Organizations use and store many types of data. Some of it is high value containing business-critical information or regulated data, such as PII (personally identifiable information). Other data is less sensitive and while important for your business does not pose a great risk if an unauthorized person got a hold of it. Increasingly, data is scattered across endpoints, internal networks, and numerous cloud storage locations and services. Keeping important data secure is complex, requiring knowledge of its value, vulnerabilities, access rights, and location.
Many organizations focus on securing the perimeter, then endpoints, and finally users from threats as they seek to implement data security controls. Threat actors don’t care about your perimeter, users, or endpoints. While defending these can protect your infrastructure from going down and causing service outages, the ultimate goal of both malicious insiders and hackers is to get your data and exploit it.
Data security posture management (DSPM) provides visibility as to the location of sensitive data, who has access to that data, how it is used, and the security posture of the data stored or application using it. It does that by assessing the current state of data security, identifying and classifying potential risks and vulnerabilities, implementing security controls to mitigate these risks, and regularly monitoring and updating the security posture to ensure it remains effective. It enables organizations to maintain the confidentiality, integrity, and availability of sensitive data.
That means you need to secure the data itself, not the systems that allow access to it or store it. You have to identify who has access to it and layer on security controls to govern that access.
A DSPM solution should also answer four critical questions:
- Where is my sensitive data?
- Who has access to it?
- How has it been used?
- What is the security posture of my data store?
Discover Sensitive Data
A proactive approach to data security starts by finding your sensitive data, classifying it, and understanding the risk associated with the storage, processing, or transfer of that data. Knowing where your sensitive data is located and who has access to it provides visibility to help you better understand data security risks and take steps to mitigate them.
A key component of assessing your data is to reduce the risk of unwanted exposure, by proactively eliminating data that you no longer need or is obsolete. Data categorization allows you to understand current data (less than a year old), obsolete, and redundant data. Many regulations, like HIPAA or PCI-DSS, require you to retain records for defined periods. Data retention must balance the need to ensure unnecessary data is not retained while preventing other types of data from being inadvertently deleted. Managing redundant and obsolete data also reduces productivity, since users may not know what is current and use the wrong information.
Control Access to Sensitive Data
Once you identify sensitive data, you should implement policies to proactively minimize its exposure, in particular by controlling how it is accessed, used, and retained. This is critical as it covers the policies and procedures aimed at preventing data-related security events.
While identifying and classifying data helps map out your data risk, protecting it focuses on mitigating that risk. Most organizations have multiple types of sensitive data, and the appropriate level of protection can vary based on the type of data or business use case. A single piece of content may contain multiple types or classifications of sensitive data (e.g., PII and PHI), and you may need to consider which protection rules should take precedence when protecting data.
If a document is sensitive, you should encrypt it and apply explicit access controls to limit who can view, edit, print or share the sensitive content with unauthorized users inside and outside your organization. Additional measures to prevent screen captures or add watermarks to sensitive data limits other often overlooked exfiltration vectors. This prevents accidental or intentional misuse or undesired movement of data by those users with a legitimate need to use it. It also ensures that attackers cannot use the data even if stolen.
Policies should govern in-use actions regardless of where the document is stored or who has access to it. This data-centric approach ensures that the data is protected at all times even after it leaves approved locations or goes outside your organization.
Track Usage of Sensitive Data
DSPM identifies potential data risks and allows you to implement proper security controls to mitigate vulnerabilities and reduce the risk. Tracking user actions with sensitive documents allows data governance and security administrators to easily identify the location of protected data and its ongoing protection status. This includes all transformations the data underwent along the way—how the data was transformed, what changed, and why.
Log information is essential for overall data security and incident response analysis. By collecting logs on the location and usage of unstructured data containing sensitive information, you can identify your company’s data security posture at a glance. By tracking users and document usage history, you can understand how your organization uses and manages sensitive files and documents.
The discovery of risky or anomalous behaviors, such as unusual data downloads, excessive printing, or accessing unauthorized copies of sensitive data, may pose a threat to your organization. Since tracking the movement of data can be challenging, it is better to monitor and manage the usage of sensitive data. Once encrypted, you can collect user access logs to correlate actions to help identify potential data breaches and policy violations.
By encrypting and controlling real-time access to sensitive files and documents, alerts decrease since you don’t have to monitor locations and devices. Only authorized users can access the sensitive data and you can adjust policies quickly if needed. This allows you to respond quickly to security incidents and minimize their impact.
Security Posture of Data Stores
When IT was centralized and data was stored in corporate data centers, it was easier to protect the data. Now that virtually everything and everyone is remotely connected, the attack surface has grown and the challenges multiplied. Cloud locations and services increase the decentralization of data repositories. Add this to existing on-prem data stores and documents stored on endpoints, and the true extent of the data’s geography is a considerable challenge.
If we focus on the security of the data, rather than the data location, the job becomes easier. If you encrypt sensitive documents and apply dynamic access controls to them, the file is always protected, regardless of location. The security posture of your data is what to focus on, not your data stores. By default, if you encrypt and control access to sensitive documents in your data stores, they are secure.
This knowledge can then be used to establish and enforce policies to ensure that sensitive data is continuously and appropriately protected.
- Data Security Posture Management Should Focus on Securing the Data - March 4, 2024
- The Role of Enhanced Visibility for Data Privacy and Security - November 7, 2023
