Security teams have had challenges on where to start with data management for several years. It’s something hugely apparent when talking to enterprise customers about security and how they approach managing their data from point of collection through to end-of-life. And it’s especially pertinent as they continue to face off against threats caused by geopolitical tensions and bad actors launching brute force, phishing, ransomware or “store today, crack later” attacks in which traffic gets intercepted and decrypted when powerful computation is available.
Despite this, enterprises lull themselves into a false sense of security when it comes to their understanding of information security standards, regulatory compliance, data management best practices, and adoption of security tools. They have reached a stage whereby they are collecting and retaining just about every piece of data they gather. A lot of that data has significant value, whether it helps improve business processes or unlocks new business opportunities to deliver new services for customers. But as the volume of data grows, so too does the potential attack surface and the complexity of managing that data across its entire lifecycle.
Here’s where enterprises fall short in strengthening their security posture. They think about data at end-of-life, sanitizing it when, for example, it has passed retention periods, or a customer has invoked their right to be forgotten. However, they don’t think about sanitization and its repeated use throughout the entire information lifecycle management process.
Mature data classification helps us better understand retention
Enterprises are increasingly focused on the metadata management of their vast pools of information, building data catalogues to provide an organized inventory of data assets in their possession. They want to derive intelligence from that information to inform decision-making and power dynamic systems that incorporate artificial intelligence (AI) and machine learning (ML). However, classification models are still in relative infancy.
This creates a situation of poor data hygiene, where information can go untouched for years before it’s deemed to have reached end-of-life and subsequently gets sanitized. Developing a more comprehensive structure for data classification by determining a piece of data’s value, its risk profile, or its level of sensitivity can improve understanding of the data retention period, thus informing data policy to help mitigate risk and reducing the attack surface for a potential breach. That means determining from the outset that data needs to get sanitized after a set time and through a set policy, rather than waiting until the asset it sits on is disposed.
Equally, by thinking about the information lifecycle from the get-go, enterprises can make quick decisions on whether they should even have that data, and if not, they should erase it immediately with a certificate proving that the erasure has been successful. If data has only been held as part of a project, then when that project finishes the team should remove it from the infrastructure under that organization’s command. Classifying data appropriately can provide actionable insight to restructure policies and help employees better understand the information lifecycle management process.
Encryption is great…until it isn’t
Security teams may say that all their data has been encrypted, so it’s secure against a potential breach. And yes, while we can trust encryption to keep information secure, more sophisticated attacks are on the rise. In time, removing keys from data will be achievable by more advanced computers in a matter of minutes. It simply won’t do for the long-term and enterprises must stay proactive in establishing the value of data to determine what they need to erase through verified processes with audit trails to protect bottom lines.
Additionally, if we couple encryption with processes that don’t permanently erase information, such as archaic methods like degaussing to sanitize IT equipment and storage, then we have no guarantee that the encrypted information cannot become obtained via forensics and cracked later.
Standards and compliance aren’t one in the same
Enterprises also need to think about standards and compliance interchangeably. While it’s a best practice to adhere to standards and comply with data protection regulations when it comes to maintaining data privacy across the information lifecycle, standards are guidelines outlined by a governing agency and do not guarantee regulatory compliance. Regulatory compliance on the other hand, is an organization’s adherence to laws, regulations, guidelines and specifications, relating to business processes. Failure to meet regulatory compliance can result in fines and legal punishment. When working across borders, it’s important to understand this differentiation as we’ll need to meet standards and regulations when operating in certain jurisdictions.
Certified partners can help simplify complexity here. Governing agencies can certify security solutions, ensuring the use of such tools achieves compliance with both regulations and standards. Equally, we can build these requirements into organizational policies to tackle any potential issues amounting from security breaches. In doing so, enterprises will implement preventative measures against risks. Repeatedly thinking about the entire information lifecycle and managing it appropriately to keep an enterprise’s data house in order is a method that’s both promoted and ensures laws are met.
When it comes to data management, we never use a “one and done” approach. Enterprises shouldn’t store data for a rainy day. From data acquisition, through use of the information up until disposal with certified audit trail ensures most enterprises need to practice good cyber hygiene set out by laws and standards. It’s imperative to assess the value of data through a stringent model of classification and understanding its retention period to mitigate threats. Think of data management as a journey, not a destination. And ultimately, data that has no value often becomes more of a liability than a benefit.
Maurice Ueunuma, vice president, general manager, Americas, Blancco