My reflections after visiting RSA Conference 2016
RSA Conference has long been the place where security vendors announce new products and services, and industry trends are made. I was told by Centrify that recent breaches demonstrate the urgent need to secure enterprise identities against cyberthreats that target today’s hybrid IT environment of cloud, mobile and on-premises. Other vendors are taking the approach to “encrypt data everywhere.” I think we need a broad combination of a few key approaches.
Increasing regulatory compliance requirements
Organizations are faced with increasingly complex industry and federal regulatory compliance requirements and wrestle with the scope, cost, and resources necessary to maintain information technology compliance standards, including FISMA, HIPAA, PCI DSS, and NERC.
Measurable objectives and achievable goals
Organizations need help to understand, measure, and validate the wide range of compliance initiatives. They also need help to develop roadmaps and strategies or to build a reliable security program. Many organizations are asking for a security strategy that has measurable objectives and achievable goals.
Shortage of IT security skills
The increasing shortage of IT security skills may require organizations to seek external help. In many cases they need help from experts with IT & Security credentials, including CISSP, Certified HIPAA Professional, PCI Qualified Security Assessor, Certified FISMA Compliance Practitioner, and Certified Information Security Manager (CISM).
Rising security costs
Security costs are rising dramatically. “Organizations once spent about three percent of their IT budgets on security; now that number is about eight times higher. But money doesn’t create a silver bullet fix,” Senior Vice President of Global Security Services Chris Richter told PRNewswire.
Locate sensitive data
We know the first step in any security initiative is to locate sensitive data in databases and file systems. I have seen cost-effective approaches based on agentless technologies and cloud-based solutions that quickly search all popular databases, file systems, and application environments.
Less cost and time
Cost and time can be reduced in many cases by using experienced data discovery engineers to effectively help clients locate sensitive data within corporate environments. One example is the PII Finder solution combined with Compliance Engineering’s security consulting services.
The largest collectors of personal data
Research company Government Technology recently pointed out that as “one of the largest collectors of personal data, the government is in the unique position to both use and lose valuable constituent information.” An expert panel took up the issue at RSA Conference, discussing the risks and necessary next steps in this space. “Due to the ever-changing nature of data collection, data use and privacy concerns,” J.R. Reagan, Global Chief Information Security Officer with Deloitte, told Government Technology, “there is simply no easy way to flip-flop between acceptable and unacceptable data uses when presented with the aggregate nature of huge amounts of digital information.” We know that the Internet of Things and mobile are generating large amounts of sensitive data that is aggregated in cloud and big data platforms. This data needs to be discovered, classified, and protected.
Inventory of all sensitive data
“One primary issue of data in the digital age is the fact that much of the data being collected is not properly accounted for,” Wyoming CIO Flint Waters told Government Technology. “In talking with CIOs around the nation, we have a history of agencies that have siloed data collection and we truly do not know all that is gathered by them,” he said. “In many cases, we’re finding government entities, through some legislative or reporting or audit mandate, have gathered additional data sets from other entities and now they have workforce and transportation and education data sitting at the Department of Health.”
Many organizations are under pressure from new regulations and the current threat landscape, yet are unable to answer the following questions: What is their critical value data? Where is it located? Who has access? And what do those with access do with the data? Without knowledge of what you are attempting to protect, the threat cannot be managed.
Government Technology brought attention to “the lack of guidelines for data retention.” Lee Tien, Senior Staff Attorney with the EFF, told Government Technology that “as storage capacity grew within government, more agencies moved to hold onto constituent data — especially in the cases of law enforcement agencies. This is a radically underdeveloped area because historically they didn’t have any rules about retention and as long as the state IT capacity was not all that great, they didn’t need to think about it that much,” Tien said. This data is not kept out of necessity, Tien suggests, but rather as a source that might prove beneficial in the future.
Data encryption, masking, and tokenization can protect the data that you need to retain. Data discovery can help you to make this decision.
Processes to enforce retention
Most importantly, organizations are looking for solutions that can help limit the amount of data stored and its retention time to what is set by legal, regulatory, and/or business requirements. There are specific retention requirements for different types of data, and a need for automated processes that securely delete data when it’s no longer needed. The automated processes should identify and securely delete stored sensitive data that exceeds the defined retention period.
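As an added example (not code from this post or from any vendor it mentions), the following Python script joins the discovery step from “Locate sensitive data” with the retention enforcement described here: it walks a directory, classifies files that hold card numbers or SSNs, compares each file’s age against a per-class retention policy, and overwrites and deletes the files that exceed it. The detection patterns, the retention periods and the sample files are all constructed assumptions.

```python
import os, re, time, tempfile
# Constructed retention policy in days per data class (an assumption, not from the page).
RETENTION_DAYS = {"card": 90, "ssn": 365}
PATTERNS = {"card": re.compile(r"\b(?:\d[ -]?){15}\d\b"),   # 16-digit card, spaces or dashes allowed
            "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b")}   # US-style SSN

def luhn_ok(s):
    d = [int(c) for c in s if c.isdigit()]  # Luhn check drops order ids and other random 16-digit runs
    return (sum(d[-1::-2]) + sum(sum(divmod(2 * x, 10)) for x in d[-2::-2])) % 10 == 0

def classify(text):
    # Discovery step: the set of sensitive data classes present in text.
    return {c for c, p in PATTERNS.items()
            for m in p.finditer(text) if c != "card" or luhn_ok(m.group())}

def scan(root, now=None):
    # Walk root and yield (path, classes, age_days, expired) for each file holding sensitive data.
    now = time.time() if now is None else now
    for path in (os.path.join(d, n) for d, _, ns in os.walk(root) for n in ns):
        with open(path, errors="replace") as f:
            classes = classify(f.read())
        if classes:
            age = (now - os.path.getmtime(path)) / 86400
            limit = min(RETENTION_DAYS[c] for c in classes)  # strictest applicable class wins
            yield path, classes, age, age > limit

def secure_delete(path):
    # Overwrite then unlink; best effort only, since journaling and SSD wear levelling may keep copies.
    with open(path, "r+b") as f:
        f.write(os.urandom(os.path.getsize(path)))
        f.flush(); os.fsync(f.fileno())
    os.remove(path)

def enforce(root, now=None):
    # Retention step: remove every file older than the limit for its data class, return what went.
    removed = [p for p, _, _, expired in scan(root, now) if expired]
    for p in removed: secure_delete(p)
    return removed

def demo():
    # Constructed samples with backdated mtimes: an expired card file, a fresh SSN file,
    # and an old log whose 16-digit order id fails Luhn and so is not sensitive data.
    root, now = tempfile.mkdtemp(), time.time()
    samples = {"old_cards.csv": ("4111 1111 1111 1111,refund", 120),
               "new_ssn.txt": ("applicant 123-45-6789", 30),
               "orders.log": ("order 1234567890123456 shipped", 400)}
    for name, (text, age_days) in samples.items():
        with open(os.path.join(root, name), "w") as f: f.write(text)
        os.utime(f.name, (now - age_days * 86400,) * 2)
    return root, enforce(root, now)
```

Running `demo()` removes only `old_cards.csv`; the SSN file is inside its retention window and the order log never counts as sensitive data.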
The increasingly complex industry and federal regulatory compliance requirements are making it necessary for organizations to understand, measure, and validate the wide range of compliance initiatives. To do so, it is essential that they develop roadmaps and strategies that aim to build a reliable security program.
With cost-effective approaches, possibly based on agentless technologies and cloud-based solutions, these goals are attainable.
The first step is to locate sensitive data in databases, file systems, and application environments. The next is to identify that data’s specific retention requirements and apply automated processes that securely delete it when it’s no longer needed.