Securely exposing data in agile organisations
Securing unstructured data in companies as they increasingly strive to be agile is of paramount importance.
Everyone's talking about the Liberty hack because it's topical, recent and potentially has a big impact on the business and its customers. But the hack itself is nothing new.
What is new is the inclusion of GDPR and the POPI Act, and the enforcement of these regulations, which may or may not amount to the imposing of penalties and possible litigation.
How we use, share and manipulate our data is important, and more so for unstructured data. Unstructured data, which can loosely be categorised as any data not stored in a database, such as e-mails and other business documents, is inherently easy to consume and share.
It is a far cry from the typical structured data which has been locked away in databases, making it easier for companies to secure the data as it's under their supervision. However, unstructured data, which accounts for the majority of corporate data, is often less secured. And, with as much as 80% of corporate data reputedly unstructured, hackers gaining access could potentially uncover a goldmine.
Most organisations also have very little idea what data sits in their unstructured repositories. E-mail systems and their wealth of documents and attachments represent a serious obstacle to cataloguing corporate unstructured data.
Even once you manage to categorise it, you still need to know who uses the data, how it's used and where it's stored, then formulate policies and procedures to police it, monitor it and analyse the other relevant metadata.
Security policies must also account for dynamic perimeters. Traditional cyber security borders no longer exist in a world where we have on-premise, cloud and hybrid systems with apps hopping on and dropping off corporate systems from any geographic location. So you need policies that are enforceable in this fluid environment, and that are actually enforced, for the entire lifespan of the data.
Automated orchestration presents another massive hurdle. Orchestration is not necessarily limited to unstructured data. But it does mean that systems, plus the data they create, use, manipulate or delete, appear and then disappear, potentially rapidly. Additionally, you cannot always plan for the data's creation, manipulation and deletion. It can happen sporadically and spike at unplanned times.
These complexities have led many businesses to create a leadership role around managing the complicated environment with its myriad nuances. The chief data officer is a business role created to understand, control and mitigate the risk around data.
Understanding the data environment is crucial in a security context. It saves IT departments from being tasked with separating what's important from what isn't, and locking it down, when they don't even have any real visibility into what they're dealing with. That can be an incredibly tough job for them. But it often happens because in the past, IT was too complex for businesspeople. That's no longer the case.
So now we can have the people who understand the data, and the role it plays in running the business, correctly position it so that we can secure what we must from those who would abuse it, while making it accessible to those who need it.
Tallen Harmsen has more than 14 years of experience as a security consultant and 21 years in the IT industry. He has been exposed in depth to the financial services, insurance, healthcare, pharmaceutical, mining, retail and logistics sectors. In his role as head of IndigoCube Cyber Security business, he engages progressive business solutions that challenge the emerging and entrenched threat landscapes.