Data security posture refers to the current status of the capabilities required to protect data from unauthorized access, destruction, and/or alteration.
What is The data security posture of an Organization?
Data security posture includes an assessment of the following three elements of an organization’s data store or individual data objects:
Data attack surface
A mapping of the data to the identities, vulnerabilities, and other misconfigurations that can be used as entry points to gain access to it.
Data security control effectiveness
An evidence-based assessment of the data security and privacy controls against industry best practices and organizational policy.
Data blast radius
A quantifiable assessment of the data at risk or the maximum potential impact of a security breach of a single identity, data store, vulnerability, or misconfiguration. This includes identifying the types and volumes of data that could be affected, as well as the estimated costs and predicted consequences based on current control effectiveness.
Why is an assessment of your data security posture important?
Overall, a robust organizational data security posture involves a comprehensive approach to managing the security of an organization’s data, including continuous inventory and classification of data, ongoing assessment and improvement of data security controls, proactive rightsizing of access to data, and a commitment to continuous monitoring and response to unusual usage of data.”
A robust organizational data security posture involves a comprehensive approach to managing the security of an organization’s data, including continuous inventory and classification of data, ongoing assessment and improvement of data security controls, proactive rightsizing of access to data, and a commitment to continuous monitoring and response to unusual usage of data.
How do I achieve a good data security posture?
Inventory your data: Develop a comprehensive list of all data stores and the sensitivity of the data within them.
Monitor data activity and data flows: Ensure visibility into activity and the flow of your data to improve the ability to detect and respond to any anomalies or indicators of compromise.
Assess data security controls: Conduct an evidence-based assessment of your data security controls, including the level of encryption of the data, the validity of hashing and tokenization of data in certain environments, and the validation of cloud configurations and access controls, including authentication required to access data.
Reduce data attack surface: Put processes in place to use the results of this analysis to proactively identify and reduce the data attack surface, including ensuring MFA is required for all identities with access to sensitive data and data stores that contain sensitive data, and removing dormant accounts from the environment.
Minimize blast radius: Regularly assess the volume of data at risk and prioritize pragmatic steps to minimize the potential impact of a security breach of a single identity, data store, vulnerability or misconfiguration. This means removing sensitive data from inappropriate environments, identifying and eliminating misconfigurations, and data minimization by archiving or deleting data or by deleting unused privileges from active accounts.