The Obama administration has urged closer cooperation between public and private sectors to address cybersecurity.
Though collaboration between security vendors and practitioners across all sectors is a must, many cooperative efforts has been attempted and have met with only modest success.
So what must be done to bridge the information-sharing gap between the public and private sectors and ensure that digital assets are properly protected?
Let’s begin by examining the problem to understand why, despite our enormous investment in security technology and research, our digital assets are at extreme risk. Start by looking at the trends and conditions of the country’s current state of data management.
Why digital assets are at risk:
1. Rates of data production are skyrocketing. Data files are being generated at such a quick pace as to double annually.
2. Regulatory mandates are dated. Most regulations were conceived in the early 90’s, but despite the government’s best efforts, it is nearly impossible to keep up with the latest technological innovations. As a result, most of the guidance provided by these regulations is too high-level and granular.
3. Network insiders have almost unfettered access. People have been talking about this “soft middle” of the network for a while, referring to the lack of stringent access controls for insiders. Now most organizations are saddled with the legacy of overly permissive access.
4. In a down economy, crime goes up. This includes white-collar crime and digital information theft.
5. The file systems that house data are decades old. Windows and Unix file systems were conceived to facilitate information sharing. But limiting access to file system data and auditing use came along later and were very manual. IT managers today know all too well the enormous limitations of access control list (ACL) management within file systems.
6. Data availability and data security give IT personnel conflicting objectives. Optimizing and accelerating business related access and traffic is a priority. However, keeping up with these changing business needs and data growth is a serious challenge.
The fix: Reframing the problem
How to best protect data for the long term? This discussion takes many names, including governance risk and compliance (GRC), data governance (DG) or information governance. Whatever the moniker, the goal is to spur ways to secure data as part of a holistic approach that includes all data types and stake holders.
Our biggest challenge is to change thinking altogether on security and data protection. There are three key tenets that must be part of the foundation architecture for data security:
1. Business owners must be involved. It is time for IT departments to be decoupled from the responsibility of data entitlement management. Accurate and business-appropriate data access policies are key to limiting risk, but the only way to create them is by involving the people that are responsible — the true asset owners. IT personnel have been saddled with these tasks to date because of technical expertise. People and data must be in context; data ownership detached from users responsible for securing it can raise conflicts and constitutes a gaping security risk that can only get worse as data volume grows.
2. Data use profiling is imperative to access policy creation. Knowing the business owners of data will enable organizations to define accurate and appropriate access policies. To get started though, owners must know which data belongs to them and which files contain sensitive information. Matching each owner to his or her data requires short-term monitoring of user behavior on data.
3. Any process has to be repeatable and scalable. Even in the most disciplined of organizations keeping access controls “business need to know” becomes more challenging as data stores grow and users shift roles and responsibilities. A policy for access can become dated and overly permissive within days or weeks of implementation — especially in environments that are highly distributed, and where many permanent and contract employees throughout the world collaborate on projects. Whatever the specified data protection architecture is, it has to account for the frequent monitoring, tabulation and application of access controls.
The crisis opportunity
Both public and private institutions are looking for ways to retool existing and planned data infrastructures to address the risk to information. Though the discussion will continue, the revamping process holds much promise for the emergence of a sustainable data protection strategy and reference architecture that is as innovative and robust as the technologies that let us generate and share data. The end goal should always be to have a well-vetted reference architecture available for all organizations to deploy with confidence.