Ensuring their organisation has a robust data security strategy in place should be a top priority for modern CIOs. But how can this be effectively achieved? In our recent Digital Forum, Intelligent CIO Africa’s Jess Phillips was joined by Adam Rosen, Vice President, Product Strategy, Stealthbits; Daniel Wright, Regional Sales Manager MEA, Stealthbits; Sayed Mabrouk, CTO, Logix and Cyril Esedo, Director/CTO, Logiciel Information Security Solutions Ltd, for a discussion on how visibility is key to good data security, as well as how Stealthbits is working with partners to support customers on their own journeys.
What does ‘proper’ data security look like?
AR: A big part of ‘proper’ security involves making sure that access to data is exclusive, that everyone has sufficient privileges to do their job and access the data necessary for legitimate business purposes. Nothing more, nothing less. I think that’s kind of the core fundamental building block that everything revolves around.
DW: I see three components to data security and the engagements that we have. There’s the access governance, which is obviously a business of Stealthbits. We typically see classification of data and the Data Loss Prevention (DLP) side of it as well. And we see Stealthbits at the front end, because the access to the data, who granted it and who’s interacting with it is something that you need to really have visibility and a handle on before you do the second two stages.
SM: Data governance is one of the most important parts. Also, the audit element is very critical for customers. And of course, you must have full control over the platforms.
CE: For me, data security is a process of protecting files, business data or an account on a network, for example, by adopting a set of controls, applications and techniques that will identify the relative importance of these different data sets – their sensitivity and regulatory compliance requirements, and then applying appropriate protections to secure those resources.
Proper data security is one that embodies the core elements of data security, which are confidentiality, integrity and availability. Of course, we know confidentiality ensures that data is accessed only by authorised individuals, integrity ensures that the information is reliable as well as accurate, while the last component, which is availability, ensures that data is both available and accessible to satisfy business needs.
What kind of challenges are Stealthbits customers in this region facing right now?
AR: One thing that we see frequently when we engage with a new organisation is over-provisioned access to data. So the big challenge is when people move within an organisation or leave the organisation, keeping up with the necessary changes to their privileges to the various different resources, be it unstructured data, structured data on-prem in the cloud or collaboration platforms. We tend to find that people have access to data that they don’t need and they don’t know where to start remediating that problem. So that’s usually the first thing we address and we come in and do an assessment with a new organisation. We see all this over-provisioned access and we start giving them a map of how to get it down to an appropriate alignment.
DW: Enterprise and businesses have gone through the accountability and the visibility of what their users are doing with applications within the organisation, but the data side of the business has not really been addressed yet. We only need to read the press to see this is where the attacks are typically happening. When we go and engage with customers, it’s almost quite alarming to see the lack of control and the lack of visibility and the lack of understanding these businesses have over their data, and who’s got access to it, which is a big concern and something that businesses need to address.
Could you tell us how the Stealthbits Credential and Data Security Assessment (CDSA) solution is helping to address some of these key challenges?
AR: The CDSA starts by analysing the different data stores within an organisation – where their sensitive information is and who has access to it – and draws out a path of how different misconfigurations can be abused to mishandle that information.
So, everything from privileges directly to the data itself, all the way through misconfigurations within Active Directory or the underlying system that could result in that data being compromised. It gives high, medium and low priorities so you know where to start. These are the high-risk items and then you kind of work your way on down. But it uncovers not just what the problems are, but how to address those things.
How does the solution provide visibility and enable calculation of risk assessment?
AR: Visibility starts with understanding where there’s sensitive information, who has access to it, what kind of risk is associated with that access and how, across a whole host of different systems in an enterprise. So that could be everything from sensitive attachments to emails to sensitive files and collaboration platforms like SharePoint and SharePoint Online and OneDrive. And what the credentials and data security assessment is geared towards doing is giving you a holistic view of where the risks are across that data and all those different systems and prioritising.
How can CISOs adopt this into their strategy?
AR: A big part of it is risk prioritisation. So starting with understanding where all the risks lie, all the unknown unknowns, and that’s what really helps roll it up into a broader strategy, starting with ‘okay, here are the things we’re doing well, here are the things we don’t quite understand yet’. And then bringing back the necessary data points to prioritise that. This is where Stealthbits really helps shine a light.
What best practice advice would you offer CIOs for ensuring a robust long-term data security strategy and posture?
AR: I think the key to securing data is equally considering what’s exploitable throughout the system level and with the credentials themselves. So, looking at the data is just one piece of the pie. You also need to think about the credentials that grant access to that data and the underlying systems that can be exploited to access data inappropriately.
DW: Brand protection is another area that’s driving CIOs to look at such solutions. We’ve had conversations with CIOs that don’t really understand to a deep level what they need to be doing, but they know they need to protect their brand because this is where the breaches are happening and they don’t want to be in the news.
The CDSA solution itself is unique. That actually helps in our conversations with businesses and CIOs on mapping out their roadmap, because the vulnerabilities and the data that come out of our assessment are quite often a surprise.
The roadmap on what we do first is based on what information we get from the assessment. It provides a baseline to what’s important and what potentially needs to be addressed first.
SM: I think you have to establish a risk baseline as a first step to securing any organisation, as a reminder of what level of risk you are willing to tolerate.
Every business is different. You must assess your data workflow to find out what the key risks are that would damage your business and then plan to add resilience in an order based on the threats that each one poses. It’s unlikely you will be able to cover every base. So to extract maximum value from your resources, you have to make sure you understand where your baseline is and apply a frank approach.
The other thing which is very important is the segregation of audits. You should not depend on the administrator to get the audit – you must have the upper hand in your system so you can collect whatever you want without depending on the administrators. You can use a very easy tool like Stealthbits to help and give you all the required information with good dashboards, very easy access and configuration.
CE: I now advise CIOs to take a much more proactive approach to data security. They must be aware that there are security risks and threats which hit organisations when it’s least expected. So it’s important to stay on the watch with vigilant monitoring software. They must have pre-planned policies that cover risk monitoring and mitigation.
CIOs must treat risk as something that is bound to happen, which means that using tools to identify potential risk will help them with their mitigation efforts. I also think that CIOs must take audits seriously. A security plan is not complete without regular audits.
In summary, I think CIOs can ensure optimal data security through a first-class, security-first culture across organisations, no matter the industry. Security should be treated as the number one priority and all employees must be trained and educated accordingly.
It’s only through these continuous efforts that an organisation can achieve a sustainable level of resilience.