As we are closing on 2018, I would like to summarize our learnings and thoughts for this year. We started Ardent last year with one objective in mind “Empower customers to minimize data and reduce their business risk substantially” . As simple it sounds,there is serious lack of data minimization approach in data driven world we are living in. As we go through more data breaches and analysis of that we find more evidence that minimizing data is crucial and can save organizations from larger breaches or reduce impact of it significantly. This year , we see term “Data Minimization” used more frequently than ever before thanks to GDPR(General Data Protection Regulation by EU) . It is noticed by lawmakers here is US too, recently after Marriott breach Virginia Senator Mark Warner put out this statement” We must pass laws that require data minimization, ensuring companies do not keep sensitive data that they no longer need. “. So most likely that is coming soon in regulation perspective which is good news.
2018 was busy year for cyber security and privacy space overall and it seems every year is going to be busier than earlier. Several breaches are recorded , more scrutiny is done by regulators, more congressional testimonies happened as lawmakers are getting more concerned about personal data of citizens. To name a few, in Facebook/Cambridge Analytica scandal where at least 87 million user’s personal information was accessed without authorization.Other significant ones to name ,Under Armour(Myfitnesspal), Ticketmaster, British Airways,Exactis and most recently Mariott where millions of user accounts were compromised or user information was exposed. There are many more breaches and list is long but conclusion here is small or big, every company is vulnerable and it is happening more often than before.
Need for Data centric security approach:
Impact or scale of breach is mainly assessed by one factor which is amount of data compromised. Cost of breach is directly proportional to user data and records these companies have and they own. That means cyber risk is proportional to amount of sensitive data owned.Now think about information security program you are running within your company. Is it focused towards data? Do you know exactly how much sensitive or personal data you own? One fine day breach is detected and when regulators hit the door you will have to take the higher number and be responsible for that. Data is most important asset you are protecting and it is essential to assess what you have and what exactly is at stake.
Prioritization is must:
Organization’s security posture is going to depend on prioritization in security budget and resources. Every system is vulnerable in some sense and it is not going to be perfect world in general. Security resources are not going to be unlimited so you have to prioritize what is important. Most of large size enterprises which were breached over years have spent significant money and resources on security but prioritization has not worked well to save them from losing data or reducing impact of breach. That is where data centric security plays important role. You need to secure data first at its source and security architecture needs to be geared towards data you are protecting. If your security architecture is sound, risk of losing actual data goes significantly down even if perimeter is compromised.Most of conversation around cyber security is still dominated by malware, ransomware and perimeter security. If one endpoint is compromised due to malware or ransomware and that threatens security of entire company that itself is a bigger problem. As a industry, we have spent significant time and resources in malware and perimeter security over last decade and that is for sure not changing the game. Focal point of security budget should go towards data security and focusing on areas of data security. It is easy to get busy in operational aspect of security with million of alerts generated from SIEM and other tools with attractive graphs and statistics but eventually it is not focused towards data assets and their security. There is dire need to change our focus towards data security.
Data Explosion :
We are storing and accumulating enormous amount of data everywhere with no organized process around deleting it. When did you last time has data clean up or deletion project to get rid of unwanted data? In my last two decades of security career I have not seen specific effort to do that. Just compare that to paper based records, we have done great job of shredding paper document however completely opposite to digitally stored data, we just keep accumulating data with no deletion. Storage has gone incredibly cheap over time however securing that data is very expensive .Every piece of data has shelf life and there is cost and liability for storing data you do not need. Bottom line is we should be extremely careful about data we store and should be deleting excess data on regular basis.
Data Minimization can help:
Data minimization refers to “The practice of limiting the collection of personal information to that which is directly relevant and necessary to accomplish a specified purpose.” Companies are liable to protect data they own. So owning more data than needed increases responsibility, liability and eventually cost to protect. If we delete data we do not need it will automatically reduce risk which would be arising of that data. Data minimization can be done following steps.
1. Identify your data assets:
Identification of sensitive data assets is first important step. Work with data owners to identify what is important assets to protect and where are they located.
2. Assess your data
Data assessment is next step. Assess data with goal of understanding which data need to stay and which is not needed anymore. It looks exhaustive initially but you will discover lot of data which is no longer needed and easy to get rid of. Start with low hanging fruits first , process is not expected to be perfect initially. As you do this often you will get better idea of data.
3. Delete excess data
Once you are done with data assessment you will have better understanding and handle over data . Delete data you identified for deletion.
This process is automated and simplified with Ardent Data Minimization Platform(DMP)
1. It helps you identify data so you have full confidence in this process and making sure you are minimizing only what you need and nothing more .
2. Provides enhanced reporting of data assets showing what is at risk and needs to be minimized
3. Provides secure deletion process making sure data is not recoverable once deleted.
4. Provides automated process for deletion so you do not have to do this manually again.
There are various good reasons to do this . I am stating a few which provide tangible benefits right away.
1. As data is spread out across multiple data centers and cloud service providers there is a huge risk with supply chain. Accidental exposure of data is not unlikely when you are moving data among data centers or cloud service providers all time.
2. Customers do not have control over hardware in cloud environment specially around deletion so they need to rely on software based methods of deletion and maintain good data hygiene which is under organizational control.
3. Non production environments have tons of data and should have limited shelf life. That data must be minimized and/or eliminated on regular basis.
4. Shared work environments have temporary data and keeping accountability of that is challenging. Data minimization can help securing those environments very efficiently.
I wish you happy new year 2019 and look forward to opportunity to help you in your data minimization project this year.
About author: Sameer Ahirrao is Founder and CEO of Ardent security. Ardent security(@ardent_security) is provider of Data Minimization solution. Contact advisor at ardentsec.com or visit www.ardentsec.com for more information.