05 Jun Systancia: Data protection and Data governance | Cybersecurity series Part 3
In this series, thanks to our experts, we will report and evaluate the latest developments in Cybersecurity from a European point of view. Access the Introduction (ECA), Part 1 (Eperi) and Part 2 (ECA).
Data protection and Data governance
When one speaks about data protection, the first concepts that come to mind are confidentiality and encryption. Enterprises deploy laptop encryption solutions to protect enterprise data spread out over corporate-owned endpoints or devices: but once the password barrier is crossed, the laptop user has access to all the data in clear. This is one example amongst many which shows that security always requires a multi-pronged approach and that you can leave no dimension out of scope. In this article, we would like to emphasize a key dimension of data protection: if you don’t know “who is who” and “who is entitled to access what”, your data are not protected.
We also have to bear in mind that enterprise data are both at rest and in flux. They rest in storage and move from one place to another. You need to protect both. If you protect the warehouse but not the truck which transports the wares, it does not work. It does not work either if you leave the key of the warehouse or the key of the truck with someone you don’t trust enough. Data can also be hidden in a database behind an application interface (whether user or programming): the same risk applies. The data can be encrypted in the database; if an authenticated user or program can extract and export the data, the risk remains. This shows the importance of authentication in data protection.
It takes both a data governance approach and an identity and access governance approach to better protect your data assets. At the intersection of these two practices, you find the notion of “who has access to which data”. It concerns both the upstream part of the governance (discover, define, enforce) and the downstream part of the governance (collect, analyze, (re)act): and as I write this, it is no longer really upstream and downstream, it is a kind of infinite loop, similar to DevOps, that we could call “Data GovOps”.
As a matter of fact, the “identity and access management” (IAM) component plays a key role in protecting enterprise data.
- The first aspect regards identities and entitlements: knowing who is concerned and which rules apply when it comes to data access. It may seem obvious, but in reality and in operations, it is not. Firstly because some business situations may be complex and are not always well captured in the concepts of commercially available solutions: in the same enterprise, the same business contractor can have a director role in one organization and a contributor role in another. You can also face technical constraints with regard to the management of access rights in applications: not everything is managed with an AD, for example. Secondly, it is of the utmost importance that the theoretical access model is actually implemented right away and synchronously within operations. If it takes a day to provision and de-provision access rights when a change occurs, you have a risk.
- The second aspect regards authentication: once the door is open (the user is authenticated), the user can visit the house. Authentication plays a key role in data protection, and it has two aspects. You have the strength of the initial authentication, which you can reinforce (adaptive authentication: consider where and when the user authenticates; multi-factor authentication: complement credentials with what the person has or who the person is – biometric type). If a decryption key is one element to unveil data, authentication keys are another one: data protection also requires key protection. But again, as strong as the initial authentication can be, if it is a third-party service provider working from home during a crisis, what guarantee do you have that it is still the same person behind the keyboard, mouse and screen after the authentication? That is where technologies like “continuous authentication” come into play: they are based on AI/ML-powered analysis of the user’s behaviour. You can steal a password or a key: you can hardly steal a behaviour.
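An added example (not from the original article nor Systancia's products) of the first aspect above: an organisation-scoped entitlement model in which one contractor holds a director role in one organisation and a contributor role in another, plus a reconciliation check that flags provisioned rights (e.g. group memberships read back from a target system) that drift from the model for longer than a tolerated provisioning lag. All names, roles and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed authoritative model (constructed): one role per (person, organisation)
# pair, so one contractor can be director in org-a and contributor in org-b.
MODEL = {
    ("contractor-42", "org-a"): "director",
    ("contractor-42", "org-b"): "contributor",
    ("employee-7", "org-a"): "contributor",
}
ROLE_ACTIONS = {"director": {"read", "export"}, "contributor": {"read"}}  # assumed
NOW = datetime(2020, 6, 5, 12, 0)  # constructed reference time for the sample data

@dataclass
class Grant:
    """A right as actually provisioned in a target system (e.g. a group membership)."""
    user: str
    org: str
    role: str
    last_synced: datetime  # when the target system last applied the model

def is_allowed(user: str, org: str, action: str) -> bool:
    # Policy decision against the model, scoped to the organisation.
    role = MODEL.get((user, org))
    return role is not None and action in ROLE_ACTIONS.get(role, set())

def reconcile(grants, now=NOW, max_lag=timedelta(hours=1)):
    """Flag grants that diverge from the model: wrong role, orphaned user, or a
    modelled right never provisioned. The last field says whether the divergence
    has outlived the tolerated provisioning lag."""
    findings, seen = [], set()
    for g in grants:
        seen.add((g.user, g.org))
        expected = MODEL.get((g.user, g.org))
        if expected != g.role:
            kind = "orphan" if expected is None else "mismatch"
            findings.append((kind, g.user, g.org, g.role, now - g.last_synced > max_lag))
    for (user, org), role in MODEL.items():
        if (user, org) not in seen:
            findings.append(("missing", user, org, role, True))
    return findings

def sample_grants():
    """Constructed snapshot of provisioned rights, including two defects."""
    return [
        Grant("contractor-42", "org-a", "director", NOW - timedelta(minutes=10)),
        Grant("contractor-42", "org-b", "director", NOW - timedelta(hours=3)),  # over-privileged
        Grant("employee-7", "org-a", "contributor", NOW - timedelta(minutes=10)),
        Grant("leaver-9", "org-a", "contributor", NOW - timedelta(days=2)),  # left, never revoked
    ]
```

Run `reconcile(sample_grants())` to see the two findings; a finding whose last field is true means the "day to de-provision" risk the article describes has already materialised.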
As one can see, IAM is like a good foundation for strong protection of IT assets: data, and beyond data. You need to know “who is who” (identity management) and “who is entitled to do what” (access management), and these rules must not only be defined but actually enforced in your IT system, and then monitored. And you need to know, at any moment in time, “who is behind the screen” (authentication): is it still the person you expect? And what is her or his behaviour (behaviour-analysis-based fraud detection is an effective way to protect data)? And then, beyond this identity and access management “fence”, you find all the other data protection techniques you can put in place in the “house”.
This is confirmed by the analysts’ recommendations, which have become more insistent since the promulgation of GDPR in Europe, for example. “DPOs and CISOs must work closely together”, and “jointly develop a data security governance strategy”; “this also creates an urgency for collaboration between the CDO and CISO teams, because many of the life cycle issues overlap, with potentially different perspectives and responsibilities” (Gartner). “If the one who has the data is the king, then the king needs to protect his kingdom”. Most often, the purpose of identity theft is data theft. Data privacy needs data protection.
Systancia, Chief Product & Marketing