Security isn’t a standalone concept: it also involves mitigating risk at some cost. In the absence of metrics, people tend to focus on familiar or recent risks, which means we end up acting reactively rather than proactively.
Rather than waiting for risk to arise, understand how data, people and location (both system location and geographic location) create patterns, both good and bad, across your organization. The center (or pivot point) of that strategy should be the data that you hold.
So let’s contemplate the life of data within your organization. Whether data is created within your organization or collected from a third party (customer, vendor or partner), the only way you can effectively protect it is by understanding it. What is the data? Does it contain customer information, employee information, intellectual property, sensitive communications, personally identifiable information (PII), protected health information (PHI) or financial data? The list can become quite extensive.
All companies create and hold sensitive data, and there is nothing inherently wrong with that. But once you know what the data is, where it is, who can access it and who has accessed it, you can make decisions about where it should reside. You probably don’t need to put the same security protocols around pictures from your company picnic as you do for your customers’ credit card information. Understanding your data is crucial when determining how it needs to be protected.
Creating Chaos without Controls
Data without controls can create operational, privacy and security gaps that put company assets at risk. It can cause unintended consequences, such as data leaks and inappropriate access to sensitive information, both internally and externally, and it increases the potential for inadvertent or unauthorized disclosure of sensitive information. With highly sensitive data (such as PII and PHI), limited and appropriate access is critically important.
Understanding the difference between what can and can’t be shared is key. Once you understand the data, the rules that apply to it and how it can be used, you can build controls that center on those factors. Data in a highly secure system may need fewer controls than data located in a cloud environment, corporate intranet or website. These controls can be determined by:
- Identifying the elements of the data with metatags
- Understanding who needs access to the data
- Discovering what can be handled through native controls and what needs to be added on as support
- Determining what should be kept on premises and when you can go to the cloud
- Finding the location of the data
Always remember that data sovereignty requirements — which govern where data can live geographically, as well as who can access it (two important questions in light of the rise of cloud computing and data centers) — can affect how you implement all of the above.
How Prepared is Your Organization?
Many organizations have data classification policies that are theoretical rather than operational. In other words, the corporate policy is unenforced or left to the business users to implement on their own. The challenge presented by a business-user-driven “trust” system is that it is difficult to predict whether data is being tagged properly and at the appropriate level. Are inappropriate discussions happening? Is sensitive or confidential information being shared? Are privacy and compliance policies being circumvented deliberately or inadvertently?
Adding data discovery to data classification processes will allow you to determine the origin and relevance of the data you hold as well as determine a proper retention schedule. This provides the ability to manage the lifecycle of the data within your company — from creation or collection to retention, archiving, and/or defensible destruction. It will also equip you to more effectively implement data loss prevention in a tactical way.
Data Loss Prevention (DLP) software is designed to prevent data from leaking or being inappropriately shared. But without a good understanding of the data and a risk-based approach to implementing DLP technology, it can be seen as a productivity blocker rather than an enabler of security. You cannot block everything from leaving your company any more than you should encrypt every document you have. When security blocks productivity, employees find a way to bypass it. The job of security is to help the business use data productively and securely.
Through true discovery and mapping of your data, you can manage and protect it effectively. In the same way that brakes on cars allow us to drive faster and safer, better privacy and security controls allow us to benefit from the data our companies hold in the most efficient way. Only after understanding your data can you truly ensure it is in the right hands.