Tuesday, December 6, 2022

Using Business Context to Answer the Five Main Questions of Data Security

Collaboration tools have sped up the flow of work for modern enterprises but have also exposed them to new security risks. Here’s the conundrum: how do you make the best use of these powerful tools while also maintaining the utmost in data security?

Tackling this challenge requires a deeper understanding of the data you have and that employees are using. You need to understand:

  • What data do I have?
  • Who owns the data?
  • How sensitive is the data?
  • How is it used?
  • What is the value of storing the data?

While securing critical assets is (or at least should be) a top priority for any organization, collaboration security is one often-overlooked aspect. And to spot collaboration tool-related incidents, you must have an understanding of the business context of every single interaction.

What data do I have?

This is the key question to start with. What data do you have in Google Drive, Slack and other collaboration tools? You don’t know what you don’t know. The creator and the content manager may be people you’ve never met and who are in a different location. If you’re the security lead, you don’t know that you need to protect the information because you don’t know it exists.

Who owns the data?

This is the second important question. Once you know who owns the data, you can communicate with the owner and find out what is being done with it. If it's not your data and you're not familiar with the specific business process or owner, you're not familiar with the data either and can't take action on it.

What often happens in organizations is that they are reluctant to revoke someone's access to certain assets, because if they do and it turns out the person does need those assets, the revocation cuts into efficiency and productivity.

Is the data sensitive? How sensitive?

This is the main question organizations want an answer to. How do you know what is sensitive? It can be a subjective judgment call. And if the data is sensitive, is it sensitive in all contexts, or only some?

How is the data used?

Let’s say a manager has a meeting with an employee that’s related to marketing. This is the context – the value of the meeting – for the business. Once you know what the value of the event or interaction is, the value of the data and how it’s used, and what outcome it will have on the business, then you can determine the business risk of that data. What would be the business impact if this data were exposed to someone or leaked? If you don’t know how your data is being used, you can’t protect it effectively.

That’s why context is key. The two factors of business context are personas and subject. For instance, if you’re talking with a stock exchange representative, you’re probably talking about your financial information. The second layer is the subject – of the meeting, the email, the chat channel. Together, these help you understand the context.

As addressed in a whitepaper by Google’s Dr. Anton Chuvakin and John Stone, “gaining visibility into your data processing supply chain is the starting point to understanding your risk and seeing appropriate controls that can ultimately be embedded and automated to help lower the risk.” This is something too often overlooked in traditional security approaches – with significant potential impacts, like what we saw with the SolarWinds breach.

What is the value of storing the data?

Data is critical to the success of any enterprise today. It has to be stored in an organized and secure manner. A company needs to ensure that all data in the system is available when needed for analysis – especially when it comes to companies subject to different types of regulatory compliance.

You don’t need to expose yourself to risk if the data isn’t valuable. It’s important to measure the usage and exposure of the data against your desired business outcomes. Because of the dynamic nature of the modern enterprise, in many organizations employees and third parties have permissions or access to sensitive data that they don’t need. Having the business context of every data asset will help you measure the business outcome.

The value of business context

To answer all of these questions, you need business context. When you have a highly distributed enterprise – where information is spread across many SaaS platforms, different users and so on – you must get context in order to gain control. When it comes to things like phishing attacks and ransomware, it’s much easier to understand how to protect your information when you have context; you can’t do it otherwise.

Business context helps you understand which information is truly sensitive and private – like salary information – so you can protect it without keeping people from doing their jobs. Some organizations, for instance, might try to skirt the issue by blocking the ability to share files externally via Google or disabling the ability to add co-workers from different organizations to Slack. These organizations are prioritizing security over collaboration.

But you don’t have to choose between the two. For example, in a situation where you’re using business context, your system knows that Employee A typically works from 9:00 a.m. to 5:00 p.m. Pacific Time. But it also knows that A works with customer B in Spain and that activity took place on A’s work device at a time that would make sense in Spain’s time zone. The system can therefore look for the justification first to enable the action and allow A to continue working without being blocked.
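The time-zone reasoning in the example above, written out as an added illustration (this is not code from the original post or from any product it describes). The employee profile, the shape of the activity event, and the sample events are constructed assumptions; a real deployment would populate them from HR records and the collaboration tools' own audit logs. Off-hours activity with a known justification is allowed, while activity without one is routed to review rather than blocked outright, which is the point the paragraph makes.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timezone
from typing import Dict, List, Optional, Tuple
from zoneinfo import ZoneInfo


# Hypothetical profile of an employee, assembled from business context:
# home time zone, normal working hours and the external counterparties
# (customer name -> customer's time zone) the employee is known to work with.
@dataclass
class EmployeeProfile:
    name: str
    home_tz: str
    work_start: time
    work_end: time
    counterparties: Dict[str, str] = field(default_factory=dict)


# One activity record from a collaboration tool. Constructed shape; it is not
# any real product's log format.
@dataclass
class ActivityEvent:
    employee: str
    occurred_at: datetime             # timezone-aware, in UTC
    managed_device: bool              # activity came from the employee's work device
    shared_with: Optional[str] = None  # external party involved, if any


def in_working_hours(when_utc: datetime, tz: str, start: time, end: time) -> bool:
    """True if the UTC instant falls inside [start, end) when viewed in time zone tz."""
    local_time = when_utc.astimezone(ZoneInfo(tz)).time()
    return start <= local_time < end


def evaluate(profile: EmployeeProfile, event: ActivityEvent) -> Tuple[str, str]:
    """Return (decision, reason).

    'allow'  - the business context justifies the activity.
    'review' - no justification found; hand to a human instead of blocking.
    """
    if event.employee != profile.name:
        raise ValueError("event does not belong to this profile")

    # 1. Plain case: inside the employee's own working hours.
    if in_working_hours(event.occurred_at, profile.home_tz, profile.work_start, profile.work_end):
        return "allow", "inside employee's normal working hours"

    # 2. Off-hours activity from a device we do not manage carries no context
    #    that could justify it, so it goes to review.
    if not event.managed_device:
        return "review", "off-hours activity from an unmanaged device"

    # 3. Off-hours for the employee, but inside the business day of a
    #    counterparty they are known to work with (the "customer B in Spain" case).
    if event.shared_with in profile.counterparties:
        cp_tz = profile.counterparties[event.shared_with]
        if in_working_hours(event.occurred_at, cp_tz, profile.work_start, profile.work_end):
            return "allow", f"off-hours in {profile.home_tz} but working hours for {event.shared_with} in {cp_tz}"

    return "review", "off-hours activity with no known business justification"


# Constructed sample data: Employee A works 9-5 Pacific and has customer B in Spain.
EMPLOYEE_A = EmployeeProfile(
    name="A",
    home_tz="America/Los_Angeles",
    work_start=time(9, 0),
    work_end=time(17, 0),
    counterparties={"Customer B": "Europe/Madrid"},
)

UTC = timezone.utc
SAMPLE_EVENTS: List[ActivityEvent] = [
    # 12:00 in Los Angeles: ordinary working hours.
    ActivityEvent("A", datetime(2022, 12, 6, 20, 0, tzinfo=UTC), managed_device=True),
    # 07:00 in Los Angeles but 16:00 in Madrid, shared with the known customer.
    ActivityEvent("A", datetime(2022, 12, 6, 15, 0, tzinfo=UTC), managed_device=True, shared_with="Customer B"),
    # Same instant and counterparty, but from an unmanaged device.
    ActivityEvent("A", datetime(2022, 12, 6, 15, 0, tzinfo=UTC), managed_device=False, shared_with="Customer B"),
    # 19:00 in Los Angeles and 04:00 in Madrid: outside both business days.
    ActivityEvent("A", datetime(2022, 12, 6, 3, 0, tzinfo=UTC), managed_device=True, shared_with="Customer B"),
    # Off-hours sharing with a party the business context knows nothing about.
    ActivityEvent("A", datetime(2022, 12, 6, 15, 0, tzinfo=UTC), managed_device=True, shared_with="unknown-vendor"),
]


def evaluate_all() -> List[str]:
    """Decisions for the constructed sample events, in order."""
    return [evaluate(EMPLOYEE_A, event)[0] for event in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, (decision, reason) in zip(SAMPLE_EVENTS, (evaluate(EMPLOYEE_A, e) for e in SAMPLE_EVENTS)):
        print(f"{event.occurred_at.isoformat()}  shared_with={event.shared_with!s:15} -> {decision}: {reason}")
```

The second sample event is the one the paragraph describes: seen only against A's own working hours it looks anomalous, but once the counterparty's time zone is part of the profile it is recognised as normal work. Note that the unmanaged-device case is checked before the counterparty check, so the justification only applies to activity from A's work device, as in the text.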

Context strengthens security

Modern organizations need to be able to work together across departments and across time zones. Collaboration tools enable them to do so efficiently and productively, yet they also create opportunities for threat actors through security vulnerabilities that no one was aware of.

A vast amount of sensitive data is being created all the time, and it needs to be protected. The good news is that data can be protected effectively without hindering business progress. It happens by using context to answer the five main questions above.