Deploying the latest, greatest detection technology to deter stealthy network intruders will take companies only so far.
At RSA 2020, I learned about how one of the routine daily chores all large organizations perform — data governance — has started to emerge as something of a cybersecurity multiplier.
It turns out there are some housekeeping things companies can do while ingesting, leveraging and storing all of the data churning through their complex hybrid cloud networks. And by doing this housekeeping – i.e. by improving their data governance practices — companies can reap higher efficiencies, while also tightening data security.
This nascent trend derives from a cottage industry of tech vendors in the “content collaboration platform” (CCP) space, which evolved from the earlier “enterprise file sync and share” (EFSS) space. I had the chance to sit down with Kris Lahiri, CSO and co-founder of Egnyte, one of the original EFSS market leaders. For a drill down on our discussion about how data governance has come to intersect with cybersecurity, give a listen to the accompanying podcast. Here are key takeaways:
With so much data coursing through business networks, companies would be wise to take into consideration the value vs. risk proposition of each piece of data, Lahiri says. The value of data connected to a live project is obvious. What many organizations fail to do is fully assess – and set policies for — data they hang on to after the fact.
One reason for this is that storage is dirt cheap. It has become common practice for companies to store a lot of data without really thinking too hard about it. In fact, there’s a strong case to be made for meticulously archiving all stored data, as well as purging unneeded data on a regular schedule.
Knowing precisely which datasets must be kept for long periods, for compliance reasons, enables an organization to use cheaper storage for data expected to be rarely accessed, as opposed to storing an inordinate amount of data in the most expensive ways.
Lahiri points out that it costs four times as much to access data stored in an AWS S3 bucket as it does to keep the data stored in that same S3 bucket. “There’s definitely a cost angle to it. It doesn’t cost much to store data, but it can cost quite a bit to access it,” he says. “Outside of the security perspective, everybody should become more aware of their data life cycle . . . as a company grows, and as the amount of data grows, there is a need for archiving, based on how actively things are changing and what you need to get to, and when.”
It makes a lot of sense that proactive data governance, to keep costs down, also turns out to materially improve security. A robust data archiving strategy puts data into tiers, Lahiri says. Data in active business use should be kept readily at hand, in an easily accessible and highly resilient storage solution, he says.
Data that is rarely used, but necessary to store, should be reviewed and classified, with levels of access assigned according to defined needs. Many of the parties given access to live data, such as certain employees and third-party contractors, probably will no longer need a high level of access; their access should be cut off.
Finally comes the purge. “Once you get beyond the archival stage, it’s important to pay attention to data that you no longer need,” Lahiri says. “I challenge anybody who thinks they actually need to keep any data beyond a regulatory requirement. This is the time to purge those data sets.”
The wisdom of proactively purging stored data was driven home by the hack of Capital One bank. The accused hacker stole personal data for 106 bank patrons, including customer data from credit card applications dating back to 2005.
“They didn’t have a clean purging strategy that says, ‘This is sensitive data, so let’s put in a policy that says we need this data for only so many years, and the rest should be purged,’ ” Lahiri says.
Smarter data governance may not be as sexy as the latest automated threat hunting tools or post-quantum encryption. Yet it is a fundamental best practice that can actually improve the efficacy of advanced detection systems, and thus function as a cybersecurity multiplier. Improved data governance results in greater visibility of sensitive assets and a reduction of easy targets.
Egnyte is in a good position to champion the cause. The company was founded in 2007, has 16,000 customers worldwide and venture backing from the likes of Google Ventures, Kleiner Perkins Caufield & Byers, and Goldman Sachs.
At RSA 2020, Egnyte launched its new platform, which anticipates data ingestion growing at an even higher clip as 5G and the Internet of Things take deeper root, Lahiri told me. Egnyte unifies leading-edge tools for content governance, privacy, compliance and workflow automation, he says.
“We focused on everything that a company does in overall data governance,” Lahiri says. “Our new platform really is our way of saying, ‘Don’t think of one solution to collaborate with, and another solution to figure out data security. We’ve merged these together, and built security into many different layers, so it’s a turnkey solution.’ ”
It’s clearly going to take overlapping initiatives to make digital commerce as private and secure as it needs to be. As improved data governance gains wider adoption, it will help move the ball forward. I’ll keep watch.
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
(LW provides consulting services to the vendors we cover.)
*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/best-practices-why-pursuing-sound-data-governance-can-be-a-cybersecurity-multiplier/