Over the last decade, organizations across the globe have become increasingly conscientious about the importance of data security and privacy, not least because many of the new data privacy laws come with hefty fines for non-compliance. After COVID-19 arrived on the scene, large numbers of employees began working from home, which in turn came with a plethora of data security challenges.
The ongoing pandemic has forced companies to think about data security in a different way. Now, instead of relying solely on perimeter-based security solutions to keep the bad guys out, they are required to adopt a more data-centric approach, which involves knowing what data they have, who has access to it, who should have access to it and how the data should be accessed.
This allows for a more flexible approach to data governance, without compromising on security and privacy.
What is Data Governance?
According to the Data Governance Institute, data governance is “the exercise of decision-making and authority for data-related matters”, and describes “who can take what actions with what information, and when, under what circumstances, using what methods”.
In addition to improved data security and privacy, the benefits of having a well-thought-out data governance strategy include better decision-making, reduced operational friction, standardized and repeatable processes, and more.
It’s worth bearing in mind that there isn’t really a one-size-fits-all data governance strategy, as organizations will want to customize their strategy to suit their specific business needs. As already mentioned, we need a flexible approach to data governance, otherwise we will run into issues regarding accessibility, which will in turn lead to reduced productivity, and thus reduced revenue.
The Importance of Data Classification
As we know, not all data is equal. Some of the data we store is strictly confidential, and a breach of this data could have financial and legal repercussions. Some of the data we store is not strictly confidential, although disclosure of this data to the public could result in a moderate amount of harm to the company in question. As such, we need a data governance model which reflects the varying degrees of sensitivity we might encounter.
Before we can effectively classify our data, we must first ensure that we know exactly what data we are responsible for. After all, unstructured sensitive data can find its way onto all kinds of drives and devices. It is often sent in emails and may be spread across servers in different geographical regions. It is crucially important that you have a data classification solution in place which can automatically scan your repositories (both local and remote) for sensitive data.
Once you know what data you have and where it is located, you are now in a position to classify the data according to how sensitive the data is. A good place to start is to create a spreadsheet, which defines your classification schema. A typical classification schema would include data that is: public, internal-only, confidential, and restricted. However, you can customize the schema according to your requirements.
These days, many Data Security Platforms provide data discovery tools out-of-the-box which will automatically scan your repositories and classify sensitive data as it is found. Some will also classify the data at the point of creation/modification. They will provide you with pre-defined schemas, which are customized according to the types of data you are responsible for. For example, if your company is covered by HIPAA, the solution can be configured to automatically discover and classify Protected Health Information (PHI).
Access Control Techniques
A crucial part of data governance is access control: in other words, who is allowed to access what data. Whatever the circumstance, there is one principle that companies should try their best to adhere to, which is the Principle of Least Privilege.
The Principle of Least Privilege (PoLP)
PoLP simply stipulates that users should only be granted access to the data they really need to perform their role, and nothing else. The downside of PoLP is that it creates accessibility issues, which is what we are trying to avoid.
Of course, if an employee needs access to data which they don’t have access to, they could simply send an email to the administrator, and the administrator can grant them access to the data for a specified period of time.
This approach will probably work for small companies, where the administrator knows who is who, and what their role is. However, for large companies, elevating privileges on an ad-hoc basis may prove to be disastrous.
Role-Based Access Control (RBAC)
A commonly used method for controlling access to data is Role-Based Access Control (RBAC), which is where access rights are assigned to roles (groups) and users are assigned to those roles. Roles are typically based on a combination of department, location, and job title, although companies can define their own roles where necessary.
RBAC is less granular than other access control techniques, and thus it may be considered less secure. However, RBAC simplifies the process of assigning access controls, which can make it less prone to errors, and thus more secure. Whichever access control method you use, it should coincide with your chosen data classification schema.
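The sketch below is an added example, not code from any product mentioned here. It ties RBAC to the four-level classification schema and adds the time-boxed elevation described under PoLP, so a grant lapses on its own instead of lingering. The role names, resource names and helper functions are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import IntEnum

class Label(IntEnum):  # the four-level schema named in the article
    PUBLIC = 0
    INTERNAL_ONLY = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3

# Hypothetical roles: each role carries the highest label it may read.
ROLE_CLEARANCE = {
    "support-agent": Label.INTERNAL_ONLY,
    "finance-analyst": Label.CONFIDENTIAL,
    "compliance-officer": Label.RESTRICTED,
}

@dataclass
class TempGrant:
    resource: str
    expires: datetime

@dataclass
class User:
    name: str
    roles: set
    grants: list = field(default_factory=list)

def can_read(user, resource, label, now):
    """Return (allowed, reason). Roles are checked first, then unexpired grants."""
    if label == Label.PUBLIC:
        return True, "public"
    # A role missing from ROLE_CLEARANCE clears nothing (default deny).
    if any(ROLE_CLEARANCE.get(r, -1) >= label for r in user.roles):
        return True, "role"
    for g in user.grants:
        if g.resource == resource and now < g.expires:
            return True, "temporary-grant"
    return False, "denied"

def grant_temporarily(user, resource, now, hours):
    """Time-boxed elevation for one resource; prunes grants that have expired."""
    user.grants = [g for g in user.grants if now < g.expires]
    user.grants.append(TempGrant(resource, now + timedelta(hours=hours)))

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0)                    # constructed sample data
    alice = User("alice", {"support-agent"})
    print(can_read(alice, "payroll.xlsx", Label.CONFIDENTIAL, t0))
    grant_temporarily(alice, "payroll.xlsx", t0, hours=4)
    print(can_read(alice, "payroll.xlsx", Label.CONFIDENTIAL, t0 + timedelta(hours=1)))
    print(can_read(alice, "payroll.xlsx", Label.CONFIDENTIAL, t0 + timedelta(hours=5)))
```

The grant names a single resource rather than raising the user's clearance, so the elevation cannot be reused against other confidential files.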
Real-time Monitoring of Sensitive Data
A crucial component of a data-centric approach to security is monitoring access to sensitive data. In fact, a term that is often used to describe this approach is Data-Centric Audit & Protection (DCAP).
A DCAP solution will provide you with a single intuitive dashboard where you can see who is accessing what data, and when. A DCAP solution can aggregate event data from multiple platforms, whether on-premise or “in the cloud”. A DCAP solution won’t just keep track of important changes; it will also use machine learning algorithms to learn patterns of behavior. When usage patterns deviate beyond a given threshold, the administrator will receive an alert, prompting them to launch an investigation to determine the legitimacy of the actions performed. A DCAP solution can also detect and respond to events that match a pre-defined threshold condition, such as when a user fails to log in multiple times, or when x number of files have been moved or encrypted within a given time-frame. Finally, it should also be noted that most sophisticated DCAP solutions provide built-in data classification functionality, which can be customized to meet the requirements of most data privacy laws.
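The pre-defined threshold conditions described above can be expressed as a sliding-window count per user and action. The following is an added example, not the logic of any particular DCAP product; the rule values, event names and sample events are constructed, and the machine-learning baseline is out of scope.

```python
from collections import defaultdict, deque

# Hypothetical rules: action -> (count threshold, window length in seconds).
RULES = {
    "login_failed": (3, 60),
    "file_moved": (5, 30),
    "file_encrypted": (5, 30),
}

def detect(events, rules=RULES):
    """events: (epoch_seconds, user, action) tuples sorted by time.
    Returns one alert per burst in which a (user, action) pair reaches its threshold."""
    windows = defaultdict(deque)   # (user, action) -> timestamps still inside the window
    alerting = set()               # pairs already alerted on, to suppress repeats
    alerts = []
    for ts, user, action in events:
        if action not in rules:
            continue
        limit, span = rules[action]
        key = (user, action)
        q = windows[key]
        q.append(ts)
        while ts - q[0] > span:    # drop events that fell out of the window
            q.popleft()
        if len(q) >= limit:
            if key not in alerting:
                alerting.add(key)
                alerts.append({"time": ts, "user": user,
                               "action": action, "count": len(q)})
        else:
            alerting.discard(key)  # burst is over; a later one alerts again
    return alerts

# Constructed sample events (not real logs).
SAMPLE = (
    [(0, "bob", "login_failed"), (20, "bob", "login_failed"),   # two early failures that age out
     (100, "bob", "login_failed"), (110, "bob", "login_failed"),
     (120, "bob", "login_failed"), (125, "bob", "login_failed")]
    + [(200 + 2 * i, "carol", "file_encrypted") for i in range(5)]  # rapid encryption
    + [(300 + 40 * i, "dave", "file_moved") for i in range(4)]      # slow, normal activity
)

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Suppressing repeats while a burst is in progress keeps one incident from flooding the administrator with an alert per event.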
To conclude, in order to achieve the maximum level of security without making your data inaccessible to those who need it, visibility is key! The more visibility you have into what sensitive data you store, where it is located, who has access to it and what they are doing with it, the less you need to rely on the traditional moat-castle approach to keeping it secure – thus ensuring that your employees have access to the data they need, when they need it, wherever they are.