To succeed in the new world of data, security leaders need a dedicated data security team. As of 2021, less than half of large companies had a chief data officer (CDO), according to the 2021 Gartner CEO and Senior Business Executive Survey. Now, with emerging data governance rules and a more challenging threat landscape, we are seeing the rebirth of data security teams as companies rehire specialized data security professionals.
Information security covers the infrastructure, software, and hardware that hold the data, whereas data security focuses on protecting the data itself. With the move to the cloud, the market has been flooded with solutions that focus on cloud infrastructure, such as Cloud Security Posture Management and access management, but they lack a data-centric view. As data moves and flows across clouds, it is imperative to understand the nature of the data (is it sensitive?) and its context (who uses it and what is the business context?) so it can be determined whether a given move is authorized or a breach.
Today, businesses are generating more data across hybrid and multi-cloud infrastructures. Long gone are the days when data used to be purged to save space. Lack of accountability and data ownership, combined with a lack of process discipline, creates different levels of vulnerabilities across the spectrum.
On top of that, the shift to cloud computing has introduced new ways to process and store data. The move to the cloud has also driven data sprawl (meaning the uncontrolled and scattered proliferation of data across various systems, storage locations, and platforms in an organization). Now, organizations are facing new challenges that only a dedicated data security team can address.
Challenges in the new world of data
While the amount of data in the cloud continues to increase, so does the size and variety of data assets in an organization. Most organizations now have multiple different types of data services (like storage, database, and analytic platforms). Meanwhile, ‘shadow data’ (data that is unavailable to, or not subject to, an organization’s centralized data management framework), often containing sensitive information such as personally identifiable information (PII), patient records (PHI), credit card information (PCI), and others, is rapidly growing in the form of orphaned snapshots and database backups. This means there is data that can’t be tracked by legacy tools and is easily exposed to attackers, making security teams’ jobs that much harder. Organizations are also facing new requirements to comply with additional data privacy, data sovereignty, and data governance regulations. However, because most modern data security tools are limited to a single architecture, service, cloud, or policy, keeping inventory of PII/PCI/PHI is more challenging than ever.
The roles and responsibilities of a data security team:
Increasingly strict compliance regulations as well as the need for tighter security controls are the driving forces behind the need for a dedicated data security team. Organizations must hire data security professionals who can go beyond achieving compliance requirements to gain visibility into the data that lies across the clouds and shorten the time to detect threats and respond to attacks in real time. Data security professionals must know and be able to implement the processes, protocols, and technologies necessary to secure today’s modern tech environments.
The essential responsibilities should include:
Taking inventory of data across all enterprise data stores
Organizations can’t protect what they don’t know. Because most of an organization’s data now sits in SaaS (software-as-a-service), PaaS (platform-as-a-service), and IaaS (infrastructure-as-a-service), it is not always feasible to install agents such as on-premises data loss prevention (DLP) solutions to keep track of the data. Still, it is essential for teams to know their data, where it is stored, and what is stored in it. Therefore, teams should look to leverage solutions that are agentless and do not require any proxy to discover and secure data.
Data classification, ownership, and governance
No matter the structure of an organization’s data, all data should be classified. Not only does data classification identify PII, PCI, and PHI data, but it can also detect an organization’s most prized possessions. Taking inventory is crucial in helping teams decide how their data should be protected. Including data contexts such as location and environment (production vs. development) can give teams a clearer picture of all the data they have and how to protect it. Assigning data owners is another step that can help teams determine existing risks in their data that need to be remediated.
Strengthening the data security posture
A data security team should ensure that proper controls are assigned to all data assets. Data security posture management (DSPM) tools can help teams with static risks such as encryption, logging, retention, authentication, and authorization for data stores that contain customer and other sensitive information. DSPM tools use the context of the data an organization already has to prioritize the remediation of static data risks.
Real-time detection and timely response
Since data is constantly changing, each risk that arises creates an opportunity for an attacker to exploit it. As data changes and creates new risks, data security teams need real-time detection of those risks followed by a response. Real-time data detection and timely response tools give data security teams the ability to detect events, assess their potential as an attack on data, and respond in real time to attacks regardless of where their data is stored.
Understanding the data attack kill chain
Attackers are constantly finding ways to ransom or exfiltrate data by leveraging static risks to further disable security measures, modifying IAM (Identity and Access Management) policies, or starting mass downloads of sensitive data. Teams should be aware of the tactics attackers are using to steal their data, and more importantly, how to stop them.
In addition, roles that support developing an iterative plan (agile, business data ownership, product owners, process discipline stewards, and change agents) are also important. These roles are assigned by GRC (Governance, Risk, and Compliance) and IAM leaders, and are essential for a successful data security program.
Critical advice for the journey:
It takes time to build a strong data security team. For a team to be successful, a thorough understanding of both the domain and the business is imperative. Here are a few tips to successfully build a data security team, including how to choose the right members and how to overcome hurdles along the way.
Find the right tools and internal partners: Most teams overlook the total cost of building versus buying solutions. Leaders should be aware of the time and money that can be wasted by using the wrong tool for their business. The world of information protection is complex and includes data governance, privacy, and security tools. Understand their differences, decide whether you are only trying to achieve compliance or also to prevent data exfiltration, and act accordingly.
Work from the outside in: It is essential to start off building a data security program by laying a strong foundation. Teams should begin by discovering where their sensitive data is and what is stored in it. Make sure you are looking for all the data, not only the data you are currently managing. Unmanaged data lurking in the shadows could be the bigger risk.
Categorize different risks: Static risk and dynamic risk are remediated by different teams. Static risks, such as misconfigured data (e.g. bucket open to the world, production data not encrypted), should be handled by the data owners and IT. Events that pose an immediate risk, however, should be handled in real time upon being alerted by the security operations center (SOC). Teams must put the necessary training systems in place so that each team has the knowledge and understanding needed to mitigate their assigned risks.
Hire the right people: To build a strong data security program, an organization needs people who can navigate the organization and understand complex environments. Recruiting people from relevant teams such as GRC, IT, and IAM can help bring a more well-rounded understanding of the existing processes.
Note where data is growing rapidly: Teams should identify and keep track of where data is growing at accelerated rates because that’s likely where new attacks are taking place.
The road forward
As the need for data security grows, so will the role of data security experts. The current environment has created a rebirth of data security teams as organizations must secure data from exfiltration and increasingly aggressive attacks. Organizations must increase investment in data security talent and systems to succeed.
About the Author
Dan Benjamin is the Co-founder and CEO of Dig Security, a leading cloud data security company that helps organizations discover, monitor, protect, and govern their cloud data stores through a unified policy engine. Dig’s mission is to provide the data security stack for modern enterprises, protecting data wherever it lives inside an organization.
Benjamin is an entrepreneur with over a decade of industry experience founding and leading startup companies. He has held leadership roles at Fortune 100 companies including cloud and security leadership roles at Microsoft and Google. During this time, he noticed a gap in public cloud data security solutions, leading him to co-found Dig Security, a company dedicated to helping customers instantly identify cloud security issues to prevent breaches and attacks through real-time data detection and response. He is also a former member of IDF (8200), an Israeli Intelligence Corps unit of the Israel Defense Forces.