The more the organization scales, the more proliferated its data becomes, making it harder to protect the data, keep it secure, and keep tabs on who has access to what.
The stakes are high when it comes to securing expanding volumes of distributed data, as every business is dependent on data confidentiality, integrity, and availability.
Organizations may lose customers, violate a compliance standard, or make an ill-informed business decision if data is compromised.
Meanwhile, cybercriminals use data to gather intelligence on a target, access unauthorized systems, or extort victims.
Claude Mandy, chief evangelist of data security at Symmetry Systems, says data sprawl is a headache for security teams because they have historically designed their security to protect the systems and networks that data is stored or transmitted on, but not the data.
“As data proliferates outside of these secured environments, they have realized their security is no longer adequate,” he says. “This is particularly concerning when the traditional perimeter that provided some comfort has all but disappeared as organizations have moved to the cloud.”
He adds organizations are being forced to wake up to this issue due to increasing privacy rights such as enacted by California Privacy Rights Act (CPRA) and California Consumer Privacy Act (CCPA), which allow individuals to request organizations to provide information on what data they hold about it.
“Responding to such requests is really highlighting that organizations don't really understand where their data is and need to invest in modern data security or data privacy tools to discover, classify and monitor data flows within their environment,” Mandy says.
Data Security Means Data Visibility
In the new era of data security, CISOs must have the ability to learn where sensitive data is anywhere in the cloud environment, who can access these data, and their security posture and deploy these solutions.
“Traditionally, data security has been the ultimate goal of infosec organizations,” says Ravi Ithal, Normalyze CTO and cofounder. “As the volume of data increases and the number of places where data exists increases -- data proliferation -- the number of ways in which it can be accessed and misused also increases.
Ithal points out that while other business units and IT organizations happily reap the upsides of having data available in more places, the burden of securing it squarely falls on the infosec organizations. “It behooves security organizations to treat data proliferation as their problem in order to get ahead of the game of securing it,” he says.
Shira Shamban, CEO of Solvo, notes data proliferation is a problem because while the data is moving around, the security mechanisms and guardrails are usually not.
“That means even if you have a good security practice in one environment, once the data is duplicated into another environment, it is not handled in the same way by default,” she explains. “Now the security team must find it, protect it and add mechanisms to make sure it is treated the right way -- a cycle, which is endless.”
CISOs Develop Data Governance Frameworks
To better secure data, organizations are creating and implementing data governance frameworks.
“Some of the initiatives we have seen include guidelines on how to define what crown jewels are for the organization, how to classify data into levels of importance and confidentiality, clearly defining access policies - which organizations can access what types of data,” Ithal explains.
Ithal adds the first step to take to get a handle on the proliferation of data is to have improved visibility into the existence of data stores and classification of data that's contained within those data stores.
While implementing a visibility program, ensure that you also get visibility into who has access to those data stores including the types of access (i.e. Read/Write/Manage, etc).
Shamban says organizations usually need help in detecting different data resources, understanding if it’s a proliferated copy or maybe a new volume, and then making sure that proper security measures are in place.
“These are all things that can be done automatically today, so there’s no reason to do them manually and take the risk of missing anything of importance,” she adds.
Securing Data While Avoiding Silos
Organizations need clear guidelines on the roles and responsibilities of everyone involved in the lifecycle of the data that they are protecting.
Clearly defining it requires participation from everyone involved, with contributions from each party involved in the best way possible.
For example, the DevOps team might be responsible for onboarding all datastores to a visibility platform, a data security analyst may be responsible for ensuring accurate classification of the data, and a security analyst may be responsible for ensuring there are no attack paths that lead to the most sensitive of data.
At a strategic level, there needs to be a general understanding of the ROI of a program that improves the data security posture of the enterprise. “That allows for proper budget allocations that will eventually result in improved security and efficiency for the IT systems overall,” Ithal says.
Shamban says in the cloud it’s almost impossible to work in strict silos because environments, applications and processes are connected by APIs and IAM roles. “This way, data is accessible to anyone with the right permissions,” she says. “The actual challenge lies in putting the right silos or guardrails in an effective way that will support the business logic of the application and not create frustration with the users.”
She adds one of the biggest challenges security practitioners face is enforcing policies without creating high friction with the development teams.
“The important thing is to consider ourselves as business enablers,” Shamban says. “We’re not here to say 'no' and prevent access. Instead, we need to figure out the right way to make sure our data is available and safely accessible to anyone who needs it, when it is needed.”