Data is everywhere, in on-premise, IaaS, SaaS and cloud data systems, creating a tsunami of security, compliance and privacy concerns. To tackle these challenges, organizations need visibility into sensitive data stored in all their assets. Most typically turn to traditional data discovery solutions, only to find that they are ill-equipped to handle petabyte-scale volumes distributed across a number of different environments.
That’s because data discovery only addresses part of the problem. To automate data privacy, security and regulatory compliance management, organizations need a more unified approach that is based on the following foundational pillars.
1. Catalog of shadow and sanctioned assets
Most organizations have limited visibility into their assets in the cloud, where they keep all their apps and the majority of their data. Complicating matters is the fact that there are several shadow assets in the cloud—for example, non-native applications (such as MySQL) running on generic cloud-computing platforms such as EC2.
Therefore, it’s critical to discover all native and non-native assets and identify those that are operational, what data is stored in them and whether they are protected. Maintaining a centralized asset catalog is a recommended best security practice in the Center for Internet Security’s (CIS) top 20 critical security controls (CSC) and in the NIST Cybersecurity Framework (CSF).
2. Discover and catalog asset metadata
Discovery should go beyond identifying sensitive data and include visibility into the business, technical, and security metadata associated with each asset. This information can be synchronized with data catalogs to provide stronger access governance as well as privacy and security management.
For example, business metadata provides information about ownership, location and lineage between objects in the catalog. Technical metadata includes insights into data such as data governance and retention policies, while security metadata consists of information on security posture and how data in an asset is protected.
3. Discover sensitive and personal data in all assets
Make sure both structured and unstructured data is being discovered and cataloged, including databases, data warehouses, object stores, file stores and more. Without such visibility, security administrators can only speculate on the security, privacy and governance policies they need to implement.
4. Classify and tag sensitive data
To protect against sensitive data exposures, organizations should classify their sensitive data based on risk, type and format. This typically involves classifying data using a sensitivity index such as Restricted, Private and Public. To keep pace with the growth in structured and unstructured data, automation can be used to categorize sensitive data and files according to data classification policies. These tags can also be used to enforce security controls and prevent sensitive data from leaving an organization.
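A minimal sketch of format-based classification and tag-driven enforcement, added here as an illustration and not taken from any product the article describes. The detectors, the type-to-tag policy, the function names and the sample records are all assumptions; only the Restricted, Private and Public tags come from the text above.

```python
import re

# Assumed policy (not from the article): detected data type -> sensitivity tag.
POLICY = {"payment_card": "Restricted", "email": "Private"}
RANK = {"Public": 0, "Private": 1, "Restricted": 2}

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def detect(text: str) -> set:
    """Return the data types found in one value, based on format."""
    found = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            found.add("payment_card")
    if EMAIL_RE.search(text):
        found.add("email")
    return found


def classify(record: dict) -> dict:
    """Tag each field with the highest sensitivity among the types it holds."""
    tags = {}
    for field, value in record.items():
        levels = [POLICY[t] for t in detect(str(value))]
        tags[field] = max(levels, key=RANK.get, default="Public")
    return tags


def export_allowed(record: dict, max_tag: str = "Private") -> bool:
    """Enforcement hook: refuse records tagged above the allowed level."""
    return all(RANK[t] <= RANK[max_tag] for t in classify(record).values())


# Constructed sample records (well-known test card number, made-up values).
SAMPLES = [
    {"note": "paid with 4111 1111 1111 1111", "contact": "ana@example.com"},
    {"note": "order 1234 5678 9012 3456 shipped", "contact": "front desk"},
]
```

The second sample shows why a checksum matters at scale: a 16-digit order number matches the card pattern but fails Luhn, so it stays Public instead of generating a false Restricted tag.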
5. Monitor data risk posture
Monitoring data risk posture enables organizations to assess the impact of data and privacy breaches and their associated legal, regulatory, financial and reputational consequences. This requires taking into account data sensitivity, location, residency and density. All of these risk factors should be used to generate a numeric score so that organizations can compare and contrast risk across assets, locations and owners to prioritize and remediate threats.
6. Build a personal data graph between data and its owners
Privacy rights regulations force organizations to ensure they have a process in place to quickly and efficiently respond to Data Subject Rights (DSR) requests. In the EU General Data Protection Regulation (GDPR), users have the right to access and modify their information. California’s Consumer Privacy Act (CCPA) offers similar rights to individuals. To fulfill DSR requests in a timely manner, it’s best to build a people data graph that links personal data with users’ identities.
7. Map data to compliance and regulations
To comply with global data security and privacy regulations, organizations must provide security controls and privacy practices as evidence of their compliance. To meet these requirements, make sure data privacy systems can map sensitive and personal data usage to compliance regulations and their specific requirements. This will allow you to meet deadlines for processing DSR, breach notification and consent requests.
Managing security and privacy for data stored in the cloud poses unique challenges that aren’t addressed by legacy on-premise systems. Applying these seven best practices when building and deploying a cloud data security and privacy program will help you avoid blind spots that can expose the organization to breaches and regulatory fines, and will help reduce operational costs.