Blinded by Rainbows

Suchit Mishra — 5/15/2023 — 4 Min Read

Blinded by rainbows

Watching the wind blow

Do you sleep at night?

I doubt it — Rolling Stones

Imagine flying on a plane with a pilot who is blind. Scary right!

Photo Credits: Bruce Warrington on Unsplash

Unfortunately, that’s how most security teams operate in today’s economy with fewer resources and sub optimal budgets. CISOs are grappling with protecting the crown jewels of an organization but don’t know where and how much of it is at-risk to be protected. While there is some truth in taking a layered defense in depth approach for protecting the underlying infrastructure that hosts the data and assuming that is good enough security; the reality is that you cannot truly protect what you don’t know.

In the legacy data center ecosystem where the security teams acted as the gatekeepers, it was possible to check each and every system and the data it would hold before deployment to production. Gone are those days. Now, in the cloud-first world, any developer can spin up a new stack and data store at a click of a button leaving the security teams completely in the dark.

Of course from a business perspective, data is becoming invaluable and it makes sense to empower the development teams to innovate fast and continuously delight the customers. As a result, companies seem to be collecting and storing humongous amounts of data, which is why the data volumes are exploding at an unprecedented rate and very soon zettabytes of data will be produced and consumed at a global level. Most organizations need data to make intelligent decisions to compete in the market by leveraging analytics leading to actionable insights.

Clearly, this trend is not slowing down. Another fact that’s shaping the industry is the digital transformation and move to the cloud. Coupling the two together makes for a great growth story for the business. However, the security teams now have a much tougher job to manage the data exposure risks that surface from this shift.

Photo Credits: PixaBay

So what are the security teams supposed to do?

Visibility is the key and prioritizing the risk remediation based on the context is quintessential when it comes to the success of the security program. Most solutions in the industry today only point at isolated vulnerabilities which is necessary but not sufficient to influence the business and development teams to address the risks. The holy grail in security is not simply about finding more security issues and drowning the teams into alert fatigue but instead quickly getting the issue resolved and moving forward.

Lack of risk contextualization is a key reason for teams not addressing security in a timely manner. And in today’s resource constrained environment, it’s important to look at the data in scope, whether it’s personally identifiable data or personal data or Intellectual Property in addition to the security vulnerabilities in deciding whether or not to address it. The modern tools today don’t lend themselves to providing that 360 view. There are good security and privacy frameworks to choose from. A good example to follow would be the new NIST cybersecurity framework 2.0:

Govern: The first order of business for an organization is to define data classification and handling policies and procedures to manage the data risk exposures.

Identify: Then automatically discover the at-risk highly sensitive data across the company. Create an accurate inventory of data and map it back to the classification model and compliance regimes and tag them accordingly.

Protect: Now that the data has been discovered, mapped, and tagged; apply the appropriate security controls viz. access, encryption, tokenization, masking and codify the data treatment leveraging the CI/CD pipeline.

Detect: In fast growing, dynamic environments, things are bound to change. A mechanism to automatically detect drift in real time and continuously monitor for deviations from the policy is key. Once the aberrations are detected, alerts need to be sent to the data custodians and/or owners to course correct quickly.

Respond: Despite all the preventive and detective controls, there may still be blind spots and slippages that lead to a breach scenario. Determining the blast radius of the data risk exposures and business impact becomes imperative in such cases. Have the capability to query and fetch answers to aid forensic analysts. The output of the investigations can be used by the privacy legal teams to craft the breach notifications to customers and regulators.

Recover: After it’s clear what data sets have been compromised the security teams should be able air gap the tainted data from the pristine data sets and assist the IT and/or data teams in pulling the clean data from the backups and jumpstart the business as per the disaster recovery plan.

Conclusion

Just like a pilot cannot drive a plane safely without clear visibility in sight, security teams cannot adequately protect the crown jewels in the organization without proper knowledge of where the at-risk data resides.

Today’s data economy is made up of exabytes of data that are now the responsibility of security teams to safeguard. A good inventory of data assets, followed by data mapping tied to sensitivity based on classification and the compliance requirements will help security teams to navigate around the modern data landscape. Hopefully with this framework in place, CISOs can actually sleep at night.