Since it is highly unlikely that my wife will read a blog on data security, I think I can safely share that she is a snoop around birthdays, anniversaries and holidays. My wife cannot stand the suspense of not knowing what gift might be in store. The gift’s value is not relevant; it is the not knowing that kills her.
My strategy is to hide her gifts in my son’s room, which is a catastrophic mess of toys, papers, books, clothes and random objects. I can almost put a gift in plain sight in his room, since she isn’t likely to see it in the chaos. Every once in a while, she may be lucky enough to uncover the gift, but the clutter of boyhood hides most evidence — as a security practice, it is fairly resilient.
What Does This Have to Do With Connected Data?
An organization’s data landscape is like my son’s room, with disconnected databases and data warehouses stored haphazardly across the enterprise. The ‘data catastrophe’ also has a certain measure of security resiliency built in. Although it is certainly possible for some valuable data to be compromised without being noticed — whether that compromise is accidental or malicious — distributed, disconnected data silos provide a modicum of resilience, as it is difficult to extract data at scale.
Think about it. How difficult would it be to steal the names, addresses, phone numbers, social security numbers and credit card numbers from people if you had to find each piece of data one at a time? It would be even harder if the data were in multiple formats and multiple places. The struggles that an organization faces working with disconnected data stores are the same ones that a cyber miscreant will face trying to exfiltrate data. This is because a lack of connection makes data hard to find. When faced with this dilemma, an attacker may choose a different, softer and better-organized target.
The Pros and Cons of Connected Data
The days of disconnected data stores are numbered, though. Digital transformation initiatives are using artificial intelligence (AI) and machine learning (ML) to transform unstructured data into structured data, unlocking a data analysis gold mine. Organizations are turning to governed data planes in order to solve long-standing issues around connectivity and productivity that prevent them from reaping intelligence from their data. AI technology has matured to the point that it can now collect and organize data, providing data scientists with the ability to integrate, cleanse, catalog and govern data. These new enriched and structured data sets are then fed into advanced analytics models.
The promise of new data riches can also inadvertently bring with it a new threat vector. Enriched and properly curated data can offer malicious actors the same rich potential that it offers the data owners, since it gives bad actors the chance to breach data at scale. Now that you’ve widened employee access to your company’s data — all your company’s data — an unintended consequence is that you may have provided that same access to malicious actors in the event of a breach.
Malicious outsiders comprise only half of our concern. Well-intentioned insiders may inadvertently be accessing or editing sensitive or regulated data that they could not access before data sources were connected on the platform. By democratizing access to your organization’s data, you are removing some of the previous barriers to access that made addressing compliance much easier.
For example, if you have personally identifiable information stored only on a handful of separate databases on-premises, controlling access and data use is not a complex task. Once your organization connects all the data stores via a platform that facilitates easy access, you must deploy sophisticated controls to ensure least privileged data access.
Integrating Data Security with Data Governance
The key point is that data governance is as important as data security. You had better be sure that only authorized users access the data permitted by their roles. Users must access sensitive, private and/or confidential data in a manner that is compliant. In addition, being compliant is only half the job. You must also be able to prove compliance in the eyes of a regulator. As a result, no part of a data enrichment process is complete without tying data security and data governance together.
I am not pushing for a strict approach that places so many protections around curated data that its value is limited. That is so last decade. Good data security and governance are not about blocking access to data, but about enabling proper access. Least privileged access is always the goal. However, we tend to emphasize the least privileged part, rather than the access. Data riches, after all, cannot be enabled without governed access.
What are the Basics of Data Governance and Data Security?
The basic elements of data security and data governance are the same regardless of whether your data is housed in walled-off data stores or easily found on a cloud-native data plane. The key elements include:
- Discovering and classifying sensitive data across all environments. Visibility is binary; you either know what data you have, or you don’t
- Monitoring suspicious behavior and vulnerabilities in real time, integrating with the security operations center tools of your choice
- Taking action in real time, whether policy dictates an alert, a block or quarantine
- Providing pre-built compliance template workflows
What Makes Security and Governance Different, then?
The difference between data security and governance for an integrated hybrid multicloud data platform versus disconnected data stores is that data governance for a platform puts the usability of administrative tools at a premium. Today’s data initiatives cannot survive yesterday’s reality of users being managed as if they were each unique cases, having custom roles. Awkward and cumbersome data security administration does not scale. Instead, it brings today’s data plans to a halt. This is an intolerable reality for initiatives whose raison d’être is about data democratization and access. Thus, data security and governance in the modern, connected world have additional requirements.
The first is integration. All vendors have easy-to-use application programming interfaces (APIs) before purchase; the usefulness of APIs can vary after purchase. Make the vendor own the problem and demand pre-integrated data security and governance.
Next, pay attention to centralized policy enforcement and management across data landscapes. Write policies once and allow the platform to orchestrate rolling them out.
Next, use preset, automated compliance workflows for audit reviews and approvals. Being compliant is not enough; you have to prove it to lawmakers. Let’s face it: no one wants to do this by hand.
Lastly, conduct orchestration and remediation through integration with IT and security operations tools. Data security and governance should fit into an organization’s processes and tools, not the other way around.
Connecting Your Siloed Data Safely and in Compliance
The evolution of siloed data structures into connected data platforms has great promise. It will facilitate a new wave of innovation. However, it is not a plan that can be put into motion without care. Done properly, the future is bright. Without robust, integrated and easy-to-use security and governance tools, not so much.
Program Vice President, Security & Trust, IDC
Frank Dickson is a Program Vice President within IDC’s Cybersecurity Products research practice. In this role, he leads the team that delivers compelling ...