Big data has proven to be a big asset for corporations that are trying to collect information and make informed business decisions, but if the proper strategies for protecting that data are not in place, the risks to the enterprise can be costly.
Earlier this year Cisco reported that worldwide mobile traffic is expected to grow eightfold from 2015 to 2020, reaching 30.6 exabytes per month. Planning for that data inflation raises a very important question: "How can organizations ensure their data is an asset and not a liability?"
Michelle Dennedy, chief privacy officer at Cisco, said, "When best practices around data protection and compliance are not strictly enforced, the risks of this data becoming a liability extend across all levels of the company, both financially and operationally."
As enterprises prepare for the explosion of data in the years to come, they also need to know how to collect, store, share, and delete the data they currently possess.
Security practitioners need to be asking what effective and sufficient data protection looks like. Dennedy said, "Enterprises need to think about how to position data as a corporate asset in order to mitigate liability risks and, at the same time, leverage their data's value."
That means that businesses need to know their 'why'. Why are they collecting this data? How is this information going to be used? These questions need to have answers in order to create a measurable framework because, "If you don’t have someone who uses that data to create value, it becomes a liability," Dennedy said.
From the perspective of a privacy engineering process, Dennedy said, "The number one thing is to know thy data." Organizations that don't know where the data is, who is in charge of it, or why it is there are setting themselves up for enormous risk.
"If you go across data sets and find that the why is not there, but someone insists on holding onto the data because they might be able to use it later, get rid of it!" said Dennedy.
Either destroy it or find a purpose for it. Dennedy said, "Having a purpose is required. If it's collected for human resources, I shouldn’t be using it for other purposes. That's a legal requirement and it’s a moral and ethical requirement."
Data-driven decisions have certainly changed the way that enterprises do business, and they allow for a better user experience; however, Marcus Johnston, CSO at Infogix, said, "What's really important is to have a defined approach and goals before you go into it."
Going fishing for data without a clear purpose isn’t going to get you much in terms of actionable information, but Johnston said, "If there is a defined driver -- it could be looking for propensity information within your marketing information or looking for fraud behavioral patterns within financial -- there has to be an end goal in sight that should be as constrained as possible."
Enterprises that have collected targeted data with defined drivers have seen great success in using it to improve business performance, said Johnston. "With big data, we can analyze and process volume and theme far beyond what we could do previously. We can sort a significantly massive size of information in conjunction with our private data."
Those benefits afforded through data collection come with responsibilities, which is why having a solid data governance framework is key with any data, whether it's big data or analytics. "There are tools that track the integrity and quality and provenance of the data—particularly for privacy standards," Johnston said.
Beyond a data governance framework, security practitioners also need a platform to put controls around the data, both in motion and at rest. "Underpinning a data governance framework from an operational standpoint, they need the ability to know and log any exceptions around the data being handled," Johnston said.
An asset can quickly become a liability where data sourcing, governance, and regulatory requirements generate risks for the business. "Once it's proliferated in a big data environment, it’s much harder to expunge," he said.
As much as data can afford great value to business operations and growth, it is also what attackers are after, which will always make it a security liability. That's why inter-departmental communication is critical for both compliance and security.
Digital Guardian CTO Mark Menke said, "For the compliance side of the house, they focus on data and how it's used. Security is focused on threats. Those two need to be communicating. Folks responding to threats need to understand the value of data to prioritize their security around protecting that data."
Data loss prevention (DLP) tools are experiencing a resurgence, according to Menke who said, "People are starting to use DLP as a positive control. If you look at how it was deployed years ago, they are now able to show positive custodianship of their data."
Through the use of DLP tools, security practitioners are able to have information consolidated and formalized to show where they store data. "They can set controls in terms of who has access to that data, with whom that data is communicated, and in what format," Menke said.
As a result, many enterprises now have more mature data awareness policies, but because they remain under attack from malicious outsiders, they still need to put a security program in place.
That program, said Menke, should be threat-aware data protection. "If combined together and communicated correctly, the folks doing incident response from a security perspective know how to understand where the data resides. They should prioritize their security program based on the target of the attacks."
If security practitioners don't know how the data center is organized and operated, the data is at a greater risk, according to Nathaniel Gleicher, head of cyber security strategy at Illumio.
"The reason most sophisticated hackers are so effective is because they know the environment they are attacking better than the defenders," Gleicher said.
To create the strongest security program, practitioners need to understand their attack surface and recognize all the ways an intruder can get around. They should start with the assumption that they will be breached.
Gleicher said, "Protect data centers at the perimeter, but know that the benefit of that edge is one dimensional. When you get into the interior, there are many dimensions. If you don’t know where your valuable information is, you can’t protect it."
Inside the environment, Gleicher said, "The steps to take are not rocket science. Patch vulnerabilities, segmentation tools, shut down paths. Just about every major breach has involved lateral movement through servers to find a high value target. If we could make lateral movement harder, it would make every breach harder."
Once an intruder has gained a foothold in the environment and is moving laterally toward valuable data, reducing dwell time minimizes the damage they can do and the data they can exfiltrate.
"Dwell time now is really high," said Gleicher. "If they want to increase the value they can get from data and decrease their liability, reduce dwell time. Make it harder for intruders to spend weeks and months inside data centers."
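The two points Gleicher makes above, that lateral movement between servers is the common thread in major breaches and that dwell time is what turns a foothold into a data loss, can be checked against flow logs with a default-deny segmentation policy. The following is an added example and is not code from the article or from any of the vendors quoted in it; the tier allowlist, the host-to-tier map, the flow records and the detection timestamp are all constructed for illustration.

```python
"""Default-deny segmentation check over constructed east-west flow records.

Nothing here comes from the article: the allowlist, host map and flow lines
are hypothetical examples of the kind of policy and telemetry a data center
would have.
"""
from datetime import datetime
from typing import Dict, List, Tuple

# Segmentation policy: the only permitted server-to-server paths, expressed as
# (source tier, destination tier, destination port). Anything else is denied.
ALLOWED_FLOWS = {
    ("web", "app", 8443),   # web front ends talk only to the app tier
    ("app", "db", 5432),    # only the app tier reaches the database
    ("mgmt", "web", 22),    # admin jump host may SSH to every tier
    ("mgmt", "app", 22),
    ("mgmt", "db", 22),
}

# Constructed host-to-tier inventory ("know thy data" applies to hosts too:
# an unknown host cannot be matched to policy and is treated as a violation).
HOST_TIER = {
    "10.0.1.10": "web", "10.0.1.11": "web",
    "10.0.2.10": "app",
    "10.0.3.10": "db",
    "10.0.9.5": "mgmt",
}

# Constructed flow records: "timestamp src dst dport". The last three show a
# compromised web host probing a peer over SMB, SSHing into the app tier and
# finally reaching the database directly.
SAMPLE_FLOWS = """\
2016-04-01T08:00:00 10.0.1.10 10.0.2.10 8443
2016-04-01T08:00:05 10.0.2.10 10.0.3.10 5432
2016-04-01T09:15:00 10.0.1.11 10.0.1.10 445
2016-04-01T09:16:30 10.0.1.11 10.0.2.10 22
2016-04-03T11:00:00 10.0.1.11 10.0.3.10 5432
"""


def parse_flows(text: str) -> List[dict]:
    """Turn the whitespace-separated flow lines into dicts with parsed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                      "dst": dst, "dport": int(dport)})
    return flows


def is_allowed(flow: dict) -> bool:
    """Default deny: a flow is allowed only if its tier pair and port are listed."""
    src_tier = HOST_TIER.get(flow["src"])
    dst_tier = HOST_TIER.get(flow["dst"])
    if src_tier is None or dst_tier is None:
        return False
    return (src_tier, dst_tier, flow["dport"]) in ALLOWED_FLOWS


def find_lateral_movement(flows: List[dict]) -> List[dict]:
    """Every flow the segmentation policy does not permit, in log order."""
    return [f for f in flows if not is_allowed(f)]


def lateral_paths(violations: List[dict]) -> Dict[str, List[Tuple[str, int]]]:
    """Group violations by source host so the attacker's path through the
    environment is visible as an ordered list of (destination, port) hops."""
    paths: Dict[str, List[Tuple[str, int]]] = {}
    for v in sorted(violations, key=lambda f: f["ts"]):
        paths.setdefault(v["src"], []).append((v["dst"], v["dport"]))
    return paths


def dwell_seconds(violations: List[dict], detected_at: str) -> float:
    """Seconds between the first policy violation and the moment the
    intrusion was detected (ISO 8601 timestamp); 0 when nothing was found."""
    if not violations:
        return 0.0
    first = min(v["ts"] for v in violations)
    return (datetime.fromisoformat(detected_at) - first).total_seconds()


if __name__ == "__main__":
    found = find_lateral_movement(parse_flows(SAMPLE_FLOWS))
    for src, hops in lateral_paths(found).items():
        print(f"{src} moved laterally via: {hops}")
    # Detection time is constructed; in practice it is when the alert fired.
    print(f"dwell time: {dwell_seconds(found, '2016-04-03T12:00:00') / 3600:.2f} h")
```

The policy is deliberately an allowlist rather than a blocklist: the web-to-web SMB hop and the web-to-app SSH hop are caught not because anyone anticipated them, but because nobody permitted them, which is what "shut down paths" amounts to in practice. Shrinking the gap between the first denied flow and the detection timestamp is the dwell-time reduction Gleicher describes.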