Security in 2020 – Data Security is Key

A how to on providing security controls over data regardless of location, time of access, user or device.

BYOD, mobility, cloud, social media and IoT – these phenomena are causing a paradigm shift in IT based on what users can do and where data can live. Gone are the days when data was confined to the data centre and we could put a virtual fence around it and protect it. Now data is everywhere, with multiple copies of it. This causes a massive headache for CISOs who are tasked with protecting this data from falling into the wrong hands. The question then arises: with data literally everywhere, how do we achieve this?

Before I answer the above question, let’s look at some key fundamentals of data protection and how they allow data to be protected either in motion, processing or storage. These are:

  • Authentication – know who is accessing your data and how. Ensure that the right actors have access and those that shouldn’t, don’t
  • Authorisation – providing authenticated access to data is not enough. You will have to ensure that the access is strictly governed and defined by who can do what to the data across all components of the data lifecycle (create, store, use, share, archive and destroy). This will typically require creating an authorisation matrix by data type to ensure correct and compatible access while maintaining appropriate segregation of duties. The matrix will then have to be applied to the relevant data types to ensure only authorised access is permitted to data. Data classification is critical here, since the value of the data will define who can access it and to what level
  • Accounting – things that can go wrong, will go wrong! This is where appropriate logging comes into play. With the right logging based on the data type, you will be able to track who did what and perform root cause analysis to rectify issues, and forensics to determine what happened in the case of a security incident
  • Encryption – this is particularly important for data at rest. If the data is encrypted, and the keys are controlled appropriately, then anyone getting access to the data will struggle to do anything with it since it will be undecipherable.
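
As an added example that is not part of the original article, the following Python sketch wires three of the four fundamentals together: an authentication result checked first, an authorisation matrix keyed by data classification and lifecycle stage with a segregation-of-duties rule, and an audit record for every decision (accounting). The role names, classifications and policy entries are constructed for illustration and are not from the article.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

LIFECYCLE = ("create", "store", "use", "share", "archive", "destroy")

# Authorisation matrix: classification -> lifecycle action -> roles allowed (constructed sample).
MATRIX = {
    "public": {
        "create": {"author", "editor"}, "store": {"author", "editor"},
        "use": {"author", "editor", "reader"}, "share": {"author", "editor", "reader"},
        "archive": {"records"}, "destroy": {"records"},
    },
    "confidential": {
        "create": {"author"}, "store": {"author", "custodian"},
        "use": {"author", "analyst"}, "share": {"data_owner"},
        "archive": {"records"}, "destroy": {"records"},
    },
}

# Segregation of duties: whoever creates or stores a record must not also be able to destroy it.
SOD_CONFLICTS = {frozenset({"author", "records"}), frozenset({"custodian", "records"})}

@dataclass
class Request:
    principal: str
    roles: frozenset
    authenticated: bool   # outcome of the authentication step, assumed done upstream
    classification: str
    action: str

AUDIT_LOG = []   # accounting: every decision, allowed or denied, is recorded here

def sod_violation(roles: frozenset) -> bool:
    return any(pair <= roles for pair in SOD_CONFLICTS)

def authorise(req: Request) -> bool:
    # Order of checks: authentication, known lifecycle action, segregation of duties, matrix.
    if not req.authenticated:
        decision, reason = "deny", "unauthenticated"
    elif req.action not in LIFECYCLE:
        decision, reason = "deny", "unknown lifecycle action"
    elif sod_violation(req.roles):
        decision, reason = "deny", "segregation of duties conflict"
    elif req.roles & MATRIX.get(req.classification, {}).get(req.action, set()):
        decision, reason = "allow", "role permitted for this data type and action"
    else:
        decision, reason = "deny", "no role permitted for this data type and action"
    AUDIT_LOG.append({"when": datetime.now(timezone.utc).isoformat(), "who": req.principal,
                      "data": req.classification, "action": req.action,
                      "decision": decision, "reason": reason})
    return decision == "allow"
```

Denials are logged with the same detail as allows, so the audit trail supports both root-cause analysis and forensics as described above.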

So having discussed the issue of data being everywhere and some basics around controlling security to it, the next point to address is how do you apply these security fundamentals to the data. This is where the rubber hits the road!

The basic premise that applies here is “containerising” the data and applying security controls to the data itself – not users, location, time or devices since the mantra now is access anywhere, anytime from anything.

To achieve the above, one needs to implement tools, processes and technology that can containerise the data and apply the relevant security controls so that if an actor does not have access to the data, they cannot even see it. What they cannot see, they cannot get to. Extrapolating this further, controls need to be applied at the following layers where data tends to exist:

  • Network – this is the backbone that data uses to transit from A to B. Controls at this layer are important to protect data in motion so that data cannot be intercepted and accessed by unauthorised actors. Appropriate access controls, authorisation and encryption are critical here
  • Servers and databases – this is where data is typically processed. Controls need to be in place so that only the right processes are accessing the data in the right manner and that these processes cannot be manipulated to access data that they should not be accessing
  • Cloud – data is being moved to the cloud rapidly. It is vital that security controls are maintained in the cloud to ensure that only authorised and authenticated access is permitted and all access logged. Data at rest in the cloud should be encrypted with the key under control of the data owner
  • Mobile / IoT – as mobile and IoT devices proliferate, they will hold / access more and more data. Controls need to be in place to ensure access, authorisation, encryption and logging controls are in place for data on mobile / IoT devices
  • Analytics / Correlation – adequate logging can only be achieved when logs are captured for all data types regardless of device or user, and analysed and correlated to reveal threats and attacks. Without this level of intelligence in place, it will be difficult to determine security issues with critical data types. An important component here is to ensure that the organisation has an adequate incident response plan that is well tested. The log data should be reviewed ideally in real-time and responded to. If this capability cannot be procured internally, consider outsourcing to the many managed security providers that now exist.

Within this article, I have tried to explain how to provide security controls over data regardless of location, time of access, user or device. The fundamentals of data security still very much apply around data containerisation and application of authentication, authorisation, accounting and encryption controls. Appropriate application of these controls at the right layers of network, servers and databases, cloud, mobile / IoT and analytics / correlation will allow you to protect your data adequately.

Stories by Ashwin Pal