There is no doubt that there is a strong relationship between identity access assurance and data. Having established the critical role that data plays in an organisation’s ability to do business, it stands to reason that having an effective mechanism to manage and control access to data is vital. Add into the mix cloud, mobile and the Internet of Things, and it’s a seriously interesting challenge.
“Any information security strategy (or similar) must refer and align with the data management strategy in its attempts to establish an organisation’s information security program,” says Leonard Kleinman, Chief Cyber Security Advisor, APJ – RSA, in an email interview with Networks Asia.
“IT security's role in strategy has evolved from what was originally a keeper of secrets through prevention controls to now being the builder of IT trust networks driven by business needs and requirements.”
In the interview, Kleinman also introduced the RSA Business-Driven Security architecture. This architecture, along with several solution offerings, enables customers of all sizes to more quickly and efficiently take command of their risk posture.
What is an effective data management strategy? Should it be part of a security strategy, a data analytics and management strategy on its own, or a disaster and recovery strategy? Is it essential for an enterprise to have one? Where and how should it fit into an enterprise’s overall security or IT strategy?
A data management strategy is effectively a mechanism for planning and creating strategies for handling the data created, processed, stored and managed by organisations. For it to be effective, it should be its own living document; however, it must align with business and other corporate strategies.
Data is critical to every functional aspect of a business and therefore it is not just essential but critical that organisations have a data management strategy. Leveraging data together with analytics is fast becoming a core enabler to an organisation’s strategy and operations, which provides it with a significant competitive edge.
The aim behind a data management strategy is to develop a business strategy that ensures that the data is:
- Stored, consumed and processed in a timely manner that meets the needs and requirements of the organisation;
- Managed, monitored, protected and assured using good data governance and security processes and policies;
- Stored, classified and standardised using defined and known data classification frameworks.
The data management strategy should ultimately help an organisation gain the best benefits from its data and data assets. To do that it must give the business fast and secure access to all the data and analytics that it needs to remain competitive, now and into the future. The increase in the overall breadth and depth of information sharing across the organisation elevates the importance of protecting this data. The key is to ensure that the data is accurate, reliable and precise thus permitting good decision making. Any information security strategy (or similar) must refer and align with the data management strategy in its attempts to establish an organisation’s information security program.
IT security's role in strategy has evolved from what was originally a keeper of secrets through prevention controls to now being the builder of IT trust networks driven by business needs and requirements. This is what RSA calls ‘Business Driven Security’. Business Driven Security is centered on a strong framework that integrates business with security and allows organisations to take command of cyber risk and secure their data and information assets.
Given the Cloud, does the way we look at and approach data need to change? Where does Cloud fit into a data management strategy? When enterprises use a Cloud vendor like AWS, what do they need to look at with the vendor and their own security when it comes to data security, integrity and fidelity?
The fundamental steps in a sound data management strategy focus on:
- Continuously source new data;
- Capture, manage and store all data to preserve history and context;
- Analyse data to enrich it and develop insights;
- Deliver data quickly and securely to all those who need it.
Cloud technologies have had the impact of bringing big data, which is accessible anywhere and anytime, into consideration, with the ability to provide cheap and expansive storage. Recognising the first two steps, cloud can help in the creation of a logical, affordable data storage system that is scalable for future growth and needs. Such significant change and technology adoption must be considered as a strategic component in a data management strategy. Consideration of cloud must be viewed from two component areas of:
- Storage and Accessibility
- Security
Additionally, with the advent of new legislation such as the Mandatory Data Breach Disclosure and the General Data Protection Regulation, the ability for an organisation to investigate in an expeditious manner is dependent on access to relevant, contextual data.
Any solid data management strategy needs to cover areas such as:
- Know the data – Understand the volume and type of data the organisation collects and the rationale behind the storing of such data.
- Understand compliance needs – Certain classes of data must remain within physical and jurisdictional boundaries. For some industries the bar is significantly higher, for example financial services and health care.
- Security & compliance – When choosing to adopt cloud storage and management through a third party it pays to ensure that such a provider has the credentials needed to provide a secure and compliant environment.
- Use tiered storage to reflect the performance that is needed – Organisations must remember that the focus of a data management strategy is to enable fast and secure access to all data and analytics.
