Firstly, this is the specific question we posed to everyone with the intention of neither expanding nor elaborating. "Your data needs to be accessible to varying degrees by staff and 'outsiders' from anywhere. Where's the safest place to store it and how do you protect it?"
It's fair to say that we were absolutely inundated with the number and variety of responses. Some were so long and insightful that they will feature in later one-on-one pieces with just a few comments extracted here. Stay tuned for those. In addition we must apologise in advance - we simply couldn't include everything that everyone said - this summary represents a little less than half the submissions.
With all that in mind, let's start however, by examining some of the 'problem framing' comments from a few of the responders.
Honesty, we think that Garrett O'Hara, Principal Technical Consultant at Mimecast put it most succinctly: "If data is the new oil, then humans are swimming through an oil spill."
O'Hara continues, "First things first: you need to understand what the data is. That can be an incredibly difficult thing to work out for bigger organisations. Employee data, customer data, operational data, marketing data, sales data. Where is it being generated or collected from? How sensitive is it? Can it be deanonymised? Does it contain personally identifiable information? And if the work involved in understanding the data doesn't make you curl into the foetal position in a warm shower shuddering with anxiety, you probably haven't understood the size of the task… especially if an organisation hasn't been founded and grown with security/privacy by design."
Tim Mackey, Principal Security Strategist at the Synopsys Cybersecurity Research Centre is of a similar mind. "I'm most interested in who created the data and what it might represent. E.g. if my employer were to supply me with a fitness tracker with a proviso that I share the activity stream with them in exchange for major discounts on health care costs, that's a very different type of scenario than say Tesco building a shopping profile on me."
Taking a slightly different tack, Terry Burgess VP Asia Pacific SailPoint offered, " To determine the most effective data storage and protection strategy, business leaders must ask the following; what are employees accessing in the organisation? What are they doing with that access? And, how is that access being governed (or not governed)?"
With that in mind, Stephen Burke, CEO of Cyber Risk Aware continued, "The short answer is to store the data where the data owner has the ability to fully monitor all activity against the data. There's no point in making it easily accessible without good visibility and protection," and Martin Holzworth head of cyber security, Oceania, Fujitsu added "Organisations need to find a balance between making data available and keeping it secure."
Richard Bird, Chief Customer Information Officer at Ping Identity offers an IT interpretation of the artist's concept of 'negative space' by suggesting, "Ultimately, the best place to keep data is where it can be well guarded and monitored. This probably helps us identify places where critical data shouldn't be stored better than indicating where it should be stored."
And the ever-hungry Monzy Merza, Vice President, Security GTM at Databricks suggests "When it comes to data access needs and security needs - there are lots of mouths to feed. One size does not fit all. Customers might want results, marketing might want utilisation statistics and security teams might want to monitor all of the activity."
But we have to leave it to Corne Mare, Director, Security Solutions at Fortinet, to give us the literary context. "Hamlet was not sure if Claudius killed his father when he told us, 'the play's the thing wherein I'll catch the conscience of the king,' but in today's age, it would be a different story. I'm sure it would have read, 'with this new application, I'll capture the King's data and behaviour." With that in mind, we must thank Corne Mare for the (not so subtle) link back to the first piece in this series.
Having set the scene, comments seemed to accumulate into a relatively small range of activity domains. Perhaps we could start with 'security.'
Somewhat stating the obvious, Chris Drieberg, Director Pre-Sales / CTO, Hitachi Vantara ANZ suggests that "From a compliance, governance and security perspective, for many organisations, control is an illusion at the moment."
Daniel Comarmond, Security Software Engineer at Thycotic adds, "We must not forget that cyber security is not just protecting data, it's also protecting people, and their ability to get stuff done. People interact with people that they trust - it's how mercantile commerce has worked for thousands of years - and the net effect was summed up by Francis Fukuyama: 'One of the most important lessons we can learn from an examination of economic life is that a nation's well-being, as well as its ability to compete, is conditioned by a single pervasive cultural characteristic: the level of trust inherent in the society'. "
Chris Drieberg adds, "When building a framework to stop the bad guys, organisations must address the people, process and tech pieces all at the same time."
So, where is the perimeter? Graham Sowden, General Manager Asia Pacific at Okta suggests it's pretty-well everywhere. "The shift in the way we work around the globe has proven that people are the new perimeter when it comes to data security. The ubiquity of cloud software and the new, dynamic 'work from anywhere' mentality means that a strong data protection strategy starts with the user."
That's fine, but Comarmond responds, "Assuming trust by getting people to simply jump onto a corporate VPN for some organisations has not been the 'Promised Land' and has introduced risks of its own."
