Don’t let antiquated data protection technologies define the boundaries of how you can protect your data.
Technologies like data loss prevention (DLP) have literally been around since 2000, so in essence many organizations are using a 20-year-old technology as the heartbeat of their data protection programs. Let’s face it, the way organizations have been addressing data protection is completely antiquated. Sure, some have been optimized and other new players have joined the DLP field, but for the most part the original DLP vendors are shells of what they once were. Like legacy ERP systems such as J.D. Edwards, Siebel or Baan, they probably are not meeting organizations’ needs like modern-day WorkDay, Salesforce and ServiceNow platforms are.
Transforming from old-guard technology institutions to modern platforms that meet organizations’ business requirements is an incredibly heavy lift. Not to mention the fact that data has changed, moved, transformed, and multiplied…driving organizations to purchase more point-solutions to solve the data challenge de jour.
Similar to my first blog, you are going to get my raw and (I like to think) informed opinion about how organizations should be taking a data-centric approach to securing it. Don’t let antiquated data protection technologies define the boundaries of how you can protect your data. In this blog I am going to talk about a more agile approach to securing your data, working outside the borders of your technology, introducing automation, and getting attention for the data component of your larger digital transformation initiatives.
What are you protecting? It should be an easy question, but it’s not. In fact, it’s almost impossible unless you have to have a clear understanding of how data is created, how it’s used, who owns the data stores, and what the effects are on the data when you apply different controls. To take a truly data-centric approach to securing it, you cannot be married to the technology, but instead you need to be married to the understanding of the data.
How is that even accomplished? I think the best way to go about identifying what data to protect is by defining a very targeted scope centered around the data and not around the technology. The importance of this approach is compounded when tackling the data protection component of a broader digital transformation initiative.
Digital transformation started with lift and shift of the infrastructure and computing to a cloud service provider (i.e. Amazon, Microsoft, Google, IBM), and suddenly organizations were in a new position – a shared responsibility model. Now organizations have a hybrid environment of cloud and on-prem, with on-prem protection tools and mindset. Amidst this digital transformation, throw in a pandemic and we are seeing the fastest move to the cloud ever, as well as an exponential growth of data.
So, I return to my original statement. In this world of exponential data growth sprinkled throughout the prem and cloud, how do organizations know what to protect? Organizations should consider working with a partner to help them secure their data during the digital transformation journey. How is data created, how is it used, who owns the data stores, and what are the effects on the data when you apply different controls?
For example, customers approach us with the following requirement: “I want to implement the latest and greatest SASE solution to protect my cloud environment.”
It would be easy for us to implement, configure, and hand them the keys, but is that really the best long-term solution for our customer? No.
The question should really be: “We need to protect our data. It is moving into XYZ environments, we are cloud first and are amid digital transformation at every level. How can you help?”
A good partner should reaffirm a data-first approach to protecting it. Start with an assessment to understand how the data is created, how it is used, what controls are in place today, and how they can be optimized with existing technology. Maybe the organization ultimately does need new tech, but that should be an outcome of the assessment…not a driver.
Let’s go back to my earlier comment about organizations purchasing point solutions to solve the data challenge de jour. I cannot argue with the rationale of needing multiple technology platforms to solve an organization’s data security requirements. Need a classification tool? CASB? SASE? MDM? How about privacy tools to address ever-changing regulations? Key management? The list goes on…
Adding tools to your quiver of technologies takes time, money, and resources to implement and manage. While you may be solving for specific use cases or scope, deploying siloed solutions that are managed by disparate resources almost always results in underutilized technology. This is not just a missed opportunity, but organizations are never able to realize the full potential, value, and return on investment for their technology purchase. More importantly, these disparate tools require humans to aggregate and orchestrate the outputs into meaningful and consolidated results.
Speaking of the people-equation, humans are still a key component of the technology solution, but instead of throwing more people at the tech, organizations need to take a more agile and automated approach to data protection. For example, organizations do not need a person who is triaging mass amounts of incidents and never solving the root problem, which is — why are these incidents being generated in the first place? If the same incidents are being generated over and over by people and/or systems, it is one of two things:
- There is no feedback loop. Without a feedback loop, organizations are unable to address behavior through training or information that they are getting from those systems.
- Without information from the systems, there is no good logic or feedback to tune the policies. Let’s face it, even with same input, policy tuning is a heavy lift, must constantly be done, and is typically performed by humans.
Again, don’t let antiquated data protection technologies define the boundaries of how you can protect your data
WHERE TO START
It can certainly feel like you need to boil the ocean to figure out what data to protect, how to protect it, which technologies to use, and how to manage and get value out of disparate systems.
Start with understanding your organization’s data security requirements. Not just the requirements of IT, DevOps, and the SOC, but include business stakeholders, privacy, regulations, audit, finance, and security teams. Find a partner to lead an assessment and understand how the data is created, how it is used and what controls are in place today. Benchmark against industry and regulatory standards and identify gaps requiring remediation. Incorporate the requirements of the entire business, then identify and utilize technology and automation to reduce data risk.
The next step is critical and new to many organizations — automate. To properly enable the technology, data protection programs need to rely more on automation and less on humans. Automation can be used to perform system health checks, harmonize policies, and unify reporting and analytics into single pane reporting across disparate systems. Instead of performing these repetitive and often mundane tasks, humans can be used to define requirements for automation and ultimately tune the technology based on the intelligent outputs of the automation.
Why is automation so important? If you are a cloud-first organization that is in the business of selling data, creating data, and transacting data, that data is your livelihood. If humans continue to manage, monitor and tune the systems that protect your data, they will not have a fighting chance of keeping up with the growth of the data and the ever-changing environment. When tuning a particular use case is “complete”, the policy logic becomes antiquated within days or weeks.
For that reason, I believe organizations need to take an agile-based approach, introducing automation to address data protection initiatives within broader digital transformation journeys.
Thank you for taking time to read my perspective on what I believe the best path to success in securing organizations’ data — automate what you can. Don’t let antiquated data protection technologies define the boundaries of how you can protect your data. Instead, take an agile approach to securing your data, working outside the borders of your technology, introducing automation, and getting attention for the data protection component of your larger digital transformation initiatives.
If you are interested in learning more about how we applied this approach to one of our customers, I recommend reading our Case Study about a US health plan provider that experienced the “perfect storm” of challenges in their digital security transformation efforts. Discover how Cloudrise helped them automate manual processes and secure their remote workforce utilizing the Netskope Platform.
My challenge to you: Look at large, board-approved, strategic initiatives and determine how you can apply cyber innovation to that project. It would be a small data lake project or massive digital transformation. Think about how a data-centric approach + automation could enable you to step out of the norm and do something different. Take the opportunity to challenge the way things have always been done.
By Rob Eggebrecht