- Have a disaster recovery plan and test it regularly – That is a big part of cloud storage. All the backups in the world mean nothing if you cannot recover.
Simply put, organisations need to make a list of everything the cloud provider needs to do for data protection and ask them how much of the list they can cover. This is a risk-based business decision and organisations must remember that they cannot transfer all risk related to the data simply by storing it with a third-party cloud provider.
How does data management fit into things like IAM? How can we ensure that data is accessible to those with the right credentials and access rights?
As I mentioned earlier, the data management strategy needs to address the areas of ‘know the data’ and ‘understand compliance needs’. Therefore, understanding the critical data assets is paramount in considering a fit-for-purpose Identity and Access Assurance program (IAA). A strong IAA solution is integral and forms part of your implementation program to support an organisation’s data management strategy and bring it to life.
There is no doubt that there is a strong relationship between identity access assurance and data. Having established the critical role that data plays in an organisation’s ability to do business, it stands to reason that having an effective mechanism to manage and control access to data is vital. Add into the mix cloud, mobile and the Internet of Things, and it’s a seriously interesting challenge.
The consumerisation of IT has changed the expectations of users. They want seamless access to the resources and data they need to get the job done. Recall the earlier principle of the Data Management Strategy - it must give the business fast and secure access to all data and analytics. Protecting business data is more than simply restricting access to only authorised parties. The right IAA solution needs to allow the right people the right access conveniently and securely while ensuring compliance. It needs to tell you things like:
- Who has access to what, and how did they receive it?
- Are users who they say they are?
- How compliant are you regarding high risk applications and data?
- Can you analyse a user's specific situation and determine if their location or the device they're attempting to log in with has changed?
As part of the Business Driven Security framework, RSA’s SecurID Suite together with RSA Adaptive Authentication permits real time risk based decisions together with context. It also allows the application of remedies to violations while delivering convenient and secure access to users.
Does Big Data factor into this as well? As we consider unstructured data and sources like IoT, what concerns should we have? Should data analytics be part of a data management strategy?
The data management strategy must consider the business use cases of data throughout the organisation. This is not just a system for maintenance of records. In determining this, most organisations will come to the conclusion that such use cases will require the consumption of vast volumes of data i.e. Big Data. Big data is a term that describes the large volume of data that an organisation generates and consumes – both structured and unstructured.
Additionally, I earlier stated what the fundamental steps in a sound data management strategy focus on:
- Continuously source new data;
- Capture, manage and store all data to preserve history and context;
- Analyse data to enrich it and develop insights;
- Deliver data quickly and securely to all those who need it.
Therefore it stands to reason that any effective data management strategy must consider big data and the use of analytics to analyse the data to derive valuable insights, in particular of the non-obvious kind. Note that robust analytics relies on comprehensive data from multiple relevant sources.
The data challenge (structured, unstructured, IoT etc.) is that there is an ever increasing amount being generated from more sources. Additionally, there are other challenges relating to capture, backups, querying and privacy. But it's not the amount of data that's important. It's what organisations do with the data that matters. This is where an organisation needs to critically analyse its business use cases to ensure it is only collecting the data that is necessary.
We've heard a lot of enterprises talk about going digital. What does this mean for data security, integrity and fidelity? How do enterprises deal with data when working with partners, suppliers and customers as they go digital?
I refer to the definition of “Going Digital” as a way of doing things to unlock growth in business. It can include:
- Critically examining the current way of doing business and understanding where the new opportunities of value are. For example, the Internet of Things.
- Understanding the client/customer’s engagement journey with the business and considering how digital capabilities across the business can provide an improvement to their experience.
All things being said, it is predicated on the analysis of data to make decisions based on intelligence that deliver personalised services and experiences to the client/customer. Going digital means that data will be even more critical to the success and survival of a business as will the basic security principles of Confidentiality, Integrity and Availability.
The question that needs to be asked of organisations going digital is: “Are we as a business equipped to protect ourselves online?”
This question applies to all engagements from up-stream and down-stream suppliers and partners through to the client/customer. RSA provides an eco-system of technology solutions based on a strong linkage between what security technology is telling us and translating that into business risk, therefore, empowering an organisation to get on with its business. Our technology vision delivers the right picture, the power of speed and insight, the right actions, and knowledge of business impact, providing the modern CISO something that no other cyber security company can – true Business-Driven Security.