Last Wednesday’s Coffee Talk dealt with the important area of, “Risk-Based Application Classification.” The session host was Troy Keur, Director of Solutions Advisory at Simeio Solutions. Here are some of the highlights from the session.
Why should organizations care about data risk management, and how do you define corporate crown jewels?
The first thing to understand is what we mean by “crown jewels”. For all mission-critical applications, the money is in the wealth of accumulated data. We find that most companies are flying blind when it comes to managing their data. It’s surprising how many don’t know where the applications are, who has access, and who should be accessing them. The problem is, while most organizations focus on protecting their perimeter, all of the data is inside the squishy middle.
Most security programs reside within IT. Unfortunately, breaches often occur where IT has no control over the devices. For example, an x-ray machine within a healthcare facility, where that device is tied to a line-of-business. So, it’s important to work from the business side and work back through the entire value-chain for a product. There needs to be a bridge between business management and the CISO. If you look back at Target Corporation’s breach, it was an HVAC contractor that had access but hadn’t done anything for the organization for six months. Unfortunately, he wasn’t off-boarded, leaving those systems vulnerable.
Data management is complex. There is no one-size-fits-all. Those who continue with that approach are going to find themselves going down a rough road. The future is in user entity behavioral analysis or UEBA. And the ability to tie UEBA with identity, and associate it to risk. Because data is so widespread, it’s impossible to get your arms around it any other way.
How does an organization go about understanding the risk?
Understanding data risk is now essential for any enterprise because it’s being mandated through regulations, like GDPR and CCPA. In fact, at least twenty-nine states in the U.S. are working on privacy and personal information legislation. If you don’t understand your risk, and there is a breach, there will be significant penalties, potential brand erosion, and revenue loss.
Understanding data risk can be a real challenge, given the many different types of data. There’s machine data, structured data that resides in databases, and possibly the most problematic, unstructured data. This type of data is everywhere; in shares, folders, and shared through links for Office365 users.
Historically, data classification has been a difficult process, but now vendors are taking unique approaches towards understanding diverse data and prioritizing risk. With effective measures in place, you can more clearly discern where your controls need to be, prioritize the risks, and put a roadmap in place. But, the crucial first step is really knowing and understanding your risk factors.
What exactly is all this machine, structured, and unstructured data?
Data comes from many sources, such as business systems. The manner in which people work with these systems, and use the system data, is what extends and multiplies the risk. Employees access business applications and pull reports. Those reports can contain sensitive information. Someone will go into Salesforce, pull down an export data, and save it within a spreadsheet. Those spreadsheets can contain sensitive data. Having the right controls around the data, as it moves and is repurposed throughout an organization, is critical. – Clearly knowing and enforcing who can access it, and how they can use it will ensure you have the right protections in place.
With the increasing move to the cloud, how can we protect our most sensitive information assets?
It starts with identifying the source and content of what your company deems sensitive. The information can be intellectual property, for a manufacturer. For a bank, it might be a merger and acquisition data. For a healthcare provider, it might be patient records. The sensitive nature of the data will depend upon the type of business.
As we move applications to the cloud, our data moves to the cloud. There may be certain industries, where regulators won’t allow sensitive data to be in the cloud, while other industries may do so, as long as there are controls in place.
Cloud providers must go through ISO and SOC certifications, to ensure that private information is protected. So, it’s important to make sure the cloud provider is able to support your data. Additionally, it’s critical to understand your workflows. Shadow IT can produce a significant risk to an organization, where SaaS apps aren’t tied to the corporate IAM system. Again, this is all about knowing what and where the data is, and being able to control it. The multi-cloud challenge is a people, process, and technology problem. Fortunately, there are new software solutions that address these issues. Digital transformation is causing us to address myriad challenges. It’s not just about data, infrastructure, or IAM. It’s a new perimeter-less ecosystem challenge that needs to be integrated properly.
How do you see remote workforce evolving from an IAM perspective in 2021, and beyond?
COVID-19 has caused many organizations to rush forward with remote workforce enablement, without system-wide visibility, access, and integration. As the remote workforce evolves, it will take on a different level of priority. This is where classifying the applications comes into play. We need to prioritize applications that are most critical. What would happen if your most important application went down? How would that impact the business? These are questions that need answers, so you can create a defensive posture. Identifying your most critical applications, understanding the risk, and knowing how to protect them is imperative, particularly, if you’re providing remote access to those applications to a majority of your workforce.
I don’t think the entire context of the remote workforce has changed because of the pandemic. I believe this is the direction we were always headed. It’s just that COVID-19 has accelerated the move by many organizations by five-to-eight years. Those in the middle to later stages of their digital transformation journey, know this is critical and foundational table-stakes.
We’ve just touched upon some of the conversation. If you want to learn more, you can watch this, and other on-demand Coffee Talk sessions at https://www.brighttalk.com/channel/17142.We hope you can join our next Coffee Talk where you can chat with IAM experts, ask questions and gain insights into how you can lower operational costs, and achieve greater security and privacy using IAM. Click here to sign-up.