The Shift-Left Approach to Data Protection

Published On: August 9, 2023
Categories: Blog

A Guide to Protecting Everything, Everywhere, all at Once

As cyber-attacks become more prevalent and sophisticated, organizations are finding it increasingly important to take a proactive approach to data protection. Similar to application security, a ‘Shift-Left’ approach to data protection can help organizations identify and mitigate risks before they become real, thereby preventing critical impacts on their operations.

Shift-Left Data Protection: Why It’s Crucial & How DataSecOps Enhances It

In this blog post, we’ll examine the importance of adopting not just a Shift-Left approach to data protection but also embracing the concept of a comprehensive DataSecOps platform. A desirable DataSecOps platform would provide precise, continuous, scalable data discovery, classification, and cataloging capabilities. This effectively identifies sensitive and high business impact (HBI) data, delivering Sensitive Data Intelligence (SDI). Your DataSecOps team should be able to leverage optimized and reliable Sensitive Data Intelligence to enhance security tools and processes, making them data-aware, ensuring security is built into DataOps, not bolted on.

In order to achieve a robust DataSecOps platform, it’s vital to provide seamless integrations with existing security orchestration, automation, and response (SOAR) platforms, as well as established data protection solutions. These might include tools you’ve already invested in, such as Data Loss Prevention (DLP), Data Archiving, Encryption, Tokenization, and Masking utilities. With dependable sensitive data intelligence, you can ‘Shift-Left,’ adopting a more proactive data protection strategy. This approach transforms your existing tools and processes into ‘data-aware’ systems, enabling them to proactively invoke appropriate mitigative actions, thereby avoiding potential crises.

Managing the Complexity of Today’s Security Landscape

In today’s landscape, security teams often find themselves juggling competing demands from various stakeholders. These include the emerging Chief Data Officer, the influential Chief Privacy Officer, the meticulous Head of Compliance and Data Governance, and, of course, the tireless heroes within the CIO/CISO offices. As the industry accelerates toward an era of data integration and data orchestration, propelled by the hype surrounding AI and Machine Learning, IT and Security teams face increasing scrutiny. This is due to escalating privacy regulations, which bring added complexities in the form of increased Data Subject Requests (DSRs) and Data Subject Access Requests (DSARs), especially when your data is spread across your IT and hybrid cloud estate in structured, unstructured, and semi-structured data stores, data lakes, data warehouses, and lakehouses.


Achieving Robust DataSecOps through Integration and Forward-Thinking

In my opinion, a true DataSecOps platform can serve as a harmonizing element rather than a source of conflict when dealing with diverse requests from multiple stakeholders. Everyone is seeking more reliable and accurate intelligence about sensitive and HBI data, proliferating across hybrid IT and cloud environments. Therefore, a comprehensive DataSecOps platform is critical to managing these demands effectively while also aiding prioritization around security and privacy operations.

Data Classification and Discovery: A Core Pillar

A critical aspect of a ‘Shift-Left’ strategy for Data Protection is investing in a holistic, highly accurate, and scalable data classification and discovery engine as you build your DataSecOps platform. Data classification categorizes data based on its sensitivity and business impact. Data discovery identifies where sensitive data resides within an organization’s network, covering both structured and unstructured data, whether in motion, at rest, or potentially even in use, and whether known or dark, including organizational crown jewels such as personally identifiable information (PII), Protected Health Information (PHI), and intellectual property. Once sensitive data is identified, organizations can take more proactive steps to reduce and eliminate ROT data (Redundant, Obsolete, Trivial data, e.g., duplicate copies) and protect the business-critical data by applying the right access controls, encryption, masking, and other mitigating controls.

Data Cataloging: Enhancing Data Visibility

A truly effective DataSecOps platform should also provide data cataloging capabilities. This involves creating a metadata repository of all the sensitive data identified during the data classification and discovery process. The metadata should include details such as data type, location, sensitivity level, business context, owner, and usage. This metadata repository can orchestrate appropriate mitigative actions when sensitive data is at risk, such as encryption or data masking, tokenization, DLP, IRM, etc.

Data Protection Tools & Techniques

When adopting a DataSecOps platform, organizations get a reliable resource to safeguard their sensitive information proactively by leveraging various data security and protection measures, including:

    • Role-Based Access Controls (RBAC): This model restricts access based on the roles of the employees within the organization, ensuring that only authorized individuals can access the data they need for their roles.
    • Zero Trust Segmentation (ZTS) and Zero Trust Network Access (ZTNA): ZTS segments the network, restricting lateral movement and reducing the “attack surface.” ZTNA complements this by denying access by default, even to users already inside the network, until the system has verified the user.
    • Zero-Knowledge Proof (ZKP): This cryptographic method allows one party to prove to another that they know a value without conveying any information beyond the fact that they know it.
    • Homomorphic Encryption: This form of encryption allows computations to be performed on data without decrypting it, a considerable breakthrough in data privacy and security.

Additionally, the DataSecOps platform should be capable of leveraging data anonymization techniques such as tokenization or masking, popular methods for reducing the exposure of sensitive data. With these methods, the actual data is replaced with fictitious values, ensuring that unauthorized entities cannot access the sensitive information.

Example:

Your DLP solution detects an Excel file on the G drive that was discovered, classified, and tagged as “PII Found” as part of your DataSecOps Shift-Left strategy. The DataSecOps platform can then invoke the right “Data Protection Play Book” through your SOAR platform.

For instance:

    • Create a Jira / SNOW incident ticket: “PII discovered on G Drive”
    • Invoke the file encryption solution to encrypt the file
    • Initiate the archiving solution to archive / back up the file
    • Notify the user / owner of the file
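The following Python is an added illustration, not code from the post or from WaveStrong, of how the catalog metadata described under Data Cataloging and the SOAR playbook in this example fit together: a DLP detection event is resolved against the catalog, the playbook steps for the file’s classification tag run in order, and the catalog records which protective controls have already been applied so that a re-scan does not re-encrypt or re-archive the file. CatalogRecord, SoarClient, the step names, and the sample file path are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class CatalogRecord:
    # Catalog metadata as listed in the post, plus the controls already applied
    location: str
    data_type: str
    sensitivity: str        # classification tag, e.g. "PII Found"
    business_context: str
    owner: str
    usage: str
    protections: set = field(default_factory=set)

class SoarClient:
    # Hypothetical SOAR connector: every invoked action lands in an audit trail
    def __init__(self):
        self.audit = []
    def invoke(self, action, *args):
        self.audit.append((action, *args))

# Playbook per classification tag, in order; PROTECTIVE steps alter the file
PLAYBOOKS = {"PII Found": ["ticket", "encrypt", "archive", "notify"]}
PROTECTIVE = {"encrypt", "archive"}

def run_playbook(event, catalog, soar):
    # DLP detection -> catalog lookup -> playbook, skipping controls already applied
    record = catalog.get(event["path"])
    if record is None:
        return ["queue_for_classification"]   # unknown file: classify it first
    steps = [s for s in PLAYBOOKS.get(record.sensitivity, [])
             if not (s in PROTECTIVE and s in record.protections)]
    if not any(s in PROTECTIVE for s in steps):
        return []                             # already protected: nothing to do
    for step in steps:
        if step == "ticket":
            soar.invoke("ticket", f"{record.sensitivity} discovered on {record.location}")
        elif step == "notify":
            soar.invoke("notify", record.owner, record.location)
        else:
            soar.invoke(step, record.location)
            record.protections.add(step)      # catalog remembers the control
    return steps

def demo():
    path = "G:/Finance/customers.xlsx"       # constructed sample file
    catalog = {path: CatalogRecord(path, "xlsx", "PII Found", "Finance",
                                   "jane.doe@example.com", "billing")}
    soar = SoarClient()
    first = run_playbook({"event": "file_detected", "path": path}, catalog, soar)
    second = run_playbook({"event": "file_detected", "path": path}, catalog, soar)
    return first, second, soar.audit
```

The first detection runs all four steps; the second, a re-scan of the same file, finds nothing left to protect and takes no action.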

Managed DataSecOps: Bridging the Skill Gap

The DataSecOps platform requires skilled cybersecurity, data privacy, and data operations staff, as well as AI talent (with at least a basic understanding of supervised training and labeling), all of which may be in short supply. It can therefore be challenging for organizations to develop and run their DataSecOps platform in-house. This is where a managed DataSecOps solution can assist.

Data protection, data privacy, and governance experts can provide the services needed to help customers identify their sensitive data, categorize it, and protect it from both internal and external cyber threats. This helps organizations address the cybersecurity and AI talent and skills gap they face. A key strategy for DataSecOps management is to leverage that expertise to build the right integrations with existing investments in data protection tools and processes, rather than taking a rip-and-replace approach.

Embrace the Shift-Left Approach for Enhanced Data Protection

In conclusion, a ‘Shift-Left’ approach to data protection is a crucial next step for achieving an effective cybersecurity strategy. With a robust DataSecOps platform, organizations can identify their most sensitive data and proactively take appropriate mitigative actions to protect it. A managed DataSecOps solution can further assist organizations in addressing the cybersecurity talent and skills gap while providing proactive data protection and governance services.

Our team of experts at WaveStrong has been helping customers by offering Managed Data Protection Services and partnering closely to achieve desired outcomes. We are continually expanding and optimizing our services and data protection solution portfolio while growing our partnership ecosystems. We are committed to partnering with you, helping you ‘Shift-Left’ with your data protection and build up a DataSecOps platform, so that together we can discover, classify, and protect everything, everywhere, all at once.

About the Author

Tony Zirnoon, CISSP is Head of Business Development and Partnerships @ WaveStrong, Inc. He is a trusted advisor to cybersecurity startups, incubators, and accelerators in Silicon Valley with extensive experience defining Sales Growth & GTM Strategies.

This article first appeared on Medium.