Data is notoriously messy. It’s clear most organizations have lost control of it – or, never had control of it in the first place. We’re stockpiling massive amounts of data in our unstructured and structured repositories, keeping it indefinitely, and bleeding it out through accidental loss, careless (but well-intentioned) sharing, unfettered collaboration, and insider theft. We don’t know what we have, who’s using it, how, or why. And forget protecting our most important data; that’s a faint, and distant, goal.
Data, and people, are the only things that really matter in this new IT landscape of borderless networks, mobility, and Cloud everywhere. All of our traditional infrastructure is changing, or going away, very soon.
If we want to control our data, we need to begin by understanding what it’s become.
Pork bellies, gold, and… data?
Data has intrinsic worth, not unlike other valuable commodities (soybeans, wheat, crude oil). There’s a worldwide market for it; you can buy it, sell it, and trade it.
A century ago, oil titans like Standard Oil, British Petroleum, and Royal Dutch Shell ruled the global economy. Now, data has outpaced oil as the world’s most valuable commodity, according to The Economist. Alphabet (Google’s parent company), Amazon, Apple, Facebook, and Microsoft are now the five most valuable companies in the world. Together they raked in $25B in net profit in the first quarter of 2017 alone.
What connects these new data titans? What is their core business? Data. My data, your data… all our data.
The new rise of an old adversary
The attacks on our data are devastating and seemingly unstoppable: spear phishing, low-and-slow APTs, targeted hacks, malware, and ransomware. The risks to attackers are minimal – many countries won’t assist the United States with investigations or extradition – and the financial upside is massive.
Ransomware is an old threat – we’ve known since the late 1980s how to defeat it. But ransomware attacks still succeed. Just ask the healthcare systems who’ve shut down their operations in the wake of recent ransomware attacks, and then paid the ransoms to get their systems back online.
Why is ransomware enjoying a successful, frightening renaissance? Because organizations 1) don’t know what their important data are, 2) don’t back up their most important data, and 3) don’t test their data recovery procedures.
Data backup and recovery isn’t sexy. It isn’t a shiny new tool or a magic bullet – it’s a basic business best practice. And we ignore it at great peril to our companies’ continued operations.
The enemy is us
The IT security industry – vendors, practitioners, analysts, academics, journalists – continues to play to a supply-side mentality about threats, while virtually ignoring the realities about demand-side data protection and data management.
How much attention do hackers and malware get? Data breaches? Lots of attention, right? Now what about building an in-house data governance function that understands data throughout its various lifecycles and enlists support from different business units and functional areas?
Crickets, right?
Our compliance-as-security worldview emphasizes buying technical tools and solutions – mainly focused on reactive threat detection and correlation – but fails to deliver the expertise, governance, staffing, integration, enforcement, or ongoing care-and-feeding needed for proactive data management and protection.
Our policy makers and standards experts aren’t helping the situation; no major information security controls framework focuses on data in its numerous dimensions (discovery, retention, access, ownership, loss prevention, encryption, archiving, etc.) as much as on software and hardware assets, vulnerabilities, networks, server hardening, patching, perimeter safeguards, security management practices, change control, and the like. Are those aspects important? Of course they are. But in a world in which data and people are the only future constants, we’re focused on the wrong things.
To me, the failures of our IT security industry echo those of our country’s nearly half-century-old Drug War. We’re attacking supply (threat) when we should be focused on demand (protection).
Attacks will never stop occurring, so long as our data has value. Never. Let’s accept that fact and move forward intelligently.
Back to basics
We need a new and simple plan for wresting back control of our data. This plan must be focused on getting to know – and really understanding – data:
- Know why you have data – understand its business value
- Know how your data is generated and collected, processed, and transmitted
- Know what your data is, where it is stored, and how to discover it (including for legal purposes)
- Know who owns, has access to, and is using your data (including third parties)
- Know how old your data is and whether anyone has used it recently
- Know how your data is backed up; do you test its recovery?
- Know how to classify your data and why (e.g., archiving, encryption, deletion, external compliance)
- Know how to detect and prevent data loss, including in Cloud and mobile applications
- Know when and why to get rid of data and how to ensure proper decommissioning
- Know what your data is worth and how to monetize it
Our ten data management principles aren’t meant to supplant your current information security or risk management priorities, but they should clearly inform and strengthen them. If you’re like most organizations, you’re going to discover major gaps that cut all the way to the core of who you are as a business.
One common gap we see is not having a clear data classification and retention program in place at the corporate / organizational level. This gap leads to ever-growing storage needs, serious access control issues, and an inability to remove and delete stale data over time. The situation is even harder to unwind when much of that data is sensitive, confidential, and regulated.
What’s most concerning to us is the “surface area” that’s left in place, and often exposed, when an attacker gains access to those data stores. Data are the soft, gooey insides to that hard, and thin, shell.
Growing your knowing
G.I. Joe said, “knowing is half the battle”. I’d suggest it’s much more important when it comes to our data. Knowing is everything.
Once we understand the size and scope of our data challenges, we can start to educate our stakeholders and plan for improved management and protection. In our view that change must be: 1) incremental, 2) measured, and 3) meaningful. It’s critical to note that our goal shouldn’t be wholesale or rapid change – inevitably we’ll create friction with established business processes and virtually guarantee pushback from the very people from whom we need the strongest support.
Rome wasn’t built in a day and our data management challenges aren’t going to be solved overnight. Let’s embrace the long, slow haul. It’s not shiny, slick, or new, but it does work. In truth, it’s the only path to success.