Adding a level of temperance, Garrett O'Hara adds, "I really like the use of the word 'safest rather than 'safe' here. 'Safe' implies an absolute which doesn't exist. An attacker with enough motivation, time and resources will be able to get into anything."
Indeed. iTWire is familiar with the physical expression of security being expressed in hours. As-in, how many hours would it take for a determined and well-resourced attacker to get in, retrieve the 'gold' and safely get out again.
So, where is the safest place to store our 'crown jewels?' It seems that most of our commentators prefer the cloud. But not all.
Location - on-prem or cloud?
Jayden Zullo pre-sales lead, Fortinet security solutions, Wavelink contends that "Cloud-based systems can provide a more flexible way for people to access data but, without proper precautions, can also be a source of data leakage." Similarly, Matt Oostveen, CTO APJ at Pure Storage adds, "Many organisations have shifted to public cloud services in an effort to galvanise their existing IT service delivery and keep up with remote working demands."
Chris Drieberg points out that, "Cameras, video software, collaboration tools, [are] all creating data that is stored somewhere. Unless 100% of your remote staff are accessing / sharing / storing company data and approved applications via a VPN 100% of the time, with no workarounds and no usage of personally preferred apps etc., you've got data stored on unapproved applications, home computers, personal clouds, public cloud services and more."
Similarly, and rather stating the obvious, Oliver Noble, Encryption Specialist at NordLocker adds, "If you look for scalable accessibility, cloud storage has no contestants in the field. However, it raises some security issues as uploaded files remain unencrypted and can be easily accessed by third parties."
We have to ask, how often has that been a problem?
To summarise this section, Monzy Merza tells us that "In modern environments, data isn't produced or stored in a single location - so the safest place for data isn't just a single location. It's also not just where the data is but 'how' data is stored - beyond encryption. Curated results may be stored in a structured data warehouse where security controls might be applied at the record-level, application level or user level. Cloud-scale, raw data needs to be stored in a data lake where controls might be applied at the API level or source level. What's needed is a cloud native, multi-cloud lakehouse - combining the best of security and accessibility of a data lake and a data warehouse. This lakehouse needs to be multi-cloud and built on open specifications so it's accessible no matter where the data is, but also open so it can take advantage of native, cloud security controls, be monitored, inspected and secured."
Of course backups are important, as Matt Oostveen reminds us… "Business leaders must develop a data strategy with security and recovery performance built into the infrastructure - regardless of whether the data lies in the cloud, with a third-party service provider or on-premise." Wise words indeed.
Of course the big 'spanner in the works' (or choose your favourite metaphor!) for 2020 is COVOID-19. Our experts were happy to give some context to the original question.
Chris Drieberg told us, "Once the impacts of Covid19 hit, any medium to large organisation that used to have a handful of physical offices to manage, from an IT and storage and data management perspective, suddenly had hundreds or thousands of offices to manage." Martin Holzworth, Head of Cyber Security, Oceania, at Fujitsu concurred. "Even before COVID-19 mandated remote working, it was becoming important for organisations to make data accessible from secure and non-secure locations."
Now we have the great big unexpected universal problem for every IT shop throughout the land. The sudden need to 'work from home.'
Never mind the fact that you're stuck ripping a door of its hinges to act as a table; or that you have 3 children under 12 all set to 'zoom' with their teachers all day (when they're not demanding food, attention or whatever else it is that they want - fill in your own blanks!), you have work to do.
Do our experts have any solutions? Perhaps….
Work from home
The experts were keen to point at the problem, solutions were somewhat limited.
Chris Drieberg offered, "Let's be real. If you're an organisation that suddenly has most - if not all - of your staff working remotely, you've got data everywhere right now." Whether you want that or not. Of course ALL your staff have Chromebooks, right?"
Daniel Comarmond expands on this… "You could try to restrict the devices permitted to connect to your data store, but not everyone was handed a corporate asset by their employer when deserting work sites to work from home. With many organisations being forced to face BYOD (bring your own device) enforcing trust per device is not a practical option."
We're unsure if he's describing the problem or a potential solution, but Daniel Comarmond adds "In the migration away from centralised work sites that 2020 has accelerated (what is this 'office' that you speak of?), trusting by location has become increasingly problematic." Matt Oostveen, clearly agrees, noting that "Effectively protecting data in a remote working environment means prioritising data protection by design."
Of course probably the biggest issue (aside from not being hacked, of course) is maintaining a suitable level of corporate collaboration.
Chris Drieberg opines, "Collaboration is different. The tools that are being used are different, and many that are being used right now are not considered enterprise grade. But companies and employees have just had to make it work and deal with that."
Suck it up, princess!
