Do you know where your data is?

[5 min read]

And who has access to it?

When I talk to CEOs and security professionals about data security, the one question that continually trips them up is - do you know where your data is?  They tend to stumble over this question because they initially focus on their production data locations, without thinking about the plethora of other places sensitive data may find itself. For a security professional this is a major problem because if you don’t protect your data you are at risk of a data breach. With data breaches on the rise, now is the time for organizations to build a data security program in which CEOs and security professionals can easily identify the location of their sensitive data and who has access to it. 

Where is my data?

This might seem like a simple question to answer, but the responses I get often focus on production systems only. It is understandable that people immediately think of their customer applications when asked about data security. The problem is that customer data isn’t only stored in production systems. Data is typically stored in some kind of “data container” such as an asset e.g. a computer, a server, a thumb drive, etc. What has changed today is that we don’t always manage these assets directly, instead we rely on third-party services managed by IaaS, PaaS, or SaaS providers. From cloud services providers, such as AWS,  to productivity tools like Slack, our data now resides in the cloud. So, when thinking about where our data is, we need to expand our definitions to include everywhere and anywhere data may have transited.  To properly protect your data, you need to know what type of data exists within each asset and who has access to that data.

Just as importantly, customer data isn’t the only valuable data you have. Consider the other types of valuable data that your company might store. You have employee data, trade secrets, proprietary source code, financial information, and many other sensitive data types that could be damaging to your organization should it be breached or become unavailable to you. 

Do you have an inventory of your data?

Reverting to my original question about knowing where your data is stored, my follow-up question is generally, do you have a full inventory of all “data-containers” being used?  And as you guessed, the inevitable answer is “no”. So the overall challenge increases.  How can you realistically protect data if you don’t have an inventory of all the places it is stored, and who has access to it?  

STEPS TO PROTECT YOUR COMPANY DATA

Here are some of the key steps you can take to protect your data.

• 1. Conduct a systems inventory
• One of the first steps you should take to protect your data is to conduct a full inventory of all systems supported within the organization and assess them based on criticality. Not all systems will contain highly sensitive information, or be critical to the operations of the company, but without conducting this assessment it is impossible to identify those that do. Then you can get more specific and evaluate which systems you use that should, or need to, contain information. Often, this type of assessment will reveal that some information is held in multiple places unnecessarily or that it is stored in the wrong place in which case,  remediation is simple.  This data inventory process provides the opportunity to define the “to be'' state so it can be compared against the “what is” state.  It is impossible to determine whether systems are operating in compliance if we haven’t defined what compliance should be from the start. For example, how do your employees know not to send sensitive customer information via Slack if you haven’t defined a policy telling them that this is not allowed?  Therefore, conducting a systems assessment and inventory is a great first step to help you understand where your data is stored.

•  
• 2. Control systems and data access
• The second step is to ensure you understand who has access to each system and at what level.  Are they a simple user with limited access or are they an administrator who can handle exporting data? The onboarding and offboarding process for staff is a critical process in controlling this element of who has access to sensitive data. Documentation should be stored in a data security system that outlines each employee’s access and their role in using each system. Again, that is impossible to do if you don’t have a complete inventory of all your systems. 

The importance of the role that employees play in data security is highlighted when you look at how data is most commonly breached today.  Often, data breaches in today’s cloud-based environment are not the result of brute force attacks into physical infrastructure, but more commonly due to incorrect access by employees. This occurs either through misconfigured permissions or through the absence of an offboarding process where a user’s access role is changed when they either move to another role or leave the company. A recent report indicates  “a grand total of 94% of organizations had an insider data breach in the past year, with 84% of the data breaches resulting from human error.”  To demonstrate that you take data security seriously, an auditor will not only require that you show clear processes for who should have access to critical systems, but that you can also show who authorized the access rights. This kind of reporting is essential when undergoing security audits such as SOC 2 and HITRUST.  

[Read more: How to prepare for a SOC 2 audit]

•  
• 3. Understanding critical data
• The next step is to rate your data based on how critical it is to your business. This can be done through a criticality assessment and your data security tool should make this process straightforward. The assessment will allow you to determine how important data and/or the data container is to your business, based on the importance or sensitivity of the data.  For example, does the asset contain regulated data such as Personally Identifiable Information (PII), Payment Card Information (PCI), or simply trade secrets, such as proprietary source code?  Once your full asset inventory has been defined and the criticality assessment is complete, you can prioritize your procedures around those assets that are defined as “Highly Critical” and “Critical”. This will enable you to implement appropriate risk mitigation measures where they will have the biggest impact. This process is also foundational for any risk management program you want to implement.

•  
• 4.  Maintain control of your data
• Since all data must be contained within an asset, and should only be accessed by authorized users, understanding your asset inventory and controlling the access control process are significant components in building a data security program. This becomes the foundation for all policies and procedures, business continuity, disaster recovery, and risk management. Maintaining data security is a long-term commitment and not a one-off activity. Using an integrated risk management tool to help with data security is essential to avoid struggling with complicated spreadsheets that can easily become outdated.

Ostendio MyVCM is a single, integrated Cybersecurity and Risk Management platform that works in conjunction with all business operations to deliver perpetual security that's always on, always secure, and always auditable.

The solution to data security

To answer the question - do you know where your data is? - CEOs and security teams are turning to tools to help them build, operate and showcase their data security programs. For example, the Ostendio MyVCM platform puts its asset module at the core of the platform and we help companies build data security programs that meet the needs of their organizations. The asset module is a critical part of the data security process. By leveraging Ostendio MyVCM, companies have an organized way to track all asset types from hardware, software, SaaS, PaaS, IaaS and define the criticality of the asset, what type of data should be stored within the asset, and manage who has access to the asset. Using MyVCM, this essential information is easy to show when undergoing a data security audit such as SOC 2, FedRAMP, or HITRUST.

Last year, the Ostendio MyVCM platform was used by customers to handle over 1 million platform user activities and 1,300 assessments. To find out more about the asset module and how you can know where your data is, set up a time to talk to an expert at Ostendio.