I was just a kid when the “lock it or lose it” ads started running. In those days, it was my bike that I was most concerned about and I took the advice to heart, keeping it safely locked up. But that was easy – I only had one bike and I knew where it was – so that made it easy to protect. The same thing used to apply to data, back in those days when organizations used mainframes. It changed a bit with the move to servers, since data could reside on any server in a data center, but today, with data located between network core, edge and cloud, it’s a very different story.
Where is your data?
One of the biggest problems in defending against cyberattack is actually working out where your data is, in the first place. It may be at the network edge, or on-premises, or in the cloud, or copied between all three. It could even be integrated into a partner ecosystem or reside with a customer. The point of the matter: You can only protect data once you know where it is located.
And let’s face it, most organizations could not immediately tell you *all* the locations where their data is held. Invariably, it’s everywhere – often because it was convenient at the time to put it into a cloud, keep it on a partner’s shared drive, attach it to a mail, drop it on a USB stick, burn to a CD or DVD, or leave it to gather dust on the hard drive of an old laptop or desktop PC. Very often, the reality is: “All of the above” – with multiple versions or copies of data spread all over the place.
Put yourself in the shoes of the Chief Information Security Officer (CISO) and you’ll quickly grasp the sheer scale of where the challenge starts. But tracking down your data is not where the story ends, the next step is to try and work out what’s most precious and should therefore be the most well defended.
Once you’ve decided on the appropriate level of protection, is it still easy to access the most important files? This is the acid test, because users will find alternatives if it’s complicated or slow to save files in the right place.
Spare a thought therefore for IT Security teams – when putting protection policies into place, they need to know which data needs to be recovered quickly, and which data is less important and can therefore be restored later. For those critical files, you’ll probably choose to hold them on disk, but that’s more expensive than tape for archiving – as well as being more vulnerable to crypto-attacks. This means it’s even more important to be diligent in stacking and ranking your files, as you map out a strategy for data-driven transformation.
It’s not a matter of ‘if’ but ‘when’ you get hacked
Perhaps it is a sorry fact of modern life but IT Security is not based around the principle of whether companies are going to be hacked, but a matter of when. By taking some precautions, companies can at least reduce the risk and limit the damage of an attack. Most of the time, hacks hurt the most because they stop people from being able to do their jobs – because systems are unavailable, or data has been locked. Keep this in mind when prioritizing which data is the most crucial. If you don’t know what’s a priority or not, you can never make the right choice.
Just like always, make sure your critical systems are in a more secure part of your network – but bear in mind this may no longer be within your own four walls. The major public cloud providers have invested heavily into security – and in many cases have more advanced security features and controls than on-premises environments. This changes the rules. What was previously a clear distinction is no longer so cut and dried.
What does remain the same is that you need to know where your sensitive data is located, and as I mentioned above, that is not always easy. Data discovery is an important step-in taking the appropriate measures when finding out where the data sits. Compliance and data residency requirements make things even more complicated.
Data-driven transformation is forcing a rethink of your security approach
To fully benefit from a data-driven transformation strategy, you are going to have to rethink your security approach. We are seeing that reflected in many RFPs from customers – with data become more of a front and center topic. The priority for organizations is to properly classify their data, then ensure it is properly protected in line with its classification, with the strongest measures of protection going to the most essential information. Furthermore, access to data must be meticulously organized and restricted.
An effective Identity and Access Management (IAM) process and toolset introduces role-based data access . A lot of companies are talking about zero trust – or guilty until proven innocent. Incredibly detailed policies can be put in place to determine who has access to what data, and exceptional care should be taken over users who have Privileged Access Management – for example, administrators and developers, since they are often the preferred targets of cyberattacks.
Shoring up your defenses should also mean investing in intrusion detection systems. One of the patterns about breaches is that once an intruder has successfully gained access, they tend to keep a low profile. Through treading carefully and avoiding setting off any alarms, cybercriminals can ensure the success of exfiltration, which is the unauthorized copying, transfer or retrieval of data. To combat this, intrusion detection systems identify irregularities – for example, IP addresses, unusual times for data to be accessed, and so on. The next level is to use UEBA – user entity behavioral analytics – to detect any unusual usage and pinpoint an intruder at an early stage.
The first step is to work out how to assess and prioritize data. This assessment includes finding out where it is stored, then implementing data classification – as this means you can then determine which level of security measures should to be applied. Fujitsu and our cyber-security partners can help. And just like our colleagues on the product side, you can rely on Fujitsu to provide for the big picture – to put together solutions that tie together our own technology with that from partners, to take care of entire ecosystems.
Remember, data is a key part of Digital Transformation. Without it, you’re left with “igil rnsformion”, which does not make a lot of sense.