Linking Data Governance and Data Protection
Over the past few years, cyber-criminals have become more sophisticated in their means of attack, their targets, and pointedly, their intent. While a decade ago the most severe cyber events would likely have involved denial-of-service attacks or credit card information theft, since 2014 we have seen what is believed to be a nation-sponsored assault on a major entertainment company, compromised access to millions of records managed by the US Office of Personnel Management (OPM), tens of millions of records managed by Ashley Madison, an adult dating site, and tens of millions of Anthem health insurance member and employee records.
These more recent security breaches reflect more serious criminal intent that goes way beyond simple identity or credit card theft. In the entertainment company’s case, the impact of the breach and subsequent public release of information influenced key business decisions regarding the release of movies, with cost estimates ranging from $10 million to $35 million, and in some analyses as much as $100 million, along with severe damage to corporate image and brand.
The hackers who breached the Ashley Madison site professed a moralistic intent – to shame the participants. And aside from exposing some hypocritical reality TV stars, the breach also exposed weaknesses in corporate trust, particularly the company's charging a $19 fee for a “full delete” that did not actually work.
The assessments of the cost impact of the OPM data breach range from $133 million to as much as $350 million, with a significant portion allocated for ongoing credit and identity theft monitoring for those affected. Similarly, estimates of the cost of the Anthem breach exceed $100 million. This is not small change.
Other apparent trends indicate organized criminals seeking out massive amounts of sensitive personal data for the purposes of committing fraud, exfiltrating sensitive corporate intellectual property, and deploying ransomware, in which sensitive artifacts are remotely locked or released to the public unless a ransom is paid.
The key issue here is the inherent “sensitivity” of certain data artifacts. And although the qualification of “sensitive” may change from one scenario to another, the fact that sensitive data exists across the enterprise should not be a surprise. But because most organizational security functions are focused on perimeter security, which guards the entry paths into the enterprise, the safeguards for protecting sensitive data assets are often ineffective once these protections are bypassed.
This is where we need to begin dovetailing our data governance processes with our data security processes. Data governance and stewardship activities can allow data stewards to focus on the nature of the data assets within the organization, and apply policies regarding protection of the actual content of the artifacts as opposed to access to those artifacts.
There are three main issues to be addressed. The first is assembling an inventory of data assets. In many organizations, there is no catalog of data assets that characterizes what is being managed, what are the different methods by which that data can be accessed, what data protection policies are to be applied, who can gain access to the data, and how the data protection policies are to be applied. This is a straightforward data set inventory, sanctioned under a data governance program.
The second is assessing each asset’s level of data sensitivity. This must be defined in the context of the ruling policies. For example, in the healthcare arena, HIPAA rules dictate what data elements require protection, but there may be many contexts in which these data elements are used. Some require greater protection than others – compare an Explanation of Benefits (which contains protected information) to a marketing database containing all residents within a set of regions (which might not be classified as protected information).
The third is instituting methods of protection. In some cases, data protection is limited to access controls, but in other cases it implies obfuscation of the data so that if there were a security breach and the asset were accessed, the perpetrator would not be able to make heads or tails of the content.
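The three steps above, sketched as an added example that is not from the original post: an inventory entry, a context-dependent sensitivity check, and keyed obfuscation of protected fields. The policy table, asset names, field names, and access methods are constructed assumptions, and HMAC-SHA256 tokenization is one possible obfuscation method chosen for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed policy (assumption): whether an element is protected depends on
# the context in which the asset is used, not on the element name alone.
PROTECTED_BY_CONTEXT = {
    "healthcare_claims": {"name", "member_id", "diagnosis"},
    "regional_marketing": set(),
}

@dataclass
class DataAsset:
    """One inventory entry: what is managed, how it is reached, who may read it."""
    name: str
    context: str
    elements: tuple
    access_methods: tuple
    readers: tuple

    def protected_elements(self):
        # An unknown context fails closed: every element counts as protected.
        policy = PROTECTED_BY_CONTEXT.get(self.context)
        return set(self.elements) if policy is None else policy & set(self.elements)

    def sensitivity(self):
        return "protected" if self.protected_elements() else "unclassified"

def obfuscate(asset, record, key):
    """Replace protected values with keyed HMAC-SHA256 tokens."""
    # Equal values give equal tokens, so joins still work, but a copied table
    # is unreadable without the key, which must be stored apart from the data.
    protected = asset.protected_elements()
    out = {}
    for field, value in record.items():
        # Fields missing from the inventory entry are obfuscated as well.
        if field in protected or field not in asset.elements:
            mac = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256)
            out[field] = "tok_" + mac.hexdigest()[:32]
        else:
            out[field] = value
    return out

# Constructed inventory entries mirroring the two assets compared above.
EOB = DataAsset("explanation_of_benefits", "healthcare_claims",
                ("name", "member_id", "diagnosis", "region"),
                ("claims_api", "nightly_export"), ("claims_ops",))
MARKETING = DataAsset("regional_residents", "regional_marketing",
                      ("name", "region"), ("crm_query",), ("marketing",))
```

The same `name` element is tokenized in the Explanation of Benefits asset and left readable in the marketing asset, because the decision follows the asset's context rather than the column name.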
There are different considerations and approaches to these issues, and I am looking forward to sharing some ideas at an upcoming webinar.