Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

5/23/2019
07:00 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

To Manage Security Risk, Manage Data First

At Interop 2019, IT and security experts urged attendees to focus on data asset management as a means of mitigating risk.

INTEROP 2019 – LAS VEGAS–  At a time when organizations are launching digital transformation projects, bringing more devices onto their networks, and embracing cloud technology, it's imperative leaders work together to create a plan for protecting vast stores of information.

It's no secret that cybersecurity and business teams often have a rocky relationship. As Optiv practice director Mark Adams explained here at Interop, security is viewed as a drag on the business. "It doesn't demonstrate a value proposition," he said.

But business teams are not going to slow the pace of innovation, so security must help stay competitive by protecting the tech they want to use. "Unfortunately, there isn't a real handbook around this," Adams noted, but it's important for security teams to understand what's important for the business.

The problem is, most don't. The majority of cybersecurity teams can list priorities for their agendas, but they can't name even one of the top three business priorities. Responsibility for all this ultimately falls to the CISO, as board members expect the security lead to be "a very savvy business person," he explained.

Digital transformation, however the business goes about it, carries tremendous implications for security staff. While great for the organization, these projects usually result in even more data being created, said Maxine Holt, research director for security at Ovum, in a discussion about digital transformation and privacy. Security functions must recognize and address the challenges.

Part of the problem in managing the influx of information is most companies either don't know where their data resides, what they want to protect, where backups are located, or answers to many other questions related to the management of the data they store. Security teams can stem the flow of information in a data leak, but that won't fix the core issue.

"The way companies need to think about data has to change tremendously," noted Etan Lightstone, vice president of product design at ShiftLeft. Here are a roundup of the ideas, trends, and challenges around data management voiced by experts who spoke at Interop this week.

Know What Your Valuables Are
CISOs and security leads can't put a program around data governance if they don't know what to protect, Optiv's Adams said. It's the first part of a data management strategy: Identify the most precious information the business needs to operate, know where it is, and prioritize its security. Sensitive data should be kept to a minimum and be given the strongest protection.

This isn't a one-time job, said Stacey Halota, vice president of information security and privacy at Graham Holdings Co., in a keynote. As a business changes, so, too, does its most valuable data. Her team conducts an inventory each year and requires each organization under Graham Holdings to report the data elements they have, where they go, where their backups are located, and other information so the full business knows what it's collecting over time.

When data is no longer required to help a department or company operate, it should be deleted. The process for deciding what should stay and go is a complicated one, Halota explained. She said she has built relationships with division heads across the business so she can learn what they need and negotiate when it's time to eliminate data that's no longer of value.

Watch Data Wherever It Goes
Businesses need to worry about data wherever it resides, said Shawn Anderson, executive security adviser in Microsoft's Cybersecurity Solutions Group. Many businesses focus on endpoint security but should be thinking more broadly about where data is located – not only on employee computers, but in the cloud, on mobile devices, and on a growing pool of IoT devices.

"You need to think differently about working in the cloud than you do on-prem," said Anderson in a session focused on endpoint security. The cloud is rapidly driving the amount of data companies collect, process, store, and use. Security teams can better protect data by focusing on identity: enabling multifactor authentication, blocking legacy authentication, increasing visibility into why identities are blocked, and monitoring and acting on alerts.

Businesses should protect their applications and verify those that employees can access. "All of the different governance practices pretty much boil down to knowing who your users are and whether they have the appropriate access," said Michael Melore, an IBM cybersecurity adviser. "People have privileges that they no longer require. That's an unnecessary risk." There should be processes in place to acknowledge whether privileges are no longer needed.

No matter how much software is on the endpoint, attackers will win if you lack a data protection strategy, Anderson said. Sensitive data should be secured from the time it enters the organization: It should be detected when it arrives, classified and labeled according to policy, and protected as it travels across the business before it's eventually retired and deleted.

A Closer Eye on Compliance
Compliance is not strictly a security issue, Ovum's Holt explained, but it is a lever on security and attracts board-level interest. She pointed to scenarios in which organizations were fined for noncompliant security and privacy practices. For example, one Portuguese healthcare provider was fined €400,000 (US$447,328) because staff illicitly accessed patient records. A German social media company was fined €20,000 (US$22,366) for storing passwords in plaintext. Google was fined €50 million (US$55,917,500) for failing to meet transparency and information requirements, and not obtaining a legal basis for processing.

Government regulations, industry standards, and compliance requirements such as GDPR and NIST can cause an organization's information risk and security capabilities to change "often and quickly," said John Pironti, president of IP Architects. He recommended companies document the types, amounts, and priority of information they find acceptable and unacceptable. This "information-risk appetite" should be developed alongside business leaders and stakeholders.

Still, different regulations have different definitions of what constitutes sensitive data. As Graham Holdings' Halota pointed out in her talk, the California Consumer Protection Act (CCPA) puts a broader range of data under "personally identifiable information" than the GDPR. Graham Holdings had to repurpose its data governance solution to redefine risk assessment and expand its document repository so it was properly collecting and categorizing data.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
5/31/2019 | 3:59:15 PM
Know What Your Valuables Are
Doing a presentation next week where this is essentially my first slide. You need to know where your crowned jewels are, otherwise its impossible to prioritize what you need to protect.
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-3154
PUBLISHED: 2020-01-27
CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.
CVE-2019-17190
PUBLISHED: 2020-01-27
A Local Privilege Escalation issue was discovered in Avast Secure Browser 76.0.1659.101. The vulnerability is due to an insecure ACL set by the AvastBrowserUpdate.exe (which is running as NT AUTHORITY\SYSTEM) when AvastSecureBrowser.exe checks for new updates. When the update check is triggered, the...
CVE-2014-8161
PUBLISHED: 2020-01-27
PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to obtain sensitive column values by triggering constraint violation and then reading the error message.
CVE-2014-9481
PUBLISHED: 2020-01-27
The Scribunto extension for MediaWiki allows remote attackers to obtain the rollback token and possibly other sensitive information via a crafted module, related to unstripping special page HTML.
CVE-2015-0241
PUBLISHED: 2020-01-27
The to_char function in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a (1) large number of digits when processing a numeric ...