
Data security: Safeguarding the data you control — and don’t control

Data security is a tough nut to crack, even for those who hold the most important digital security roles at the best-run enterprises. The pressure of a data security job is immense because you are accountable for systems you directly supervise as well as for systems you have little to do with. Unfortunately, that is part of the game. So if there is a data leak or a security breach, the buck stops with you.

Lack of control over processes and systems is one of the biggest hurdles for anybody leading data security in a business or organization. Unknown processes and systems, careless users, troublemakers, insiders stealing data, cybercriminals, datacenter outages, and server vendors: there are too many variables for one person to control.

Just watch a season of "24" and you may get an idea! The movie "Blackhat" is another amazing winner in this genre. Someone may play with pork futures and affect the stock price, and that is not good!

Data security leads, hence, have to embrace the uncertainty and lack of control, and prepare to steer even the most caustic situations toward stability. This attitude, along with an understanding of some basics of data safekeeping, will help you remain in control.

We will let you take care of the "attitude" bit, and will take care of the rest. Read on.

The cloud is not automatically more secure

One of the common misconceptions that misleads data security decision makers is that cloud-based data storage automatically takes care of security. To some extent this is true: the provider secures the physical facilities, the hardware and the virtualization layer. But the customer remains responsible for everything on top of that: identities and access, the configuration of storage and network controls, and the data itself. If you store a lot of organizational data in the cloud, that is the part of the security you need to be wary of.

The cloud, inherently, is based on the idea of dynamism. Virtualization is a core element of cloud-heavy infrastructure, and cloud-based solutions can add workloads, change settings, and remove instances within minutes. Providers market the ability to scale up and down quickly as one of their USPs.

Security configurations, on the other hand, depend on repeatability and stability. They are process-oriented and do not automatically keep up with the changes happening in the cloud. Applying a configuration can be automated to a large extent, but the decisions that drive those tasks (which workloads may be exposed, which data may move where) are contextual, and hence need human control.

Proper updates to security configurations to reflect the current state of a cloud storage ecosystem can take days, weeks, or even months. Who has time for that? The party is next week! OK, back on topic. The three most important data security considerations associated with any major cloud data storage decision are:

  • The need to update policies so they describe what is actually deployed.
  • The need to implement the right firewall and security-group rules for each workload.
  • The approvals for policy and firewall updates, so that changes are reviewed rather than improvised.

So, avoid unintended security compliance violations by addressing the security requirements of the cloud as part of every deployment decision, not afterwards.
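The second consideration above, firewall rules drifting away from policy as instances come and go, is the kind of check that can be automated even if the decision cannot. The script below is an added example written for this article, not code from the original page or from any cloud provider's SDK: it audits a constructed, simplified inventory of security-group ingress rules against an assumed policy (only HTTPS may be exposed to the internet, remote-administration ports never). The rule dictionaries are a made-up shape; real provider APIs return richer objects, but the check is the same.

```python
"""Audit security-group ingress rules against a written exposure policy.

Added example; the inventory and policy below are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Assumed policy for the example: only HTTPS may be reachable from the whole
# internet, and remote-administration ports must never be.
PUBLIC_ALLOWED_PORTS = {443}
ADMIN_PORTS = {22, 3389}


@dataclass(frozen=True)
class Finding:
    group: str
    protocol: str
    ports: tuple      # violating ports, ascending
    source: str       # the offending source CIDR
    reason: str


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. a rule that admits any source."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_group(group: dict) -> list:
    """Return one Finding per (rule, source) pair that violates the policy."""
    findings = []
    for rule in group["ingress"]:
        rule_ports = set(range(rule["from_port"], rule["to_port"] + 1))
        for source in rule["sources"]:
            if not is_world_open(source):
                continue  # private or partner ranges are outside this check
            admin_exposed = rule_ports & ADMIN_PORTS
            if admin_exposed:
                findings.append(Finding(group["name"], rule["protocol"],
                                        tuple(sorted(admin_exposed)), source,
                                        "admin port reachable from the internet"))
            other = rule_ports - ADMIN_PORTS - PUBLIC_ALLOWED_PORTS
            if other:
                findings.append(Finding(group["name"], rule["protocol"],
                                        tuple(sorted(other)), source,
                                        "port not on the public allow list"))
    return findings


def audit_account(groups: list) -> list:
    """Audit every group in an account inventory."""
    return [f for g in groups for f in audit_group(g)]


# Constructed sample inventory, as it might look after a few "quick" changes
# that nobody updated the policy for (the debug group is the classic one).
SAMPLE_GROUPS = [
    {"name": "web-sg", "ingress": [
        {"protocol": "tcp", "from_port": 443, "to_port": 443, "sources": ["0.0.0.0/0"]},
        {"protocol": "tcp", "from_port": 80, "to_port": 80, "sources": ["0.0.0.0/0"]},
    ]},
    {"name": "bastion-sg", "ingress": [
        {"protocol": "tcp", "from_port": 22, "to_port": 22,
         "sources": ["0.0.0.0/0", "10.0.0.0/8"]},
    ]},
    {"name": "db-sg", "ingress": [
        {"protocol": "tcp", "from_port": 5432, "to_port": 5432, "sources": ["10.0.0.0/8"]},
    ]},
    {"name": "debug-sg", "ingress": [
        {"protocol": "tcp", "from_port": 0, "to_port": 65535, "sources": ["::/0"]},
    ]},
]


if __name__ == "__main__":
    for f in audit_account(SAMPLE_GROUPS):
        shown = f.ports if len(f.ports) <= 5 else f"{len(f.ports)} ports"
        print(f"{f.group}: {f.reason} ({f.protocol} {shown} from {f.source})")
```

Run against a real inventory, every finding is a place where the deployed state and the approved policy disagree; the decision of which one to change is the human part, and it needs the approval step from the list above.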

Umbrella policies, without exceptions

A question: who is responsible for every security breach? If you are on the security upkeep team of your enterprise, it's you! That is the uniform you are wearing, right? Leave everything else aside; it is in your own best interests to implement super-strong security policies with no room for exceptions. This is not the time to go eat some donuts and take the chance that the right security updates are not made or the right security protocols are not followed. You can eat those chocolate bars and old-fashioned glazed donuts later!

On a more practical note, consider a situation where you decide to look the other way when you find out that some of your employees are sharing the same system login credentials. A shared credential cannot be revoked for just one person: even if your enterprise discontinues the services of one of them, he or she still knows the other person's password and can use it to go into the system and extract information, or worse, delete it. And because the logs show only the shared account, you cannot even tell which of them did it. Again, if this happens on your watch, you are going to be in trouble.
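Credential sharing rarely announces itself, but it does leave a trace: one username logging in successfully from several different places within a short time. The detector below is an added example written for this article, not code from the original page. It runs over a few constructed authentication log lines in an assumed, simplified format (ISO timestamp, user, source address, result); adapt parse_line() to whatever your real auth logs look like.

```python
"""Flag accounts whose credentials look shared: successful logins for one
username from several distinct source addresses inside a short window.

Added example; the log format and sample lines are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+result=(?P<result>\S+)$"
)


def parse_line(line: str):
    """Return (timestamp, user, src, result), or None for lines that don't match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    # fromisoformat() on older Pythons rejects a trailing 'Z', so normalise it.
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["user"], m["src"], m["result"]


def find_shared_accounts(lines, window=timedelta(hours=1), min_sources=2) -> dict:
    """Map user -> sorted source addresses, for users that logged in from at
    least `min_sources` distinct addresses within any single `window`."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[3] != "success":
            continue  # unparseable lines and failed attempts are noise here
        ts, user, src, _ = parsed
        events[user].append((ts, src))

    flagged = {}
    for user, evs in events.items():
        evs.sort()  # chronological, so the sliding window below is simple
        suspicious = set()
        for i, (start, _) in enumerate(evs):
            in_window = set()
            for ts, src in evs[i:]:
                if ts - start > window:
                    break
                in_window.add(src)
            if len(in_window) >= min_sources:
                suspicious |= in_window
        if suspicious:
            flagged[user] = sorted(suspicious)
    return flagged


# Constructed sample log: jsmith's password is clearly in use by two people;
# amiller just logged in from the office and then from home six hours later.
SAMPLE_LOG = """\
2024-03-01T09:00:03Z user=amiller src=192.0.2.10 result=success
2024-03-01T09:02:11Z user=jsmith src=203.0.113.5 result=success
2024-03-01T09:15:48Z user=jsmith src=198.51.100.7 result=success
2024-03-01T09:16:02Z user=root src=198.51.100.7 result=failure
2024-03-01T09:40:27Z user=jsmith src=203.0.113.5 result=success
2024-03-01T15:05:19Z user=amiller src=192.0.2.44 result=success
this line is garbage and is skipped
""".splitlines()


if __name__ == "__main__":
    for user, sources in find_shared_accounts(SAMPLE_LOG).items():
        print(f"{user}: logins from {', '.join(sources)} within one hour")
```

The window and threshold are policy knobs: a one-hour window catches two people using one account during the same shift, while a longer window would also flag a single person moving between office and home, so tune it against your own environment before acting on the output.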

You are not their friend. You are the team leader for a reason.

This is where the need for strict implementation of security protocols and policies becomes obvious. Data security is not about convenience. It is not even about balancing convenience and security. It is focused on creating the strongest possible protection for the most valuable organizational asset: data.

From ‘trusted’ to ‘verified’

Conventional data security measures have been castigated for being peripheral and superficial in their approach, and rightly so. The basic assumption of traditional measures has been: keep untrusted access requests out, and everything within the boundary will be safe. However, the moment that boundary is breached, the intruder inherits all the trust of the inside, and the entire model comes tumbling down like a house of cards. And speaking of "House of Cards," kudos to Netflix for continuing the show even without Kevin Spacey. OK, back on topic, again.

This is where the concept of "Zero Trust" saves you. Implement security policies that verify the authenticity and safety of every access request, even one that originates inside the company's own network. The idea is to move from "trusted vs. untrusted" to "verified vs. unverified." Until verified, a request has to be treated as unverified, and therefore denied, whatever network it comes from.

With time, you can implement tighter controls based on user profile, data criticality, and geo-location. These parameters let you micro-segment: split the network and the data into small zones, each with its own access policy, instead of one large trusted interior. Traffic crossing a zone boundary is then visible and checked, which makes anomalous traffic and access requests easier to detect and helps you prevent data leaks.

For instance, a customer service representative could have access to a customer's purchasing history, but not to the customer's credit history.

An HRIS (human resources information system) admin will need an employee's organizational data, but won't really need to change the system settings for employee performance dashboards. Such an approach requires every information request to "prove its need to know" before it gets anything beyond the default.
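Put together, the last few paragraphs describe a decision procedure: verify the requester and the device first, then check the role against the resource and action, then apply the data-criticality and geo-location rules. The policy engine below is an added example written for this article, not code from the original page or from any zero-trust product. The roles, resources, classifications and allowed countries are assumptions chosen to mirror the two scenarios above (a customer service representative, an HRIS admin); a real deployment would load them from a policy store rather than hard-code them.

```python
"""A small zero-trust access decision: deny unless every check passes.

Added example; roles, resources, classifications and geo rules are assumptions.
"""
from dataclasses import dataclass

# Data criticality per resource (assumed classification for the example).
CLASSIFICATION = {
    "customer.purchase_history": "internal",
    "customer.credit_history": "restricted",
    "employee.record": "confidential",
    "hris.dashboard_settings": "confidential",
}

# Role -> {resource: allowed actions}. Anything not listed is denied by default,
# which is what "prove its need to know" means in code.
ROLE_PERMISSIONS = {
    "customer_service": {"customer.purchase_history": {"read"}},
    "hris_admin": {
        "employee.record": {"read", "write"},
        "hris.dashboard_settings": {"read"},   # may look, may not change
    },
}

# Where each data class may be accessed from (assumed). Unlisted classes are
# not geo-restricted.
ALLOWED_GEOS = {"restricted": {"US"}, "confidential": {"US", "GB"}}


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    resource: str
    action: str
    geo: str              # country the request originates from
    mfa_verified: bool    # identity verified for this session
    device_compliant: bool  # device attested/managed and up to date


def decide(req: Request) -> tuple:
    """Return (allowed, reason). Verification comes before any entitlement:
    an unverified request is denied even if the role would permit it."""
    if not req.mfa_verified:
        return False, "identity not verified (no MFA)"
    if not req.device_compliant:
        return False, "device not verified"
    level = CLASSIFICATION.get(req.resource)
    if level is None:
        return False, f"unknown resource {req.resource}"
    allowed_actions = ROLE_PERMISSIONS.get(req.role, {}).get(req.resource, set())
    if req.action not in allowed_actions:
        return False, f"role {req.role} has no {req.action} on {req.resource}"
    geos = ALLOWED_GEOS.get(level)
    if geos is not None and req.geo not in geos:
        return False, f"{level} data not accessible from {req.geo}"
    return True, "verified"


if __name__ == "__main__":
    # Constructed requests illustrating the article's two scenarios.
    samples = [
        Request("cs-rep", "customer_service", "customer.purchase_history", "read", "US", True, True),
        Request("cs-rep", "customer_service", "customer.credit_history", "read", "US", True, True),
        Request("cs-rep", "customer_service", "customer.purchase_history", "read", "US", True, False),
        Request("hr-admin", "hris_admin", "employee.record", "read", "GB", True, True),
        Request("hr-admin", "hris_admin", "hris.dashboard_settings", "write", "US", True, True),
        Request("hr-admin", "hris_admin", "employee.record", "read", "DE", True, True),
    ]
    for r in samples:
        allowed, reason = decide(r)
        print(f"{'ALLOW' if allowed else 'DENY '} {r.user} {r.action} {r.resource}: {reason}")
```

The ordering of the checks is the point: identity and device verification gate everything, so the customer service representative with the right role is still refused from an unmanaged device, and the HRIS admin's legitimate read of an employee record is refused from a country the data may not be accessed from. Exceptions go through the approval hierarchy, not through loosening the defaults.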

Harking back to what was explained in the last section, security is not about anybody's convenience. As long as you have a request approval hierarchy in place, every exceptional need can be accounted for, even if it takes time. Ask yourself what you would rather live with: a few days' delay in special information requests, or bad press about how hackers took thousands of customers' credit card numbers out of your business's databases?

Is data security an illusion?

Going back to what was stated before, data security leads have it rough: they are in charge of keeping data safe while the internal and external variables working against them can be neither predicted nor controlled.

Still, by keeping your basic security parameters strong and your approach in line with the suggestions presented in this guide, you will be able to remain in control. John McAfee famously remarked that security is an illusion. It is your job to disagree with him, and your responsibility to do everything possible to prove him wrong.

Photo credit: Shutterstock