Today, 89% of organizations report having a multi-cloud strategy and 67% of IT professionals say their organizations will maintain a hybrid-cloud strategy moving forward.
Protecting data wherever it resides is paramount, but the lines of responsibility for protecting data in the cloud can become blurred. Some organizations may assume their cloud provider(s) will protect them, so they don’t have to worry. However, cloud providers operate with a shared responsibility model where they are responsible for security of the cloud (the platform, service, and offerings), while organizations are responsible for security in the cloud, especially for their own data.
Protecting your organization’s data in multi-cloud, multi-region, and hybrid environments can present many challenges. But the ongoing pandemic, geopolitical risk, and climate risk-related events, up the ante. Recently, ShardSecure CEO and Co-Founder Bob Lam sat down with guest speaker, Forrester Principal Analyst Heidi Shey, who provided her insights into how to manage data security risk in uncertain times. Following are just a few highlights from the discussion. For all the details, I encourage you to watch the webinar, “Trends and the unexpected: How to manage data security risk in uncertain times.”
Presentation highlights
Focus on the constants amidst uncertainty.
Heidi set the stage by explaining that despite different types of uncertainty, there will be constants. It’s about recognizing the constants you face when it comes to data security and how you can address data risk. These constants include putting people first and understanding what they need to get their jobs done successfully; having a strategic plan that guides the decisions and investments you make for protecting your data and helps avoid “expense in depth”; identifying the core controls you can enable for data-centric security; and ensuring response readiness so you can be resilient in the face of any disruptive event.
Identify key controls.
To help organizations drill down into key controls, Forrester uses a framework that includes defining data to help you understand what you are trying to protect; dissecting data to better inform your decisions about controls and risks; and defending data which includes the controls you have for data access, inspection, disposal, and obfuscation.
Leverage your ecosystem.
Remember that data security is not implemented in a silo but is interconnected to your strategy and other controls you use. Heidi encourages organizations to consider who is accessing what data and how, and the other tools and policies in place to grant and monitor access as integrating all these functions is critical for data security.
Align your threat model to actual risks.
Research by Forrester finds there is often a disconnect between an organization’s threat model and actual risks. For example, organizations tend to overestimate the risk of external attacks and underestimate the risk of attacks involving business partners and third-party suppliers. Organizations also tend to focus on the cost of a data breach, and don’t adequately consider the costs associated with failures of data governance, missed contractual obligations, lost competitive advantage, and negative impact to reputation. Effective data security is predicated on threat models aligning to actual risk, which means organizations must identify any disconnects and correct for them.
Q&A highlights
After their presentations, Heidi and Bob also fielded several questions from the audience, including:
What do you think is going to happen in the next six to nine months given the geopolitical situation?
Heidi: I expect a doubling down around data governance. I am also seeing that some of the uncertainty has stirred up heavier concerns around issues of privacy and is causing some organizations to take a second look at data sovereignty and data localization to ensure they are prepared to meet those requirements. Companies with data in the cloud and concerns around national security and public health, for example, are creating conditions and pressures around data controls to ensure their data remains under their control and cannot be accessed by a different government without their knowledge.
Bob: We are seeing that companies with data centers in non-NATO countries are re-evaluating their risk during these uncertain times and seeking more effective ways to protect and maintain control of their data and intellectual property (IP) stored in those countries. Encryption has been the method of choice for many IT leaders and encryption is a great layer of defense. However, we all know that human error, poor cyber hygiene, and challenges with key management can provide threat actors and rogue insiders with access to high-value data.
Microsharding, which is what ShardSecure offers, essentially makes sensitive data unsensitive and unintelligible to unauthorized users. It is a three-step process that consists of shredding, mixing, and distributing data across multiple storage repositories of the data owner’s choosing – multi-cloud, multi-region, or hybrid cloud. When data is shredded into microshards, they are too small to contain sensitive data. Mixing that data with poisoned data and distributing it helps to ensure unauthorized users never have a complete, intelligible data set should storage be compromised.
Can you explain what you mean by “expense in depth”?
Heidi: Basically, this is a strategy where organizations are investing in security controls and capability without a clear view of the overarching strategy and approach. Instead, organizations should spend with purpose. If you have a Zero Trust approach, use that to identify what technologies come next in your roadmap and invest there. Or do a security assessment based on your maturity and focus investments to close those gaps.
Do you have one or two questions boards can ask to understand if backups and disaster recovery are working appropriately?
Heidi: Sure. When was the last time your disaster recovery plan was actually tested? Was the outcome what you expected? Then, learn from this and take corrective measures.
If there’s one thing we know for sure, uncertainty will never go away. Companies that weather uncertainty successfully are revisiting their risk and strategies to protect their data today, as well as going forward. For more insights and recommendations on how to manage data security risk in uncertain times, watch the webinar now.