Three Key Steps to Sensitive Data Protection
Author(s): Francis Ofungwu, Posted on September 4th, 2014
At the heart of every security strategy is the objective to protect sensitive information from unauthorized disclosure. Whether you’re designing a defense-in-depth approach to security, or addressing the requirements of compliance standards like PCI-DSS and HIPAA, your approach to success requires a firm understanding of how various actors within and outside your organization interact with sensitive information.
What follows is a summary of three key activities that need to be accomplished for an effective sensitive data protection strategy.
Data discovery is a key step because it allows you to identify the scope and complexity of your data protection task. Sensitive data protection can be a complicated objective, and it is recommended that you take an iterative approach towards achieving success. It is naïve to believe that you can protect all data that flows through your organization. Not only would this be a massive undertaking in terms of financial and personnel resources but, more importantly, why would you? For example, if you have information that is classified as public or non-sensitive, you do not need to spend resources protecting it.
The data discovery exercise should include the following phases:
- Data Classification: Using policy or compliance requirements to classify your sensitive information. For example, Patient Health Information (PHI), financial information, and payment card data.
- Data Flow Analysis: After classification, analyze how this data flows in and out of your environment. This can be done as a tabletop exercise or by using proprietary or open-source data loss prevention (DLP) tools.
- Gap Analysis: Based on the output of your flow analysis, you can identify gaps in your approach to sensitive data. These gaps will form the basis of your protection strategy.
From the data discovery work stream, you now have a good handle on how sensitive information is transmitted, stored and processed in your environment. The next key step is to isolate the people, processes and technologies that interact with your sensitive data. For example, your data discovery exercise may uncover that cardholder data traverses your entire network, lives on multiple data repositories (web servers, databases, application servers), and is accessible by a large number of individuals who do not need access to this information. In this scenario, your large attack surface leaves you more susceptible to a breach.
Data isolation is a way to reduce your attack surface by using access control and encryption to ensure only authorized systems and users can access sensitive information. For example, the Unisys Stealth technology can ensure that only authorized users and systems can access sensitive information by making data repositories undetectable to unauthorized users and endpoints across any private or public network.
As the phrase goes, change is the only constant, and this is especially true in an IT environment. Whether it is a system migration or adding and terminating authorized users, your IT environment is typically in a state of flux, and the results of your discovery and isolation exercise can be obsolete in a matter of days.
To avoid the possibility of changes introducing new vulnerabilities, implement a system that will monitor your isolated sensitive environment for changes that breach your policy objectives. You can automate this process by deploying activity monitoring and event management solutions that will learn your baseline configuration and report on anomalies.
For example, if you have an authorized user that typically accesses a database that contains sensitive financial information from a certain source IP address and endpoint, you can implement your event management system to flag any access from that user that is not in line with the established baseline. Online banking applications now use a similar approach. Whenever I access my bank account from a different computer or IP address, it flags the access and requests additional access credentials, even though I am using my correct username and password.
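The baseline check described above can be sketched in a few lines. This is an added example, not code from the original article or from any monitoring product: the CSV log format, the field names, and the users, hosts and addresses are all constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample logs: timestamp,user,database,source_ip,endpoint
BASELINE_LOG = """\
2014-08-01T09:02:11,alice,findb,10.1.4.22,WS-ALICE-01
2014-08-02T09:05:40,alice,findb,10.1.4.22,WS-ALICE-01
2014-08-02T10:15:03,bob,findb,10.1.7.9,WS-BOB-03
"""
NEW_EVENTS = """\
2014-09-03T09:01:55,alice,findb,10.1.4.22,WS-ALICE-01
2014-09-03T23:47:12,alice,findb,192.0.2.77,WS-ALICE-01
2014-09-04T02:13:30,bob,findb,10.1.7.9,KIOSK-17
2014-09-04T02:20:01,carol,findb,10.1.9.5,WS-CAROL-02
"""
FIELDS = ["timestamp", "user", "database", "source_ip", "endpoint"]

def parse(log_text):
    """Parse CSV access-log lines into one dict per event."""
    return list(csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS))

def learn_baseline(events):
    """Map (user, database) -> the source IPs and endpoints seen so far."""
    baseline = defaultdict(lambda: {"source_ip": set(), "endpoint": set()})
    for e in events:
        key = (e["user"], e["database"])
        baseline[key]["source_ip"].add(e["source_ip"])
        baseline[key]["endpoint"].add(e["endpoint"])
    return dict(baseline)

def flag_anomalies(baseline, events):
    """Return (event, reasons) for each access that deviates from baseline."""
    alerts = []
    for e in events:
        known = baseline.get((e["user"], e["database"]))
        if known is None:  # user never seen on this database: always flag
            alerts.append((e, ["no baseline for this user/database pair"]))
            continue
        reasons = [f"new {f}: {e[f]}" for f in ("source_ip", "endpoint")
                   if e[f] not in known[f]]
        if reasons:
            alerts.append((e, reasons))
    return alerts

if __name__ == "__main__":
    learned = learn_baseline(parse(BASELINE_LOG))
    for event, reasons in flag_anomalies(learned, parse(NEW_EVENTS)):
        print(event["timestamp"], event["user"], "; ".join(reasons))
```

Because the environment keeps changing, the baseline has to be relearned after approved changes such as a user moving to a new workstation, otherwise legitimate access will keep raising alerts.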
With data discovery, isolation and monitoring, you have three building blocks to an effective data protection strategy. We have looked at these three areas at a very high level and the details and execution will involve a little more complexity, but if you implement this iterative approach to your sensitive data protection strategy, you can effectively manage the different phases required to achieve success.