P.T. Barnum may or may not have said “there’s no such thing as bad publicity”; however, even he would likely agree that corporations are done no favors by achieving front-page status through a data breach. With the financial impact of an incident reaching into the hundreds of millions of dollars, it’s obviously important to protect your company. But what does implementing “Data Protection” really entail?
At a high level, there are five pillars to an effective Data Protection program. They are:
- Discovering and categorizing existing data and its owners
- Ensuring the right people have access to it and the wrong people don’t
- Monitoring access to and movement of the data
- Categorizing and protecting new data appropriately
- Preventing unauthorized exfiltration
Each of the above bullets could easily be a topic for an extended discussion—especially when you look at the marketplace and product capabilities—but we’ll try to keep this high-level. With the complexity and depth of crafting a mature Data Protection program, it is imperative that the security staff responsible for operationalizing the tooling has executive sponsorship. With the discovery of your organizations data (structured and unstructured) and wrapping policies around accessing that data, a company-wide cultural shift must be adopted in order to ensure success of these practices. Taking data discovery and classification into consideration, your organization must also take into consideration if it needs to adhere to any specific regulatory compliance – such as HIPAA, PCI, GDPR, etc.
There are a few things to be considered when categorizing this data. For example – how do you plan on categorizing the data? How restrictive and granular do you and your organization plan on being with this discovered data? Typically, we see organizations begin from zero policies to simply wrapping a “public” vs. “private” categorization to restrict access to data that is considered sensitive to the organization.
The next major hurdle that we see often is having the proper staff to support the deployment of this tooling – as well as supporting it moving forward after deployment. With the cultural shift required to employ a well-tuned Data Protection program, maintaining and editing policies, and properly operationalizing this tooling to integrate findings and alerts in to whichever flavor of SIEM your organization has chosen to run with – it is imperative that your organization commit the proper resources to this program. Likewise, committing resources to tend to the care and feeding of your Data Protection program will ease the cultural shift required to make this operation successful.
When your organization begins its journey towards launching and creating an internal Data Protection program, it must be recognized that this is a layered effort. When most Security professionals and IT administrators hear “Data Protection”, they typically think of a DLP solution. In our experience, DLP should be the last line of defense in your overall program. We typically begin by asking some simple questions around the data that is discovered to determine the foundation of how much protection is necessary vs. the level of accepted risk.
The options for solutions and tooling covering every aspect of your Data Protection program can be daunting. We usually recommend that organizations fully determine their intended use cases for every aspect of their program from data discovery, classification, to DLP and CASB. When your organization can iron out the use cases entirely, it becomes easier to begin the vetting process for your desired tooling. Often times we compile use cases and desired outcome from our customer’s organization and run an on-paper POC. This allows us to directly map features and solutions offered by the many vendors we partner with to ensure a particular tool will serve you long term, as well as being easily adopted by your supporting staff. These solutions tend to be complex and have multiple interactions with other supporting infrastructure.
Over a series of blog posts, we’ll deal with some of the considerations around the pillars mentioned above, as well as how a company might go about successfully implementing them. We’ll start digging into each of these areas and how products and policy can be used together to solve this complex business challenge as a whole.