The notorious Ashley Madison hack should make every organisation that holds data (i.e. every company on the planet) look very seriously at its data holdings. The moment you enter someone's details into your organisation's database, you are responsible for ensuring that those details remain private and confidential. Not only is this responsible business practice but, in most countries, it is the law. So if you get hacked and your data is compromised, you could be liable for prosecution, not to mention seeing your company's name in the papers for all the wrong reasons.
“Most tightly-regulated enterprises such as finance, healthcare and central governments have a pretty good handle on the types of data they hold and how sensitive they are,” says Gary Gardiner, Fortinet’s A/NZ Director of Engineering & Services, “but many other companies don’t really have an understanding of what their obligations are to secure their databases. For instance, a retail shop might hold personal details from a loyalty programme or a mail order house might have thousands of credit card numbers. These databases have to be secured.
“And it’s not just personal information,” he continues. “Any confidential or proprietary intellectual property, such as proposals, customer relationship management reports, strategic plans and the such, while not necessarily covered by privacy laws, should be kept away from prying eyes. And to complicate things, once you start storing data in the cloud or in third-party datacentres, you start to lose control of your data stewardship authority. It can be unclear where your responsibilities start and stop.”
Metadata: the unsung hero of responsible data protection
Perhaps the most important step you can take when securing your databases is to classify them. "Not all data carries the same level of value to your organisation," notes Gardiner. "Some data, such as financial, client and personnel records, needs to be highly protected. Other files, such as internal communications, marketing materials, etc., aren't nearly as sensitive. So there is no sense in treating all of your data the same. This data hierarchy can impact storage as well. Some data needs to be stored for fast access 'in memory' while other data can be held in tape archives."
The key to all of this is metadata. "Metadata is information about information," explains Gardiner. "Well-designed and maintained metadata descriptors can have a huge positive impact on your data security strategy. Metadata can contain fields for privacy and sensitivity (i.e. public, private, classified, highly sensitive), date of capture, data lineage (i.e. what processing has been done to the data), levels of access (which company roles can access and/or modify the data) and, importantly, when the data can be safely deleted."
Match the cost of data security and storage to the data's value
Data audits are becoming increasingly important as organisations struggle to secure and store databases that are growing by orders of magnitude. "The advent of business intelligence, data marts and big data means that organisations capture data once and then propagate it throughout the system. Storing and securing data is expensive. Best practice suggests matching your security and storage expenditure to the value of the data to your organisation. Metadata is an enabler for cost-effective and thorough data audits."
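As an added example (not from the article, Fortinet or Gardiner), the following Python models the metadata descriptor described above: a sensitivity level, capture date, lineage, per-role access rights and a retention date, with a deny-by-default access check, a retention check, and an audit pass of the kind the data-audit paragraph calls for (holdings per sensitivity level, records past their retention date, records with no retention decision, and classified-or-above records that any role may read or modify). The schema, role names and sample datasets are assumptions constructed for illustration.

```python
"""Classification metadata descriptors with access, retention and audit checks.
Added example: the schema, roles and sample datasets below are constructed,
not Fortinet's or the article's own."""
from dataclasses import dataclass, field
from datetime import date
from enum import IntEnum
from typing import Dict, List, Optional, Set


class Sensitivity(IntEnum):
    """Sensitivity levels named in the article, ordered least to most sensitive."""
    PUBLIC = 0
    PRIVATE = 1
    CLASSIFIED = 2
    HIGHLY_SENSITIVE = 3


@dataclass
class Descriptor:
    """Metadata record attached to one dataset (hypothetical schema)."""
    dataset_id: str
    sensitivity: Sensitivity
    captured_on: date
    lineage: List[str] = field(default_factory=list)            # processing steps applied so far
    access: Dict[str, Set[str]] = field(default_factory=dict)   # role -> {"read", "modify"}; "*" = any role
    delete_after: Optional[date] = None                         # None = no retention decision recorded


def can_access(desc: Descriptor, role: str, action: str) -> bool:
    """Deny by default: allowed only if the descriptor grants the action to this role (or to "*")."""
    allowed = desc.access.get(role, set()) | desc.access.get("*", set())
    return action in allowed


def is_deletable(desc: Descriptor, today: date) -> bool:
    """True once the retention date has passed; a missing retention date never triggers deletion."""
    return desc.delete_after is not None and today >= desc.delete_after


def audit(descriptors: List[Descriptor], today: date) -> dict:
    """Summarise holdings by sensitivity and flag records that need a decision or a fix."""
    by_level = {level.name: 0 for level in Sensitivity}
    overdue, no_retention, over_shared = [], [], []
    for d in descriptors:
        by_level[d.sensitivity.name] += 1
        if is_deletable(d, today):
            overdue.append(d.dataset_id)            # still held past its safe-deletion date
        if d.delete_after is None:
            no_retention.append(d.dataset_id)       # nobody has decided when it can go
        if d.sensitivity >= Sensitivity.CLASSIFIED and "*" in d.access:
            over_shared.append(d.dataset_id)        # sensitive data open to every role
    return {"by_level": by_level, "overdue": overdue,
            "no_retention": no_retention, "over_shared": over_shared}


# Constructed sample holdings for a retailer, loosely following the article's examples.
SAMPLE = [
    Descriptor("loyalty-members", Sensitivity.PRIVATE, date(2014, 3, 1), ["imported from POS"],
               {"marketing": {"read"}, "dba": {"read", "modify"}}, date(2016, 3, 1)),
    Descriptor("cardholder-orders", Sensitivity.HIGHLY_SENSITIVE, date(2015, 1, 15), ["tokenised PAN"],
               {"payments": {"read"}}, date(2015, 7, 15)),
    Descriptor("press-releases", Sensitivity.PUBLIC, date(2015, 6, 1), [], {"*": {"read"}}, None),
    Descriptor("strategic-plan-2016", Sensitivity.CLASSIFIED, date(2015, 8, 1), [],
               {"*": {"read", "modify"}}, None),
]

if __name__ == "__main__":
    print(audit(SAMPLE, date(2015, 9, 1)))
```

Run against the sample on 1 September 2015, the audit reports one dataset per level, flags the cardholder data as overdue for deletion, lists the two datasets with no retention date, and singles out the strategic plan as classified data that every role can modify; the access check denies marketing staff modification of the loyalty list while allowing the DBA role.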
While the costs of storing and securing data are decreasing with new technologies, such as deduplication and security-as-a-service, they are still a major outlay. "Anything you can do to drive down your data protection overheads while ensuring highly secure access for authorised staff is a smart move," concludes Gardiner. "The tools are out there. It's just a case of knowing what to do and then making it happen. These issues will not go away; indeed they are becoming more critical. So don't become an Ashley Madison. Secure your data to secure your future."