Welcome back. In previous videos, we addressed the need for data security and protection, and some of the challenges and pitfalls. Now, let us examine what capabilities a data security and protection solution should have. Our objectives are to examine the 12 critical data protection capabilities. These are the top 12 data protection capabilities. They are: data discovery, data classification, vulnerability assessment, data risk analysis, data and file activity monitoring, real-time alerting, blocking, masking, and quarantining, active analytics, encryption, tokenization, key management, and automated compliance reporting. We will examine each of these in more detail.

The first capability of a data protection solution is data discovery. You cannot reliably protect what you do not know about. You must know where your data lives. You must have some process for seeking out databases and file systems in your enterprise that might potentially contain sensitive or regulated data. Note the word potentially. With this capability, you are not classifying data, you are finding it. Data discovery will be performed iteratively, both because of new data sources that are always cropping up in a dynamic IT environment, and also to capture previously overlooked sources of data. The output of this capability is a catalog or inventory of data sources. You will probably use multiple means to find this data. This means a cross-silo comprehensive effort that requires high-level buy-in and C-level executive support. You will need a lot of cooperation and trust. The capability must be able to find production data sources, data sources used for development and testing, and unauthorized data sources. One means of discovery is to ask people such as line of business owners, database administrators, and network administrators. Another method is to employ tools to perform scans of the networks and individual servers. The goal here is to cast as wide a net as possible.
You want to find all the data sources in your organization, not just the data you should have or think you have. Sensitive data may exist beyond the knowledge of the data owner. This is a common, yet an extremely unsafe and vulnerable scenario. You cannot protect sensitive data unless you know it exists.

Data classification parses discovered data and matches it against patterns or keywords to determine the nature and sensitivity of it. Assign labels or keywords based on data type. This will make it possible to apply the correct security policies to the data. Not all data will be sensitive data, and different types of sensitive data must be treated in different ways. Classification allows you to determine what protective measures apply to which data. A data classification scheme should consider the standards and regulations relevant to an organization as well as unique organizational needs. Remember, some data may fall under multiple classifications.

Your data security solution requires some means to discover and address the vulnerabilities in your hardware, software, and networks that host the data. This method should address the process in a consistent fashion and should be automated. This solution should assess the system configuration against the recommended state or baseline, determining areas of weakness. Such areas may include user accounts that should be disabled but are not, inappropriate privileges, insecure authentication methods, shared accounts, misconfigured configuration files, and missing security patches. Vulnerability assessment should be an iterative process which uses input from stakeholders to determine priority of focus. Rather than trying to fix all vulnerabilities at once, it should use a phased approach to address the most urgent risks with an eye towards constant improvement. Vulnerability assessment requires coordination and buy-in across departments.
Therefore, it requires high-level support, careful gathering of metrics and progress reporting, and integration with change and configuration management processes.

The results of data classification and vulnerability assessment allow you to perform data risk analysis. This is where you assign risk levels to data sources and use that assignment to prioritize allocation of resources to the most appropriate efforts. Risk analysis considers not only what type of data you have, but what threats pertain to the data source, the probability of that threat, and the amount of damage that threat would cause, as well as methods to counter the threat and the cost of the mitigation procedures. This process can be difficult; however, it is important for the organization to understand the risks associated with their businesses. There are tools and frameworks that can assist with risk quantification. Risk analysis results feed back into the data discovery, classification, and vulnerability assessment capabilities to refine those processes. Risk analysis also helps in planning policies for monitoring data assets.

Active monitoring of your sensitive data is critical to detect suspicious activity and security breaches in a timely manner. A 2018 study by IBM showed that the average time to identify a data breach was 197 days. That is correct, more than half a year. Imagine the exploitation of data that can occur in that time. Think of the damage to an organization's reputation when the data breach is finally discovered and disclosed. Active monitoring, properly deployed, can reduce the time to discover data breaches. Activity monitoring is challenging. From a business perspective, you must use the results of risk analysis to develop a set of monitoring policies targeting the highest risk data sources first, then iteratively moving to other priorities. This requires close cross-silo coordination and communication.
Line of business owners, as well as database, server, application, and network administrators must be consulted. From a technical perspective, data activity monitoring requires filtering a huge number of database transactions, perhaps billions per day, to pick out a handful of events that indicate possible suspicious activity. This can be extremely resource intensive, and the monitoring solution must be carefully configured to avoid overtaxing CPU, RAM, disk, and network resources. The monitoring solution must address varied methods of accessing data, remotely or locally, by an internal privileged user or an external attacker, or even a misconfigured application. Data activity monitoring is also iterative. Results from data activity monitoring feed into vulnerability assessment and risk analysis, which in turn provides insight on refining monitoring policies.

Real-time alerting involves acting quickly and appropriately on suspicious activity identified by data monitoring. Alerting requires the consolidation and centralization of relevant information, correlation with data from other security solutions, and reliable routing of that information to parties that can act on it. The alerting process must be automated and reliable. Integration with security intelligence and event management consoles is a must.

In this video, we have discussed the first six data security capabilities. In the next segment, we will continue our discussion of data security capabilities.
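The data classification step described above (match discovered data against patterns and keywords, assign labels, and let a record carry several labels at once so the right protective measures apply) as an added example; it is not code from the course or any IBM product. The pattern catalog, label names, policy names, and sample records are all constructed for illustration, and a Luhn checksum is used so that random digit runs are not mislabelled as card numbers.

```python
import re
from typing import Dict, FrozenSet, Iterable

# Hypothetical pattern catalog: label -> regex. Real deployments tune these to
# the regulations in scope; these three are illustrative only.
PATTERNS: Dict[str, re.Pattern] = {
    "PII:email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "PII:ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PCI:pan": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}
# Keyword hits add a label of their own (hypothetical labels).
KEYWORDS = {"confidential": "INTERNAL:confidential", "salary": "HR:compensation"}

# Protective measures per label; a record with several labels gets the union,
# so the strictest applicable controls always win.
POLICIES = {
    "PII:email": {"mask-in-nonprod"},
    "PII:ssn": {"encrypt-at-rest", "mask-in-nonprod", "monitor-access"},
    "PCI:pan": {"tokenize", "encrypt-at-rest", "monitor-access", "restrict-export"},
    "INTERNAL:confidential": {"restrict-export"},
    "HR:compensation": {"encrypt-at-rest", "monitor-access"},
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

def classify(text: str) -> FrozenSet[str]:
    """Return every classification label that applies to one record."""
    labels = set()
    for label, pat in PATTERNS.items():
        for m in pat.finditer(text):
            if label == "PCI:pan" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue                    # 13-16 digits but not a valid PAN
            labels.add(label)
    low = text.lower()
    labels.update(lab for kw, lab in KEYWORDS.items() if kw in low)
    return frozenset(labels)

def policies_for(labels: Iterable[str]) -> FrozenSet[str]:
    """Union of the protective measures required by a record's labels."""
    out: set = set()
    for lab in labels:
        out |= POLICIES.get(lab, set())
    return frozenset(out)

# Constructed sample records, as a discovery scan might return them.
SAMPLE_RECORDS = {
    "crm.contacts:17": "Contact jane@example.com, card 4111 1111 1111 1111",
    "erp.orders:903": "order id 4111 1111 1111 1112 shipped",
    "hr.memo:4": "CONFIDENTIAL: SSN 123-45-6789, salary review",
}
```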