Jan 28, 2021

Back to Basics: Five Ways to Improve Your Corporate Data Protection Practices

By Chris Hallenbeck, Chief Information Security Officer (CISO), Americas, Tanium

Complexity is the enemy of data protection. And there’s plenty of it in the modern enterprise IT environment. It creates critical visibility gaps that could leave organizations dangerously vulnerable and noncompliant. 

According to a new report from law firm DLA Piper’s data protection team, GDPR fines increased by 40 percent last year, and experts predict they’ll only get bigger. As regulators start ratcheting up the size of fines, it’s time to recalibrate. What better opportunity than Data Privacy Day to ask yourself: Is my organization doing enough to mitigate the risk of sensitive data loss?

Fortunately, enhancements can be made without reinventing the wheel. It all starts with gaining visibility and control of your endpoints and the data residing on them.

Data is everywhere

As organizations digitally transform, data flows far and wide — into containers, virtual machines, laptops, mobile devices, hybrid cloud servers, and desktops. Chances are high that at least some of that data will end up somewhere you didn’t anticipate. 

Cloud migration, in particular, can rapidly expand the number of locations where data resides, outpacing your ability to keep track of it. In the meantime, legacy assets can get ignored. Mass remote working has also added a whole new fleet of potentially unmanaged endpoints to the mix. 

As the number of tools used to manage and secure all of these assets snowballs, so too does complexity. Tanium data reveals that the average enterprise uses 43 IT operations and security tools — each of which requires IT staff training. The more time they spend jumping from one to the other, the less time they have to gain visibility and control of their endpoint estate, and the more chances that they’ll miss spotting a key risk or security event. 

At the same time, compliance fines are quickly increasing. Better to be proactive in reassessing your data protection posture now than to get caught out down the line. Improving the status quo doesn’t mean buying the latest whizbang solution to keep out the most sophisticated nation-state actors. Even they will do the bare minimum to get to your data. Instead, focus on getting the basics right with effective cyber hygiene, starting with vulnerability and configuration management.

Best practices to help protect your corporate data

Here are five approaches to improve your privacy efforts.

(1) Switch on hard-disk encryption 

A great deal of noise is made about data loss prevention (DLP) as a primary bulwark against data risk. It’s important, but it’s not a silver bullet. It won’t work if you don’t know what data you hold that needs protecting and where it is. That’s why many DLP projects fail. 

We need to be less absolutist about our approach here. The truth is that as long as humans are involved, things may not go as planned. Data may end up in places you don’t want, as users (often unintentionally) circumvent security controls. 

What does this mean? That wherever it ends up, you need to be assured it is protected. And the best way of doing this is with a policy of hard-disk encryption for all laptops and desktops. Most operating systems have drive encryption features built in, so enable them.

(2) Take a zero-trust approach

To be sure, enterprise IT environments are increasingly characterized by their complexity, which extends to network security. The traditional “castle and moat” model built around a secure perimeter is no longer appropriate in a dynamic, cloud-centric world of remote work and mobile devices. 

Organizations need instead to be able to assess the identity of each person logging in and the security posture of every endpoint device accessing data. Whether to grant full access or provide limited access in the form of VDI, for example, must be based on a comprehensive assessment of the endpoint. 

This means having insight into whether the endpoint is up to date with patches, is configured in line with policy, etc. This is the basis of Zero Trust, an increasingly popular, flexible approach built for the complexity of modern business interactions.
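The access decision described above can be sketched as a small policy function. This is an added example, not code from the article or from any product; the `Endpoint` fields, the 30-day patch threshold and the sample hosts are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical threshold: patches older than this count as stale (assumption).
MAX_PATCH_AGE_DAYS = 30

@dataclass
class Endpoint:
    hostname: str
    managed: bool            # enrolled in endpoint management
    last_patched: date       # date the last patch cycle completed
    config_compliant: bool   # matches the configuration baseline
    disk_encrypted: bool     # built-in drive encryption is switched on

def posture_failures(ep, today):
    """Return the list of posture checks this endpoint fails."""
    failures = []
    if not ep.managed:
        failures.append("unmanaged")
    if (today - ep.last_patched).days > MAX_PATCH_AGE_DAYS:
        failures.append("stale_patches")
    if not ep.config_compliant:
        failures.append("config_drift")
    if not ep.disk_encrypted:
        failures.append("disk_not_encrypted")
    return failures

def access_decision(user_authenticated, ep, today):
    """Return (decision, reasons): 'deny', 'limited' (VDI only) or 'full'."""
    if not user_authenticated:
        return "deny", ["identity_not_verified"]
    failures = posture_failures(ep, today)
    if failures:
        # Data stays in the VDI session, not on a device that failed checks.
        return "limited", failures
    return "full", []

# Constructed sample endpoints.
TODAY = date(2021, 1, 28)
HEALTHY = Endpoint("lt-001", True, date(2021, 1, 15), True, True)
STALE = Endpoint("lt-002", True, date(2020, 11, 1), True, False)

if __name__ == "__main__":
    for ep in (HEALTHY, STALE):
        print(ep.hostname, access_decision(True, ep, TODAY))
```
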

(3) Proactively search endpoints and data

As sensitive intellectual property (IP) and regulated data often end up where you least expect, there is an urgent need to be able to search your endpoints for that data proactively. 

It should be possible to ask questions of these assets in plain English and have answers returned in near real time. 

Once you know where it is, you can take action to transfer that data to a more secure environment or to ensure its current location complies with policy. Anything less will fail to provide the kind of visibility you need, given today’s complex IT environments. 

(4) Dynamically assign controls to streamline global compliance

There are scores of different data protection laws around the world. The most efficient way to deal with this complexity is to adopt the most restrictive regulatory framework and apply those controls and standards across regions. 

But if you need to ring-fence a set of controls geographically because of a particularly restrictive regulation, you need an effective way to identify all applicable endpoints. 

That adds complexity unless you can manage endpoints dynamically, grouping them by key attributes (language and time zone settings, network segment, Active Directory OU, etc.), which is more operationally efficient than maintaining manual lists.
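As an added illustration (not from the article or any product), the sketch below scopes a regional control set by matching inventory records against attribute rules instead of a hand-kept host list. The rule name, attribute values and inventory records are all constructed, and an endpoint is treated as in scope if any one attribute matches, which errs toward over-inclusion.

```python
import ipaddress
from fnmatch import fnmatchcase

# Hypothetical scoping rule for one regional control set (constructed values).
EU_RULE = {
    "name": "eu-data-controls",
    "timezones": ["Europe/*"],
    "locales": ["de-*", "fr-*", "it-*"],
    "networks": ["10.20.0.0/16"],
    "ou_suffixes": ["OU=EMEA,DC=corp,DC=example"],
}

# Constructed inventory records, as an endpoint management tool might report.
INVENTORY = [
    {"hostname": "lt-ber-01", "timezone": "Europe/Berlin", "locale": "de-DE",
     "ip": "10.20.4.17", "ou": "CN=lt-ber-01,OU=Laptops,OU=EMEA,DC=corp,DC=example"},
    {"hostname": "lt-nyc-07", "timezone": "America/New_York", "locale": "en-US",
     "ip": "10.30.1.5", "ou": "CN=lt-nyc-07,OU=Laptops,OU=AMER,DC=corp,DC=example"},
    # EMEA-owned laptop currently travelling: only the OU still places it in scope.
    {"hostname": "lt-trv-03", "timezone": "America/New_York", "locale": "en-US",
     "ip": "10.30.9.9", "ou": "CN=lt-trv-03,OU=Laptops,OU=EMEA,DC=corp,DC=example"},
]

def matched_attributes(rule, ep):
    """Return which attributes place this endpoint inside the rule's scope."""
    hits = []
    if any(fnmatchcase(ep["timezone"], p) for p in rule["timezones"]):
        hits.append("timezone")
    if any(fnmatchcase(ep["locale"], p) for p in rule["locales"]):
        hits.append("locale")
    addr = ipaddress.ip_address(ep["ip"])
    if any(addr in ipaddress.ip_network(n) for n in rule["networks"]):
        hits.append("network")
    if any(ep["ou"].lower().endswith(s.lower()) for s in rule["ou_suffixes"]):
        hits.append("ou")
    return hits

def endpoints_in_scope(rule, inventory):
    """Map hostname -> matching attributes for every endpoint in scope."""
    scope = {}
    for ep in inventory:
        hits = matched_attributes(rule, ep)
        if hits:
            scope[ep["hostname"]] = hits
    return scope

if __name__ == "__main__":
    for host, why in endpoints_in_scope(EU_RULE, INVENTORY).items():
        print(host, "->", EU_RULE["name"], "because of", ", ".join(why))
```

Recording which attribute matched gives an auditor the reason each endpoint received the regional controls.
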

(5) Bake privacy into new projects from the start

Privacy-by-design is increasingly the mantra of regulators across the globe. So whether you’re migrating to the cloud for the first time or designing a new system, service, or product, use the opportunity to think about data protection. 

What data do you need to perform a given business function? How long do you need to retain it? 

Baking privacy in from the start is cheaper and more effective than trying to retrofit data protection later, when you are eventually forced to comply with data regulatory requirements.

And a final tip. The focus throughout your efforts should be on data minimization: if you don’t need it, delete it. 


To learn how an endpoint management and security strategy can help organizations close their critical gaps, download our Visibility Gap Study