How would you manage the security of your environment differently if you knew where all of the sensitive assets lived within your organization?
It’s the question we often pose to CISOs: “How would you manage the security of your environment differently if you knew where all of the sensitive assets lived within your organization?” Most security professionals have embraced the notion of “Zero Trust”. The premise of Zero Trust is that the bad guys are either already in, or will get into, your company network. Therefore, you need to harden security controls and improve correlation and auditing activities to properly defend against and detect adversarial actions. Yet, despite this sobering reality, very few [CISOs] know where critical and/or sensitive data assets live throughout their organization. This creates a mindset in which everything living within the trusted environment is deemed “critical” or “sensitive” and is therefore treated equally, making the task of balancing security across the enterprise extremely cumbersome, if not impossible. Implementing security controls in a manner that isn’t consistent with data value increases the likelihood that basic low-value information resources have controls that are too restrictive and high-value information resources have controls that are too relaxed.
For most organizations, when prompted with the question of where critical and sensitive assets live, the typical response will be related to a few production systems or perhaps a data warehouse repository that houses “organizational crown jewels”. At InfoCycle, by analyzing an organization’s on-premise and cloud data stores, we often uncover a tremendous amount of what we refer to as “sensitive data sprawl” throughout the enterprise. We find that company networks are often littered with shadow copies of source data repositories and, nine times out of ten, these repositories are not hardened to the same level as those that hold the perceived “crown jewels”. As a result, security teams find themselves at a disadvantage when trying to confidently secure the organization’s critical information assets, because they have no real way of telling where those assets live. Enter a data map…
To many, having an effective data map sounds like a bit of a pipe dream. We often hear “our environment is too complex” or “our data footprint is changing too frequently to map” or our personal favorite, “of course sensitive data is everywhere – handling sensitive data is the nature of our business”. Identifying where sensitive content lives throughout the environment, and cataloging it in a way that promotes proper management of that asset throughout its lifecycle, can seem like a daunting task to many, but it does not have to be. Furthermore, with the average time to detect a data breach being upwards of 250 days after an attacker penetrates your network, the reality is that if you don’t map out your data estate, someone will eventually do it for you. In fact, by the time you’ve hit the 250-day mark, your attacker has already developed their own sensitive asset data map and likely completed their primary data exfiltration activities. Could it be that attackers are that sophisticated or that mapping out critical organizational data assets is really that easy? Unfortunately, it is no coincidence that when a breach occurs the crown jewels of the organization are the assets that are most commonly compromised. So how do you get started on building your data map?
Here are three critical steps to getting started on building your data map today:
1) Identify Mapping Requirements: Identifying mapping requirements means aligning the data map with the needs of the organization. Before you start engaging various organizational stakeholders and capturing data dependencies, you must first determine the level of specificity required to meet the business objectives of the organization. Key questions to focus on include: Who will use your data map? What will they use your data map for? How will your data map be updated? Who will manage it going forward? We know it sounds simple, but answering these questions will often help you ensure that you are mapping data assets at the right level of detail.
2) Engage the Business: With the high-level requirements captured, it is time to engage the business. Here, the focus should be on extracting critical pieces of information from the key business units about how their data meets the business needs and about its data dependencies. This includes areas such as critical applications, regulatory compliance requirements and any data creation events that are happening within the business unit.
3) Start with Metadata: Organizations often skip metadata analysis and jump straight to textual content analysis. The difference is that metadata analysis is much faster to run and collects attribute information about the files throughout your network. In contrast, content or textual analysis requires opening files and analyzing the textual patterns within them, which takes much more time to complete. We often find that more than half of what we need to know about data can be inferred from metadata alone, reducing the time and cost to map your enterprise. Do not skip this step! It will help get your data map moving forward more quickly and allow you to show some organizational wins in mapping out your critical data assets.
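A metadata-first pass of the kind step 3 describes, as an added example that is not InfoCycle's tooling: it reads only file attributes, flags candidate sensitive files by name and extension, and groups same-name, same-size candidates in different directories as likely shadow copies. The name patterns, extension set and sample tree are assumptions constructed for illustration.

```python
import re, stat, tempfile
from collections import defaultdict
from pathlib import Path

# Assumed heuristics (not from the article): names and extensions hinting at sensitive data.
SENSITIVE_NAME = re.compile(r"payroll|ssn|customer|patient|export|backup|dump", re.I)
DATA_EXTS = {".csv", ".xlsx", ".sql", ".bak", ".mdb", ".db", ".pst"}

def scan_metadata(root):
    """Collect per-file attributes with lstat() only; no file is ever opened."""
    records = []
    for p in Path(root).rglob("*"):
        try:
            st = p.lstat()
        except OSError:
            continue  # vanished or unreadable entry: skip it and keep mapping
        if stat.S_ISREG(st.st_mode):
            records.append({
                "path": str(p), "name": p.name.lower(), "ext": p.suffix.lower(),
                "size": st.st_size, "world_readable": bool(st.st_mode & stat.S_IROTH),
                "candidate": p.suffix.lower() in DATA_EXTS
                             and bool(SENSITIVE_NAME.search(p.name)),
            })
    return records

def shadow_copy_groups(records):
    """Candidates sharing name and size across directories: likely shadow copies."""
    groups = defaultdict(list)
    for r in records:
        if r["candidate"]:
            groups[(r["name"], r["size"])].append(r["path"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

def build_sample_tree(root):
    """Constructed sample tree (not real data) with one shadow copy on a desktop."""
    layout = {
        "prod/db/customer_export.csv": b"x" * 2048,
        "home/alice/Desktop/customer_export.csv": b"x" * 2048,
        "share/finance/payroll_2023.xlsx": b"y" * 512,
        "home/bob/notes.txt": b"hello",
    }
    for rel, data in layout.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(shadow_copy_groups(scan_metadata(tmp)))
```

Files that land in a shadow-copy group are the ones worth sending to the slower content analysis first, since name and size alone cannot confirm that two files hold the same data.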
Not sure where to start? Reach out to our team of experts today and we would love to help you on your data mapping journey: [email protected]