The threat of data loss looms over modern IT operations, making it vital for every organization to grasp the fundamentals of information security.
In this video, Tanner Johnson, principal analyst of data security and IoT cybersecurity at Omdia, offers a way for IT professionals to wrap their minds around data security. It involves splitting data security into three categories: data discovery, data governance, and data protection. Within each category, Johnson outlines key concepts and best practices.
Transcript follows below. Minor edits have been made for clarity.
Tanner Johnson: As a principal analyst for data security for Omdia, I have had to approach the challenge of data security and develop a taxonomy that makes the most viable sense. And so, I've developed what I believe is to be kind of a barstool, a trinity of legs, that supports all of data security.
The components fall under three categories:
- Data discovery -- the fundamental component of knowing where your data exists.
- Data governance -- putting controls in place on that data.
- Data protection -- the obfuscation, encryption, tokenization, and masking of the data.
When it comes to most information security efforts, the first step in any strategy is establishing visibility into and across the scope of the information collection, processing, and dissemination environment.
This concept can sound simple on paper, but the actual practices is no simple task. For example, if simply asked to identify where an organization's data is located, many IT administrators would likely struggle to answer confidently. An organization's data can be housed in countless locations any given time simultaneously: connected hardware components; various networks, storage, servers, integrated clouds or edge devices; on-premises, off-premises, hybrid cloud deployments. And so, this evolving ecosystem is what makes locating data assets a significant challenge.
Despite the complexity of this initial task, no definitive information protection effort can possibly be implemented if the assets that you're trying to protect are not first initially recognized and identified.
The overall data discovery and classification process can seem daunting, but this essential first step is necessary to firmly establish what the most value data assets for an organization are. And only that organization will know. I use the term “Crown Jewels” -- these are just the mission-critical data assets and repositories that are crucial to a company's continued operation and would likely cause severe damage if compromised. However, it's likely that only a select group of individuals within any organization are even aware of just what these assets are.
Properly labeling these assets and is a separate challenge in and of itself.
But, once a consensus surrounding the establishment of criteria for the assets and the labeling associated is achieved, the process begins by tagging any located data according to these pre-approved characteristics. And it's this data tagging that makes the data itself far easier to track and search index.
One of the additional benefits of this process is that duplications of data can be discovered and addressed far more efficiently.
Once the established visibility into an organization's data environment has been conducted, effective information security demands granular control over the comprehensive handling of data throughout its entire lifecycle. That’s create, process, store, transmit and destroy.
As organizations generate an ever-increasing volume of data, proper data handling requires a comprehensive understanding of how data lifecycle activities impact their own data footprint and their respective responsibilities throughout each step of the overall process. As this data footprint increases in size, so too does the necessity to implement protective controls at each stage.
Once controls over each stage of an organization's information lifecycle have been thoroughly established, then additional data governance steps can be taken.
Through the systemic implementation of visibility, classification, and lifecycle management, an organization should develop and deploy comprehensive internal processes and policies that enforce these controls in order to regulate the data and its behavior. This is another area of data security that requires significant effort on the part of the organization.
While some advanced data security solutions can utilize artificial intelligence and machine learning to recommend specific data governance policies based on observational patterns, the organization is ultimately responsible for dictating the specific policies by which its own data adheres.
So, through the creation and enforcement of these policies, an organization can establish a solid baseline of acceptable data behavior. And this baseline will allow organizations to more easily detect and respond to threats stemming from abnormal data interactions.
And lastly, the third pillar is data protection. While data discovery and governance are our essential components, the resources invested in these challenging endeavors can be negated if the data itself isn't protected from compromise.
While unsanctioned exfiltration of data is practically impossible to completely prevent, there are options available that make the data effectively worthless to those who extract it -- namely, when it's concealed through various cryptographic methods. These include encryption and tokenization, masking, and other concealing or obfuscation techniques. But each of these tools provides a unique capability to conceal the exact contents of the data by demanding additional components, such as ciphers or keys with which to decode and decrypt the information so it is once again legible.
But, sadly, despite the widespread availability of products that offer encryption capabilities and solutions, many organizations have encountered significant challenges in their own data protection strategies.
One of the most fundamental methods of protecting data compromise is through the utilization of encryption throughout an information environment. The process of encryption transforms clear text data into an illegible form known as ciphertext, using an algorithm to encode the data with a cipher or a cryptographic key. The number of keys involved in the process determines whether the encryption is symmetric (it shares one key) or asymmetric (it uses separate keys in tandem). While there are various benefits associated with a deployment of either strategy, the ultimate objective is to provide for the secure concealment and trusted delivery of sensitive information.
So, regardless of the technical approach chosen, without some form of obfuscation all data is ultimately susceptible to compromise. However, organizations that have widely implemented consistent encryption strategies are still in a minority, sadly.