Dark Reading is part of the Informa Tech Division of Informa PLC


6/9/2021
01:00 PM
Ameesh Divatia
Commentary

With Cloud, CDO and CISO Concerns Are Equally Important

Navigated properly, a melding of these complementary perspectives can help keep an organization more secure.

Cloud data consolidation is widespread, as evidenced by the rapid growth of well-known cloud data warehouses like Redshift and Snowflake. Of course, the pivot to support remote working environments over the past year has accelerated this trend. With cloud migration comes valuable cloud data, a resource that, according to Forrester's Jennifer Belissent, is a moderate priority for 61% of organizations and is a critical or high priority for 25%. The demand for cloud data insights not only magnifies the role of the chief data officer (CDO) but also makes it essential for the CDO to collaborate with the chief information security officer (CISO) to ensure data remains secure through the analytics pipeline. There is plenty of responsibility for each, and an organization's success lies in the balance between the two. 

On the one hand, CDOs are excited about this mass influx of new data and the insights the company can gain from it, while CISOs, who must ensure that these newly mined assets don't become sources of risk, have the unfortunate task of saying, "Not so fast." And to be clear, both points of view are legitimate. Companies stand to gain keen insight by analyzing and sharing the wealth of cloud data they create, but doing so without the proper protections puts the company at a higher risk of data breaches and associated regulatory fines.

So the question is, how can organizations extract the most significant return on investment (ROI) from data while maintaining best-in-class protection standards?  

Finding the CDO-CISO "Happy Medium"
The key to keeping both CDOs and CISOs happy is building data-centric security controls into the analytics pipeline to protect the data during creation, transport, storage, and processing. Doing so allows organizations to make the most of data while ensuring its protection internally and when shared outside of the organization. Here are five ways to use data to its fullest extent while protecting it, regardless of use.

Identify Data Value
Every piece of data entering a cloud environment should be accounted for and given a value upon creation. Doing so helps prioritize its importance to the organization and guides methods for data management. Customer-buying insight, intellectual property and proprietary information are examples of data that should be prioritized over, for instance, officewide policy memos or annual vacation schedules. 

Assign Risk Scores
Sometimes data does not offer critical insight, but it is incredibly sensitive — customer Social Security numbers, credit card numbers, and other personally identifiable information (PII), for example. All data should be assigned a risk score that determines the extent to which it will be protected. It is important to remember that determining risk levels is not always at the organization's discretion — privacy regulations, such as GDPR, CPRA, and HIPAA, outline which datasets should be considered most sensitive.

Implement Appropriate Protection Methods
Data protection is not a one-size-fits-all proposition — many factors determine protection methods. Data value and risk scores are two key determinants, but how and where data is being used must also be considered. As we have discussed, unstructured data — such as raw transaction logs, images, and text documents — entering the data analytics pipeline requires less intricate protection than refined and structured data exiting the pipeline. The protection method is even more important when engaging in data-sharing activities in which data values can be analyzed without revealing PII connected to the data.

Determine Access Control Policies
Many organizations embrace a zero-trust approach to security, which, as the name suggests, means trusting no one inside or outside of the network. A key element of such an approach is a set of access control policies that dictate who can and cannot access specific data in specific formats, with a fail-safe strategy in which the default posture is to deny access. Strict access control can drastically reduce the risk of exposure, especially as data becomes more valuable through the analytics pipeline and in data-sharing activities.

Monitor Data Throughout Its Life Cycle
Data, in any form, represents risk. Organizations that vigilantly monitor data can recognize anomalies early on and proactively move forward with mitigation tactics to prevent data exposure altogether or, at a minimum, limit the damage.

The CDO will tell you that the promise of cloud computing is seemingly limitless, but the CISO will counter by reminding you that the risk of data exposure is equally infinite. In today's data-driven business environment, the CDO-CISO dynamic is the key to harnessing data's value. By implementing data analytics techniques that incorporate best-in-class protection methods, organizations can keep both sides of the aisle satisfied. 

Ameesh Divatia is Co-Founder & CEO of Baffle, Inc., which provides encryption as a service. He has a proven track record of turning technologies that are difficult to build into successful businesses, selling three companies for more than $425 million combined in the service ...
 
