Calming the data tsunami through identity access governance
With over 80% of corporate data living in file shares, SharePoint and cloud storage services, data security has taken on significant importance to companies, says Ben Bulpett, EMEA director at Sailpoint.
A data breach can strike any organisation at any time and its critical data must be safeguarded, whether it's sensitive information an organisation must protect to maintain its competitive advantage, or records needed to meet industry or government regulatory demands.
Sensitive personal and business data is more vulnerable today than ever before, with corporate trade secrets, national security information, personal identity information, medical records, social security and credit card numbers stored, used and transmitted online through digital channels and connected devices. With the expected trajectory of data growth, current predictions estimate that, as a human race, we will be storing over 463 billion gigabytes per day by 2025, a growth of over 1 000% on 2018 levels; this data tsunami presents an even bigger challenge.
With over 80% of corporate data living in file shares, SharePoint and cloud storage services such as Google Drive, OneDrive, Box and Dropbox, compounded by users having access from any device, data security has taken on significant importance to many, if not all, organisations, says Ben Bulpett, EMEA Director at leading Identity and Access Governance vendor Sailpoint.
The proliferation of data presents criminals with an increasingly wide range of opportunities to monetise stolen information and intellectual property. In addition, foreign governments and organised crime rings have embraced hacking as one of the most potent tools at their disposal. The ramifications of a data breach, where protected data is exposed or stolen, are dire, with the average cost to an organisation that loses over one million customer records being as much as $40 million.
Organisations are also at risk from internal threats: negligent or disgruntled employees can expose confidential information even faster than an external hacker, so organisations need to ensure adequate safeguards are in place to prevent the accidental or intentional release of sensitive data. A recent IBM survey identified that, on average, it takes an organisation nearly 197 days to realise it has suffered a data breach, and a further 67 days to contain and resolve it. Organisations need to ask some key fundamental business questions about their data.
* Do you know what data you have?
* Can you identify sensitive data?
* Do you know who has access to that data?
* Do you know how that user got access and should they even have access?
* How is that access being used?
* Who owns that data?
* Can you report in real-time what is happening to that data and take appropriate action?
Bulpett says: "With board-level emphasis on good corporate governance and with POPI and GDPR being top of mind, there is a need to demonstrate compliance by taking ownership of their data, while putting the necessary controls in place to ensure organisations can answer the above questions. While some organisations have taken steps to implement the necessary processes and procedures designed to attain, maintain and prove compliance with new regulations, many organisations we talk to underestimate the enormity of the challenge and what it takes to meet and maintain compliance. Part of this task includes a comprehensive review of who has access to what data and where regulated data resides, along with the ability to conduct required security audits and implement continuous controls."
Section 19 of POPI places an obligation on a responsible party to secure the integrity and confidentiality of personal information/data in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to, or unauthorised destruction of, and unlawful access to, personal information. To comply with this obligation, companies in South Africa must take reasonable measures to:
* Identify all reasonably foreseeable internal and external risks to personal information under its control;
* Establish and maintain appropriate safeguards against the risks identified;
* Regularly verify that the safeguards are effectively implemented; and
* Ensure the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
All of this will require a comprehensive data governance strategy that answers the who, what, why, when and how.
In South Africa, notification must be made as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party's information system. As many organisations in South Africa deal with the European Union (EU), its more stringent regulations will also apply. GDPR requires not only that organisations incorporate least-privilege permissions for EU citizens' PII data, but also that they be able to detect and remediate violations of that policy immediately. Organisations will now have a maximum of 72 hours after becoming aware of a data breach to report any breach involving customer data, and must notify the affected individuals if adverse impact is determined.
The complexities associated with compliance and data protection mean the most effective way forward is to automate as many identity and access management tools and security audit processes as is reasonably possible.
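As an added illustration of what such an automated access-review control looks like in practice (this is example code written for this article, not Sailpoint's or Puleng's product code), the script below runs the three checks the preceding paragraphs call for over a constructed data inventory: sensitive data with no mapped owner, access to sensitive data that the data owner has not certified, and entitlements that have not been exercised within a review window and are therefore candidates for revocation under least privilege. The resource paths, account names, dates and the 90-day idle threshold are all assumptions made up for the example.

```python
from datetime import date, timedelta

# Constructed inventory (not from the article): resources, whether they hold
# regulated/sensitive data, and the business owner who certifies access to them.
RESOURCES = {
    "smb://fs01/hr/payroll":              {"sensitive": True,  "owner": "hr.director"},
    "smb://fs01/finance/ledgers":         {"sensitive": True,  "owner": "cfo"},
    "smb://fs01/marketing/assets":        {"sensitive": False, "owner": "cmo"},
    "sharepoint:/sites/legal/contracts":  {"sensitive": True,  "owner": None},  # no owner mapped
}

# Constructed ACL entries: who holds access, and which identity certified it
# during the last access review (None = never certified).
ACLS = [
    {"principal": "alice", "resource": "smb://fs01/hr/payroll",             "certified_by": "hr.director"},
    {"principal": "bob",   "resource": "smb://fs01/hr/payroll",             "certified_by": None},
    {"principal": "carol", "resource": "smb://fs01/finance/ledgers",        "certified_by": "it.helpdesk"},
    {"principal": "dave",  "resource": "smb://fs01/marketing/assets",       "certified_by": None},
    {"principal": "erin",  "resource": "sharepoint:/sites/legal/contracts", "certified_by": None},
]

# Constructed last-use records from file-access auditing, keyed by (principal, resource).
LAST_USED = {
    ("alice", "smb://fs01/hr/payroll"):       date(2024, 5, 1),
    ("carol", "smb://fs01/finance/ledgers"):  date(2023, 9, 12),
    ("dave",  "smb://fs01/marketing/assets"): date(2024, 5, 3),
}


def unowned_sensitive_resources(resources):
    """Sensitive data with no mapped owner: nobody is in a position to certify access to it."""
    return sorted(path for path, meta in resources.items()
                  if meta["sensitive"] and meta["owner"] is None)


def uncertified_sensitive_access(acls, resources):
    """ACL entries on sensitive data that the data owner has not certified.

    An entry is a finding if the resource has no owner at all, or if the
    certification came from someone other than the owner (e.g. the helpdesk).
    """
    findings = []
    for entry in acls:
        meta = resources.get(entry["resource"])
        if meta is None or not meta["sensitive"]:
            continue
        if meta["owner"] is None or entry["certified_by"] != meta["owner"]:
            findings.append((entry["principal"], entry["resource"]))
    return findings


def stale_access(acls, last_used, today, max_idle_days=90):
    """Entitlements not exercised within max_idle_days (or never used at all).

    Under least privilege these are candidates for revocation regardless of
    whether the access was once approved.
    """
    cutoff = today - timedelta(days=max_idle_days)
    stale = []
    for entry in acls:
        used = last_used.get((entry["principal"], entry["resource"]))
        if used is None or used < cutoff:
            stale.append((entry["principal"], entry["resource"]))
    return stale


def access_review(acls, resources, last_used, today, max_idle_days=90):
    """Run all three checks and return the findings as one report."""
    return {
        "unowned": unowned_sensitive_resources(resources),
        "uncertified": uncertified_sensitive_access(acls, resources),
        "stale": stale_access(acls, last_used, today, max_idle_days),
    }


if __name__ == "__main__":
    report = access_review(ACLS, RESOURCES, LAST_USED, today=date(2024, 5, 10))
    for check, findings in report.items():
        print(f"{check}: {len(findings)} finding(s)")
        for item in findings:
            print("   ", item)
```

Run on the constructed data, the review flags the legal contracts site as sensitive data with no owner, three uncertified entitlements (bob, carol and erin), and the same three as stale; carol's case shows why the certifier identity matters: access to the finance ledgers was approved by the helpdesk rather than the CFO who owns the data. In a real deployment the ACL, ownership and last-use inputs would come from the directory, the file-share auditing feed and the data-classification scan rather than from literals.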
Riaan Hamman, Data Security lead at Puleng Technologies, says: "There are several steps organisations need to take to ensure they are compliant with regulation. The first, and most vital, step organisations need to take is to map their data to data owners throughout their environment. Successful compliance and good corporate governance require every organisation to know who its users are, where regulatory controlled and sensitive data resides, and how its data is accessed." Hamman explains: "Once data and owners are captured, organisations need to strengthen the controls that determine who has access to specific data and who doesn't. Data access needs to be controlled by 'least privilege' so that access to only the minimum resources is permitted and access to sensitive data is highly restricted. These privileges need to be checked on a regular basis, both through internal and external audits."
Bulpett concludes: "At Sailpoint, we have approached the issue of data security with an identity governance platform that puts the protection, management, control and ongoing access to an organisation's data at the heart of a cyber security strategy. Specifically, identity governance tools enable organisations to confidently assess their risk, strengthen their controls, close enterprise vulnerability, and automate their detection and audit processes. Assessing risk with identity governance at the forefront of a security strategy, an organisation can create a roadmap to prioritise and remediate the most important regulatory gaps, and thus effectively control and secure an organisation's critical asset, its data."