Leaving that to one side, let's turn our attention to one of the current 'burning' security issues, do we enforce trust, or do we wallow in a sea of zero trust?
Zero Trust vs. Trusted
Jason Duerden, ANZ Managing Director at BlackBerry Spark asserts that "Enforcing a Zero Trust framework for software defined networks and cloud access, provides the foundation for AI-driven security solutions to continuously monitor and authenticate users." Strong words!
To counter, we have Daniel Comarmond, who offers "This leaves people as a factor you CAN trust... and I'd rather encourage 'trust' than 'zero trust'. Why? Because when discussing the safest place to store and protect data with the owners of afore-mentioned data and the owners of the budget for such a project, the term 'zero trust' cannot be expected to be clearly understood."
Comarmond continues, "That's why protection of data starts with people you trust - start with what you already know: the 'known good', not the 'unknown bad', and then determine the varying degrees of trust per person or, ideally, per group of people.
"What about 'insider threats', I hear some say? Great question. But if we trusted someone enough to hire them, then they need to be afforded the tools (and rights) to do their job. Hence, we trust but verify - as highlighted in the ACSC Essential Eight references to re-validating privileged rights.
"Hang on, how did we get to talking 'privileged rights'? Because as the question poses - your data needs to be accessible to varying degrees. If only some staff and some outsiders are permitted to access it and not others, that's privilege right there. This is where I feel that managing privilege is not well understood... It's about what data a person can possibly access or actions a person can perform - privilege is not just about the account that unlocks access to said data or elevated actions.
"So protect access to data wherever and however it resides, with a privilege management suite that lets the same people you know and trust to do the same job, ideally with the toolset they are already familiar with, no matter the form of data. This gives you a centralised tool to define which people (internal and external) are mapped to which resources and data sources, challenge people to prove who they are with multiple factors of authentication, and then broker sessions to authorised resources."
Terry Burgess would counter: "Many organisations - like University of Queensland and Microsoft - are adopting the 'zero trust' philosophy to manage employee access and secure data. By continuously authenticating users across the network, nothing inside or outside the organisation is trusted until it is verified. This framework transforms identity from being "just another IT problem", to a business-wide concern that must be managed at the board level."
Graham Sowden attempts some middle ground, offering, "A Zero Trust framework throws away the idea that we should have a 'trusted' internal network and an 'untrusted' external network. With this framework, a 'never trust, always verify' mindset is used to ensure that only the right people have the right level of access to the right resources in the right context.
"An identity platform is a foundational security layer that enables a Zero Trust framework and allows organisations to give varying degrees of access to employees, contractors, partners, and clients - wherever they are, without adding friction for the user."
Stephen Burke is also probably on the side of zero-trust, "A lot is being talked about Zero Trust data security. The simplest way to think about it is that no network traffic is trusted as it comes from the office, the home, the coffee shop, desktop, laptop and the phone. You simply cannot setup firewall rules at the perimeter. You have put zero trust controls around the data assets themselves."
However, reading between the lines, we're not entirely convinced that either the proponents or opponents in the trust vs. zero-trust fully understand the concept. But we will leave that for another day.
Many of our experts were very interested in describing exactly what data is being stored… and where… and why.
What is stored?
Basically, far too much! Richard Bird describes the problem thus: " 'Data sprawl' has basically resulted in all of this important information being copied and then copies being made of those copies and then those copies being copied from. Very few companies have any idea of how much or where all of this data resides because of years, even decades of failing to control or contain this information in a secure way. First, companies have to get their arms around where all the data has migrated to and then build a strategy to protect it and secure it going forward.
"Business critical or sensitive data shouldn't be stored in emails, or file shares, or cloud based storage solutions or in unsecured databases. The reality? This is exactly where data is stored today and many times, it has been copied from the strongly guarded locations that are the best place for it. Data security isn't a technology problem; we figured out how to protect information decades ago. Data security is a people problem and a process problem. Are we surprised that we keep getting broken into when we keep making 'just one more" copy of the door keys for another user with special requirements or who needs the data "just to do their job?"
Jayden Zullo adds "Most organisations store at least some personal and potentially valuable information such as payment card details, drivers licence information, or other sensitive data. While there is no single security product that can secure everything, it's important to mitigate the risk of a data breach."
Martin Holzworth expands on the same theme - "Many organisations save data just in case it may be needed in future as opposed to saving it based on any real governance policies. This can create issues down the track. Instead, it's important to consider what data organisations need to store and to do so in a way that protects the accessibility and integrity of that data."
Garrett O'Hara continues, "Purging data that is not useful, or needed, helps with the job of storing and securing the data. If we can avoid storing a dataset, and ideally not collect it in the first place, then we have fewer things to think about."
