Many organizations have built the foundation of their security architecture on physical and logical technologies designed to keep “bad actors,” or threats, from entering their environment. This approach is not without merit, as it mirrors what we have traditionally done with our homes. We install locks, alarms, and outside cameras, all with the notion of providing a strong perimeter that keeps the “bad guys” out. This is supplemented by strategically organizing things in our personal lives to minimize the chance of losing everything if we encounter a natural disaster or if someone does enter our homes, for example by keeping a safety deposit box at the bank.
But while you can protect your home from myriad threats from the outside-in, there are still issues that can occur inside your four walls that the best protection, and even inside surveillance (e.g. internal cameras), won’t protect you from. Consider your kids, heaven forbid, playing with matches, or forgetting to unplug the tree on Christmas Eve, or your so-called best friend using your computer to look up movie times and stumbling upon your banking records. Whether at work or at home, your data is only as secure as the architecture in which it is housed. Once a “bad actor” gets behind your defenses, whether from the outside-in or inside-out, it is your architecture and the security principles upon which it’s built that will protect your precious assets. So where to start?
- Assess and Prioritize Your Risk Surface – Assuming your organization has an existing data architecture in place, you’ll want to build upon your current investment by reinforcing it with layers of security in a thoughtful and prioritized manner. You can’t afford to boil the ocean, and quite frankly, it doesn’t work anyway! Instead, sit back and think about the overall risks that face your organization, and then prioritize those that are most likely to occur and would have the greatest impact on the organization. For each risk you need to ask yourself:
  - Do I have the right architecture policies in place to protect my data sets and the systems that impact them?
  - Do I automatically have access to the right internal and external information so that I can perform predictive and prescriptive analytics when making architecture decisions and assessing my security posture?
  - Do I have the right processes in place to ensure my architecture is resilient against inside-out and outside-in vulnerabilities with minimal manual intervention?
- Enhance Your Data Architecture – Once you have performed a thorough analysis of your current risk profile and found the greatest bang for the buck, you need to implement an integrated strategy for strengthening your data security architecture. It’s not going to be sufficient to tactically address items a la carte. That’s not how robust architectures are developed. You can of course prioritize your efforts to dovetail with organizational strategies and budget cycles, but the overall roadmap must be holistic in nature. These security dimensions must work seamlessly together in an orchestrated, adaptive manner. You need to harden your systems from the inside-out first AND isolate platforms that are mission critical to your organization from the rest of your systems. This, of course, goes hand in hand with reinforcing your perimeter security and firewalls. You also need to logically structure and segment your data and the access to it so that people only gain access based on the “need to know” principle. Even then, when they do access it, you must be sure each person is actually who they claim to be. This must be supported by protections that keep all data private and confidential, so that prying eyes are unable to peer into your data should they somehow gain access to it from either inside or outside your company. And remember, this means data that is stored at rest in your databases, or traveling within the confines of your network, or over an external network. It’s all “fair game,” and as we see every week in the news, no data is truly safe.
- Prepare for the Worst – Most people maintain some type of insurance, whether it be homeowners or life insurance, because they either think it’s a prudent thing to do (stuff does happen!), or because the law says they have to (e.g. automobile insurance). Data security risk mitigation requires the same level of vigilance and balance. It all starts with an appropriate Monitoring, Intelligence Gathering and Threat Assessment capability tied to the Risk Assessment discussed above. This continuous process must be a combination of automation, human intelligence (internal/external), third-party expertise, scenario assessment and testing, and most of all, imagination and planning. We stress the final point because the sophistication of threats grows each day, and no one person or organization is able to solve all problems by themselves. It does require partnerships.
- Detect and Respond – At some point many, if not all, organizations find themselves the target of some type of incident. Many of these are small in nature. It may be something as simple as a user accidentally deleting important data, which can still have a critical impact on a firm. Or, as we have seen, it can be a rogue nation state attacking a major corporation or government. While the details may be different, and the amount of press attention may vary, the impact and disruption to those involved often feels very much the same. Your organization’s ability to proactively detect and respond when a potential incident may have occurred, to validate that it is in fact an incident, and to isolate and remediate can literally make the difference between the short- and long-term viability of your firm. Keep your company “Out of the Line of Fire.”
Securing your data architecture is a continuous process. It requires a holistic approach that looks at the strategic drivers of your organization and the systems and technologies required to support them, along with the competitive and threat landscapes that change over time. As each of these evolves, you will find that the robustness of your planning, the resilience of your architecture, and your overall responsiveness will prove to be invaluable assets to organizational viability and growth.