Securing the data-first enterprise
If there's one thing the past few years have taught us, it's that data security must remain at the forefront of all enterprise operations—or else. But while ransomware attacks continue to skyrocket and new risks are emerging in the form of a tangle of complex privacy and compliance rules that must be followed, the enterprise is finding that it must come to terms with a new potential threat: the rampant proliferation of sensitive data into every corner of the business, including areas where security operations has historically paid little attention.
"Data has changed from being in a single location to being everywhere, and the pandemic has only given a boost to that trend," says Rohini Chavakula, a data scientist in the AI division at Hewlett Packard Enterprise. According to Ponemon Institute's 2021 Cost of a Data Breach Report (produced in cooperation with IBM), data breach costs are now at an all-time high: $4.24 million per incident, on average. To put that in perspective, the cost of an average data breach is now approaching that of the average ransomware attack ($4.62 million).
Following the data to keep it safe
The new challenges of securing data are largely attributed to two trends related to the edge: the abrupt explosion of remote work (and the proliferation of devices used by remote workers) and the equally rapid growth of the internet of things. Emerging frameworks like zero trust still need to evolve further to address these scenarios fully, says Andy Longworth, senior solution architect at HPE's AI and data practice, as current implementations are more tuned to traditional, centralized environments.
"When I think about IoT devices in the field, zero trust is especially hard," says Longworth, "because those devices are not necessarily always connected. If they're disconnected from the network and somebody tampers with them, you may not even know about it. There are wider problems that probably need to be solved before zero trust is a viable approach for devices in the wild."
In the meantime, many experts say the first step to data-first security is a better understanding of the way data is classified. "Do we need to treat all devices and all data the same?" says Longworth, pointing to a healthcare client he's working with that is struggling with how to secure various types of data, ranging from patient X-rays to interoffice emails, each of which has various security needs and risk levels. "You've got to understand the context of all of those data types and what protection that data needs to be afforded."
"Data inventory and data categorization should really come first, then data mapping," says Ben Goodman, CEO of CyRisk, a developer of a security risk analytics platform. "Know where it lives for the full data lifecycle. Then determine if you really need to be working with the sensitive data or if you can de-identify it or tokenize it."
Chavakula notes that adopting systems that can help with this type of data classification is now critical. Rather than restricting access to software based on the user's security profile, organizations must appropriately classify the underlying data itself. This is a shift from the traditional way of securing data, which, for example, is likely to have restricted a payroll application to members of the accounting department. Instead, organizations need to rethink that approach, so that the underlying financial data itself is restricted with more precision. This type of practice can help prevent breaches based on the use of false credentials or elevated privileges.
"One of the most fundamentally important strategies in protecting data is knowing exactly who your organization is sharing data with and for what reasons," says cybersecurity consultant Charles Denyer. "You can't protect your data if you don't know how it's being used, stored, shared, disposed of, and retained." Denyer advises clients to develop a data privacy program to address these issues from a policy standpoint, noting that such programs are critical for ensuring compliance with GDPR and other data protection laws while also being useful in securing the underlying data itself.
Automation, AI, and your data
Of course, all of that won't solve complex issues like insecure IoT sensor data, which is why Longworth says that automation will help with both security and compliance. "With things like cameras and other devices at the far edge—well outside the data center and the boundaries of corporate IT—we need to leverage ways to automate things as much as possible and take people out of the equation as much as possible," he says. "That's how things get lost."
Longworth notes that it's long been the instinctive tendency of IT professionals to leap into a problem and "hand crank" a fix because, in today's enterprise, every problem is seemingly designated as urgent. "People start taking shortcuts to fix the problem, and that becomes a new security issue where processes and procedures are not followed," he says. When these types of updates or repairs are not applied properly, there's often no paper trail to follow to even discover where things went awry, compounding the issue. "Wrapping as much automation around these things as possible is the only way forward," Longworth says.
Practical automated security tools exist, and those in the industry who are using them are seeing the benefits. According to the aforementioned Ponemon study, "Organizations with fully deployed security AI and automation experienced breach costs of $2.90 million, compared to $6.71 million at organizations without security AI and automation." The study associates the massive cost savings with these tools' ability to more quickly identify and contain a breach.
Yesterday's tools, tomorrow's problem
By and large, most experts agree that the application of proven security principles and practices is the first and most important step toward securing the data-first enterprise. "The key in 2022 and beyond will be the organization's ability to readily understand, manage, and act upon the effectiveness of its data protection efforts," says Jesse Dean, vice president of solutions at TDI, a global cybersecurity provider. "This has to come through increased visibility—now up to the board level."
Longworth adds that encryption, long a staple of the data center, needs to be adopted on a much broader scale in order to take into account data at the edge. Tools need to be adopted to encrypt data while at rest on user devices and edge-based storage—and to ensure it remains encrypted in transit. "We can't just consign these tools to the data center any longer," he says. Emerging frameworks like Gartner's cybersecurity mesh architecture may prove essential on this front, offering centralized management of resources through a modular approach that enforces security policies regardless of whether they are inside or outside the network perimeter.
Underpinning all of this, naturally, is user training, which remains as critical as ever. "A fool with a tool is still a fool," says Longworth. "Training and policy enforcement are as important as ever." He adds that enterprises will need to carefully weigh their usage of security tools in order to prevent user frustration and attempts to circumvent overly strict controls. "With data breaches, the vast majority of the time it's not someone being malicious. It's people doing the wrong thing."
To that end, the ultimate solution may really just be a matter of changing the way users think about data. "I've heard it said that data is the new oil," says Goodman. "But if people treated data like money, they wouldn't leave it lying around."