Key Pillars of Forming an Internal Data Protection Practice

Data Protection Series Part 2

Posted: September 3, 2020

Hello and welcome to part two of our whirlwind overview of Data Protection. In this blog, we’re discussing what a typical Data Protection program’s goals might be, some of the challenges we’ve seen customers encounter, and common strategies used to mitigate risks related to data loss. If you’ve just found this installment and missed part one, see that post for a high-level overview of a comprehensive program and the five pillars it’s built on.

Now that everyone’s on the same page, let’s jump right in and take a peek under the covers to see just what makes up each of those pillars:

  • Discovering and categorizing existing data and its owners

It’s hard to protect something if you don’t know what it is or where it’s located, right? With hundreds of terabytes or even petabytes of data scattered throughout an organization, IT managers face a daunting task just trying to manage storage. Then, when the question comes up of “what’s taking up all that space?”, many times the response is a deer-in-headlights look. That’s because that same IT manager knows there are years – if not decades – of untouched data in many locations, and the value or risk to the organization is unknown.

Without this information, how is a CISO supposed to identify and manage the risks related to that data, such as GDPR’s “right to be forgotten”?  Fortunately, there are tools designed to solve this problem, automatically scanning filesystems searching for data, be it structured or unstructured, stored locally on desktops, on servers in the data center, or even in the cloud.  These tools will identify the nature of the data, common patterns related to regulatory compliance, as well as custom patterns defined by the customer.  Once this is complete, metadata about the files will be stored along with keyword indices providing the ability to quickly get a picture of what data the organization has.

  • Ensuring the right people have access to it and the wrong people don’t

Once you know what you have, the next question is: do the right people (and only the right people) have access to that data? Unfortunately, with the flexibility of filesystem permissions and the ability to override inheritance (and the unfortunate possibility of broken permissions), answering this question at scale is virtually impossible by hand. Fortunately, the same tools that do data discovery will typically also include a means to report on access to files, directories and shares, as well as calling out instances of broken permissions and wide-open (“everyone”) permissions.

In addition, the best tools include features such as the ability to model the impact of permissions cleanup prior to a commit or cross-referencing data classification categories against user groups.  A simple example of this might be to report on any file containing PII that someone outside of HR has access to.
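As an added example (not code from the post or from Set Solutions), the following Python sketch shows the first two pillars working together: a small pattern library classifies constructed file contents into a metadata index, and that index is cross-referenced against a constructed ACL table to report wide-open (“Everyone”) permissions and PII readable by anyone outside HR. The paths, contents, ACLs, the custom project-code pattern and the HR-only policy are all assumptions made up for the example.

```python
import re

# Constructed sample files (path -> content); no real data.
FILES = {
    "/shares/hr/payroll_2020.csv": "name,ssn\nAlice,123-45-6789\n",
    "/shares/eng/design.md": "# Widget design WDG-0042\nNo personal data here.\n",
    "/shares/finance/vendors.txt": "contact: billing@example.com\n",
}

# Constructed ACL table (path -> principals with read access).
ACLS = {
    "/shares/hr/payroll_2020.csv": {"HR", "bob"},   # bob is not in HR
    "/shares/eng/design.md": {"Everyone"},          # wide open, but no PII
    "/shares/finance/vendors.txt": {"Everyone"},    # wide open and holds PII
}

# Two regulatory-style PII patterns plus one hypothetical customer-defined pattern.
PATTERNS = {
    "PII:SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PII:EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "CUSTOM:PROJECT_CODE": re.compile(r"\bWDG-\d{4}\b"),
}

# Policy assumption for this example: only HR may hold PII-tagged files.
PII_ALLOWED_GROUPS = {"HR"}

def classify(content):
    """Return the set of category tags whose patterns match the content."""
    return {tag for tag, rx in PATTERNS.items() if rx.search(content)}

def build_index(files):
    """Metadata index: path -> set of tags (the keyword index is omitted here)."""
    return {path: classify(content) for path, content in files.items()}

def audit_access(index, acls, allowed_groups):
    """Flag wide-open ACLs and PII files readable by principals outside allowed_groups."""
    findings = []
    for path, tags in index.items():
        principals = acls.get(path, set())
        if "Everyone" in principals:
            findings.append((path, "WIDE_OPEN"))
        if any(tag.startswith("PII:") for tag in tags):
            for outsider in sorted(principals - allowed_groups):
                findings.append((path, f"PII_READABLE_BY:{outsider}"))
    return findings

if __name__ == "__main__":
    for path, finding in audit_access(build_index(FILES), ACLS, PII_ALLOWED_GROUPS):
        print(path, finding)
```

Running it reports bob’s access to the payroll file, the two wide-open shares, and the PII file that “Everyone” can read.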

  • Monitoring access to and movement of the data

Now that we know what we have and only “the right people” have access to that data, what about insider threats—people who have legitimate access to sensitive data? That’s where User and Entity Behavior Analytics, or UEBA, comes in. Sally in accounting may have access to HR payroll data because of her departmental role, but does she normally use that data? Many tools will track the access patterns of employees’ normal day-to-day activities, building a blueprint of the files they typically deal with, when, and from where. If there’s a sudden, significant deviation from normal access patterns, such as Sally accessing HR data on a Saturday from home, this information can become part of an alert sent to the appropriate individuals or fed into the company SIEM as part of an overall threat assessment system.
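The Sally scenario as an added example (not code from the post): a minimal UEBA-style baseline learns each user’s normal data categories, day types and source locations from constructed access log lines, then flags any event that deviates on one of those dimensions and emits alert records of the kind that could be forwarded to a SIEM. The log format, the use of the share name as the data category, and the three dimensions are assumptions; real UEBA products score deviations statistically rather than on simple set membership.

```python
from collections import defaultdict
from datetime import datetime

# Constructed access log: ISO timestamp, user, path, source location.
BASELINE_LOG = """\
2020-08-03T09:12:00 sally /shares/hr/payroll_2020.csv office
2020-08-04T10:40:00 sally /shares/hr/benefits.xlsx office
2020-08-05T14:05:00 sally /shares/finance/ledger.csv office
2020-08-05T11:00:00 tom /shares/eng/design.md vpn
2020-08-06T09:30:00 tom /shares/eng/specs.md vpn
"""
# Constructed events to score against the baseline (2020-08-15 is a Saturday).
NEW_EVENTS = """\
2020-08-15T22:17:00 sally /shares/hr/payroll_2020.csv home
2020-08-17T09:05:00 sally /shares/hr/benefits.xlsx office
2020-08-18T13:00:00 tom /shares/hr/payroll_2020.csv vpn
"""

def parse(log):
    """Yield (user, category, day_type, location); the share name stands in for the data category."""
    for line in log.splitlines():
        ts, user, path, loc = line.split()
        category = path.split("/")[2]
        day_type = "weekend" if datetime.fromisoformat(ts).weekday() >= 5 else "weekday"
        yield user, category, day_type, loc

def build_baseline(log):
    """Per user, the set of values observed for each dimension of normal activity."""
    base = defaultdict(lambda: {"category": set(), "day_type": set(), "location": set()})
    for user, cat, day, loc in parse(log):
        base[user]["category"].add(cat)
        base[user]["day_type"].add(day)
        base[user]["location"].add(loc)
    return base

def detect(baseline, log):
    """Return one alert record per event that deviates from the user's baseline on any dimension."""
    alerts = []
    for user, cat, day, loc in parse(log):
        seen = baseline.get(user)
        if seen is None:
            reasons = ["unknown user"]
        else:
            checks = {"category": cat, "day_type": day, "location": loc}
            reasons = [f"new {dim} {val}" for dim, val in checks.items() if val not in seen[dim]]
        if reasons:
            alerts.append({"user": user, "category": cat, "reasons": reasons})
    return alerts
```

Sally’s Saturday access from home produces an alert with two reasons (weekend, new location), while her Monday access from the office is silent; Tom touching HR data he has never accessed before is flagged as a new category.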

  • Categorizing and protecting new data appropriately

Depending on what space your organization is operating in, you may have different requirements on how to handle different types or categories of data. For example – if you’re a healthcare provider, you will need the ability to properly categorize data (from multiple forms) to conform with HIPAA rules and regulations. Whether this category of data includes medical records themselves or documents that contain patient information, you and your organization will need to properly categorize this data depending on the data structure and content. This methodology not only applies to pre-existing data in the organization but also new data that is ingested or created.

  • Preventing unauthorized exfiltration

Ensuring proper access rights are assigned to various data types and protecting that data internally is the foundation of a data protection practice – and preventing unauthorized exfiltration of this data is the final step that gives these protective measures teeth. For example, what measures does your organization have in place to ensure an employee who does have access to this sensitive data cannot leak it out? Do you control USB devices? Can you prevent, log, and monitor copy/paste to services like Pastebin or GitHub? Do you have the ability to add a layer of protection over SaaS platforms like Google Drive and Dropbox? Does your organization have control measures around printing sensitive data? These are the scenarios that need to be thought through when finalizing data protection practices to ensure that your data is not exfiltrated out of your organization.

We’ve touched on some key pillars of forming an internal data protection practice, and we’ve addressed a lot of points we often see our customers come across. You can use these sub-categories of the overall methodology to help your organization build the objectives of your new or existing data protection practice and form a more granular and comprehensive roadmap to reach your goals. Let us know if you want to talk about building or refreshing your organization’s data protection.

***

This blog was written by Nick DiPasquale and Brett Wyer, Senior Solutions Architects at Set Solutions.