Article: Data, Data Everywhere!
by Chris Swafford
Chris Swafford is a Consulting Architect at Fulcrum Technology Solutions. Swafford has been a part of the Infrastructure team since 2014.
We live in an information age. Data is everywhere: each day, 4 petabytes of new data are generated on Facebook alone. By 2025, by one estimate, 463 exabytes of data will be created globally each day. There is a lot of focus on Cybersecurity these days, and rightfully so, but what about Information Security? Every company has data spread out across the organization. Companies will find data within Office 365, SharePoint Online and on-premises, file server shares, and cloud storage providers such as OneDrive, Google Drive, or Dropbox (to name a few). Information Security is all about finding a balanced approach to protecting the confidentiality, integrity, and availability of your information assets while avoiding impact on the productive use of this information, which is so costly to generate. Does your company know if the security access assigned to each data set is following the least-privilege model? How about knowing who has been accessing your data recently? Information Security is a bit of science and a bit of art, but due to the sheer size of their data, companies of all sizes need help to address this growing area.
In the Data Management Body of Knowledge, Data Governance is defined as “The exercise of authority, control, and shared decision making (planning, monitoring, and enforcement) over the management of data assets.” The CISO and their team are tasked with protecting data of which they are not the owner. They typically do not know the value or risk profile of all the data in their charge, so they are unable to properly define policies to protect it all. What does the CISO end up doing? The tendency is to either under- or over-invest in the security of the data using incomplete knowledge about the security risks of disparate data sets. The company, in turn, can have a false sense of the security that is in place. Most organizations struggle to have any classifications for their critical data sets. They spread their limited resources into protecting non-critical data with the same protections as critical data, or worse, the critical data is misidentified, and protections are never put in place. The need is great for Data Governance to be put in place to identify the data and decide how best to maintain it, but this is a huge hurdle for many companies trying to get Information Security efforts off the ground.
Do you really need to take on this effort though? Perhaps a better question a company needs to ask itself is whether it likes to produce information free of charge for someone else, or worse, whether it is willing to risk going out of business. The proprietary information your company creates from its data, using money, time, and resources, is one of the most valuable assets it possesses. In some cases, that information is the only reason a company is in business. Your company is already fighting the good fight in the cybersecurity arena with deployments of firewalls and endpoint protection, but perhaps it is time to take on the harder fight of taking back control of that sprawl of data within your organization.
There are multiple ways to tackle this effort; but, in every case, internal champions are needed, and experienced staff such as the team at Fulcrum can walk a company through this problem. There are multiple software solutions that can be used to plan, monitor, and enforce information security policies, including Varonis, SailPoint SecurityIQ, or even Microsoft 365. Which solution is best for your company depends on the other technologies being used and the goal you are trying to achieve. In any case, here is where to start:
- Identify where the data resides within the business. What policies should apply will depend greatly on where the data lives.
- Identify who owns the data. Each Data Governance solution can help support this discovery, but without identifying data owners, you cannot identify the risk associated with each data set.
- Identify the type of data a company possesses. Not the file type, but what is producing the data, and why is it important to the business.
- Identify the risk associated with the data set. All data is not the same, so you need a full understanding of who is worried about it.
- Start slowly and simply. Do not tackle every data location at once or try to identify the data owners of all data at the same time. Create a strategy of how to work through this process and be consistent and determined.
This journey will take time, but with strong champions and a skilled group of people like Fulcrum beside you, this is a journey any company can and should take. Complete corporate cybersecurity cannot be achieved without including Information Security as a pillar of that strategy.