How to protect data in an increasingly insecure environment?

Protecting data is becoming increasingly difficult. Are CIOs ready to safeguard critical corporate assets?

If data is the lifeblood of an enterprise, how can an enterprise protect it? Michelle Finneran Dennedy describes five stages of protecting data in the information age in her book, The Privacy Engineer’s Manifesto:

1. Firewall

2. Network

3. Extranet

4. Access

5. Intelligence

The question is, what role does the CIO play in protecting data?

Should CIOs focus on creating a more secure fortress? Or protecting data and setting limits on who can access it?

There are clearly two distinct schools of thought among CIOs. Some believe that while the fortress is a mentality of the past, it is still very important. They believe that the fortress represents the first line of defense, but that restrictions on access and usage need to be part of the overall solution.

These CIOs assert that you shouldn't completely abandon your perimeter, if only to filter junk traffic and absorb DDoS attacks. They believe that perimeters are extremely important. These CIOs believe that data security and access rights are the next things that IT organizations need to do better. They go on to say that while the fortress must be impenetrable, the human factor is the weakest link in protecting enterprise security. If someone obtains an employee's credentials, especially if they also have the employee's phone and crack a weak password, they can pass multi-factor authentication. The security fortress is breached.

However, other CIOs view fortress thinking as similar to the French Maginot Line. These CIOs say fortress-style security is doomed to fail. They believe that traditional security models are like eggshells: strong when pressed from the ends, but they crack as soon as they are squeezed from the side. For this reason, they believe that fortresses throughout history have proven to fail.

These CIOs say we should stop focusing on fortresses. While they recommend creating good perimeter security, they also say the focus needs to shift to pattern- and behavior-based security. They recommend IT leaders move away from the current static security approach and move toward more active and continuous assessment. These CIOs believe data security is about classification and usage characteristics. They favor "security by design" for applications that are backed by data.

These CIOs view identity and access management as a perimeter guardian. For this reason, they say, it's important to protect data by understanding access layers and external entry points. At the same time, they believe it's time to move beyond just holding onto data. We need to protect data while making it available to the right people through the right APIs, they say. The tighter you hold onto data, the more it will slip away, they point out.

Governance and cybersecurity around data is obviously hard. But that’s what makes it so interesting and challenging. These CIOs think we all recognize that there is no way to keep everyone out. So the key to protecting data in an insecure environment is to control who has access to it.

Given this, it is important to manage risk appropriately. In general, CIOs said they are comfortable with layered encryption approaches and security policies and monitoring at each layer. In addition, they agree that different user populations – internal users, partners or consumers – should have different trust levels and data engagement rules. Incidentally, one CIO said they had heard of another CIO starting to tear down firewalls in favor of more complex solutions. They thought this was counter-intuitive, but interesting.

Can CIOs better protect data by regulating endpoints?

CIOs say it's important to take a zero-trust stance and accept the idea that everything can be compromised. They argue that the ease of extracting data through inappropriate channels, such as BYOD devices, means current approaches can only stretch so far. With every design or policy decision you make, you have to weigh accessibility and flexibility constraints against security requirements.

CIOs say you can't ignore endpoint security. They say it needs to be a relentless effort, but it should be based on a strategy you can afford. They say protect data at the source first, then work your way back to the transport and device level. IT organizations need to stick to the endpoint security basics (controlling administrative passwords, segmenting endpoints onto separate VLANs, etc.), but "policing" beyond that can become more expensive, especially for smaller organizations.

CIOs said endpoint security (and encryption in transit) is a must. Auditing SaaS and COTS applications to see what data they cache or save on the endpoint, and how that data is protected, should be part of the process. One CIO believes traditional policing has little effect and proactive policing is a better solution. One CIO said start with least privilege, but always verify how much traffic is actually flowing.

Other CIOs say that unless 100% of your customer base, technology vendors and applications are behind the same firewall, policing endpoints alone won't prevent breaches. You need digital rights management, encryption and access control. But be clear about whether data can be viewed on a screen and whether it can be captured using a smartphone.

CIOs say most compromises today come from phishing and social engineering, not technical vulnerabilities. Therefore, a new approach is needed. CIOs say endpoint policies will not prevent social engineering attacks. Therefore, protection through encryption, and tools that aggregate risk so it can be reduced, are becoming increasingly important. An education industry CIO said that more control over user devices is possible, but in higher education, most endpoint devices are BYOD. Therefore, they say, protect at the access layer. In summary, CIOs say to regulate endpoints, but protecting data is a separate matter.

How should CIOs implement data governance to truly protect data?

CIOs say data governance is at the heart of this and can be one of the most difficult areas to get a lasting, workable solution in. However, through governance, requirements for design and architecture work can be set.

CIOs believe that IT leaders must understand their organization. They need to have the ability to regularly assess the needs of the organization and handle change. This involves planning, execution and evaluation. CIOs should be happy for their leadership to strengthen and improve governance and management. They also need to understand that data governance is not an overnight thing, but a long journey. CIOs believe that the enterprise must own data governance and management. Otherwise, CIOs will fail.

The best way to start the conversation is to ask the business to define what is critical, what is not critical, and the extent to which they want IT to protect it. IT organizations should not make these decisions on their own. Similarly, CIOs said IT leaders should let the business take a data management role and build processes to get good data quality. CIOs can demonstrate their value by providing intelligent analysis of data.

It's generally good practice to prioritize properly cleaning up processes where appropriate. In addition to cleaning up approved business processes, the removal of social security numbers from those processes should be reviewed annually, CIOs said. They advise IT leaders to look for opportunities to optimize older processes. At the same time, it's critical to uncover data issues, select data owners, and then implement data governance.

One CIO in higher education said the strength of governance comes down to industry culture. They envy businesses that can tell users what they can and can’t do and what devices they can and can’t use, but they said that’s not the way things work in higher education. Another CIO, meanwhile, said data governance ownership is the biggest issue they’ve encountered in their careers. Unfortunately, if you lead the discussion, you may end up leading the initiative, they said. CIOs need to develop plans that allow the business to take the lead because data governance is critical.

In general, CIOs say data governance discussions can involve a lot of technical jargon. This needs to be avoided if you want to gain understanding and buy-in from business leaders. CIOs say the right people need to determine what exists and what is needed. The legal team, records management, DBAs, product owners and HR need to be involved. CIOs believe it is important to establish an information governance professional who understands data and content, and can guide the organization through the process of identifying and protecting data assets.

CIOs say data inspection is important, especially when leadership demands that databases be put in order because someone could be hiding something in them. Given this, CIOs need to facilitate business conversations about data definitions, types and risk profiles. CIOs need business leaders who have a basic understanding of these issues.

One CIO said something surprising about this. He said that in many industries, very little data is proprietary. Given this, he said it is important to focus the business on what needs to be secured. IT leaders should remember that data protection is not just a binary. There is always another row, field, hierarchy or usage context to consider in data governance.

CIOs say usability and convenience often dictate behavior. If data security is too hard, they say other approaches emerge. It's important to ensure data owners are part of the solution from the beginning. For some CIOs, moving to the cloud represents an opportunity to make things better. They see it as a chance to use more and more security and encryption features more comprehensively. They see it as an opportunity to create better end-to-end security by design.

At the same time, a transparent process is also important. Many organizations discover data protection issues and don't report them. One CIO angrily stated that in every security review they have done recently, they found some vulnerabilities that were quietly resolved by the IT department without the knowledge of business leaders.

How is privacy protected, and how can CIOs ensure data protection is designed in?

"As part of data governance, you often need to design around the systems and applications that use the data," CIOs said. "You need policies, good awareness and training to have a chance." One CIO added, "If only we had decent privacy laws in the U.S."

CIOs insist that privacy should be designed into the application experience. Although this may sound like semantics, GDPR is independent of the data itself and is concerned more with how data is used, stored and made available. Therefore, privacy lives in the methods, processes and technologies, not in the data itself. CIOs believe it is very important for applications to have a security model. One CIO said they appreciate the intent and concepts of GDPR, but implementing them has been a challenge. It requires the solution design of any new functionality to be easy to manage.

CIOs say it's important to start with a philosophy that if you don't need it, don't collect it, and always provide users with a way to view and delete their own data. Obviously, if you don't hold a lot of data, privacy is a more manageable thing. At the same time, CIOs say it's important to do role-based design well in application design. Trusted roles need to be extended progressively from internal users to partners and then to consumers and other external parties. The hard part is making sure your partners' privacy practices are integrated with your own policies. This may involve contract management and auditing with partners.
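The tiered trust levels, the view-versus-export distinction and the "see and delete your own data" principle discussed above can be expressed as one deny-by-default release check. The following is an added illustration, not code from the article or from any CIO quoted in it; the classification table and field names are constructed examples of the kind a business owner would define.

```python
from enum import Enum


class Tier(Enum):
    """Trust tiers named in the article: consumers, partners, internal users."""
    CONSUMER = 1
    PARTNER = 2
    INTERNAL = 3


# Constructed classification table owned by the business, not by IT.
# field -> (minimum tier that may view it, minimum tier that may export it; None = never)
CLASSIFICATION = {
    "order_id": (Tier.CONSUMER, Tier.CONSUMER),
    "email":    (Tier.PARTNER,  Tier.INTERNAL),
    "ssn":      (Tier.INTERNAL, None),
}


def release(record, tier, action, is_owner=False):
    """Deny by default: return (released, withheld) dicts for one caller.

    - fields absent from the classification table are never released
    - 'export' (copying data off the screen) is held to a stricter tier than 'view'
    - the data subject may view, but not export, every classified field of their own record
    The withheld dict records the reason, so denials can be logged and reviewed.
    """
    if action not in ("view", "export"):
        raise ValueError(f"unknown action {action!r}")
    released, withheld = {}, {}
    for field, value in record.items():
        rule = CLASSIFICATION.get(field)
        if rule is None:
            withheld[field] = "unclassified"
            continue
        view_min, export_min = rule
        if action == "view" and is_owner:
            released[field] = value
            continue
        required = view_min if action == "view" else export_min
        if required is not None and tier.value >= required.value:
            released[field] = value
        else:
            withheld[field] = f"{action} requires {required.name if required else 'never'}"
    return released, withheld
```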

At the same time, you shouldn't be negligent and allow the DBA to hold all the keys. Attackers have gotten smarter and now target these people with social engineering. We need to change the mindset to data protection and privacy by default, supported by security frameworks. In short, if you don't need it, don't collect or save it. And for what you do collect, share the reason why publicly and persistently.

What 10 things should immediately be on a CIO's data protection investment checklist?

There are many items on a CIO’s data protection checklist, but here are 10 of the most important ones:

1. Employee education and training

2. Inventory and review data, understand how data is accessed, and assess risks

3. Executive support and ownership

4. Effective internal communication

5. Evaluate what’s working well, including governance, policies, and team member skills

6. Governance executive, responsible for integrating and applying ongoing changes and risks

7. Pay attention to external privacy

8. Excellent tools for aggregating risks to narrow response and spending focus

9. Excellent tools to protect data (data encryption, network pattern analysis, device protection, threat detection, malware removal at the network edge, endpoint protection, multi-factor login, etc.)

10. Provide secure coding training and a zero-trust attitude to your employees

CIOs are clear about the need to protect data through great people, processes and technology. They realize they can’t do it alone. It takes a great environment and culture that includes business leaders and all employees. With this, along with good policies and governance, IT organizations can help their businesses better protect data in an increasingly insecure environment.
