[Robert O’Connor is currently the CISO for Maricopa County, Arizona, the 3rd largest county by population in the U.S. He has over 28 years of experience aligning global information infrastructure to business requirements, incorporating cyber and physical security. Maricopa County is a Symantec customer.]
Leading security-minded organizations see the need to develop their cyber security strategy from a strictly network-centric model toward a more mature data-centric one. With the boom of cloud services and a fully realized mobile workforce, there is no longer a secure perimeter.
A data-centric strategy uses classification and encryption to protect data wherever it moves. Where it resides becomes less important. Critical to data-centric security is that content is analyzed at the point of creation to determine its sensitivity. Then it must be restricted appropriately so that only those individuals with the proper business need can use it. This mindset marks a significant maturity in the approach to information security. We must pay more attention to identifying sensitive data so that it remains secure no matter where it goes.
This is not to say data movement and availability are unimportant. A 2015 report from Accenture and the Ponemon Institute noted that proactive firms are prioritizing network traffic anomalies, identifying vulnerabilities, and limiting unauthorized data sharing. Monitored access, encryption, and application-specific firewall rules can severely reduce malicious movement inside a network. When data passes through a secure application perimeter, application owners can easily monitor and isolate traffic and prevent unauthorized access.
Creating a Data-Centric Security Infrastructure
In a multi-platform environment, sensitive information may no longer be completely under our control. It could be on any device, shared in unauthorized locations, or accessed by the right people in the wrong way. This raises the need to manage every facet of what is being accessed, by whom, when, where, and how.
Seven major components make this happen.
1. Data Discovery. You cannot protect what you cannot find. A comprehensive data discovery system makes it possible to find data, no matter its location – cloud, mobile, local network, etc. Once you know what your data is, you can get a handle on protecting it.
2. Visibility – Data Flow. Get a complete picture of the path data travels over time. For example, a patient record originates with the primary care doctor, travels through the insurance company, and later ends up within the network of the specialist.
3. Classification. Decide what data to protect and how – automatically or manually – based on specific rules. An efficient classification system recognizes data context, such as credit card numbers, PII, and PHI, and automatically protects it.
4. Identity Management. Identity and access management is all about defining trust. Data access can be granted according to multiple facets: the person, the application, the service, the place, and the device. Trust may need to be established rapidly and be temporary. Accurate and up-to-date directory information, Multi-Factor Authentication (MFA) and tracking of changing roles in an organization all become paramount. This is especially the case for people or services with elevated privileges, to guard against mistakes, identity theft, insider threats or other malicious behavior.
5. Encryption. Encryption countermeasures should be applied to protect against unauthorized users trying to access data when it is not directly under your control. Applied correctly, it can also protect against authorized users accessing data in unauthorized ways or places. Activating encryption should be based on specific conditions, ensuring the entire process is transparent to the end user, without damaging the user experience.
6. Access Control. Data must be managed from the 30,000-foot level, not file-by-file. Data access should be based on roles with specific permissions and privileges. Rules must be applied based on person, place and device awareness. Access control mechanisms on the file/data/information itself and, possibly, on the endpoints will define who can and cannot access information after it has left an entity. Digital Rights Management (DRM) unifies the elements of classification, identity, encryption, control, and governance for data down to the file level, and now may be extended further to the object level for elements of web transactions in a RESTful architecture.
7. Governance & Compliance. Now that you can track who is doing what, when, where, and how to your information, you need to be able to show it. A good governance system will enable data tracking, ensuring you know exactly where the data has been and who has touched it. It will also be able to demonstrate compliance with any regulatory requirements by pulling very clear reports about the who, what, when, where, and how of file access.
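The seven components above are easier to reason about when the hand-offs between them are concrete. The following Python is an added illustration, not the author's or Symantec's code: it wires together content-based classification (component 3), an access decision that is aware of role, place and device (components 4 and 6), and an audit record of who, what, when, where and how (component 7). The labels, the policy table, the principals and the sample records are all constructed for this example; a real deployment would pull roles from the directory and MFA state from the identity provider.

```python
"""
Added illustration (not the author's or Symantec's code) of a minimal
data-centric pipeline: classify content -> decide access on person, place
and device -> record every decision for governance reporting.
All labels, rules and sample data below are constructed for this example.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Tuple

# --- 3. Classification: recognise content, not just where a file lives -----
# 13-16 digits with optional space/dash separators, not embedded in a longer run.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}(?![ -]?\d)")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")   # U.S. SSN shape, treated as PII


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so arbitrary digit runs are not mislabelled as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> str:
    """Return the most restrictive label that applies: RESTRICTED > CONFIDENTIAL > INTERNAL."""
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return "RESTRICTED"         # payment card data
    if SSN_RE.search(text):
        return "CONFIDENTIAL"           # PII
    return "INTERNAL"


# --- 4 & 6. Identity and access control: role, place and device awareness ---
@dataclass(frozen=True)
class Principal:
    user: str
    roles: FrozenSet[str]
    location: str            # constructed values: "office", "home", "unknown"
    managed_device: bool     # enrolled, policy-compliant endpoint
    mfa: bool                # session authenticated with a second factor


# label -> (roles entitled, locations allowed, managed device required, MFA required)
POLICY: Dict[str, Tuple[set, set, bool, bool]] = {
    "INTERNAL":     ({"staff", "analyst", "admin"}, {"office", "home", "unknown"}, False, False),
    "CONFIDENTIAL": ({"analyst", "admin"},          {"office", "home"},            True,  True),
    "RESTRICTED":   ({"admin"},                     {"office"},                    True,  True),
}


def decide(p: Principal, label: str, action: str) -> Tuple[bool, str]:
    """Evaluate the policy for one label; the reason string feeds the audit trail."""
    roles, places, need_managed, need_mfa = POLICY[label]
    if not p.roles & roles:
        return False, "role not entitled to " + label
    if p.location not in places:
        return False, "location %s not allowed for %s" % (p.location, label)
    if need_managed and not p.managed_device:
        return False, "unmanaged device"
    if need_mfa and not p.mfa:
        return False, "MFA required"
    if action == "share_external" and label != "INTERNAL":
        return False, "external sharing blocked for " + label
    return True, "ok"


# --- 7. Governance: every decision becomes a who/what/when/where/how record --
AUDIT: List[dict] = []


def access(p: Principal, doc_id: str, text: str, action: str) -> bool:
    label = classify(text)
    allowed, reason = decide(p, label, action)
    AUDIT.append({
        "when": datetime.now(timezone.utc).isoformat(),
        "who": p.user, "what": doc_id, "label": label, "where": p.location,
        "how": action, "device_managed": p.managed_device,
        "allowed": allowed, "reason": reason,
    })
    return allowed


def report(user: str) -> List[dict]:
    """Compliance view: everything one identity touched and whether it was allowed."""
    return [e for e in AUDIT if e["who"] == user]


if __name__ == "__main__":
    admin = Principal("alice", frozenset({"admin"}), "office", True, True)
    analyst = Principal("bob", frozenset({"analyst"}), "home", True, True)
    # constructed sample records
    access(admin, "claims-0042", "PAN 4111 1111 1111 1111 on the claim form", "read")
    access(analyst, "claims-0042", "PAN 4111 1111 1111 1111 on the claim form", "read")
    access(analyst, "intake-0007", "SSN 123-45-6789 for the applicant", "share_external")
    for entry in AUDIT:
        print(entry)
```

Two design points worth noting: the Luhn check keeps the classifier from labelling every long digit run (ticket numbers, timestamps) as card data, which is the usual source of noise in content-based classification; and the policy evaluates the label rather than the file, which is what the author means by managing data from the 30,000-foot level rather than file-by-file.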