Recently, I was talking with a major analyst firm about data and security. The name of the firm will not be mentioned to protect the not-so-innocent. During this call, I was amazed to learn that most CISOs remain focused – even with their increasing board level visibility – on protecting their enterprises from outside intrusion or compromise, but not on protecting their enterprise’s most valuable asset – data – from threats internal and external.
I was told most are hyper focused on what the authors of the ‘Privacy Engineers Manifesto’ call the “access stage protection.” The unfortunate truth, says Constellation Research’s Dion Hinchcliffe, “there is no perimeter. You can’t trust much of anything anymore, even inside a perimeter. It seems a bit sad given the huge promise of the Internet to connect everyone. But the problem is it connects everyone.”
Former CIO Wayne Sadin agrees and says, “I particularly dislike ‘perimeter,’ because it implies ‘inside = safe, outside = dangerous.” While access stage protection remains an important component of the security architecture, there is an opportunity for CISOs to do more and at the same time, to partner with their chief data officers to protect the real gold for their organizations, their data.
The reason for taking this step is that the bad guys – as CISOs know – have become more sophisticated. Instead of breaking down the organization’s front door, they have found a proverbial window to enter from. They are doing this by targeting the DBAs who control access to the database and using phishing and other techniques to get their hands-on customer data. This happened to a major healthcare payer, a few years ago, and the hackers got access to everything within the organizations customer database. This creates what I like to call an all or nothing game for enterprise data.
And yes, education remains important, but it is so easy to get fooled as I attested to in a recent article in Datamation Magazine. So, the question is: why aren’t CISOs and CDOs actively protecting their firm’s data?
This is a great opportunity for a partnership because CISOs can tap into the CDOs data knowledge and governance skills, while CDOs can tap into the CISO’s knowledge of internal and external threats.
Getting Systematic About Data Governance
A core element of getting data protected is getting systematic about data governance. With data governance, no one – regardless of title or level – should have access to all data. What is needed is to establish “principles and processes to build controls and messages into processes, systems, components, and products that enable the authorized, fair, and legitimate processing of personal information” (The Privacy Engineers Manifesto, page 29).
Specifically, the opportunity is to setup data governance for personal identifiable information (PII) and to comply with ISO 27001. The question CISOs and CDOs should be having at this point is what is involved in doing this well especially within legacy organizations.
I want to suggest there are three steps:
Step 1: Establish Data Stewardship
Everything needs to start by creating data stewards. And please, data stewards cannot come from the IT organization as much as IT may care about data.
Only the business owners of data understand how data should be governed and the compliance requirements their industry may demand in terms of personal identifiable information (PII). The first task, therefore, is establishing data owners for data classes.
With this in place, data stewards need to ensure that data policies for how data is maintained, managed, governed, and secured for the ultimate data owners. While there are clearly privacy types, here we are focused on security, ethics, and privacy. According to Hinchcliffe, “the first step in data security is establishing the mandate with buy-in across the organization, then marshalling sufficient resources to do anything. With this, governance, privacy, security policies can then be developed and enforced adequately.”
Here, it is important to take as Robert Seiner suggests to take “a non-invasive approach to data governance. This approach is built on the premise that people are already governing data, but they are governing data in an informal manner, leading to inefficiencies and ineffectiveness in the way data is managed.”
With this mentality, an effective data governance program that is about codifying rules regarding the collection, creation, definition, alignment, prioritization, monitoring, and enforcing of data. This includes the creation of data governance rules and data definitions. This is especially true for PII.
Here you want to determine who can view or modify data. In terms of processes, data governance includes at a minimum the following steps: 1) data rules and definitions; 2) decision rules; 3) accountabilities: 4) controls; 5) data stakeholders; 6) data stewards; and 7) data processes.
With data rules and processes established, CISOs and CDOs can move to step 2.
Step 2: Data Discovery
The sad fact is that most legacy organizations do not know what data they have or even where it is located. And this includes, unfortunately, PII.
So, this step is all about data discovery. CIO Martin Davis suggests the second step “is cataloguing your data, where it is and how it is used because you can’t govern what you don’t know.” This is an essential step because even with the best of intentions regarding protecting data and complying with privacy legislation and governance you cannot protect when you do not know there is exposed data and where it is located. This process involves discovery, catalog, and meta data creation which are critical functions to protect data. This is especially the case where the discovery process can automatically find potential PII.
With this step completed and knowledge of the data rules created by data stewardship, CISOs and CDOs can move together to step 3. Given this, it comes as no surprise that Hinchcliffe says, “maintaining an accurate data ownership picture and catalog is crucial for effective data security. Yet, it’s now growing ever-more difficult quickly with cloud, SaaS, Shadow IT sprawl. Ultimately, automated data discovery is the only answer.”
Step 3: Protecting Data
In step 3, policies are applied to sensitive data (in a data catalog!) so others know how that data can/cannot be used. The goal should be to protect data in motion and at rest.
To achieve this, there are a variety of data protection techniques. Here it is critical to do more than coarse grain controls like database encryption. These kinds of approaches are susceptible to DBA phishing. Additionally, encryption only protects and locks data from those that do not have credentials. This is problematic at many levels.
The sad fact is that organizations need their data protected internally and externally. And this requires that data access be provided with differentiated access rights and in conformance with privacy regulations. Coarse grain encryption is either on or off for a table or row and column.
This does work in a world where you want to protect against a hacker getting everything or where you need the ability to discriminate what people can see or not. Coarse grain encryption only protects you from the outside and only unless employee credentials haven’t been acquired.
You should hear a time bomb ticking here. The fact is that authorization (who has access to what) is needed even if you have data protection (via encryption) in place. Encryption mostly just helps protect against theft of the storage device /disk and packet sniffers.”
At the same time, organizations need to be able to use data to create the insights needed for business innovation and advancements. In big data, for example, the goal should not stymie data integration or regulatory requirements that customers’ privacy rights be protected. This means that data should be usable to perform analytics and critical business processes. However, at the same time, non-public personally identifiable information should be protected from internal or external parties that do not have an authorized use.
Instead, fine-grained control includes authorizations, masking, encryption by role. This allows you to protect against internal and external threats. This enables you to control what people can see by role, person, or data. This makes for a more intelligent, dynamic data centric and person centric data protection.
Additionally, effective governance of data should leverage the use of pseudonymization that substitutes for the identity of data subjects so that additional information is required to re-identify the data subject. This additional information should be upon the person, role, and the data itself. A CIO shared this problem with me by describing what happened when he had a minor security breach. It was made a major breach because a certain executive insisted on complete access to everything.
To meet the spirit of ISO 27001, a technological approach is needed that not only protects access to data intelligently but also protects data in motion. Making this work requires data rules that move with data. With this kind of centralized governance and pseudonymization, protection can be applied wherever the data goes.
The power of this approach can be understood by considering a healthcare example. I may want my doctor to see my entire medical records, but I may not want them to see my financial records as well. Or I may want a researcher studying how to derive better care to see my entire medical records but just not who they are for.
There you have it. There are 3 steps to aligning between CISOs and CDO. This is a golden ticket opportunity for both functions to gain business credibility. The question remains: are they ready to work together to achieve a better and more secure world for their company and their customers?