Tag: data discovery

Complying with CCPA - What are some of the landmines

The number of potential landmines for complying with CCPA is pretty high.

One of the first things is that a lot of companies don’t know how to interpret the law. We saw that with GDPR in the year before it went into effect. CCPA is a lot like it, but there are likely still questions.

Second are DSRs (Data Subject Requests) or the right to be forgotten. People are very in tune with their privacy these days and will want to act on it, not only to reduce spam, but because of the identity theft potential. The requests will likely come too fast, and companies with a lot of data containing personally identifiable information (PII) – the very thing those data subjects will be after them for – will find themselves in a position where they don’t know where to start.

Third, most have also not started tackling unstructured data that may contain that PII. Most companies are working from dated data governance policies to begin with; they haven’t updated systems, processes and procedures to include unstructured data, and they don’t have the tools in place to properly protect data. So they will first need to find what data they have (whether it is dark or otherwise) and get rid of it based on its age and usefulness.

On a separate, yet related note, as with most research organizations, a recent webinar by AITE Group touched on the privacy regulation subject. Since California has set its privacy regulation wheels in motion, and 11 other states are changing their laws in the stricter direction, the U.S. is seemingly having problems standardizing privacy laws across the nation. Arguments around who will enforce (which, by the way, was a common question with respect to GDPR), and how, can’t be decided on. And this makes sense. For Europe, there are 27 member states, so each will enforce its own, vs. the U.S. – we are one country. So while there does need to be a national data privacy law, let’s not hold our breath.

The best way to comply with CCPA and similar privacy regulations is to classify sensitive data as confidential and immediately encrypt it. This protects the data, controls user access and tracks the file wherever it travels. Rather than relying on complex classification processes to control what users can or cannot do, this approach optimizes classification and streamlines a path to protect and control your most sensitive data. You also don’t have to worry about location anymore, since the file is always encrypted and access controlled.



Thanks to all of you who responded to my last blog post regarding unstructured data security and privacy topics you’d like to hear more about. Here’s a sampling:

Why do so many data loss prevention projects either stall or de-scope? Why, with significant industry expenditures in the space, do we continue to experience record-breaking instances of data breaches and exfiltration? What are the latest methodologies and technologies security and privacy executives should consider implementing to protect their sensitive data and comply with stricter and more pervasive privacy regulations such as GDPR and CCPA?

Whew, that’s a lot of ground to cover – but, it confirms the complexities that surround unstructured data challenges and the uncertainties security and risk professionals face as they consider ways to attack the problem.

So, here’s what I am going to try to do over the next 90 days – between this blog, our upcoming webinars and my session (Tuesday the 18th @ 10:45 am, Potomac A, Ballroom level) at Gartner’s Security and Risk Management conference next month (oh, and come visit our booth #563) – essentially, offer an insider’s playbook to implementing an unstructured data security program while enabling privacy controls. Whether you are migrating from existing DLP point solutions or wondering where your unstructured data lives today, my goal is to provide a life-cycle perspective on the best methodologies and how to avoid the pitfalls that have plagued enterprise projects. Learn ways to streamline, simplify and fast-track your unstructured data project to protect it and comply with privacy regulations.

Fasten your seat belts and stay tuned!

So, in my last post, I mentioned a series of webinars and thought this would be a good opportunity to provide a little preview into some of the topics we’re planning on discussing.

Unstructured data, of course! But what about it? I’ll be discussing the challenges… kind of a “What I heard from you as a Gartner data security analyst” in a “How to navigate through the maze of methodologies, governance and technologies” sort of way.

Unstructured data is a live and growing thing that often gets overlooked. Remember the “Wild Wild West” comment from my last post? So I’m here and excited to help you discover new, simpler approaches to gaining visibility and control over the growing unstructured data all organizations are facing: how to discover, classify and encrypt unstructured data, and how to prepare for and adhere to privacy regulations like GDPR and CCPA.

If you are a CISO, DPO or CDO, or even a business unit lead within your organization, you should join these sessions. If you struggle with what functions to automate, or are trying to get out from under or improve the traditional rules-based approach, you should join. Would you rather have your staff spend less time fielding false positives and more time on the things that really matter? Please join and learn how Fasoo’s extensive product capabilities can help.

Here’s the thing… maybe I didn’t hear EVERYTHING, so I’d like to shout out to the readers… I would love to get your thoughts and suggestions, and field any questions. I want to hear from you and keep the conversation alive. In the meantime, stay tuned… I’ll be back.

Data security expert Deborah Kish joins Fasoo

Me! After over 20 years with leading IT consultancy, Gartner, I am excited to announce that I have recently joined data security vendor Fasoo. At Gartner, my focus on enterprise data security and compliance challenges, products and technologies led me to really understand the significance of the “Wild Wild West” nature of unstructured data. On average, I advised 30 CISOs and CIOs and other security professionals every month on the challenges they face with respect to data security and privacy.

At Fasoo, I will lead marketing and product strategies in the unstructured data security and privacy space and will do this through a series of webinars, white papers and blog posts. My mission is to provide end user organizations insights into how Fasoo’s extensive suite of product capabilities can help meet data security and privacy goals because arming your organization with the right tools is an important step toward protecting unstructured data. I will also help guide organizations through the file and people centric approach that will foster stronger unstructured data security and privacy controls.

I’ve often said in my previous role at Gartner, “It has never been a more important time to be a data security analyst,” and that translates to my passion for helping organizations get this problem under control. I hope you will join me in the journey. Stay tuned.

By Deborah Kish – EVP Research & Marketing

Classify sensitive data as confidential and encrypt it

Data discovery and classification is an important first step to protect your confidential data and comply with privacy regulations. You need to identify the location of your data and its value to your organization before determining how to protect it. Done right, this leads to a data-centric security and compliance program that is critical to your corporate brand and competitive advantage.

Unfortunately, many discovery and classification projects stall or fail because solutions try to address all data needs, not just security and privacy. Organizations get caught up in the process and lose focus of the goal, which is to protect and control sensitive information.

There are different approaches to data discovery and classification. Content-centric approaches, like DLP, use predetermined workflow rules to control data usage. They try to classify data using complex rules and then control its movement. You may have 20 rules that try to determine if a file you are emailing contains sensitive data and another 20 to make sure you don’t copy that file to a USB drive or a cloud location.

Context-centric approaches apply rule-based analytics to assess user behavior to minimize the risk of insider threats. This might look at who creates a document, where they move it and when it was last accessed.

These rule-based approaches attempt to model everything data and users can and cannot do. They require extensive data classification and rely on maintaining a very complex set of rules. They gather a lot of data about your data so they can attempt to determine all possible outcomes.

These approaches complicate data discovery and classification and make it difficult to protect and control sensitive data, which is your ultimate goal.

A better approach is to classify sensitive data as confidential and immediately encrypt it. This protects the data, controls user access and tracks the file wherever it travels. Rather than relying on complex classification processes to control what users can or cannot do, this approach optimizes classification and streamlines a path to protect and control your most sensitive data. You also don’t have to worry about location anymore, since the file is always encrypted and access controlled.

The goal of discovery and classification is to understand your data and protect it. Streamline that process by encrypting sensitive data and controlling its access, rather than wasting time developing and maintaining complex rules that focus on all the things users can and cannot do with it.
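As an added example (not Fasoo’s code and not from the original posts), here is the discovery step described in this post, combined with the two needs raised in the CCPA post above: answering a data subject request and disposing of PII-bearing files by age. It scans a constructed in-memory corpus of unstructured text for PII patterns, classifies any file with a hit as confidential, looks up every file mentioning a subject’s e-mail address, and lists confidential files past a retention window. All paths, contents and dates are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample corpus (not from the page): path -> (last-modified date, text)
FILES = {
    "shared/hr/offer_letters_2012.txt": ("2012-03-01", "Offer for Jane Doe, SSN 123-45-6789, jane.doe@example.com"),
    "shared/sales/leads_q2.csv": ("2019-04-20", "name,email\nJohn Roe,john.roe@example.com"),
    "shared/marketing/slogan.txt": ("2019-05-01", "Protect what matters."),
    "laptops/bob/old_customers.txt": ("2015-07-15", "jane.doe@example.com called about invoice 4471"),
}

# Simple content rules for the PII types this page talks about; real scanners use many more
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def discover(files):
    """Inventory every file; any file with a PII hit is classified confidential."""
    inventory = []
    for path, (modified, text) in files.items():
        hits = {kind: pat.findall(text) for kind, pat in PII_PATTERNS.items()}
        hits = {kind: found for kind, found in hits.items() if found}
        inventory.append({"path": path, "modified": modified, "pii": hits,
                          "classification": "confidential" if hits else "internal"})
    return inventory


def confidential_paths(inventory):
    """Files that should be encrypted and access controlled right away."""
    return sorted(f["path"] for f in inventory if f["classification"] == "confidential")


def dsr_lookup(inventory, subject_email):
    """Data Subject Request: every file that mentions this person's e-mail address."""
    return sorted(f["path"] for f in inventory if subject_email in f["pii"].get("email", []))


def retention_candidates(inventory, today, max_age_days):
    """Confidential files last modified before the retention window are disposal candidates."""
    cutoff = datetime.fromisoformat(today) - timedelta(days=max_age_days)
    return sorted(f["path"] for f in inventory
                  if f["classification"] == "confidential"
                  and datetime.fromisoformat(f["modified"]) < cutoff)


if __name__ == "__main__":
    inv = discover(FILES)
    print("confidential:", confidential_paths(inv))
    print("DSR jane.doe:", dsr_lookup(inv, "jane.doe@example.com"))
    print("older than 3 years:", retention_candidates(inv, "2019-06-01", 3 * 365))
```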

Discover, Protect and Monitor access to your sensitive data

The barrage of data breach news on the front page should come as little surprise to any of us. The more data stored and sent digitally, the more we expose ourselves and the more breaches occur. With all the resources and money spent on preventing a breach, we might think it reasonable to expect the number of reported incidents to decline. Yet this is not what we see.

According to the Identity Theft Resource Center (ITRC), just this year to date, there have been 725 reported breaches. The traditional security model of guarding the perimeter is not adequate. Today’s challenges require a layered Data Security Framework. So, what should this framework contain to take the right preventative or restorative actions?

For businesses, getting insight into and control of their critical files is essential. This includes any new file that is created and saved and any existing files containing sensitive information. Many businesses are significantly challenged with gaining visibility across their environment to understand the location of their sensitive files. They don’t know how many copies or derivatives of a file are floating around on desktops, laptops, file servers, mobile devices, etc. and are not in a position to take appropriate action to secure and control them. Discovery is the first layer to add to a company’s security posture. This helps you find things.

Once the discovery process is completed, you are ready to protect your sensitive information using encryption. When the topic of encryption comes up, most associate it with protecting information when it is stored or when it’s transmitted over insecure channels, such as the internet. Many often miss the need to secure sensitive files when they are in use. This is the time when these files are at the most risk, since a user can do anything with sensitive data when they have a file open. The best method to achieve security today is through data-centric security for persistent protection of information.

Another layer for an effective data security framework is monitoring activity related to sensitive files. The ability to tie in data from various security technologies, including firewalls, DLP, databases, and even physical security (e.g., entry/exit data from keycard or biometric systems) and employee attendance records can help a business review risky activities and after suitable investigation, help decide whether or not to take action to address them.

A complete framework is required for companies to continuously adjust their security position dynamically to prevent damaging data breaches. Current challenges dictate that a good data security framework take into consideration both human and technological aspects. At a minimum this framework should include regular updating of traditional security measures already in place; educating and training employees; a current data breach response plan; and, most importantly, data-centric persistent security technology measures.

Fasoo Data Security Framework

The internet, its commercialization and all its technological advances have changed the way of the modern world. Unlimited information is available at the touch of a button; tasks that used to take time and effort are now much simpler. All this technology created the opportunity for companies to find new and creative ways to grow revenues, and data collection has become an essential component of many business operations.

As data is moving and multiplying at a rapid pace across boundaries, platforms and applications, users have the ability to access data in a variety of ways and data very rarely stays within the secure perimeter of an enterprise anymore.

With more and more sensitive data residing outside of the corporate perimeter, locating, securing and controlling this data presents a significant challenge. The traditional security strategies that businesses have been relying on are no longer the viable option they once were.

Businesses need to understand the risks to their data, keeping up to date with the constantly evolving threat landscape. You shouldn’t be protecting the crown jewels of your business using only perimeter security technologies, since it’s obvious that they are no match for today’s criminals.

In our current perimeter-less world, many CISOs realize that data-centric security is the best method to secure sensitive data. They realize that data is vulnerable to security breaches and theft and that encryption should go down to the document level to ensure that any document is safe where it is stored, while it is in transit, and when it is being viewed by any authorized users. Security is now becoming part of every stage of a document’s lifecycle — from creation to transmission, storage, editing and retrieval.

Three building blocks are key to building a data-centric security framework:

1. Data Discovery – The ability to implement a data security and governance strategy begins by identifying sensitive data at the source, wherever that may be. Security has to travel with the data, no matter where the data goes. By identifying and analyzing sensitive data, enterprises can focus on managing and securing it. Data discovery allows you to understand relationships between users and the data that is created. It helps you see how information multiplies and proliferates within the perimeter and how it’s used by different groups, lines of business and mobile applications.

2. Policy-based encryption and usage governance – This enables you to secure data and define the types of data an authorized user can access based on their role. Organizations need a baseline level of security that meets the overall company policy, but also higher security levels and controls for specific business units or users that need them. A customer service representative may only need to see a customer’s order history, but not financial information. Limiting what data authorized users can access and what actions they can take on it can greatly reduce the ability of a current or former employee to expose or steal sensitive data. This approach can further demonstrate that an enterprise is enforcing security and privacy regulatory policies.

3. Risk Management – It is essential to visualize and manage risks by correlating logs of authorized data usage with other user activity. Having a comprehensive view of how sensitive data exits the perimeter, or of when sensitive data appears where it is not supposed to be, gives business managers a point of intervention for risk management.
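As an added example (not Fasoo’s code and not from the original posts) of the risk management building block above and the monitoring layer from the previous post, which both call for correlating the usage log of confidential files with other activity such as keycard entry/exit data: the code flags a confidential file opened on an on-site workstation while the user is not badged in, and a confidential file opened from a host outside the perimeter. All events, users and host names are constructed.

```python
# Constructed sample events (not from the page). ISO-8601 timestamps in one time zone
# compare correctly as plain strings, so no date parsing is needed here.
ACCESS_LOG = [  # usage log of encrypted files, one record per open
    {"ts": "2019-05-14T09:05:00", "user": "alice", "file": "payroll.xlsx", "host": "hq-ws-12", "class": "confidential"},
    {"ts": "2019-05-14T22:40:00", "user": "bob", "file": "board-deck.pptx", "host": "hq-ws-07", "class": "confidential"},
    {"ts": "2019-05-14T11:15:00", "user": "carol", "file": "lunch-menu.pdf", "host": "hq-ws-03", "class": "public"},
    {"ts": "2019-05-14T10:00:00", "user": "dave", "file": "customer-list.csv", "host": "home-laptop", "class": "confidential"},
]
BADGE_LOG = [  # physical-security keycard events
    {"ts": "2019-05-14T08:50:00", "user": "alice", "event": "entry"},
    {"ts": "2019-05-14T17:30:00", "user": "alice", "event": "exit"},
    {"ts": "2019-05-14T08:55:00", "user": "bob", "event": "entry"},
    {"ts": "2019-05-14T18:05:00", "user": "bob", "event": "exit"},
    {"ts": "2019-05-14T09:00:00", "user": "carol", "event": "entry"},
]
ONSITE_HOSTS = {"hq-ws-12", "hq-ws-07", "hq-ws-03"}  # workstations inside the perimeter


def on_site(user, ts, badge_log):
    """True if the user's most recent badge event at or before ts is an entry."""
    last = None
    for e in sorted(badge_log, key=lambda e: e["ts"]):
        if e["user"] == user and e["ts"] <= ts:
            last = e["event"]
    return last == "entry"


def risky_accesses(access_log, badge_log, onsite_hosts):
    """Correlate confidential-file usage with badge data and host location.

    Returns (user, file, reason) tuples a business manager should review.
    """
    findings = []
    for a in access_log:
        if a["class"] != "confidential":
            continue  # only sensitive data is in scope
        if a["host"] not in onsite_hosts:
            findings.append((a["user"], a["file"], "confidential file opened outside the perimeter"))
        elif not on_site(a["user"], a["ts"], badge_log):
            findings.append((a["user"], a["file"], "on-site workstation used while user not badged in"))
    return findings


if __name__ == "__main__":
    for user, path, reason in risky_accesses(ACCESS_LOG, BADGE_LOG, ONSITE_HOSTS):
        print(f"REVIEW {user} {path}: {reason}")
```

Either finding is a starting point for investigation, not proof of wrongdoing; the value is in having both logs joined in one view.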

Clearly data is imperative to conduct business today and this brings the need for security and protection of sensitive data; all the time, anywhere. A data-centric security framework does this and even goes further to provide enterprises with the ability to revoke all access to data as needed.
