Recently I conducted a Poll on LinkedIn to find out what topic most of my connections want to hear about and a resounding 75% wanted to know a bit more about Data and Zero trust.
Data is the final pillar of completing a Zero Trust Journey largely because its viability is dependent on other pillars. That said, data is one of the most challenging pieces due to the inherent nature of data and people.
What is standing in your way?
Let’s start the conversation with the roadblocks. The data, in many organizations, is frequently siloed and handled differently in each department. Finance wants data one way, Sales another, HR another, and so on. Each system makes sense to the leader in each department and there’s generally very little incentive to change. In fact, my own personal management style goes along with this, if someone is invested in the way they do something, by deciding how, or having ownership, the task, typically, will be done more enthusiastically with a better result. Unfortunately, this type of process silo generates multiple systems which would need to be controlled. The cost is often not explained well on either side between technology professionals and management professionals resulting in complaints of “XXXX just doesn’t understand”.
The solution, from my perspective, seems simple. The COO or CEO needs to determine the correct path and move it forward. The options are to value the efficiency that can be gained in the technology department by simplifying the way data is handled in all other departments, or to staff IT well enough to accommodate the disparate systems. Frequently however the Executive to make this decision abstains as either option causes some pain, thus the organization is left in limbo to get along however they can. This is why, in virtually all our engagements, we drive vision and strategy conversations to understand what the solutions need to look like to gain the most efficient operational technology we can.
What does securing your Data look like?
The nirvana of data security is all of it is encrypted, all of it is classified, every entity has defined and controlled access which is all logged and monitored in real-time. Every time data is accessed a decision is made whether it’s the right person on a secure device. Data is never uncontrolled unless it’s classified as such. Backups are fully automated and secured with the appropriate classifications and permissions which cannot be changed after the backups are complete.
Many organizations are currently sitting with basic file shares, plus a ton of shadow IT and cloud data, with no inventory, static access controls like security groups, Data encrypted best effort on devices, and not at all in transit on the network with classification being a far-off pipedream.
So how do we move this forward? I wish I could say there’s an easy button, but I haven’t found it yet. First and foremost, you must have a solid mature universal identity solution. Second is your device management, and ultimately compliance. Peripherally at least network macro-segmentation, but preferably micro-segmentation. These three pillars of Zero Trust are ultimately dependencies for the efficacy of a good data security solution.
Backups are easy these days, though I’ve noticed we have started to forget about them as we’ve migrated to the cloud. You still are responsible for backing up your data in the cloud. More than once, over the past few years, I’ve seen admin creds in a tenant compromised during a security incident and the only solution was a new tenant. Side note: Privileged Access Management is a part of your identity maturity. If you are in the cloud this is a must. Immutable backups are pretty much the standard these days. This is a critical piece of your disaster recovery or business continuity plan.
When you go to look at Data Security systems, I recommend highly getting the most in a single system. You need it to scan all your data, be it onsite, in the cloud, email, teams or slack, applications, etc. It should be able to classify the data that matters to you, Financial (bank accounts, credit card #s) and personally identifiable information (birthdays and social security numbers) are table stakes. Templates for legal agreements, invoices, any intellectual property you have needs to be able to be generated.
What about implementation?
Implementing is the real challenge. If you have convinced your management to let you redefine how data is handled in all the departments, you have the massive project of defining the way that should be then moving each dept to your system. Then a lot of the Data Security can happen more easily, and your ongoing maintenance is going to be lower.
If all departments need to stay using data, the way they want to. You have the project to understand that and devise your data security around those constraints one by one. Obviously, this will take more administrative time to maintain and likely longer to implement.
Unoriginally, I suggest starting with your most critical data first. Your version of the secret recipe for Coke, employee data, customer data, financial data, and so on. Build each classification out with the right templates, so the data can be easily scanned and categorized. Move the data to secure locations on the network by classification so that you have additional protections via your network monitoring tools. Define the roles for the identity groups that can access the data and if your identity game is up to par most access will be automated by the changing of functional roles in your HR system and propagated back to your mater identity platform. Let the technology do its job by determining appropriate just-in-time access with constant validation of identity and device compliance before data is accessed.
Obviously, these are broad stroke suggestions, and my hope is some of this resonates and sparks some ideas for your organization.