As we demand more access to data to improve decision-making and optimize business performance, super-sized data stores and large data sets are becoming more and more common—and vulnerable. Business leaders should liken this practice to stowing all of their treasures in a bank vault—they want to keep that data secure, since any loss can potentially be catastrophic to a business.
The Target credit card breach this past holiday season impacted nearly 70 million customers who stood in line for hours on Black Friday, myself included. While the breach was mainly due to point-of-sale infections, I joined countless bloggers and fellow security practitioners to share thoughts and attempt to answer the question: What else should we do to prevent big data breaches? Here are a few best practices from our Information Security & IT Risk Management team to get you started.
Govern Your Data Access
We live in an age where the hijacking of a mail truck full of bank account statements is unlikely, but the hacking of a data warehouse full of Social Security numbers or intellectual property data is very prevalent. To combat these faceless culprits, you should take these steps to improve your understanding of who has access to your treasured data:
- Assess current access requirements and processes for key systems or applications containing large volumes of data within your company environment. This is not limited to internal employees; it also covers any third parties who may be receiving or using the data.
- Define baseline access requirements for these key systems or applications containing large datasets. This includes who should have access and what business justification should warrant access.
- Establish access controls for these big data stores, such as strong authentication and approvals from data owners before granting access. Alternatively, reduce the number of users by appointing a central “librarian” to control access to data stores.
- Perform ongoing monitoring of user access against the baseline requirements. This will help you to proactively identify deviations from normal access and quickly address insufficient controls.
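The monitoring step above can be automated as a comparison between the approved baseline and observed access. The following is an added example, not code from the original article; the system names, users, event format, and the function review_access are all constructed for illustration.

```python
from collections import defaultdict

# Baseline (constructed): system -> {principal: business justification}.
# Third parties are listed alongside employees, as the assessment step requires.
BASELINE = {
    "customer_dw": {
        "alice": "fraud analytics",
        "bob": "finance reporting",
        "vendor_acme": "contracted statement printing",
    },
    "hr_lake": {"carol": "payroll processing"},
}

# Observed access events (constructed): (principal, system, rows_read).
EVENTS = [
    ("alice", "customer_dw", 1200),
    ("vendor_acme", "customer_dw", 50000),
    ("dave", "customer_dw", 300),   # no baseline entry at all
    ("alice", "hr_lake", 15),       # approved elsewhere, not on this system
    ("carol", "hr_lake", 80),
]

def review_access(baseline, events):
    """Compare observed access with the baseline.

    Returns (unapproved, unused):
      unapproved: {(principal, system): total rows read} with no baseline entry
      unused:     sorted [(principal, system)] approved but never exercised,
                  candidates for removal at the next data-owner review
    """
    unapproved = defaultdict(int)
    seen = set()
    for principal, system, rows in events:
        if principal in baseline.get(system, {}):
            seen.add((principal, system))
        else:
            unapproved[(principal, system)] += rows
    approved = {(p, s) for s, users in baseline.items() for p in users}
    return dict(unapproved), sorted(approved - seen)

if __name__ == "__main__":
    unapproved, unused = review_access(BASELINE, EVENTS)
    for (principal, system), rows in sorted(unapproved.items()):
        print(f"DEVIATION {principal} read {rows} rows from {system} without approval")
    for principal, system in unused:
        print(f"UNUSED    {principal} on {system} ({BASELINE[system][principal]})")
```

Approval is checked per system, so a user approved for one data store is still flagged when touching another, and approved-but-unused entries surface entitlements that can be withdrawn.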
Limit the Data Use, Collection and Storage
Organizations often collect and hoard information that is not really required or even used, perhaps thinking there might be a need for it someday. As defined in the AICPA Generally Accepted Privacy Principles (GAPP), basic privacy principles such as “collection limited to identified purpose” and “use, retention, and disposal” urge organizations to:
- Review current data residing in big data stores and determine the business need for collecting, using, and storing it. If you are not using the data for legitimate business reasons, you should stop collecting it, as it only introduces more risk exposure.
- Understand the upstream and downstream data flow of your big data store. Sometimes the information is “fed” to us by a third party. If you want to stop receiving unnecessary data from the source, you need to first understand where it comes from.
- Follow the retention policy or schedule and diligently archive data into an approved archival solution. This will not only help you to reduce data-related breaches and comply with retention requirements, but will also improve capacity management of your networks and systems.
Additionally, relying on technologies to help us secure big data is imperative. Protecting your data through end-to-end encryption or tokenization will help to reduce the chance that data can be understood by unauthorized people. However, consider these basic impacts of technology implementation on general accessibility and availability of data:
- Performance impact on data access. A few seconds may not seem to be a deal breaker, but if there are multiple databases and multiple applications across multiple platforms involved, then the sum of that lead time might be unacceptable to the end users or critical business processes.
- Business process impact. Using tokenization to substitute a sensitive data element with a token that cannot be mathematically reversed is a popular way to reduce Payment Card Industry (PCI) Data Security Standard (DSS) scope. Using a token instead of payment card data might alter some of the business processes that handle payment card data.
- Complexity associated with key management. Without effective key management policies and processes, the encryption is no more secure than handing your keys over to the inmates.
Big data doesn’t always come with supersized risks. You can reduce big data breaches by defining access requirements; limiting the collection, use, or storage of data to only support your business need; and applying technical controls to protect data from intruders.