How to build a secured data protection strategy?

In Southeast Asia, many organisations have adapted to remote or hybrid working schemes over the last year and as a result, enterprise workloads have had to shift to cloud-based environments.

To make the transition to more distributed resources outside central hubs like the traditional office faster, many organisations have adopted third-party Infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) offerings.

With this transition comes a new set of security challenges that organisations need to address quickly. According to the latest Thales Data Threat Report 2021, Half (50%) of businesses report that more than 40% of their data is stored in external cloud environments. Despite this, only 17% of businesses have encrypted at least half of their sensitive data stored in the cloud. A great deal of company data is now being held in and worked on in the cloud, and much of it is sensitive.

Organisations are also working with a growing number of third-party service suppliers, adding another layer of potential threat to enterprise cybersecurity. In a bid to accelerate their digital transformations, companies may overlook vulnerabilities that could expose sensitive company and customer data. A strong focus needs to be placed on cloud security and distributed access management.

There can also be a tendency to treat data security the same way as cybersecurity. While both share some common features, there are still key differentiators:

Cybersecurity is the prevention of damage, along with an overall protection of exposed electronic systems, both on and offline. Data security lies within cybersecurity, and is the protection of the actual information – ensuring data isn’t accidentally or intentionally modified, damaged, or disclosed to unauthorised parties.

Data can be classified at various levels and protected in different ways. To avoid a data breach CISOs need to understand the required data security levels, and assess the type of protection needed.

Step 1: Discover and Classify Data

It is seen with a lot of customer engagements that customers think they already know where their crown jewels, in terms of highly sensitive data, already are. However, after undertaking a structured data discovery and classification exercise the results have always surprised them. They always get to find out data sources that they never thought would have any sensitive data to be worried about.

What is not to be lost in all this is that if you are part of an organisation that increasingly relies on Information Technology to conduct its business. You have likely seen more and more business processes getting digitised recently then you can almost be certain that the data is growing at an exponential pace in your organisation. To find out which all parts of this overall data set is sensitive and critical to your business and your customers is a task of utmost importance that needs help from an automated platform to discover this data and classify in terms of its sensitivity for the purpose of various number of regulations (of PCI DSS, HIPAA, PII, ISO27001, GDPR etc.) as well as business survivability (loss of business reputation, legal costs etc).

That being said, while you may still be tempted to go straight to step-2 below i.e. encrypting the data that is already known to you, rest assured that not planning for Data Discover and Classification is likely to leave you much more vulnerable than you probably imagine.

Level 1 data can be considered public data – things like published data, information directories, or product catalogues, for example.

As the levels get higher, the data gets progressively more confidential. Examples might include patent applications and research drafts (Level 2), and personal data like personnel records and other information used to identify individuals that might fall into privacy laws’ jurisdiction – Level 3.

Level 4 data is considered high risk, which, if exposed, could cause severe damage to the organisation, the individual, or both. This includes social security numbers, credit card details, personal healthcare info, even research data which if compromised, could cause financial, legal, and reputational damage to those involved.

At the highest level – Level 5 — resides personally identifiable information that could result in significant damage, including things like loss of insurance coverage, employability, or even criminal liability.

Step 2: Encrypt where it matters

The most secure way to protect data is via encryption – where data is converted using a code that hides its true nature. With encryption, data cannot be read without the right encryption key(s), thereby keeping unauthorised eyes out.

While almost all the products and cloud platforms facilitate some sort of native encryption they all lead to creation of encryption silos that are hard to manage in an enterprise environment besides leaving the data in the clear as the data moves from one platform to another platform – say from Azure Cloud to AWS Cloud. Given that the data can reside in multiple form factors of files, folders, storage devices, databases, cloud, applications etc., having to have a platform that allows you to scale the encryption of this data across these multiple touch-points is crucial to manageability of encryption in an ever evolving and growing enterprise environment.

Furthermore, not all the data has the same sensitivity and value, and requires the same levels of protection. So, while the processing power has evolved to a point whereby any impact on performance due to overhead computational requirement on the part of encryption can be managed through power servers, it still may be worthwhile considering to apply encryption on selective basis. So, while it is not at all a bad strategy to “encrypt everything”, you certainly must “encrypt where it matters”. Having said that, the previous step of data discovery and classification comes very handy to prioritising your efforts in applying encryption. So, choosing a platform that allows you to seamlessly do both i.e. remediating a highly sensitive data discovered, through encryption, is quite an important aspect for enterprises.

Step 3: Management of Encryption Keys

Once the data is encrypted (or in certain cases tokenised, masked, or signed), then the value shifts from data (as the data itself is now encrypted) to the encryption keys. Secure management of these keys is an integral and critical part of any data protection strategy.

Imagine having encrypted all the sensitive data but the access to the encryption keys having been acquired by the malicious user/attacker. Essentially, the attacker can walk away with all the encrypted data along with the encryption keys and hence can decrypt the data at his will and convenience.

By separating the encryption keys from the data, keeping those keys isolated in a secure and tamper proof environment disallowing anyone to take out those keys, rotating those keys at regular interval, enforcing the access to those keys, auditability of the usage of those keys etc. are all important part of managing the lifecycle of encryption keys in a centralised way. As mentioned earlier during the discussion on Step-2 above, centralised management of keys plays an equally important role in overcoming the otherwise sprawl of encryption keys that is hard to manage.

Enterprises that want to utilise the cloud fully should look to BYOK/HYOK (Bring Your Own Key / Host Your Own Key) practices. This practice refers to storing encryption keys in a separate cloud HSM or key manager, secured with FIPS-2 or 3 level protection. If general cloud assets are compromised, the attackers will not be able to obtain a separately hosted key.

Step 4: Secure Remote Authentication and Access Management

Finally, having a robust and secure way of authenticating the users that tend to vary in the sensitivity and criticality of the functions they perform, role that they are in, and hence the sensitivity of data that they touch upon, requires a slew of authenticators that fit in with their job profile. Having an authentication platform that allows you to scale up and down in terms of strength of authentication i.e. going from user-name and password to one time password or grid based password to PKI Smart Card based authentication is the need for any reasonably large organisation.

Furthermore, ability to track the parameters of geographical location from where the user is accessing the application or data source from, the time of the day, the IP range of access etc. all play an important role to deciding whether the access to a specific resource shall be granted or not.

Finally, having to enforce a single sign on mechanism that hides the underlying complexity of authenticating the resources across the organisation and making it user-friendly and yet bringing in the appropriate level of authentication as per the sensitivity of the resources being accesses, makes the life whole lot easier and hence improve the adaption of authentication solution and hence improve the security posture.

Today’s remote working environment relies heavily on the collaborative sharing of information, challenging organisations to maintain the security of confidential data. It is time to consider security beyond the perimeter and protect what matters. If you would like to get started on your data protection journey, download this complete 3-in-1 kit and obtain all the information you need to secure your data.