Looking at recent breaches and scandals, it’s not a mystery why organizations put a premium on good data security and governance practices. Yet, there is one aspect of data security and data governance that proves elusive.
Sure, organizations have data activity monitoring (DAM) solutions, extended detection and response (XDR) tools, governance programs run by their legal departments and SIEM. But discovery and classification of sensitive data — especially in the cloud — has proven difficult.
Solutions were often incomplete. They might discover structured data but not unstructured, or data-at-rest but not in-motion. Instead, many organizations resorted to pushing the identification of sensitive data onto line-of-business owners. In extreme cases, the experts we spoke to at CISO ExecNet claimed that “it is not my responsibility if sensitive data is compromised since we expect the owners of the data to enforce compliance.”
Now, this is a job for the data owners themselves to a degree. But, as one security pro asked us, “Who gets fired if a breach hits the news?” It’s a valid point. Let’s take a look at how security and IT can better understand their data.
Where Is Your Data?
First, answer some basic questions. Who actually owns the data? Who should sit at the top of the responsibility pyramid? Maybe a team outside of IT owns the data. Even so, security still needs to know where the data lives, how it moves and what to do when there’s a problem.
There is a multitude of business reasons to understand sensitive data. How can you more easily utilize data to develop products, build better customer experiences and optimize business processes?
Compliance and Privacy Require Visibility
This is not a surprising use case. Compliance and privacy regulations — from the general to the industry-specific — show no signs of slowing. The General Data Protection Regulation, the California Consumer Privacy Act, the Health Insurance Portability and Accountability Act and the Sarbanes-Oxley Act are just a selection of the growing alphabet soup of rules and requirements.
Further, sensitive data is not a monolith. It’s not enough to know, for example, that the sales department handles sensitive data. That does not mean the same compliance policies and security measures apply to every piece of data in that department.
Personally identifiable information, such as addresses or phone numbers, is different than financial transactions. These are, in turn, different than passwords or usernames. Depending on the regulation, there may be different rules for each type. Further, those rules may change depending on how people use that data and who those people are.
What Does ‘Advanced’ Really Mean?
A useful solution here is the advanced discovery and classification of sensitive data. But what does advanced mean? Consider the current approach many organizations take in meeting the first steps of compliance. It is largely manual. Success is dependent upon surveys of department data owners, who are expected to know where each piece of sensitive data lives. This is massively time-consuming and can be inaccurate and quickly out-of-date.
Compliance requires both accuracy and currency. You need to know what sensitive data you have and exactly where it lives.
To this end, advanced discovery and classification were created. It’s a more reliable way to not only discover but also understand sensitive data in a widely distributed environment. As an example, a solution like IBM Security Discover and Classify can accomplish this through continuous scanning at the data source and network level, coupled with the implementation of artificial intelligence (AI) and machine learning, to dynamically process each piece of data. This helps compliance teams understand what type of data is moving internally and to third parties. Third-party risk is a key aspect of many compliance mandates.
Advanced discovery and classification provide the visibility to craft more effective compliance policies. Security and compliance professionals can then improve their compliance posture and quickly adapt as requirements change.
Consumers Expect Better Data Handling
There is no shortage of studies finding that consumers demand better data security from organizations that handle their personal data. Major breaches perpetrated by outside malicious actors tend to make the news. But those are the result of a long chain of security and governance blind spots.
A common challenge is how to securely share data. Different parts of the business often maintain different data. These departments, for the sake of data security, often function in silos.
This siloed approach may provide confidence to customers that data is in good hands. At the same time, it limits the ability of that firm to use data cross-functionally. This issue harkens back to one of the business use cases mentioned earlier: building better customer experiences.
Share Data More Easily
How can an organization secure sensitive data at the same time as sharing data across functional boundaries? Customer success teams need to share data with product teams. They, in turn, must share data with development to deliver products and applications that delight customers. But if someone mishandles data along that chain, customers will not be delighted. Advanced data discovery and classification once again prove their worth in this scenario.
Known and unknown data sources — both internal and external — can be discovered to determine what data is being stored and processed using a variety of solutions available on the market. Once data is discovered, a solution could be used to build a dynamic data map to help teams visualize where sensitive data is located throughout the organization. This level of granularity means once data is shared, it is easy to understand where it has gone, how it is used and how to avoid data ‘exhaust’ (i.e., log files, temporary files and other items that are no less critical but are not typically documented or tracked). From there, tools such as DAM and XDR can help to secure the data in its new home as it flows across departments.
Manual Processes Slow Down Responses
All three of these use cases have a common thread. Current data discovery and classification methods rely heavily on manual processes and trust.
While trust is an invaluable resource, manual processes should no longer be the norm. Rather, automation is critical, given the explosion in the volume of sensitive data organizations collect, worsening cybersecurity skills shortages, limited time to respond to things like data subject access requests (DSARs) and an expanding data threat landscape.
Organizations frequently lack the tools and resources to respond to high-priority DSARs within the expected timeframe. This can lead to regulatory penalties. It can also create negative customer sentiment if they feel their data is not in safe hands.
There are several common themes across these three use cases. Each includes the preservation of customer data privacy, adherence to complex regulations and unlocking the value within the volumes of data. So, it is logical that the solutions are similar.
Once more, advanced data discovery and classification can achieve the speed expected in a DSAR scenario. This situation requires a combination of continuous scanning to discover sensitive data, AI to understand and contextualize it and data lineage mapping. All of these work together to build a profile for a given data subject, facilitating a quick, complete response to requests.
More to Discover
This is only a small sampling of use cases and only a brief explanation of the next generation of data discovery and classification tools. Data and data sources will continue to multiply as organizations grow and transform. More challenges will arise in terms of trying to handle sensitive data, compliance and data privacy. But it is a great place to start, especially as IBM Security and 1touch.io are partnering on the IBM Security Discover and Classify tool.
IBM Security Discover and Classify integrates with IBM Security SOAR and IBM Security Guardium to support data privacy, data threat response and zero trust initiatives. The tool is an important, timely addition to the IBM Security family. To learn more, visit the product page.
Former Product Marketing Manager, IBM Security Guardium Insights for IBM Cloud Pak for Security
Ryan worked with IBM from 2016 to early 2022 in a variety of roles and across an array of solutions - from sales to marketing and endpoint management to data...