Building a data protection framework
With the common maxim today being that data is more valuable than oil, there’s no doubt it’s one of the most important assets a business has.
With record fines starting to be imposed on companies failing to protect customers’ data, its protection is fast becoming a top priority for organisations. The challenge is ensuring it’s kept safe and secure, while also being readily available to employees who need it, and guaranteeing its integrity and confidentiality.
So where should a company begin? Tallen Harmsen, head of cyber security at IndigoCube, says a business must have visibility into and around its data to begin building a data protection framework. “You have to know how it’s being consumed and who’s consuming it, otherwise you can’t implement a framework of policies and controls to protect it. The standards are important, but it’s also important to work backwards once you know what needs to be protected. When you know what personal customer information you have, who’s using it, and how, then you can implement the policies and controls, encapsulated in the standards such as ISO, necessary to protect it. Beyond that, you must also ensure that with the processes, you have the correct technologies to support them and people who apply them.”
He says the most effective way to secure data is to ensure that business people take responsibility for its protection. “They must own the data. The people who create, work with and consume the data every day are best positioned to secure it, and IT must support them. There are tools to support this too, such as AI and, more often, machine learning, because it can figure out, at the speed of computing, when something has gone awry in the way data is being used.”
Data protection needs to be approached not from a technology perspective, but from the perspective of holistic data management, adds Lukas van der Merwe, specialist sales executive: security at T-Systems, South Africa. “Organisations need to do the work to understand their data and the potential risks before they’ll be able to guard against breaches, whether these are security- or compliance-related. It’s essential to understand where the risks lie and what the impact of an event will be, and then to determine, for each identified risk, what safeguards need to be put in place to prevent exposure.
“Data protection goes beyond data loss prevention software, although this is a part of a solution. It includes identity and access management, endpoint security, encryption and many other tools, policies and protocols working in concert to ensure data integrity. It all begins with assessing risk and obligation first, and then building an appropriate framework from there. Finally, the human factor shouldn’t be ignored. Large percentages of data breaches are still caused by human error, compromise through phishing attacks and stolen or malware-infected devices. Organisations should continuously improve awareness and enforce appropriate behaviours such as adherence to password policies, avoidance of phishing schemes and other best practices.”
Down to the nitty-gritty
According to Ethan Searle, technology advisor at LanDynamix, it’s important to approach data protection holistically and within the context of the specific organisation. “Begin by understanding the business at a highly granular level. How does it generate revenue? What data does it use to do so? How is that data accessed? Where is it stored – on-premise or in the cloud? What redundancy is there in the whole system? How are your employees accessing that data? Once that is clearly mapped out, consider how that data is being, or should be, protected.”
There’s no silver bullet when it comes to data protection, he says. Too often, companies treat technology as a solution. It certainly has a role to play, but it needs to be complemented by business processes and user education.
Data protection must be aligned with how the company’s data is structured and used. For example, the move to Office 365 has made it much harder for hackers, says Searle. “Unlike Exchange, Office 365 has Advanced Threat Protection, which uses analytics to detect phishing, impersonation, and unsafe attachments and links. Hackers are now focusing on targeting end-users as a way into the network. For example, because users access email via their mobile devices outside of the corporate firewall, hackers can use the device to gain access to all emails. The end result is that emails pass through the hacker’s server before they reach the corporate system, and this gives the hacker access to information like who suppliers are and what invoices are being sent.
“We’re seeing invoices being intercepted and account details changed before the email continues on its way. The only way to counteract this kind of activity is to ensure that your business processes are well designed, including how payments are approved, whether or not bank accounts are verified by the bank and similar,” Searle says.
Gregory Dellas, security pre-sales, CA Southern Africa, believes that building a strong data protection framework begins with an executive-level commitment to the concept of privacy for both the organisation and its customers. “Having established the strategic commitment, an organisation can begin implementing standards-based frameworks such as ISO 27001, which provides excellent resources and a respected community with which to engage. It’s important to ensure data protection officers are empowered to implement, as well as maintain, the data protection framework with the right security toolset. Data protection will always be an ongoing exercise. A data protection framework must follow multiple controls and approaches to be effective.”
Dellas believes there are two critical controls for organisations – data minimisation and data mapping – which are addressed in various standards and regulations, such as PoPI and GDPR. Data minimisation means the controller must implement appropriate technical and organisational measures to ensure that, by default, only the personal data necessary for each specific purpose of the processing is processed; minimising the data stored and processed is the simplest way to minimise the overall risk to the organisation. “Data mapping is essential for any organisation to know where its data is held, along with collection inputs and data outflows, as a beginning to an effective data protection policy. It sounds simple in theory, yet many organisations will struggle with responding to data subject access requests, due to lack of comprehensive data mapping,” says Dellas.
The introduction of GDPR and PoPI has changed the face of data protection in other ways too. According to Van der Merwe, these pieces of legislation bring legal enforcement to something inherent in the constitution of many countries, South Africa included – the right to protection of privacy. “The obligation was always there to protect sensitive information. What these acts bring is the enforcement and clarification as to exactly what it means. PoPI informs us what information may be gathered, how such information should be treated through its lifecycle, how it may be used and under what circumstances. Essentially, it enforces consumer rights as to what information may be gathered and gives consumers the power to either permit or deny its use. The enactment and enforcement of PoPI is forcing organisations to be more stringent in their data management. In order to comply, it’s critical to understand what data they have and for what purpose it was obtained, confirm that it’s being used appropriately, know where it’s being distributed and track it so that it may be deleted from all systems on request. This becomes very complicated for organisations not previously enforcing this obligation. Ultimately, companies will benefit from better data management, as the data security posture will improve; in the short term, it could have significant cost implications.”
Says Harmsen: “The regulations are vague, but necessary. PoPI tells us that we must protect personal information to the best of our ability, but doesn’t offer much more specificity and certainly no roadmap on how to achieve that. GDPR does a slightly better job, but still lacks specificity. However, GDPR is an evolution of the Data Protection Directive, which is very similar to PoPI in South Africa and so we can expect PoPI to also evolve. It’s a means to lead businesses along the correct path and give them time to develop their knowledge, understanding and capabilities through a ‘carrot and stick’ approach of recommendations and fines.”
In Searle’s view, we can expect data regulation to evolve as the importance of data grows. “The real consequence for organisations is that while their data holdings are vital, they also represent a huge risk: the fines for below-par protection are large, and the reputational damage in the wake of a hack is real. It’s wise to approach compliance positively rather than just ticking the boxes. Compliance will guide one towards an effective data-protection regime.”
Big data protection
Regulation isn’t the only influence on the way businesses protect their data today. Data protection in a big data context can be highly complex from an operational and legal perspective too. Van der Merwe says that, for example, big data is often unstructured, making it more difficult to classify and manage. “Ostensibly, although it does not require any different treatment from any other data in terms of data management and protection, the complexity it brings is that it requires different ways of using and manipulating the data. It’s also generally stored in cloud-based environments accessed by many entities from different devices and networks that fall outside of the traditional data management environment. However, organisations still have the same obligation towards this data.
“To manage big data, it’s important to have a holistic and well-integrated cyber security suite, enabled with policies and procedures that facilitate the automation of data protection through various tool sets.”
The availability of big data has had the biggest impact on data protection because organisations collect the data into lakes against which they run their analyses, says Harmsen. “We have all kinds of systems accessing that data, from legacy to modern, but it’s often left unsecured as a result of the processes people typically follow. Very often, that’s not a problem because the bulk of the data isn’t unique to a person. But a small portion of it often is and therefore you must secure it. This highlights the need to tread a fine line between making data accessible and available, while also securing it. It’s a tightrope exercise that requires a delicate balance and a mature security posture.”
Dellas believes that it’s more apt to ask how data protection has impacted big data. “The concept of big data has grown out of the advances in storage and processing power of the 2010s, especially through economies of scale in cloud computing. Organisations have been gorging themselves on the benefits of big data, with data protection being an afterthought, but with increased consumer and legislative scrutiny in 2019, we’re seeing the impact on big data. Organisations must now be far more transparent about what they collect, how they process it and why they need it in the first place. With this increased scrutiny, organisations are less prone to adopt all-out big data as their strategy and look towards more narrow data processing strategies that satisfy new legislation.”
Protecting the IoT
The Internet of Things (IoT) is another trend where data protection considerations need to be made. “Traditionally, technology was deployed in a secure environment with a closed network and a limited number of people who could access it,” says Van der Merwe. “Perimeter security made it easy to manage and avoid unwanted access. With the IoT, potentially millions of vulnerabilities are introduced. Each connected device or sensor could be connected to both the internet and the corporate network simultaneously, which makes each device a potential point of entry for those with malicious intent to misuse information or disrupt operations. Each connected device needs to be secured and managed and this requires a completely different approach to security than traditional networks have necessitated in the past.”
Harmsen says IoT devices are easy to use, install, and implement, and organisations want to use more of them for good business reasons. “However, they don’t come with the necessary built-in security standards and their architectures aren’t designed for the installation of agents to secure them like our desktops and servers, meaning they expose businesses to risk.
“Protection requires visibility into the IoT devices supposed to be on the network, managing what they’re allowed to do on the network, and implementing the right controls around the devices and their profiles. For example, if they’re found to act beyond routine, the system must know to quarantine, alert a human, or take some other measure against the device. That leans on AI and machine learning, but becomes more effective when you combine the intelligence of multiple security systems that create checks and balances that can more accurately identify allowable behaviours. Often, you want to segregate these devices onto their own network to limit exposure, but sometimes, such as when they feed business processes, you can’t. This demands an understanding of the environment and tweaking the controls and policies to balance security with the effectiveness and accessibility of the devices.”
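Harmsen’s three steps (an inventory of the devices supposed to be on the network, a profile of what each is allowed to do, and a quarantine-or-alert decision when a device acts beyond routine) as an added illustration that is not code from the original article or from IndigoCube: a small allow-list evaluator over constructed flow records. The device profiles, inventory, flows and thresholds are all hypothetical.

```python
import ipaddress
from collections import defaultdict

# Hypothetical allow-list profiles (constructed): the "routine" each device class is
# permitted on the network, by destination network, destination port and total bytes sent.
PROFILES = {
    "camera": {"ports": {443, 554}, "nets": ["10.20.0.0/16"], "max_bytes": 50_000_000},
    "sensor": {"ports": {8883}, "nets": ["10.30.0.0/16"], "max_bytes": 100_000},
}
# Constructed inventory of the devices that are supposed to be on the network.
INVENTORY = {"cam-01": "camera", "cam-02": "camera", "temp-07": "sensor"}
# Constructed flow records: (device, destination IP, destination port, bytes sent).
FLOWS = [
    ("cam-01", "10.20.5.10", 554, 20_000_000),
    ("cam-02", "10.20.5.10", 554, 30_000_000),
    ("cam-02", "203.0.113.9", 22, 4_000),       # destination and port outside its profile
    ("cam-02", "10.20.5.10", 554, 30_000_000),  # pushes its total volume past the profile
    ("temp-07", "10.30.1.2", 8883, 2_000),
    ("temp-07", "10.30.1.2", 443, 300),         # a single port outside its profile
    ("badge-99", "10.30.1.2", 8883, 500),       # not in the inventory at all
]

def evaluate(inventory, profiles, flows):
    """Return {device: (action, reasons)}; action is "allow", "alert" or "quarantine"."""
    deviations, volume = defaultdict(set), defaultdict(int)  # departures from routine; bytes so far
    for dev, dst, port, nbytes in flows:
        cls = inventory.get(dev)
        if cls is None:  # visibility first: a device nobody inventoried is a finding in itself
            deviations[dev].add("device not in inventory")
            continue
        prof = profiles[cls]
        volume[dev] += nbytes
        addr = ipaddress.ip_address(dst)
        if not any(addr in ipaddress.ip_network(n) for n in prof["nets"]):
            deviations[dev].add(f"destination {dst} outside profile")
        if port not in prof["ports"]:
            deviations[dev].add(f"port {port} outside profile")
        if volume[dev] > prof["max_bytes"]:
            deviations[dev].add("volume exceeds profile")
    result = {}
    for dev in set(inventory) | set(deviations):
        reasons = sorted(deviations.get(dev, ()))
        if not reasons:
            action = "allow"
        elif dev not in inventory or len(reasons) >= 2:
            action = "quarantine"  # unknown device, or several departures from routine
        else:
            action = "alert"       # one departure: hand it to a human before acting
        result[dev] = (action, reasons)
    return result
```

A device that feeds a business process and cannot be segregated would simply get a wider profile here; the decision logic stays the same.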
In Searle’s view, IoT will increase risk for organisations in multiple ways. “Networks will expand hugely as sensors and SIM cards are increasingly placed on objects, and increasing quantities of data flow into the corporate network. Keeping those sensors and SIMs secure is a massive task, and will create new weaknesses in the whole network environment.
“A critical issue here has to be how the corporate network is designed. As always, this must begin with a deep understanding of how the business works and what is important to it. Segmenting the network appropriately will be critical in order to quarantine those areas that are mission-critical from other, less secure and less important ones,” Searle concludes.