Data Protection Thrives on a Comprehensive Approach to Security
Data protection requires effectively coordinating good practices across many security domains. It is actually a large subset of the overall security program. Take a look:
If you’re familiar with Security Architects Partners, you’ll know we’re both broad and deep in our security subject matter expertise. Reflecting on year-end 2016, IAM, surrounded by additional data protection topics, re-emerged as a core focus area for us. As Gartner and Burton Group alumni, we can cover a systematic, comprehensive approach to information security tailored for data protection, and also perform more narrowly focused tasks. For example, we’ve provided guidance on topics such as improving assurance of OAuth implicit flows, embedding robust key management in microservice orchestration to AWS, choosing an enterprise-standard AES key size, defining good practices for application credential management, and developing emergency break-glass procedures for privileged account management.
A User Story Across Disciplines
Data protection is about enabling the business as well as reducing risk. The easiest way to illustrate the synergies between disciplines is through user stories of future state architectures tailored to a line of business. Here’s one we just did:
Next Gen Cloud and Application Security
We highlight Next Gen because the economics of IT are driving clients to migrate premise-based systems to public cloud infrastructure-as-a-service (IaaS). Data protection capabilities must migrate with them – and help guide business units’ SaaS expeditions back in from the lands of shadow IT to sanctioned enterprise cloud service providers (CSPs).
For example, we worked with a large international company considering cloud encryption gateways to enable international customer support using Salesforce, and with a large bank planning a bold move to Azuria via Microsoft’s identity-as-a-service (IDaaS). We also witnessed firsthand the security challenges of a global company’s CISO as he raced to catch up with a headlong business-driven migration of applications serving more than 50 countries to Amazonia. Credit: Michel Prompt, CEO of Radiant Logic, for the cool Azuria and Amazonia allusions.
Next Gen IAM Meets Privacy by Design
Optimizing premise-based IAM infrastructure continues to be very important. But often, you can hardly talk about IAM without addressing cloud, along with a raft of other disruptive megatrends we covered in our post on the second golden age of identity. Also, you shouldn’t lose sight of the bigger picture. Emphasize data governance to protect all confidential data, including personally identifiable information (PII).
PII has been called “the new oil” of the information age. Extremely business-enabling, but potentially toxic. Privacy by Design helps organizations get smarter about data protection – to refactor business data collection practices, identity lifecycle management practices, and application designs. Such projects can entail assessing whether an IDaaS CSP covers the right geographic regions and has the right certifications; partitioning Active Directory by country in a re-design; or using identity abstraction layers to reduce application dependencies on storing PII locally.
Privileged Access Management (PAM)
The data protection discipline is about enabling the business as well as reducing risk. As we wrote previously: PAM is necessary, but deploying it stinks. Although PAM technologies are getting better at supporting traditional premise-based systems, emerging hybrid cloud environments demand still more features. How, for example, do you reconcile PAM’s strict session management capabilities with agile DevOps models?
One of our clients uses this meme: “Share what we can, protect what we must.” In the ongoing effort to balance the enablement/risk equation, PAM is important. It can allow organizations to concentrate more permissions in the hands of fewer privileged administrators (and thereby contain costs) while still having some control of how those users operate – along with providing enhanced accountability and privileged access analytics.
Data Loss Protection (DLP)
Even with proper access management, including well-established need-to-know rules for the workforce, enabling the business typically requires distributing sensitive information to many people. At a minimum, DLP can provide a monitoring control to prevent or deter accidental leakage of the information, while increasing user awareness in the process. It can also help with bottom-up discovery and classification of sensitive information, as per our user story.
It’s critical to understand that deploying DLP is much more than an IT initiative. DLP initiatives cannot succeed without strong business backing. And although some organizations choose enterprise DLP solutions, it is often faster and less expensive as part of a comprehensive data protection project to rely on targeted channel DLP products to fill some critical gaps.
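The bottom-up discovery and classification that DLP contributes, as an added example that is not part of the original post and not any vendor's product logic: it scans a few constructed lines of the kind a share or mailbox scan might surface, detects card numbers (validated with the Luhn check so that random 16-digit references are not flagged), US-style SSNs and e-mail addresses, and assigns each line a classification label. The patterns, the `RESTRICTED`/`INTERNAL`/`PUBLIC` labels and the sample values are all assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample data: lines a discovery scan might encounter in a file
# share export. Every value below is made up for this example.
SAMPLE_LINES = [
    "Invoice 1042 paid by card 4111 1111 1111 1111 on 2016-11-03",
    "Contact: jane.doe@example.com, ticket ref 1234-5678-9012-3456",
    "Quarterly roadmap draft, no customer data",
    "Payroll export: SSN 078-05-1120, dept finance",
]

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a
# longer digit run. Candidates are confirmed with the Luhn check below.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US Social Security Number layout (assumed pattern, no issuance validation).
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
# Deliberately simple e-mail pattern; good enough for a discovery scan.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str, keep_last: int = 4) -> str:
    """Keep only the last few digits so findings can be reported safely."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


@dataclass
class Finding:
    kind: str    # "PAN", "SSN" or "EMAIL"
    masked: str  # redacted representation for the report


def find_sensitive(line: str) -> List[Finding]:
    """Locate sensitive values in one line and return masked findings."""
    findings: List[Finding] = []
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):                    # drops look-alike references
            findings.append(Finding("PAN", mask(digits)))
    for m in SSN_RE.finditer(line):
        findings.append(Finding("SSN", mask(m.group())))
    for m in EMAIL_RE.finditer(line):
        local, _, domain = m.group().partition("@")
        findings.append(Finding("EMAIL", local[0] + "***@" + domain))
    return findings


def classify(line: str) -> str:
    """Assign a handling label (assumed scheme) from the kinds of data found."""
    kinds = {f.kind for f in find_sensitive(line)}
    if kinds & {"PAN", "SSN"}:
        return "RESTRICTED"   # regulated data: block or encrypt before sharing
    if kinds:
        return "INTERNAL"     # contact data: warn and log
    return "PUBLIC"


def scan(lines: List[str]) -> List[Tuple[str, List[Finding]]]:
    """Classify every line; this is the bottom-up discovery step."""
    return [(classify(line), find_sensitive(line)) for line in lines]


if __name__ == "__main__":
    for label, found in scan(SAMPLE_LINES):
        print(label, [(f.kind, f.masked) for f in found])
```

The second sample line is the interesting one: its 16-digit "ticket ref" matches the card-number pattern but fails the Luhn check, so the line is classified on its e-mail address alone. That validation step is what keeps a discovery scan from burying real findings in false positives.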
Encryption, Tokenization, and Key Management
No data protection initiative is complete without protecting sensitive data at rest or in motion from inadvertent exposure to adversaries. It is important to understand that encryption is not access control; it is not effective against mistakenly authorized or over-privileged users. Tokenization, however, can be mixed in with authorization controls, as per our user story, to reduce sensitive data exposure while still providing just-enough access to enable the business. The trick is to determine how and where – or at what level of the stack – to apply cryptographic controls. Last but not least, encrypting credentials and tokens via a good key management system strengthens assurance, particularly for application-to-application communications.
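Tokenization mixed with authorization, as an added example that is not part of the original post and not any tokenization product's design: a small in-process vault replaces a card number with a random surrogate, the application stores only the surrogate, and detokenization is gated by the caller's role so that a payments service gets the full value, a support agent gets only the last four digits, and everyone else is refused and logged. The vault dictionaries, the role policy, and the token format (same length, last four digits preserved) are assumptions for this example; a real deployment would back the vault with a hardened service and key management.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed policy: which roles may detokenize, and to what degree.
POLICY = {"payments": "full", "support": "last4", "analytics": "none"}


class AuthorizationError(PermissionError):
    """Raised when a caller's role does not permit detokenization."""


def _digits_only(pan: str) -> str:
    return pan.replace(" ", "").replace("-", "")


@dataclass
class TokenVault:
    """In-memory stand-in for a tokenization service (constructed for this example)."""
    _forward: Dict[str, str] = field(default_factory=dict)  # PAN -> token
    _reverse: Dict[str, str] = field(default_factory=dict)  # token -> PAN
    audit: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def tokenize(self, pan: str) -> str:
        """Return a stable random surrogate for a card number."""
        digits = _digits_only(pan)
        if digits in self._forward:           # same PAN always maps to one token
            return self._forward[digits]
        while True:
            # Random digits with the real last four kept for display/routing;
            # the surrogate reveals nothing else about the PAN.
            body = "".join(secrets.choice("0123456789") for _ in range(len(digits) - 4))
            token = body + digits[-4:]
            if token != digits and token not in self._reverse:
                break
        self._forward[digits] = token
        self._reverse[token] = digits
        return token

    def detokenize(self, token: str, role: str, purpose: str) -> str:
        """Authorization decision sits in front of the mapping, not beside it."""
        level = POLICY.get(role, "none")
        self.audit.append((role, purpose, token[-4:], level))   # every attempt is logged
        if level == "full":
            return self._reverse[token]
        if level == "last4":
            return "*" * (len(token) - 4) + token[-4:]
        raise AuthorizationError(f"role {role!r} may not detokenize for {purpose!r}")


def store_order(db: Dict[str, Dict[str, str]], vault: TokenVault,
                order_id: str, pan: str, amount: str) -> None:
    """The application database only ever sees the token."""
    db[order_id] = {"card": vault.tokenize(pan), "amount": amount}


def db_exposes_pan(db: Dict[str, Dict[str, str]], pan: str) -> bool:
    """What an over-privileged reader of a DB dump would actually obtain."""
    digits = _digits_only(pan)
    return any(row["card"] == digits for row in db.values())


if __name__ == "__main__":
    vault, orders = TokenVault(), {}
    store_order(orders, vault, "ord-1", "4111 1111 1111 1111", "42.00")  # constructed test PAN
    tok = orders["ord-1"]["card"]
    print("stored token:", tok, "| PAN in dump:", db_exposes_pan(orders, "4111111111111111"))
    print("payments sees:", vault.detokenize(tok, "payments", "settlement"))
    print("support sees: ", vault.detokenize(tok, "support", "verify caller"))
    try:
        vault.detokenize(tok, "analytics", "monthly report")
    except AuthorizationError as exc:
        print("analytics refused:", exc)
```

The contrast with encryption alone is the `detokenize` method: whoever holds a decryption key gets plaintext with no further question, whereas here an over-privileged DBA or an analytics job that reads the orders table ends up with a surrogate and must come back through a policy check that is logged each time.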
Through our user story and brief walkthroughs of the key controls, we hope we’ve enlightened readers as to the interrelationships and synergies between those controls and the data protection disciplines. If you’re interested in learning more, please check out the related reading and/or contact us.
Related reading: Privileged Account Management (PAM) is Necessary, but Deploying it Stinks