Since it is highly unlikely that my wife will read a blog on data security, I think I can safely share that she is a snoop around birthdays, anniversaries and holidays. My wife cannot stand the suspense of not knowing what gift might be in store. The gift’s value is not relevant; it is the not knowing that kills her.

My strategy is to hide her gifts in my son’s room, which is a catastrophic mess of toys, papers, books, clothes and random objects. I can almost put a gift in plain sight in his room, since she isn’t likely to see it in the chaos. Every once in a while, she may be lucky enough to uncover the gift, but the clutter of boyhood hides most evidence — as a security practice, it is fairly resilient.

What Does This Have to Do With Connected Data?

An organization’s data landscape is like my son’s room, with disconnected databases and data warehouses stored haphazardly across the enterprise. The ‘data catastrophe’ also has a certain measure of security resiliency built in. Although it is certainly possible for some valuable data to be compromised without being noticed — whether that compromise is accidental or malicious — distributed, disconnected data silos provide a modicum of resilience, as it is difficult to extract data at scale.

Think about it. How difficult would it be to steal the names, addresses, phone numbers, Social Security numbers and credit card numbers from people if you had to find each piece of data one at a time? It would be even harder if the data were in multiple formats and multiple places. The struggles that an organization faces working with disconnected data stores are the same ones that a cyber miscreant will have trying to exfiltrate data. This is because a lack of connection makes data hard to find. When faced with this dilemma, an attacker may choose a different, softer and better organized target.

The Pros and Cons of Connected Data

The days of disconnected data stores are numbered, though. Digital transformation initiatives are utilizing artificial intelligence (AI) and machine learning (ML) to metamorphose unstructured data into structured data, unlocking a data analysis gold mine. Organizations are turning to governed data planes in order to solve long-standing issues around connectivity and productivity that prevent them from reaping intelligence from their data. AI technology has matured to the point that it can now collect and organize data, providing data scientists with the ability to integrate, cleanse, catalog and govern data. These new enriched and structured data sets are then fed into advanced analytics models.

The promise of new data riches can also inadvertently bring with it a new threat vector. Enriched and properly curated data can offer malicious actors the same rich potential it offers the data owners, since it gives bad actors the chance to breach data at scale. Now that you’ve widened employee access to your company’s data — all your company’s data — an unintended consequence is that you may have provided that same access to malicious actors in the event of a breach.

Malicious outsiders comprise only half of our concern. Well-intentioned insiders may inadvertently access or edit sensitive or regulated data that they could not access before data sources were connected on the platform. By democratizing access to your organization’s data, you are removing some of the previous barriers to access that made addressing compliance much easier.

For example, if you have personally identifiable information stored only on a handful of separate databases on-premises, controlling access and data use is not a complex task. Once your organization connects all the data stores via a platform that facilitates easy access, you must deploy sophisticated controls to ensure least privileged data access.

Integrating Data Security with Data Governance

The key point is that data governance is as important as data security. You had better be sure that only authorized users access the data permitted by their roles. Users must access sensitive, private and/or confidential data in a manner that is compliant. In addition, being compliant is only half the job. You must also be able to prove compliance in the eyes of a regulator. As a result, no part of a data enrichment process is complete without tying data security and data governance together.

I am not pushing for a strict approach that places so many protections around curated data that its value is limited. That is so last decade. Good data security and governance are not about blocking access to data, but about enabling proper access. Least privileged access is always the goal. However, we tend to emphasize the least privileged part, rather than the access. Data riches, after all, cannot be enabled without governed access.

What are the Basics of Data Governance and Data Security?

The basic elements of data security and data governance are the same regardless of whether your data is housed in walled-off data stores or easily found on a cloud-native data plane. The key elements include:

  • Discovering and classifying sensitive data across all environments. Visibility is binary; you either know what data you have, or you don’t
  • Monitoring suspicious behavior and vulnerabilities in real time, integrating with the security operations center tools of your choice
  • Taking action in real time, whether policy dictates an alert, a block or a quarantine
  • Providing pre-built compliance template workflows

What Makes Security and Governance Different, then?

The difference between data security and governance for an integrated hybrid multicloud data platform versus disconnected data stores is that data governance for a platform puts the usability of administrative tools at a premium. Today’s data initiatives cannot survive yesterday’s reality of users being managed as if they were each unique cases with custom roles. Awkward and cumbersome data security administration does not scale. Instead, it brings today’s data plans to a halt. This is an intolerable reality for initiatives whose raison d’être is data democratization and access. Thus, data security and governance in the modern, connected world have additional requirements.

The first is integration. All vendors have easy-to-use application programming interfaces (APIs) before purchase; the usefulness of APIs can vary after purchase. Make the vendor own the problem and demand pre-integrated data security and governance.

Next, pay attention to centralized policy enforcement and management across data landscapes. Write policies once and allow the platform to orchestrate rolling them out.

Next, use preset, automated compliance workflows for audit reviews and approvals. Being compliant is not enough; you have to prove it to lawmakers. Let’s face it: no one wants to do this by hand.

Lastly, conduct orchestration and remediation through integration with IT and security operations tools. Data security and governance should fit into an organization’s processes and tools, not the other way around.

Connecting Your Siloed Data Safely and in Compliance

The evolution of siloed data structures into connected data platforms has great promise. It will facilitate a new wave of innovation. However, it is not a plan that can be put into motion without care. Done properly, the future is bright. Without robust, integrated and easy-to-use security and governance tools, not so much.
