Six Steps for Deploying Data Security Controls (Part II)
Earlier this week I made my case on why it’s time to move from infrastructure-only security to infrastructure AND data security controls. Below are six steps for a successful data security control implementation.
Step one: Calculate the value of your data
Without a plan, this can be the most difficult part of the process. Data values can rise and fall as quickly as financial markets. The key to solving this problem is working with your executives and information owners. Determine a simple formula to estimate the value of your data.
One of the best examples I’ve seen comes from the research group Securosis. Data value, frequency and audience are quantified in a table and each is allotted a score. Examples of data types include card data, PII, IP, sales data and any other specific data you are required to protect. An overall score is then defined based on the type of data. Below is an example:
By scoring the data types, you can prioritize the importance of the data. Including frequency and audience also helps determine the likelihood of data loss and again assists when prioritizing where and when to apply an action.
Step two: Make your ROI case
To increase security spend and roll out new data security controls, you must demonstrate ROI. This means clearly quantifying the immense value that comes when you know where your data is, who is accessing it and how it’s being used. My colleague Jason Clark, Websense CSO, has provided some excellent tips on how to communicate this to your C-Suite and board members in a separate Websense Insights blog.
I strongly believe it’s critical to analyze, communicate and share the financial and organizational impact of stolen and lost data.
Step three: Monitor and log your data
Next, start monitoring who has access to data and observe its movement around your network. Many organizations will turn to a data loss prevention (DLP) solution for this. The best DLP solutions have the ability to monitor the perimeter entry/exit points for data in motion and thoroughly monitor endpoints for data in use.
The initial monitoring phase should not last longer than a few weeks after deployment, even after tuning your policies to remove false positives. A good solution should quickly provide clarity into common data movement trends. Just remember to monitor EVERY location where your data flows, including the often-overlooked printers, scanners, mobile devices and cloud services.
Step four: Apply data security controls
I often speak with organizations that are stuck in the step three monitoring and logging mode: they identify incidents as they happen, but they are still not confident in applying controls to stop data leaving the organization. This is a mistake.
Gartner Inc. demonstrated some time ago that passive security controls were dead. The same goes for DLP used exclusively in a monitor-only deployment. It doesn’t demonstrate ROI to most businesses, especially if a significant loss or breach occurs, while you are “monitoring.” We must apply controls.
First, revisit your most valuable data. Start amending the rules and policies to begin active protection of those crown jewels. I don’t recommend enabling all block rules immediately. In my experience, I have seen that a phased approach is the most efficient way of applying data security controls.
Step five: Find your data
Once you have a score associated with each data type, and the funding, the next stage is to locate the sensitive data on your network. Based on the scoring exercise described above, it’s always advisable to begin this process with the most valuable data. Focusing on your crown jewels minimizes the negative impact on your network. Unfortunately, stand-alone discovery and mining services are usually expensive and take a considerable time to run.
Another option is relying on DLP solutions. Most leading DLP solutions offer a mechanism to discover, identify and fingerprint data in periodic sweeps. These sweeps can often take place daily, weekly or monthly. This process provides a marked increase in visibility and improved efficiency by identifying and flagging duplicate data. Many organizations waste large amounts of money backing up and storing duplicated data. To a security officer, reducing the cost of this process is great additional justification for the purchase of a DLP solution.
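To make the scoring of step one and the discovery sweep of step five concrete, here is an added example (my own illustration, not code from Securosis or from any DLP product). The scoring weights, the two content detectors (Luhn-checked card numbers and a US SSN pattern) and the in-memory sample files are all constructed assumptions; a real sweep would walk file shares and endpoints instead of a dictionary.

```python
import hashlib
import re

# Constructed scoring table (assumption): a score per data type, handling
# frequency and audience, combined by simple addition as in step one.
DATA_TYPE_SCORE = {"card_data": 5, "pii": 4, "ip": 4, "sales": 2}
FREQUENCY_SCORE = {"daily": 3, "weekly": 2, "monthly": 1}
AUDIENCE_SCORE = {"internal": 1, "partners": 2, "public": 3}

# Assumed detectors: 13-19 digit runs (spaces/hyphens allowed) and SSN-style ids.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits):
    """Luhn checksum, used to cut down false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify(text):
    """Return the set of data types found in a piece of content."""
    kinds = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            kinds.add("card_data")
    if SSN_RE.search(text):
        kinds.add("pii")
    return kinds

def score(kinds, frequency, audience):
    """Step-one style score: most valuable type found, plus frequency and audience."""
    if not kinds:
        return 0
    return max(DATA_TYPE_SCORE[k] for k in kinds) + FREQUENCY_SCORE[frequency] + AUDIENCE_SCORE[audience]

def sweep(files, frequency, audience):
    """Step-five sweep over {path: content}: classify, score, fingerprint, flag duplicates."""
    seen, report = {}, []
    for path, content in files.items():
        fp = hashlib.sha256(content.encode()).hexdigest()  # content fingerprint
        kinds = classify(content)
        report.append({"path": path, "kinds": sorted(kinds), "fingerprint": fp[:16],
                       "score": score(kinds, frequency, audience),
                       "duplicate_of": seen.get(fp)})  # earlier copy, if any
        seen.setdefault(fp, path)
    return sorted(report, key=lambda r: -r["score"])  # crown jewels first

# Constructed sample corpus (not real data); the press note fails the Luhn check.
SAMPLE_FILES = {
    "finance/refunds.csv": "customer,card\nA. Example,4111 1111 1111 1111\n",
    "backup/refunds_copy.csv": "customer,card\nA. Example,4111 1111 1111 1111\n",
    "hr/onboarding.txt": "SSN: 123-45-6789 start date 2012-10-01\n",
    "public/press.txt": "Order ref 1234 5678 9012 3456 shipped\n",
}
```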
Step six: Implement proactive protection and step up employee education
As user awareness becomes more prominent, the number of blocked incidents will stabilize and the number of monitored incidents will go down. Why? A typical end user is much more aware prior to clicking on a link or sending an email if they understand that these actions will result in a block and notification. As a result, information owners and security teams gain tremendous value through proactive protection, as well as a beneficial reduction in the IT team’s workload.
Below is a graph showing proactive protection in action. The number of incidents steadily decreased when a 2,500-user enterprise activated block actions in October 2012.
I may have made the previous steps sound easy to implement—they should be. A data security control strategy can add more value than any technical solution deployed within an organization.
Have any questions on these steps? Feel free to leave me a comment or send an email to email@example.com.