Protecting data is one of the most important things an organization can do to limit its exposure; however, most organizations put 80% of their focus on 20% of the real problem. They concentrate on external threats such as hackers breaking through the firewall, when in reality most information leaks originate inside the company's own walls.
Data protection is one of a few building blocks within a holistic compliance program that contributes to every fashion and flavor of compliance. If you get data protection right, you have largely covered such compliance concerns as the Health Insurance Portability and Accountability Act (HIPAA), PCI DSS and general data privacy, to name only a few. Most importantly, protecting your data keeps you away from what I consider the most damaging class of compliance failure: once the media gets hold of the fact that you let your customers' Social Security numbers slip out, your reputation is tarnished for good.
Data protection is a core strength that should be built and constantly reinforced within the compliance function, and it stems from the IT function's efficacy in two basic areas: intrusion detection and internal access control.
Defending the flanks: Evolve with data threats
The key to defending against data breaches from cyberintrusion is to recognize that it is a constant threat, one that grows stronger as time goes on. Organizations tend to make the mistake of solving only today's problems in the hope that they won't have problems tomorrow. The intelligent IT organization realizes that this is a people issue, not a technology issue. There are very clever evil geniuses out there who find it amusing to crack what cannot be cracked, and they are leveraged by equally focused career criminals determined to get access to your data. The key to protecting against outside attack is therefore to build a small organization that evolves constantly with the threat: an innovative team that is also a quick-response team, agile in nature and highly intelligent.
That handles external threats; however, as I alluded to earlier, don't overallocate in this direction. The bulk of your effort should go to protecting your data from internal attack, because that is your biggest threat. For some reason, organizations seem to be naive about their own employees, especially the highly educated ones in IT. They assume that people with an advanced level of education won't be mixed up in criminal activity. Wrong!
In fact, approximately 80% of all data breaches are inside jobs: everything from corporate espionage to the resale of credit card numbers. To protect against this, you must know who within your company has access to sensitive data.
Begin with data governance
To start with, engage in a comprehensive data governance strategy. You won't know who has access to your data if you don't have a very good indication of where your data is. Start by cataloging all your logical data points and where they reside. For instance, you might have a Social Security number logical data point that resides in 17 different tables across four different databases throughout the company.
The end result should be a map of your data, indexed by logical data point, with other levels of organization such as subject area, database and organizational function. This metadata repository is now the core of your data governance architecture. Reserve some properties in your metadata structure to tag the sensitivity of each logical data point. For instance, you need to know whether a data point falls under the categorization of personally identifiable information, or whether it holds financial data that only insiders should see. As an additional extension, work with your compliance department to assign roles to each logical data point. This is a many-to-many relationship: one logical data point may be accessed by multiple roles, and one role will certainly be able to access multiple data points. You can model this with an associative relationship.
Once roles are assigned in the metadata, you can write audit scripts that compare them with the roles defined in your databases. As a hard-and-fast rule, you should never let every application user reach the database through one shared login that sees all the data; instead, each individual who accesses your database should have his or her own database user ID with assigned roles, so that access can be attributed and restricted per person. Then take it to the next level by comparing the data each database role can actually reach with the roles recorded in your metadata repository. This gives you access control enforced consistently from one holistic model, instead of relying on splintered implementations throughout the company.
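The catalogue and audit script described above, as an added example that is not part of the original article and not the author's code: it keeps the metadata repository in SQLite (any relational store would do), records the logical data points, their physical locations and sensitivity tags, and the role assignments as an associative table, then compares them with a snapshot of the grants the databases actually hold. All table and column names, the sample data points, roles and grants are constructed for illustration; in practice the `actual_grant` rows would be pulled from each vendor's catalog views (for example `information_schema.column_privileges` on databases that provide it).

```python
import sqlite3

# Added example, not the article's own code: a small metadata repository in SQLite
# plus the audit queries that compare it with the grants a database actually holds.
# Every table, column, data point, role and grant below is constructed for illustration.

SCHEMA = """
CREATE TABLE data_point (name TEXT PRIMARY KEY, sensitivity TEXT NOT NULL);
CREATE TABLE location (data_point TEXT NOT NULL REFERENCES data_point(name),
    db TEXT NOT NULL, tbl TEXT NOT NULL, col TEXT NOT NULL, PRIMARY KEY (db, tbl, col));
CREATE TABLE role (name TEXT PRIMARY KEY);
CREATE TABLE data_point_role (data_point TEXT NOT NULL REFERENCES data_point(name),
    role TEXT NOT NULL REFERENCES role(name), PRIMARY KEY (data_point, role));
CREATE TABLE actual_grant (db TEXT NOT NULL, tbl TEXT NOT NULL, col TEXT NOT NULL,
    grantee TEXT NOT NULL, PRIMARY KEY (db, tbl, col, grantee));
"""

# Grants that exist but that no approved role justifies, with the data's sensitivity.
EXCESS_SQL = """
SELECT g.db, g.tbl, g.col, g.grantee, d.sensitivity
FROM actual_grant g
JOIN location l ON l.db = g.db AND l.tbl = g.tbl AND l.col = g.col
JOIN data_point d ON d.name = l.data_point
LEFT JOIN data_point_role r ON r.data_point = l.data_point AND r.role = g.grantee
WHERE r.role IS NULL
ORDER BY g.db, g.tbl, g.col, g.grantee"""

# Approved roles that the database has not actually been told about.
MISSING_SQL = """
SELECT l.db, l.tbl, l.col, r.role
FROM location l
JOIN data_point_role r ON r.data_point = l.data_point
LEFT JOIN actual_grant g ON g.db = l.db AND g.tbl = l.tbl AND g.col = l.col AND g.grantee = r.role
WHERE g.grantee IS NULL
ORDER BY l.db, l.tbl, l.col, r.role"""

# Grants on columns the catalogue does not know: data you cannot govern yet.
UNMAPPED_SQL = """
SELECT g.db, g.tbl, g.col, g.grantee
FROM actual_grant g
LEFT JOIN location l ON l.db = g.db AND l.tbl = g.tbl AND l.col = g.col
WHERE l.col IS NULL
ORDER BY g.db, g.tbl, g.col, g.grantee"""

# Constructed metadata: three logical data points, where they live, and who may see them.
METADATA = {
    "data_points": [("ssn", "PII"), ("salary", "FINANCIAL"), ("office_phone", "PUBLIC")],
    "locations": [
        ("ssn", "hr_db", "employee", "ssn"),
        ("ssn", "payroll_db", "tax_record", "taxpayer_id"),
        ("salary", "payroll_db", "pay_stub", "gross_pay"),
        ("office_phone", "hr_db", "employee", "phone"),
    ],
    "role_access": [  # associative relationship: (data point, role)
        ("ssn", "benefits_admin"),
        ("salary", "benefits_admin"), ("salary", "finance_analyst"),
        ("office_phone", "benefits_admin"), ("office_phone", "finance_analyst"),
        ("office_phone", "helpdesk"),
    ],
}

# Constructed snapshot of the column-level grants the databases hold today.
ACTUAL_GRANTS = [
    ("hr_db", "employee", "ssn", "benefits_admin"),
    ("hr_db", "employee", "ssn", "helpdesk"),                 # not approved for SSN
    ("hr_db", "employee", "phone", "benefits_admin"),
    ("hr_db", "employee", "phone", "finance_analyst"),
    ("hr_db", "employee", "phone", "helpdesk"),
    ("hr_db", "employee", "home_address", "helpdesk"),        # column never catalogued
    ("payroll_db", "tax_record", "taxpayer_id", "app_user"),  # shared application login
    ("payroll_db", "pay_stub", "gross_pay", "benefits_admin"),
    ("payroll_db", "pay_stub", "gross_pay", "finance_analyst"),
]


def build_repository(metadata, actual_grants):
    """Load the catalogue and the grant snapshot into an in-memory repository."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")  # reject role assignments for unknown data points
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO data_point VALUES (?, ?)", metadata["data_points"])
    con.executemany("INSERT INTO location VALUES (?, ?, ?, ?)", metadata["locations"])
    con.executemany("INSERT OR IGNORE INTO role VALUES (?)",
                    [(role,) for _, role in metadata["role_access"]])
    con.executemany("INSERT INTO data_point_role VALUES (?, ?)", metadata["role_access"])
    con.executemany("INSERT INTO actual_grant VALUES (?, ?, ?, ?)", actual_grants)
    con.commit()
    return con


def audit(metadata, actual_grants):
    """Return the three kinds of discrepancy as sorted lists of tuples."""
    con = build_repository(metadata, actual_grants)
    try:
        return {"excess": con.execute(EXCESS_SQL).fetchall(),
                "missing": con.execute(MISSING_SQL).fetchall(),
                "unmapped": con.execute(UNMAPPED_SQL).fetchall()}
    finally:
        con.close()


if __name__ == "__main__":
    for kind, rows in audit(METADATA, ACTUAL_GRANTS).items():
        print(kind, *rows, sep="\n    ")
```

The three queries correspond to the three checks the text asks for. "Excess" findings are the ones that matter most and carry the sensitivity tag so they can be triaged: here a helpdesk role that can read Social Security numbers, and a shared `app_user` login of the kind the paragraph above says should never exist, because nothing it does can be attributed to a person. "Missing" findings show where the database has not caught up with the approved roles, and "unmapped" findings show grants on columns the catalogue has never seen, which is the "you don't know where your data is" problem surfacing in the audit.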
Sealing up remaining holes
Two holes remain. The first is the database administrator (DBA); the second, and an even larger exposure point, is the system administrator who has unfettered access to the whole machine. This is where I consistently see issues with access control, and I truly don't understand it: companies go to great efforts to get access control installed in their databases, then farm out the DBA function to third parties they have no control over.
Put extra controls around your DBAs, and don't farm the function out. Limit your risk by having only one or two DBAs per database, and keep external audit trails of every move they make in the database, written to a system the DBAs themselves cannot read or alter. Use specialized software built for this purpose.
Data protection is one of your most important compliance functions, but don't make the mistake of investing too much in external protections while leaving yourself exposed to internal attack. Build up your team of bright, innovative and agile cyberdefenders, then move on to the bigger risk: the inside job. Build access control efficacy with good data governance and role audit scripts.
Finally, make sure to put extra controls around superusers such as DBAs and system administrators. This is something that can cost your company big, so make sure to get it right the first time. You might not have a second chance.
John Weathington is president and CEO of Excellent Management Systems Inc., a San Francisco-based management consultancy. For more information, visit www.excellentmanagementsystems.com.
This was first published in January 2010