In Business, the First Casualty of Innovation Is Security

August 13, 2021

  • Cloud growth is increasing, but few organizations understand how to secure data in it.
  • Too many organizations believe that if they’re in compliance, they’re secure.
  • Visibility, discovery and classification capabilities help drive costs down while improving the customer experience.

 


 

Pandemic-driven development initiatives have brought more organizations into the cloud, but very few have had the resources or the know-how to secure sensitive data there. Today, many of these organizations face significant challenges in simply discovering and classifying data in cloud-based environments. To make matters trickier, they will soon need to comply with more robust data privacy regulations or face significant consequences.

 

The news isn’t all bad, though. Organizations with the right strategy and tools can close the gap between innovation and security – and turn a potential existential threat into a great opportunity.

 

 

How Did We Get Here?

In the days before digital transformation (DX), an organization might have used three-to-five approved standard databases while development teams and DBAs tried to funnel every application into them. The native logging and database activity monitoring (DAM) tools they used for auditing and reporting allowed them to meet compliance requirements. Today, those three-to-five databases are going to 10-15 and in some cases 20-25 – many of them cloud-based and incompatible with traditional logging and DAM tools. Cloud vendors are required to provide a secure architecture, but responsibility for data security lies with the organization.

 

Innovation, however, marches on. Taking advantage of the cost-efficient, pay-as-you-go models and scalable database capabilities offered by cloud environments, DevOps teams and DBAs can spin up and take down databases in cloud environments in a few days or weeks. They can also populate testing and search tools with unprotected sensitive data and then forget about them. The result of these activities is a largely unsecure data estate that’s vulnerable to breaches and theft, often without security teams’ knowledge. Gartner reports that by 2024, more than 80 percent of organizations worldwide will face modern privacy and data protection requirements. Secure data is no longer “nice to have.” It’s a full-blown business imperative.

 

 

Data Compliance is Not Data Security

For many years, most organizations figured that if they were able to “check the compliance box,” their data was secure. In reality, even well-funded enterprises that have committed significant resources are not much closer to data security than those who have done little. The tools they use were not designed for the complexities of the modern database landscape. The security components featured in these tools are not really effective, not actual security controls, and not widely used. For most organizations, “database security” is a misnomer – they really just have database compliance programs that don’t protect their data. These organizations and countless others must do more to secure the giant data estates they have created.

 

 

Start With Visibility

After rapid digital transformation, gaining visibility into your data assets needs to be the first step in closing the gap between innovation and security. Seeing what you need to see for compliance isn’t enough to stop data breaches. Most organizations that have fallen prey to high-profile data breaches were actually in regulatory compliance. Creating complete visibility at the database level is critical because it drives everything else. More often than not, making visibility the top priority enables most organizations to address most compliance requirements. It also provides the raw intelligence that security teams need to fend off cyberattacks. Without sufficient visibility, you won’t know where data is and what’s going on with it. You won’t be able to mitigate security risks. To establish some level of baseline behavior, you must know the “6 Ws” of your data: Who is accessing it, what they’re doing with it, why they need it, where they’re accessing it from, when they’re accessing it and which servers they’re using. Without this information, you can’t create an access control policy and truly secure data.

 

 

Finding a Needle in a Stack of Needles

With true data visibility comes a tidal wave of information. The next step to closing the innovation-security gap is enabling security teams to separate actionable data without inducing alert fatigue. Using a security information and event management (SIEM) tool is a great place to start. The downside of a SIEM tool is the more data you feed into it, the more costly it can be to process. Alternatively, organizations can choose a data security solution that natively performs analytics in a single unified platform – one that enriches data and aggregates key views with contextual information like vulnerability assessments and identity access management. This drives SIEM costs down and dramatically reduces the volume of potential security threats that SOC teams need to consider.

 

 

Data Discovery and Classification

The next phase of data visibility is classification. Cybercriminals are out there, using every means at their disposal to gain access to sensitive personal data and personally identifiable information (PII). Once these bad actors create a breach, they may leverage the sensitive data they steal for crimes such as extortion or fraud (or, they may sell it on the dark web). No matter your industry, if you retain PII you must be able to comply with new data privacy rules. Current and future privacy laws raise the accountability for failure through costly audits, penalties and fines, as well as damage to your brand reputation.

 

There is considerable work to do here. 54 percent of companies have reported not knowing where their sensitive data is stored. Further, 65 percent say they’ve collected so much data that they’re unable to categorize or analyze it. To close the security gap, you must have a consistent and scalable way to discover and catalog sensitive information (from employees and consumers, for instance), and make it ready for data subject access request (DSAR) responses.

 

Choose a data security solution that fosters complete and automatic visibility into all data and user activity through a single UI. This eliminates concerns about DevOps teams or DBAs spinning up databases with no warning and old databases holding sensitive data that’s no longer used, yet is still part of the estate. A single UI makes discovering and classifying personal data and PII much easier and faster, whether it lives in structured or unstructured data sources, on-premises or in the cloud. The solution should constantly scan your entire data estate and find correlated attributes of sensitive data that constitute PII, so you know exactly what to protect.

 

 

What’s in It for You?

A recent Pew Research study revealed that 79% of consumers are very concerned about how companies are using the data they collect. AvePoint reported in 2018 that the average cost to fulfill a data subject access request (DSAR) from an individual is close to $315,000. A good data security solution should help an organization's data manager fulfill a DSAR in a few minutes. The Gartner report noted earlier says that by 2023, companies that earn and maintain digital trust with customers will see 30 percent more digital commerce profits than their competitors.

 

These points (and many others) are clear indicators that catching data security up with innovation is good business. And because robust, data-centric security strategies bring quantifiable financial benefits, maintaining alignment between innovation and security may be considered more like a revenue-generating program than a cost to be reduced.

Ron Bennaten
SVP & GM for Data Security | Imperva
Ron joined Imperva through the acquisition of jSonar, where he served as CTO and co-founder. He has been a “data security guy” for 25 years and has worked at companies such as J.P. Morgan, Merrill Lynch, Intel, IBM and AT&T Bell Labs. He was co-founder and CTO at Guardium, which was acquired by IBM, where he later served as a Distinguished Engineer and the CTO for Data Security and Governance. He has a Ph.D. in Computer Science and has authored 11 technical books.