sensitive data and value so you can prioritize protections. For example, data can be source code, photos, algorithms, IoT sensor data, and more.
Also take off your security hat for a moment. Embrace your business counterparts’ need to use data, understand why and how they use it, and where that data comes from. Ultimately data has value when it is used. Understanding the journey data takes in your business environment will help you better identify the points in the journey, from access to use to the end of its useful lifecycle, where you can and should apply controls.