Jason Duerden adds, " With this new working style, comes new rules. For example, it is critical that individuals delete data that is not needed to protect the greater good. If there is nothing the adversary wants to steal, then you are not the target. Simply put: the less you have, the simpler it is to defend."
To something of an aside, Tim Mackey notes, "Some employers have taken to monitoring an employee's activity level via company supplied fitness trackers - in effect installing a health datalogger on the employee. From a health perspective, these actions may have benefits for both employers and employees, but can also increase the risk of accidental data exposures while simultaneously failing to meet regulatory requirements.
"While from a user perspective, centrally managing fitness data and then granting access to specific data attributes to third parties like employers might seem workable, it presumes that users will be proactive about reviewing their data sharing decisions on a periodic basis. Central management also has the complication where data sharing between organisations is subject to data transfer legislation, and when data is shared internationally, GDPR and digital trade agreements like the now invalidated EU-US Privacy Shield mean that users are unlikely to be abreast of the latest in privacy laws."
So, the consensus to the question of 'what is stored,' would be "far too much and far too many copies."
So, the IT team is stuck right in the middle of this. Is it possible to help them? Is it possible for these guys to have a…
Single view of everything
Jayden Zullo suggests that we should "deploy a cybersecurity solution that includes policy, alerts, reporting, and backups. When it comes to policy, alerts, and reporting, organisations should choose a solution that lets them aggregate all their cloud apps into a single pane of glass so they can see where people are accessing things from, where they're logging in, and if they're logging in twice, which could indicate a breach."
Looping back to the previous consideration around what is actually being stored, Stephen Burke notes that, "Given that not all data is created equal, if the owner does not know the different types of data they own, where all of the data resides, who currently has access in addition to establishing 'who should' or 'who needs' access, these are the most important questions to be answered at the outset. Otherwise, they will be shutting a few doors whilst leaving many other doors and windows open for cyber criminals to gain access and exfiltrate the data. I call this Data Governance' ."
Raising his voice a little, Richard Bird asserts that we need to "Stop treating data like it is some kind of independent organism that lives and breathes all by itself. Data is lifeblood for applications, pure and simple. The best way to protect it is stop letting it be used as fuel for applications and purposes that it shouldn't be used for. A great example would be something like someone innocently copying human resources information for a department to create a birthday card list or a company outing invitation list. The bad guys live for the acquisition of personal data to pursue their social engineering exploits - but we allow the use of data for activities it isn't intended for and then suffer the consequences.
"Also, stop treating data like it doesn't have an owner. Data without an owner is like putting a basket full of cash in the middle of a busy intersection. We treat data like it is something special and then we treat the owner or the identity associated with the data like an afterthought. Tightly tying data to identity results in a bond that makes it much harder for bad actors to steal that information."
Who owns the problem?
Sometimes, 'motherhood' statements get left behind in the race for something 'new' and 'wonderful,' so it's valuable that Jason Duerden reminds us, "Realistically, protecting data needs to be a collaborative effort with all the customers, or organisations, in your network presenting a united front."
Corne Mare adds to this, telling us that, "Protecting data starts and ends with business requirements. This means understanding what data users need to access in the business, and what information internal and external users or partners need to access. Certain controls and frameworks such as zero trust can guide organisations on how to better secure their data."
But, how important ais the regulatory framework? Tim Mackey believes that it's an area worth focussing on: "The limiting factor is now primarily accessibility to data and adherence to regulations. This then means that great care needs to be employed by analytics providers to ensure that details on individuals aren't accessible through their platforms."
In something of a conclusion, we should point out that no matter where your data is stored, or who has (or is supposed to have) access, it all boils down to culture. How engaged are your people to want to be part of the solution? For apathy most clearly resides in the domain of the problem.
Corne Mare sums this up well when he tells us, "So, when looking at how to protect data better, it's important to start with the non-cyber component, which is looking at the human aspect that builds culture; a strong foundation for most successful businesses. From this groundwork, it is easier to build a culture where people think before they click, which is an important aspect of security awareness. Culture is not something an organisation can buy but it can go a long way towards protecting against data threats. For example, Elon Musk expressed his gratitude when a Tesla factory employee exposed a hacking plot targeting the company. A hacker approached the employee to work as an insider to install the malware in exchange for $1 million. The employee reported the issue and worked with the FBI to track and arrest the hacker."
Finally, in closing, we'll give Martin Holzworth the final word. "Solutions are becoming available that make data self-aware so it can self-destruct when in an unauthorised location."
Wouldn't that be wonderful!
Our thanks to all the experts who contributed to this piece. Stay tuned for the third question in the series, due in a couple of weeks.