In this week’s blog post, we’re sharing insights from our latest interview with Dimitri Sirota, the co-founder and CEO of BigID. Their data intelligence platform enables organisations to know their enterprise data and take action for privacy, protection, and perspective.
Our topic for today is cloud data risk and how organisations can understand and take necessary precautions to boost their cybersecurity.
Knowing Your Data is the Foundation for Cloud Data Risk Management
Cloud data risk management has received more attention since the introduction of GDPR. One of the main challenges in data security is knowing your data: understanding which of it is sensitive or critical. A second challenge is that the technology used to know your data has become a bottleneck to a certain extent, since it hasn’t evolved much since the early internet.
To give an example, once e-commerce took off in the early 2000s, people worried that their credit card information could be floating around and representing a risk. Certain technologies were invented to solve this, but until GDPR little changed in them. GDPR has raised the issue again, since it focuses heavily on the privacy of individuals. So now, as an organisation, you not only have to collect the data and keep it secure, you also have to state exactly what it is used for and how it is accessed, and ensure that sensitive information does not cross organisational boundaries, using DLP, encryption tools or tokenisation tools.
The cloud also makes it harder to know where exactly your data is kept, since it can sit in many places: a vast number of SaaS applications, AWS, Azure and more. So there is not only a complexity of coverage, being able to locate this data in so many different places, but also a complexity around what counts as personal information. The older breach regulations all focused on PII, uniquely identifiable data such as a credit card number, social security number or address. As the world has evolved and privacy regulations require you to know all your data, a new approach is needed: finding all these different places and providing identity context that didn’t exist before.
Cloud Data Risks
There are multiple dimensions to the risks around cloud data. On one side there are regulatory risks, such as GDPR, GLBA, HIPAA or PCI. On the other side there are cyber security risks, such as a cyber attack or data breach. A lot of the data you hold, such as privacy data involving customer information, or financial data that is sensitive or critical, carries the risk of data theft, especially if it is not encrypted properly. This is why it is crucial to look at platforms such as BigID that help organisations understand both their regulatory risk and their security risk when it comes to critical data. Such platforms can help organisations identify their regulated data, for example GDPR data, and their sensitive data as a whole, and provide modules to reduce risk by adding extra levels of security around it.
As the world has shifted to even more online presence and cloud usage since the pandemic, this has become even more important. The risks around data therefore loom large in people’s minds and on organisations’ agendas. Knowing that data and being able to take action on it, whether that means blocking it from going to a third-party supplier or at least alerting you that it is residing in an open file system, is extremely important. Keep in mind that this is not only the case for big companies; it applies equally to small businesses that put most of their data in the public cloud because they don’t tend to buy a server for a data centre.
Why Should You Be Building An Asset Inventory?
Historically, privacy was not as solidly defined as it is now; it was more personal, or subjective. Although it was always about data, data integrity and data security, it was built on the notion of a database of surveys or questionnaires. You’d ask people where the data is and they would answer from memory. According to Dimitri, the biggest fallacy in privacy is the belief that you can have effective privacy while disconnected from the real data, relying on recollections of where the data is; recollections are fallible. By analogy, if people forget where they put their car keys, they certainly won’t remember where they put different bits and bytes of data, and they might be exposing some of it unintentionally.
To address this, organisations should be building an asset inventory and a data inventory. What we’ve learned over the last decade is that the value is not the server itself; the value is what’s inside the server, the data that represents a regulatory risk or a security risk. And yet many organisations don’t have an effective inventory of their data. Effective data security and data privacy begin with an effective inventory of your data.
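As an added illustration of what such a data inventory involves (example code, not BigID’s product or anything from the interview), the Python below scans constructed sample data stores, classifies their contents by data type (credit card numbers with a Luhn check, SSNs, email addresses), maps each class to a regulation named above (PCI DSS, GDPR) and flags locations that are unencrypted or world-readable. The store names, metadata fields and sample records are assumptions made for the example.

```python
import re

# Constructed sample stores: a SaaS export, an object-store file and an open file share.
# Real discovery would pull these from cloud and SaaS APIs; here they are inline.
STORES = {
    "crm-saas/export.csv": {"encrypted": True, "world_readable": False,
        "text": "Alice Smith, alice@example.com, card 4111 1111 1111 1111"},
    "s3://finance-bucket/payroll.txt": {"encrypted": False, "world_readable": False,
        "text": "Bob Jones SSN 123-45-6789 salary 55000"},
    "smb://share/old-notes.txt": {"encrypted": False, "world_readable": True,
        "text": "contact carol@example.org; ticket 1234 5678 9012 3456"},
}

PATTERNS = {
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
}
# Regulation each data class falls under: card data is PCI DSS, personal data is GDPR.
REGULATION = {"credit_card": "PCI DSS", "ssn": "GDPR", "email": "GDPR"}

def luhn_ok(number: str) -> bool:
    """Luhn checksum; rejects digit runs that merely look like card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> set:
    """Return the set of sensitive data classes found in one record."""
    found = set()
    for label, pat in PATTERNS.items():
        for m in pat.finditer(text):
            if label == "credit_card" and not luhn_ok(m.group()):
                continue         # e.g. a ticket number that happens to be 16 digits
            found.add(label)
    return found

def build_inventory(stores: dict) -> list:
    """One inventory row per location: data classes, regulations and exposure risks."""
    inventory = []
    for location, meta in stores.items():
        classes = classify(meta["text"])
        risks = []
        if classes and not meta["encrypted"]:
            risks.append("unencrypted")
        if classes and meta["world_readable"]:
            risks.append("open_file_system")
        inventory.append({"location": location, "classes": sorted(classes),
                          "regulations": sorted({REGULATION[c] for c in classes}),
                          "risks": risks})
    return inventory
```

The resulting rows are the starting point for the actions the text mentions: alerting on the world-readable share, or blocking the unencrypted payroll file from leaving the organisation.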
Major Trends in Cloud Data
Being able to look across your data and understand it from both a regulatory and a security standpoint will remain a major focus. Beyond that, improvements in producing proper privacy reports and in taking preventative or other actions, such as access control or corruption, are on the horizon.
Data is always at risk because of the value attached to it, and it is more untethered than it was a decade ago because of cloud storage. Starting from that understanding, and knowing where all your data assets are, will again be part of the future. Risk is a multifaceted problem. Today you may think of it mainly as infrastructure risk, people compromising infrastructure, or as resiliency risk. Those should certainly be considered, but looking ahead, data will remain the most valuable thing to consider, as it drives your business; the infrastructure is there to support the data.
Coming back to the historical understanding of privacy, another focus should be bringing the data and this understanding together. GRC has sprawled, built on surveys and questionnaires, but it is completely decoupled from the data. You can’t separate the data from the privacy or data risk around it.
Data privacy and data protection start with the data — literally and figuratively. In short, it begins with knowing your data. Then, to be more effective at reducing risk, especially in the cloud, you need situational awareness of the data: the ability to dynamically understand where your data is at risk and how it is at risk. Finally, the various reporting and enforcement modules on top of that are what make it possible to take action.
This sums up the key points of our interview. As the Global Risk Community team, we once again thank Dimitri Sirota for sharing his insight on cloud data risk management and privacy.
More information about this topic is available in our original interview, which is accessible here.
#risk #privacy #grc #gdpr #cybersecurity #data #cloud