With #WannaCry, the Republican Voter data breach and bigger and more brazen ones that will be forthcoming in the future, the topic of data security and encryption will continue to feed the talking pundits and make the CISO’s life challenging.
However, what is less obvious but even more important are the dimensions of data security - Temporal, Spatial and Social – that need to be understood and factored into any risk framework. Let’s dig deeper into these three dimensions.
Temporal – As the name suggest, this refers to the dimension of time and data. Some critical questions that need to be addressed
- How long has data being collection being going on? If you are collecting the data – deliberately or unconsciously – then this question needs to be answered by you. On the flip side, this is something you should pose to your cloud service provider who may be monitoring you as well.
- When my data is 'shredded' is it truly shredded or is it held in escrow and if so for how long? Is this ‘escrow timeline’ part of my SLA with my cloud storage provider?
- If there is a data breach during this escrow period – is the liability mine or my cloud storage provider’s?
Spatial – This refers to the dimension of data and space. Similar questions that need addressing in the dimension of space should be:
- How many copies of my data exists and in what regions? This can get very complicated if you are using a combination of private data center as well as IaaS, PaaS and SaaS. But that cannot be a deterrent for you to go asking and finding the answer because this is an area of exposure that most enterprises don’t even recognize much less plan to protect.
- Are there regions of the world where this data can and cannot be accessed?
- Is there a mechanism to test the integrity of the hardware and the BIOS before the data is even allowed to be restored or accessed in a brand-new region or one where there is suspicion of breach?
- Can I separate my ‘encryption keys’ from where the encrypted data is stored? And make this a mandate?
And finally, Social – This refers to the dimension of data and humans. Questions that need answers in this dimension are:
- Who has access to my data, both within my own employees’ privileged administrator land but more critically in within my service provider (which is a black hole for most enterprises)?
- What actions can she/he do with it? Like the #WannaCry scare, imagine if your service providers’ rogue administrators can ‘encrypt’ your critical data and demand a ransom from you to access your own data!
- Can I get access to all my data when I ask and how do you determine uniquely that it is me or my authorized administrators who are requesting the data?
These three dimensions – temporal, spatial and social – are important and oft-overlooked lenses with which your data – arguably the most critical asset that every enterprise possesses – needs to be calibrated and protected against. And these are not just theoretical questions to make you uncomfortable – tools exist in the market today that allow you to measure your data risk score against all these three dimensions. And paranoid enterprises (basically, every enterprise in the world) need to start building these tools as part of their risk mitigation framework to reduce risk to a level that is acceptable to that enterprise.
Not asking these pertinent questions and demanding answers upfront is by far the biggest risk any enterprise can take today.
-Ashwin Krishnan is Senior Vice President of Product Management, Strategy, Technical Marketing at HyTrust