Data protection and governance: Hi-Tech Security
A sense of urgency
We all know we live in a new era where old truths and accepted practices are crumbling. They simply don’t apply anymore. Industry 4.0 made its entrance quite some time ago, and businesses are adapting at too slow a pace. The main reason businesses are not moving quickly enough is the natural inertia of the human factor. Let’s face it, dealing with change is not the easiest thing for us human beings. When do we change? Typically when we get a shock to the system and need to avoid harm, or when we see a considerable return on effort for something that will benefit us.
We can come up with all sorts of governance principles, but if people don’t feel the need to apply these it won’t happen. We have to understand the importance of data security and governance at a much deeper level, rather than just giving it lip-service.
Lessons from a long time ago
History is not everyone’s favourite subject, but it can teach us the importance of changing our mindsets and related behaviours. Let us go back to the time of the famous Wars of the Roses.
Between the years 1455 and 1487 a number of English civil wars were fought for control of the throne of England. Two of the three rivalling sides were the House of Lancaster, represented by a red rose, and the House of York, represented by a white rose. The castles that were built leading up to this period, with their heavily fortified walls and towers, were impenetrable for the typical weaponry used around that time. Archers and longbowmen could do very little to these walls.
Around this time, a rare new weapon made a more prominent entry on the battlefield. The cannon began to appear in these wars and made one thing very clear: the castle walls could not withstand the smashing impact of cannonballs. What was thought to be the ultimate line of defence simply crumbled and left everyone inside the castle walls horribly exposed to the terrors of the enemy.
This story highlights that ‘old world’ security thinking in these times does not work anymore. What we thought was impenetrable very quickly turned into wet cardboard easily pulled to pieces by wild dogs.
Where to start
Reuben Paul is a 13-year-old hacking whiz kid who gave his first presentation at a hacker conference when he was only 8. He has since set up the non-profit organisation CyberShaolin. One of his key messages is that nothing in cyberspace is ever 100% secure. We ourselves, our children, and future generations need to simply start with basic defence strategies: use strong passwords (most data breaches involve weak, default or stolen passwords), don’t share too much about yourself on social media, don’t blindly click on any link you encounter, and don’t trust anyone you don’t know personally. In the cyber world, everyone is a cyber stranger and should be treated accordingly.
Interestingly enough, this is also in line with the thinking of some of the mega platform vendors around us nowadays. Microsoft’s philosophy, for instance, is not to focus too much on keeping people ‘out’, but rather to ‘assume breach’ and to focus on your best next actions once the perpetrator is inside. Your security protocols should be in line with this thinking and deal efficiently with the next actions once someone has gained unauthorised access to your systems. How quickly do you know where the person penetrated your defences and where they are heading, and how quickly can you isolate them and cut them off from all your valuable assets?
White-hat hackers vs. Black-hat hackers
Black-hat hackers try to harm humanity with their skills, whereas white-hat hackers act for the good of humanity. I’d suggest that organisations engage the services of white-hat hackers to provide the necessary shock-effect to the people in their organisations. This will hopefully stimulate the necessary changes in mindsets and related behaviours.
If you unleash a guided, focused hacking wave on your business community to gain access to unstructured documents with passwords in them (I know lots of people still use these), and show how easy it was to retrieve this information, it will teach people very quickly to up their security, pronto.
Even though the cloud introduces so many advantages we never thought possible, it also introduces more security threats. Systems have been devised to cope with this, even leveraging strong cloud functionality like machine learning and artificial intelligence to detect possible threats.
Microsoft spends more than 1 billion USD each year on security R&D. They’ve built something called the Microsoft Intelligent Security Graph. The Graph feeds all the security capabilities that Microsoft builds into Windows, Office 365, Azure and their mobile platform. It comes as no surprise that Satya Nadella called Microsoft ‘the biggest security company you’ve never heard of.’
The Graph can see attacks that are happening to customers in every part of the world and watch as these attacks migrate around the globe. It aggregates known vulnerabilities, information on compromised credentials and attack patterns, using machine learning embedded in Microsoft’s solutions.
Data security should be an integral part of systems development right from the start. Ideally one wants to answer ‘Yes’ to each of these questions:
- Do you know who is accessing your data?
- Can you grant access to your data based on risk in real-time?
- Can you protect your data on devices, in the cloud, and in transit?
- Can you quickly find and react to a breach?
- Are your users absolutely delighted about working with their systems and apps?
Securing your information assets should start with the following high-level activities:
- Identify and classify your sensitive data assets
- Determine where sensitive data is located in your business
- Determine how each of these sensitive data assets should be protected
- Map how these assets interact with business processes
Besides this classification, one should also assess external threats (e.g. black-hat hackers) and internal risks (e.g. ignorant employees sharing sensitive information).
To facilitate all of this, businesses should maintain their metadata (data about the data) very carefully. This then helps to classify data elements using example classifications such as Critical Risk Data, High Risk Data or Moderate Risk Data, to name a few.
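The four activities above and the metadata-driven classification they rely on can be made concrete as a small data-inventory check. The following is an added example, not code from the article or from any vendor it mentions: it takes a constructed metadata catalogue (system, element, location, data categories, business processes, declared controls), derives a risk tier for each element, lists where each tier lives, maps business processes to the highest-risk tier they touch, and reports elements whose declared controls fall short of the baseline their tier requires. The category names, the mapping from categories to tiers, the control baseline per tier and the ‘Unclassified’ catch-all tier are all assumptions chosen for illustration.

```python
"""Data-inventory classification and control-gap check.

Added example. Catalogue records, category names, tier rules and control
names are constructed assumptions and are not taken from the article.
"""
from collections import defaultdict

# Risk tiers, highest first. The three named tiers are the article's example
# classifications; "Unclassified" is an assumed catch-all that is itself a finding,
# because data nobody has classified cannot be protected appropriately.
TIERS = ["Critical Risk Data", "High Risk Data", "Moderate Risk Data", "Unclassified"]

# Assumed mapping from metadata categories to the tier they imply.
TIER_BY_CATEGORY = {
    "credential": "Critical Risk Data",
    "payment_card": "Critical Risk Data",
    "health": "Critical Risk Data",
    "government_id": "High Risk Data",
    "contact_pii": "High Risk Data",
    "internal_only": "Moderate Risk Data",
}

# Assumed minimum protection baseline per tier (controls are labels only).
REQUIRED_CONTROLS = {
    "Critical Risk Data": {"encrypted_at_rest", "encrypted_in_transit",
                           "mfa_access", "access_logging", "dlp_scan"},
    "High Risk Data": {"encrypted_at_rest", "encrypted_in_transit", "access_logging"},
    "Moderate Risk Data": {"encrypted_in_transit"},
    "Unclassified": set(),
}


def classify(record):
    """Return the highest-risk tier implied by any of the record's categories."""
    tiers = [TIER_BY_CATEGORY[c] for c in record["categories"] if c in TIER_BY_CATEGORY]
    if not tiers:
        return "Unclassified"
    return min(tiers, key=TIERS.index)  # lowest index = highest risk


def control_gaps(record):
    """Controls the record's tier requires but the record does not declare."""
    return sorted(REQUIRED_CONTROLS[classify(record)] - set(record["controls"]))


def inventory(catalogue):
    """Group 'system:element' names by tier: where sensitive data lives, by risk."""
    by_tier = defaultdict(list)
    for r in catalogue:
        by_tier[classify(r)].append(f"{r['system']}:{r['element']}")
    return dict(by_tier)


def process_exposure(catalogue):
    """Map each business process to the highest-risk tier it touches."""
    exposure = {}
    for r in catalogue:
        tier = classify(r)
        for proc in r["processes"]:
            if proc not in exposure or TIERS.index(tier) < TIERS.index(exposure[proc]):
                exposure[proc] = tier
    return exposure


def findings(catalogue):
    """(name, tier, gaps) for every element with missing controls or no classification."""
    out = []
    for r in catalogue:
        tier, gaps = classify(r), control_gaps(r)
        if gaps or tier == "Unclassified":
            out.append((f"{r['system']}:{r['element']}", tier, gaps))
    return out


# Constructed sample catalogue (assumed systems, elements and controls).
SAMPLE_CATALOGUE = [
    {"system": "CRM", "element": "customer.email", "location": "cloud",
     "categories": {"contact_pii"}, "processes": ["onboarding", "marketing"],
     "controls": {"encrypted_at_rest", "encrypted_in_transit", "access_logging"}},
    {"system": "Finance", "element": "invoice.card_number", "location": "cloud",
     "categories": {"payment_card", "contact_pii"}, "processes": ["billing"],
     "controls": {"encrypted_at_rest", "encrypted_in_transit", "access_logging"}},
    # An unstructured spreadsheet of passwords on a file share with no controls.
    {"system": "FileShare", "element": "ops/passwords.xlsx", "location": "on_prem",
     "categories": {"credential"}, "processes": ["ops_runbooks"], "controls": set()},
    {"system": "Wiki", "element": "project.roadmap", "location": "cloud",
     "categories": {"internal_only"}, "processes": ["planning"],
     "controls": {"encrypted_in_transit"}},
    # Telemetry nobody has categorised yet: surfaces as "Unclassified".
    {"system": "DataLake", "element": "sensor.telemetry", "location": "cloud",
     "categories": set(), "processes": ["analytics"], "controls": set()},
]

if __name__ == "__main__":
    for tier, names in inventory(SAMPLE_CATALOGUE).items():
        print(f"{tier}: {', '.join(names)}")
    for proc, tier in sorted(process_exposure(SAMPLE_CATALOGUE).items()):
        print(f"process {proc} touches {tier}")
    for name, tier, gaps in findings(SAMPLE_CATALOGUE):
        print(f"FINDING {name} [{tier}] missing: {gaps or 'classification'}")
```

Running the script lists the Critical elements (the card number and the password spreadsheet), shows that the billing and ops_runbooks processes touch Critical Risk Data, and reports three findings: the card number lacking MFA and DLP scanning, the password spreadsheet lacking every baseline control, and the telemetry that has never been classified. The point of treating ‘Unclassified’ as a finding is that the inventory stays honest: metadata gaps show up as work to do rather than silently being treated as harmless.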
So, one should absolutely implement good governance around data protection and security as soon as possible, but I would advise you to really start off with the weakest link: the human factor.
Good luck building your own castle walls to keep your data safe!