HOW TO BUILD A MODERN DATA SECURITY PROGRAM
After years of putting off important discussions about data protection due to a lack of knowledge, technology, and limited options for action, CISOs are finally starting to broach this subject.
Data security today is a side-effect. Until recently, efforts to protect data have been concentrated on secured network “vaults,” WAF, and IAM. Although these solutions offer protection, they don’t identify or eliminate data risks -- and all have their shortcomings. Secured network vaults are still a mandatory piece of the puzzle thanks to compliance, but only create the emotional security of the “moat around the castle.”
And while WAFs have flexibility in customization, they are mostly black boxes that are hard to maintain. IAMs allow DevOps flexibility in creating policies for enterprise access management, but generally leave users over- or under-provisioned, creating risks and requiring frequent modifications.
Data store and object security (DSOS). Combining DSOS, WAF, and IAM gives you a powerful combination of data security and protection. The vision for DSOS is to provide visibility into data in order to detect, respond to, and protect against threats that have penetrated network defenses and identity management layers. To achieve this protection, data visibility must provide crucial information: where critical data is stored within the enterprise, how it is used, by whom, and where it is traversing to. This gives oversight of company data usage that the enterprise has never had before.
Visibility into data stores. When assessing where critical data is located, there needs to be a deeper understanding of data than just the virtual or physical location. Unfortunately, regulatory compliance is achievable without visibility into data objects and stores, but how much more secure would businesses be if they had this type of awareness?
Current methodologies for identifying risk to data typically stop at the database, the server, or the service on which the data resides. Visibility at the data store layer, however, makes it possible to map critical data down to the columns and rows, and to cross-reference that information with external data such as IAM. This gives security teams a sharper focus and sharper defenses when monitoring how data is accessed, whether by services, employees, or third parties. Building and maintaining this visibility is important for data security, compliance, and preventing breaches before they happen.
Detection & Response. Once it’s established where data is stored and who has access to it, one has the situational awareness to start using detection. I view basic detection in two parts:
First, establish a baseline understanding of the assumed security policy and controls versus the reality of how they are implemented. For instance, does the test account have access to production even though that is against security policy? Is there user-provisioning sprawl between what users should have access to and what is actually discovered? Many successful breaches are based on such misconfigurations. Create feedback loops between your DSOS solution and the compliance and security teams to understand where assumptions and reality diverge -- then close the loopholes.
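The policy-versus-reality check described above, as an added example that is not part of the original post and not Symmetry's code: an assumed access policy is reconciled against an inventory of discovered grants, and the output separates over-provisioning, under-provisioning, a non-production principal reaching production, and principals the policy never mentions. The principal names, store names and grants are constructed for illustration; in practice the discovered set would come from the data stores' own grant tables or from a DSOS tool, and the assumed set from the security team.

```python
"""Reconcile an assumed data-access policy against discovered grants.

All grants below are constructed examples (hypothetical principals and
stores), not data from any real environment.
"""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Grant:
    """One privilege a principal holds on a data store."""
    principal: str
    store: str
    env: str        # deployment environment the store belongs to: prod / test
    privilege: str  # "read" or "write"


# What the security policy says each principal should have (constructed).
ASSUMED_POLICY = {
    Grant("svc-billing", "billing-db", "prod", "write"),
    Grant("svc-reporting", "billing-db", "prod", "read"),
    Grant("svc-reporting", "warehouse", "prod", "read"),
    Grant("qa-test", "billing-db", "test", "write"),
    Grant("alice", "warehouse", "prod", "read"),
}

# What an inventory of the stores actually found (constructed).
DISCOVERED_GRANTS = {
    Grant("svc-billing", "billing-db", "prod", "write"),
    Grant("svc-reporting", "billing-db", "prod", "read"),
    Grant("svc-reporting", "warehouse", "prod", "write"),  # write where policy says read
    Grant("qa-test", "billing-db", "test", "write"),
    Grant("qa-test", "billing-db", "prod", "read"),        # test account reaching production
    Grant("bob", "warehouse", "prod", "read"),             # principal the policy never mentions
}


def reconcile(policy, discovered):
    """Return the gaps between assumed policy and discovered grants.

    over_provisioned:  discovered grants the policy does not allow
    under_provisioned: policy grants that were not found (drift or a stale policy)
    env_violations:    known principals holding a grant in an environment the
                       policy never places them in (e.g. test account in prod)
    unknown_principals: principals with grants but no policy entry at all
    """
    known = {g.principal for g in policy}
    allowed_envs = {}
    for g in policy:
        allowed_envs.setdefault(g.principal, set()).add(g.env)

    env_violations = [
        g for g in discovered
        if g.principal in known and g.env not in allowed_envs[g.principal]
    ]
    return {
        "over_provisioned": sorted(discovered - policy),
        "under_provisioned": sorted(policy - discovered),
        "env_violations": sorted(env_violations),
        "unknown_principals": sorted({g.principal for g in discovered} - known),
    }


def summarize(findings):
    """Flatten the findings into one line per item for the compliance feedback loop."""
    lines = []
    for category, items in findings.items():
        for item in items:
            lines.append(f"{category}: {item}")
    return lines


if __name__ == "__main__":
    for line in summarize(reconcile(ASSUMED_POLICY, DISCOVERED_GRANTS)):
        print(line)
```

Running the reconciliation on the constructed data reports the `svc-reporting` write on `warehouse` and the `qa-test` read on production `billing-db` as over-provisioned, the latter additionally as an environment violation, `bob` as an unknown principal, and `alice`'s missing `warehouse` read as under-provisioned (which is just as worth a look, since it may mean the policy is stale rather than the store).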
Next, with the telemetry DSOS provides, the ability to see the behaviors associated with adversarial tradecraft increases. This is a challenge when trying to protect data through network, endpoint, and user activity, because those sources detect through abstracted layers: they try to determine when a machine or network is compromised, with data as a tertiary variable in the equation instead of the primary one.
Starting at the data layer and focusing on what is critical to the business, who is accessing what, and where data is going gives security teams an unobstructed view, so their ability to protect data while detecting suspicious or malicious activity increases significantly.
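The data-layer detection described in the two paragraphs above, as an added example that is not part of the original post and not Symmetry's code: a baseline is built from a training window of data-store access telemetry (who touched which store and object, with which operation, from where, and how many rows came back), and later events are flagged when a principal reads something it never read before, connects from a new client address, pulls far more rows than its historical maximum, or was never seen at all. The JSON-lines field layout, the addresses and the row counts are constructed; the threshold `volume_factor` is an assumed tuning knob.

```python
"""Baseline-and-deviation detection over data-store access telemetry.

The log lines below are constructed for this example; the field layout
(principal, store, object, op, rows, client) is assumed to be what a
data-layer monitoring tool would record from query logs.
"""
import json

# Constructed training-window telemetry: one JSON object per line.
BASELINE_LOG = """\
{"ts": "2021-03-01T09:00:00Z", "principal": "svc-reporting", "store": "warehouse", "object": "orders", "op": "SELECT", "rows": 1200, "client": "10.0.1.5"}
{"ts": "2021-03-01T10:00:00Z", "principal": "svc-reporting", "store": "warehouse", "object": "orders", "op": "SELECT", "rows": 900, "client": "10.0.1.5"}
{"ts": "2021-03-01T10:05:00Z", "principal": "svc-reporting", "store": "warehouse", "object": "customers", "op": "SELECT", "rows": 300, "client": "10.0.1.5"}
{"ts": "2021-03-01T11:00:00Z", "principal": "svc-billing", "store": "billing-db", "object": "invoices", "op": "INSERT", "rows": 40, "client": "10.0.2.9"}
{"ts": "2021-03-01T11:30:00Z", "principal": "svc-billing", "store": "billing-db", "object": "invoices", "op": "SELECT", "rows": 55, "client": "10.0.2.9"}
{"ts": "2021-03-01T14:00:00Z", "principal": "alice", "store": "warehouse", "object": "orders", "op": "SELECT", "rows": 20, "client": "10.0.7.21"}
"""

# Constructed events from a later window, to be judged against the baseline.
NEW_LOG = """\
{"ts": "2021-03-02T09:00:00Z", "principal": "svc-reporting", "store": "warehouse", "object": "orders", "op": "SELECT", "rows": 1100, "client": "10.0.1.5"}
{"ts": "2021-03-02T02:13:00Z", "principal": "alice", "store": "warehouse", "object": "customers", "op": "SELECT", "rows": 250000, "client": "203.0.113.44"}
{"ts": "2021-03-02T11:00:00Z", "principal": "svc-billing", "store": "billing-db", "object": "invoices", "op": "SELECT", "rows": 60, "client": "10.0.2.9"}
{"ts": "2021-03-02T12:00:00Z", "principal": "qa-test", "store": "billing-db", "object": "invoices", "op": "SELECT", "rows": 10, "client": "10.0.9.3"}
"""


def parse(log_text):
    """Parse JSON-lines telemetry into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def build_baseline(events):
    """Per principal: the (store, object, op) triples it used, the client
    addresses it connected from, and the largest row count it ever received."""
    baseline = {}
    for e in events:
        b = baseline.setdefault(e["principal"], {"objects": set(), "clients": set(), "max_rows": 0})
        b["objects"].add((e["store"], e["object"], e["op"]))
        b["clients"].add(e["client"])
        b["max_rows"] = max(b["max_rows"], e["rows"])
    return baseline


def detect(baseline, events, volume_factor=5):
    """Compare new events with the baseline and return one alert dict per deviation.

    volume_factor is an assumed tuning knob: rows beyond volume_factor times the
    principal's historical maximum count as a volume spike.
    """
    alerts = []
    for e in events:
        p = e["principal"]
        access = (e["store"], e["object"], e["op"])
        b = baseline.get(p)
        if b is None:
            alerts.append({"rule": "new_principal", "principal": p, "detail": access, "ts": e["ts"]})
            continue
        if access not in b["objects"]:
            alerts.append({"rule": "new_object_access", "principal": p, "detail": access, "ts": e["ts"]})
        if e["client"] not in b["clients"]:
            alerts.append({"rule": "new_client", "principal": p, "detail": e["client"], "ts": e["ts"]})
        if e["rows"] > volume_factor * b["max_rows"]:
            alerts.append({"rule": "volume_spike", "principal": p, "detail": e["rows"], "ts": e["ts"]})
    return alerts


def run_example():
    """Build the baseline from the training window and score the later window."""
    return detect(build_baseline(parse(BASELINE_LOG)), parse(NEW_LOG))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

On the constructed data the routine stays quiet for the two service accounts doing what they always do, raises three alerts on the single `alice` event (a table she never read, a client address outside the baseline, and a row count orders of magnitude above her maximum), and flags `qa-test` as a principal the baseline has never seen. Each alert carries the data object involved, which is the "primary variable" the text argues endpoint- and network-centric detection lacks.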
Inserting and evolving DSOS. We are at the inception of this DSOS solution. With these new methodologies come new opportunities for applying secure solutions to what has historically been a big gap for enterprises. As DSOS evolves, it will assume many new forms in order to more efficiently address data protection challenges, but I believe the winners of this space will have to accomplish two main design principles:
1) creating a product that can be deployed with ease irrespective of the sophistication of current security architecture, and
2) delivering a solution that can evolve as necessary as data complexity and security architecture expand and new techniques become available.
Besides the higher-order goals of visibility and detection, customers need the ability to simply implement a solution — and to trust that solution to continuously deliver more in the future.
Symmetry DataGuard. From the beginning, the team at Symmetry Systems has made it their mission to require less than an hour of installation time for any of their DSOS products, and for users to begin seeing value immediately. Once the product is operational, they have prioritized distilling the abundant information about data and how it is used into actionable insights for reducing data risk.
On AWS, you can insert DataGuard as a service instead of assembling a similar plan from parts of Macie, GuardDuty, Detective, Splunk/Elastic queries, and custom Lambdas and graph logic. On GCP, you can deploy DataGuard to simplify data lakes and ML datasets. The same applies to SQL data stores that you host on-premises.
I have a great deal of confidence in the Symmetry Systems team, in DataGuard, and their long-term vision. I encourage my peers and anyone looking to fortify their data protection protocols to join the early customer program and try DataGuard in their environments. We're truly the groundbreakers of the future of data security.