The changing data protection paradigm

I spent last Thursday as I usually do, on the track at the YMCA while listening to my favorite podcast, Down the Security Rabbithole.

The episode, titled “Data Protection Primer,” discussed the importance of protecting data security and privacy. One of the guests, Vlad Klasnja, the data protection and privacy manager for Optiv, made the point that despite the challenges, organizations must start addressing data protection, even if it means starting small. This put my main brain into high gear for the balance of my run, thinking through how we collectively got into this mess, and how we can begin to climb out of it.

Twelve years ago, I was the technology head for a consumer credit bureau. Our data was obviously very sensitive, and, even at the time, heavily regulated. While protecting this data was a challenge, it was fairly easy compared to what organizations face today. I had little else to protect other than my consumer database. I knew exactly where the data was: replicated between two data centers, and on backup media at a secure storage facility. It was minimally accessible to the outside world. Even the data that was indirectly web-accessible resided in my facilities.

In just a few years, the industry has experienced a data paradigm shift. Most organizations now must deal with massive amounts of incoming data, in various forms, ranging from structured information in the form of databases and lists to unstructured data, including documents, images and — as the podcast hosts said tongue-in-cheek — even cat pictures.  

The amount of new data available is staggering. As the Harvard Business Review aptly put it, “More data cross the internet every second than were stored in the entire internet just 20 years ago.” This data has varying degrees of value and sensitivity, and resides on a variety of systems, including endpoints, removable media, local servers, cloud servers, and cloud-based services like Box and Dropbox. This growth and spread of data has quickly exceeded the ability of most companies to keep track of it, let alone protect it.

This massive influx of data, spread out among various locations, has naturally brought with it increasing security exposures, leading to an almost daily data breach crisis. It is impossible to keep data secure and free from alteration when you can’t keep track of what you have, where it is and what its value is. Given the challenges of keeping track of this flood of data, it is not surprising that data breaches often take a long time to discover, averaging more than 146 days in 2015, as reported by SecurityWeek.

Major corporations, despite their large teams and budgets, find it very difficult to keep up with and protect their data. Consider the recent examples of Sony, Target and Home Depot. If they can’t protect their data, what hope do small and medium enterprises (SMEs) have of keeping up?

While the challenge of data protection under our new paradigm seems overwhelming,  it is, as Vlad Klasnja put it, imperative that we start somewhere. In an effort to help organizations who have yet to tackle their data problems make this start, I would suggest a somewhat simplified and nonthreatening approach:

Figure out what you have

Data protection starts with an inventory of what data you have. Given the spread of data today, this will not be easy. It is possible, however, and must be done as a start to tackling the problem. This is a particularly complicated endeavor given the growth of data stored in the cloud, a fact that many companies are coming to grips with after the massive release of password data stolen from Dropbox. Fortunately, there are data discovery and inventory tools coming on the market, like Enterprise Data Discovery by GTB Technologies.

Quantify your risk

It is essential that you understand the risk posed by each of your data sets. Knowing this helps to determine what the priority for protection will be, how much you should be spending on insurance and the degree of your compliance exposure. The best approach to this, in my view, is a basic risk assessment. Take a look at my article “The dreaded risk assessment” for guidance on a basic approach to this.

Prioritize your data for protection

You can’t address everything at once, so prioritize your data for protection, based on the results of your risk assessment. You also need to make your time and monetary investment in protecting it proportionate to its value. Some data sets you will want to protect like Fort Knox protects gold, and others will require less protections.

Start at the top, and work your way down the list

Devise and implement a strategy for your highest-risk data, and work your way down the list in priority order. You will need to consider a wide variety of approaches to protection, including encryption, network segmentation and data loss prevention.

Keep up

Even as you work to identify and protect your data, you must devise a means of keeping up with new data coming in. This will require strong discipline within your organization, such that those who obtain or create data report it to those responsible for maintaining the inventory. There are various controls you can consider, including limiting access to storage services like Box, limiting the amount of disk space available to individual users, and preventing the creation of databases by anyone other than authorized personnel.

Bottom line: Data protection is not easy. It is essential, however, and the importance of protecting data is growing by the day. Instead of letting the complexity intimidate you, dive in and make a start.