One of the most significant changes in the world of security today is the loss of the concept of a defensible network perimeter.
Many legacy security frameworks and concepts are built on the idea that we can keep threats out of the entire network where we store and transact information. The reality is that most of us now operate in a cat and mouse game of identifying and containing the latest intrusions and disruptions.
However, when we look at where our organization's data actually are, they are often outside the organization's network anyway:
- Is data on employee mobile devices roaming via other networks?
- Does our information go into supplier systems?
- How many software-as-a-service solutions and other online platforms does your organization’s information wash through?
For these reasons, how we apply security has to correlate with where we choose to allow electronic information of any value to travel.
Applying Data Governance
The term “choose to allow” is used intentionally to indicate that if we have something of value, we need to apply appropriate management and protection. In other words, we need more than ever to apply data governance. Data governance is all about putting appropriate management and control directly over our information, no matter where it is.
Of course, we know that not all information is of equal value. There is no point protecting my public author bio pic with the same security I would apply to a finance system. Data classification helps us appropriately categorize our information based on:
- Confidentiality—The required level of secrecy and cost impact of unexpected disclosure
- Integrity—How tolerant (or not) any section of the information can be to being changed or lost entirely
- Availability—How important it is to have timely access to the information when we need it
- Consent—Whether there are legal requirements or restrictions in place that affect where the information can go. This applies in particular to personal information.
Data classification makes it possible to adapt the level of data governance applied to reflect the business needs, business value, regulations and sensitivity.
The reality is that data classification and data governance have been at the core of our security frameworks for a long time. We have always needed to be responsible for applying security to wherever our valuable data flows.
Change of Thinking Needed
The change is that we need to stop thinking that we can defend information en bloc within a trusted defensible network. We need to go back to the basics and apply security to the information. Wherever our valuable information will be allowed to go becomes our new security perimeter.
As an interesting example of this, an insurance company openly shared its approach to insuring against cyber attacks. The basic components were simply these:
- They would only insure information that was held in identified containers (structured or unstructured repositories) when it ran through verified methods of data exchange.
- Each repository (and data exchange route) had to demonstrate that it was going through a regular security review that was looking at security controls appropriate to the sensitivity and value of the content.
- The insurance would be null and void if any major or critical security issues had been identified and left unsolved.
Using this approach, it did not matter where the information was—only that it was known to go there and was governed correctly. What they are describing is basic data classification and data governance.
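The three insurer's conditions above can be expressed as a policy check over a data inventory: every container holding insured information must be classified, must only flow through verified exchange routes, must have had a security review within a cadence proportionate to its sensitivity, and must carry no unresolved major or critical finding. The following is an added example, not the insurer's actual policy or any code from the article; the review intervals, severity levels, route names and the sample repositories are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Review cadence per classification level. Constructed for this example; an
# organization would set these from its own classification scheme.
REVIEW_INTERVAL_DAYS: Dict[str, int] = {
    "public": 365,
    "internal": 180,
    "confidential": 90,
    "restricted": 30,
}

# Finding severities that, if left unresolved, void cover (the "major or critical" rule).
BLOCKING_SEVERITIES = {"high", "critical"}


@dataclass
class Finding:
    severity: str            # "low" | "medium" | "high" | "critical"
    resolved: bool = False


@dataclass
class Repository:
    name: str
    classification: Optional[str]         # None means the container was never classified
    exchange_routes: List[str]            # data-exchange methods this container uses
    last_review: Optional[date] = None    # date of the last security review, if any
    findings: List[Finding] = field(default_factory=list)


def assess_repository(repo: Repository, verified_routes: Set[str], today: date) -> List[str]:
    """Return the governance gaps that make this repository uninsurable.

    An empty list means the container is identified, classified, exchanged only
    over verified routes, reviewed on time and free of open major/critical issues.
    """
    gaps: List[str] = []

    # Condition 1: the container must be identified and classified so that the
    # controls (and the review cadence) can be proportionate to its sensitivity.
    if repo.classification not in REVIEW_INTERVAL_DAYS:
        gaps.append("unclassified repository")
        interval: Optional[timedelta] = None
    else:
        interval = timedelta(days=REVIEW_INTERVAL_DAYS[repo.classification])

    # Condition 1 (continued): every route the data travels must be a verified method.
    for route in repo.exchange_routes:
        if route not in verified_routes:
            gaps.append(f"unverified exchange route: {route}")

    # Condition 2: a regular security review within the cadence for its classification.
    if interval is not None:
        if repo.last_review is None:
            gaps.append("no security review on record")
        elif today - repo.last_review > interval:
            gaps.append(f"security review overdue ({(today - repo.last_review).days} days old)")

    # Condition 3: no major or critical finding may be left unresolved.
    for finding in repo.findings:
        if finding.severity in BLOCKING_SEVERITIES and not finding.resolved:
            gaps.append(f"unresolved {finding.severity} finding")
    return gaps


def insurable_repositories(repos: List[Repository], verified_routes: Set[str],
                           today: date) -> Dict[str, List[str]]:
    """Map each repository name to its gaps; an empty list means insurable."""
    return {r.name: assess_repository(r, verified_routes, today) for r in repos}


# Constructed sample inventory (hypothetical systems, not real ones).
SAMPLE_ROUTES = {"sftp-gateway", "api-gateway"}
SAMPLE_TODAY = date(2016, 5, 15)
SAMPLE_REPOS = [
    Repository("hr-records", "restricted", ["sftp-gateway"], date(2016, 5, 1),
               [Finding("critical", resolved=True)]),
    Repository("client-email-archive", "confidential", ["api-gateway", "shared-dropbox"],
               date(2015, 11, 1), [Finding("critical"), Finding("low")]),
    Repository("marketing-assets", None, ["api-gateway"], date(2016, 4, 1)),
]


def sample_assessment() -> Dict[str, List[str]]:
    """Run the policy check over the constructed inventory."""
    return insurable_repositories(SAMPLE_REPOS, SAMPLE_ROUTES, SAMPLE_TODAY)


if __name__ == "__main__":
    for name, gaps in sample_assessment().items():
        print(name, "-> insurable" if not gaps else "-> NOT insurable: " + "; ".join(gaps))
```

The check is deliberately independent of where each container lives: a repository passes or fails on whether it is classified, reviewed on time, reached only over verified routes, and free of open high-severity findings, which is exactly the point that location stops mattering once governance is applied to the information itself.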
As somebody quite passionate about cybersecurity, I take the time to look into as many breaches and failures as I can. Whenever substantial amounts of information are lost, it is amazing that in almost all cases, the root cause is that nobody correctly applied and maintained data classification and data governance processes.
If Mossack Fonseca had appropriately applied data classification and data governance to their email system, would they have operated such a sensitive repository of information with so many security vulnerabilities?
The standards laid down by effective security architecture now leverage data classification and data governance to secure information of value, wherever it is allowed to go.
Need to scare colleagues into action on data governance? Check out Meeuwisse's latest cybersecurity horror trailer on YouTube here.
Meeuwisse is the author of Cybersecurity for Beginners and is a regular speaker at ISACA conferences. His past experience includes working as a CISO, running global information security programs and writing security control frameworks. He is presenting Data Governance: Information is the New Security Perimeter at ISACA’s EuroCACS Conference in Dublin at the end of this month.