Cloud adoption and the exponential growth in data usage, storage, and transfer have made sensitive data a lucrative target for malicious actors. Sensitive data is no longer stored only in secure on-prem networks, but in various cloud and multi-cloud environments, including AWS, Azure, GCP, and Snowflake.
The dramatic repercussions of stolen or compromised customer data manifested in data-based breaches over the past two years have driven home the understanding that it’s crucial to find scalable data security products. On that note, it’s important to emphasize that tools are only part of the equation and aren’t always enough. The following are critical data security management tips and suggestions for forward-thinking CISOs and their teams, to complement their data security strategy:
- Ensure that business leaders understand – and help define – the organization’s risk appetite. Security requires a much broader effort across departments than in the past. Today, security risk has become business risk, and all teams and executives must be aware of what the organization’s risks and threats are and what the organizational data security strategy requires of them. It’s up to security leaders to identify a clear and transparent security culture, and to ensure that security tools are chosen not only for their security value, but also for their ability to support and improve business and risk goals.
- Prioritize data management. With the amount of data spreading across and outside company borders, it’s essential to understand and classify the type of data that resides in all storage locations and build a comprehensive data inventory. Proper data management helps inform decision-making processes and operational strategies, as CISOs receive a real-time view of their entire data risk surface.
- Understand who does what with the data – and why. Data usage and access have become the most important domains of cloud security and data management. Visibility into company data has become challenging enough, but today it’s also important to see, understand and manage who has access to sensitive data, what activities are undertaken using this data, and why these privileges exist. The sprawl of widely used third-party applications that require sensitive data has made data management even more challenging. Obtaining and analyzing information on these types of access privileges can help identify potential insider threats and reduce the risk of unauthorized access. Furthermore, using a policy engine to identify violations and risks can help ensure compliance with regulations and best practices.
- Continuously assess the organization’s data security posture. Point-in-time peeks into company data inventory to assess its security hygiene are not enough, as data in the cloud continues to grow at a faster rate than security teams can catch up with. Data also acts differently in the cloud. Does data reside as an entity within an entity, making it difficult for security teams to see and understand the risk? Constant governance and oversight – automated, if possible – helps these teams see incremental changes and quickly react to them, and should function as the foundation of the organization’s data security posture. Teams need to measure the results of this oversight against the organization’s risk appetite to ensure that security teams have the control they need and the information necessary to report to decision-makers on a regular basis.
- Adapt to the growth of multi-cloud platforms. Data has evolved from being stored with a single cloud provider to being stored across a number of cloud-hosted platforms. This shift drives business efficiency at scale, but exacerbates data sprawl, thereby increasing the need for security oversight. As risk grows, CISOs would do well to cover the full breadth of data migration to these multi-cloud platforms and ensure that third-party security controls are appropriate to build a comprehensive foundation to use and grow data securely in the cloud.
CISOs are on the front lines of data security and are tasked with preventing their company’s data growth from becoming a security risk, while still making sure data becomes a significant business asset. CISOs must also represent these conflicting goals in the boardroom, an increasingly challenging responsibility. Those in the data security and posture management space can become CISO champions by helping them encourage this growth for its business benefits while staying on top of data risk and its repercussions.
Liat Hayun, chief executive officer, Eureka Security