Unfortunately not, that was the easy part. Next for data...
The first action you should take is discovering and mapping data assets because you can’t protect what you aren’t aware of. For an organisation to fully understand the risk associated with their data they need to understand their attack surface. Even the most mature organisations have gaps in their knowledge. There will be things you know, things you think you know, and things you don’t know.
Comprehensively mapping where your data is located provides the opportunity to improve data hygiene. Allowing you to reconcile:
- What proportion of the data, if any, is classified
- Whether the data has been stored with adequate security controls (secure network and storage, limited access etc)
- If there is scope for de-duplication via a clean-up exercise
As data is discovered, complementary actions will be required, related to how the organisation is currently treating that data and how they can improve that in line with their policies or legal and regulatory compliance standards.
Data discovery can be a laborious process and, if manually undertaken, can be prone to human error – the use of discovery tools and automation to scan networks is generally accepted as good practice with human knowledge and understanding of the estate overlaid for additional context.
Discovery should occur periodically, it's not a one-time activity, and should be repeated to maintain hygiene and visibility. Define where data resides and compare that to where data should be, relocating or applying additional controls based on its classification is crucial.
Once you know where data is, consideration must be given on how access is controlled. Before applying controls the relevance of that data to your organisation must be established, this usually requires the development of a classification policy.
Establishing ‘rules’ related to how data is classified will enable the organisation to clearly define the importance of that data to business functions and their clients, stakeholders or data subjects, as well as what might be required to appropriately secure that data.
The process of classification involves establishing characteristics and/or attributes of data, then, in simplistic terms, determining a category that the data fits into. Categories are selected by the organisation based on their policy.
Data classification is usually split into the following categories;
- Highly Confidential – requires the highest degree of protection due to its sensitivity
- Confidential – if exposed could cause meaningful damage to the organisation
- Private – proprietary to the organisation and should generally only be shared internally
- Public – has little external value and can be shared openly and freely
Classification ‘labels’, once defined and agreed upon, are applied across data through manual or automated processes. The topic becomes more complex when data of multiple different classifications are used together.
These can be leveraged to better organise, monitor and proactively control data.
Monitor and automate
An organisation’s ability to monitor their data is key, knowing who has access to data, for what purpose, from where and for how long etc. Once data has been classified appropriately, attention should be focused on ‘high risk data’ or alternatively its ‘crown jewels’. This is data that means most to their business and should be protected to prevent damage to the organisation’s brand, through loss or compromise.
Monitoring provides an understanding of the data’s lifecycle and establish patterns of use which is extremely valuable when applying proactive controls. Restricting access for data to only those that require it for their role is imperative, reducing your threat surface. Additionally understanding how/when that data is used for business operations forms a picture of what standard behaviour looks like. Creating a baseline for monitoring purposes, through supporting technologies, to pinpoint deviations and raise incidents and investigations to ascertain whether this was expected behaviour or potential nefarious activity.
The ability for automated actions to be put in place for certain types of data aligns to the above approach. Once data has been classified, automated actions can be performed in the form of ‘policies’ to protect data. This provides the ability to prevent and flag potential data loss/leakage attempts through accidental or malicious actions. Policies related to data can prevent loss in several ways restricting;
- Sharing of documents through collaboration services
- Emailing documents
- Cutting and pasting of text
This is a key mechanism to reduce data loss through proactive controls.
By classifying data an organisation provides itself with the capability to appropriately set retention timelines in place for that data. This is key when considering obligations related to data set out in data privacy legislation, such as GDPR. By classifying data and setting appropriate retention timelines the organisation can remove concerns around storing data for longer than required to comply with legislation as well as potentially saving costs on unnecessary infrastructure storage.
Please visit the chat function on our website or fill in the below details if you would like more information about why the security of data is paramount. Savanti has many years of experience in security and is ready to assist you in your journey to a better future.