Concerned About Risks to Your Corporate Data? DSPM Can Help.


“Data is like garbage. You’d better know what you are going to do with it before you collect it.” – Mark Twain

By Rob Wayt, Structured Director of Governance, Risk and Compliance —

Organizations large and small, in both the public and private sectors, hold voluminous amounts of data, much of it sensitive. This data has been collected and stored on connected digital systems since the birth of the information technology department, and the sprawl has only been exacerbated by the adoption of cloud services, which are inexpensive to use and accessible to every employee wherever they happen to be working.

To defend these data stores, IT organizations prudently build technologies into the security architecture: next-generation firewalls (NGFW), endpoint protection platforms (EPP), encryption, and identity management with multifactor authentication (MFA). It is a responsible course of action.

However, without knowing exactly where sensitive information lives, how long it is kept, and who has access to it, is the security architecture actually managing risk to acceptable levels? Possibly. Or is it missing the mark, leaving the organization open to a breach, or to compliance penalties, because technical controls were placed where the sensitive data is not? Also possible, and disturbing.

On top of those concerns, more compliance requirements exist now than ever before, regulating:

  • How sensitive data is managed,
  • Which security controls to employ,
  • How long the data can be kept, and
  • With whom the data can be shared.

In these scenarios, data security posture management (DSPM) can provide critical insight into where your data resides, how sensitive it is, who depends on it, and where security controls should be placed to safeguard assets and lower operational risk.

DSPM Starts with Data Discovery

In order to tune your security architecture and risk management efforts, it is critical to begin by knowing where your sensitive data assets reside. Data is one of the five pillars of the Zero Trust architecture recommended by the federal government, and data inventory and categorization are among the functions the U.S. Cybersecurity and Infrastructure Security Agency (CISA) lists for that pillar in its “Zero Trust Maturity Model.” More recently, the National Security Agency highlighted data discovery and data flow mapping in its Cybersecurity Information Sheet titled “Advancing Zero Trust Maturity Throughout the Network and Environment Pillar.”

Whether the data is on-premises or in the cloud, sitting in unstructured stores like file shares and email or held in relational databases, a DSPM tool can crawl your repositories to inventory the systems on which the data lives, classify what it finds, and map the flows of information across your business processes.

DSPM Reduces Organizational Risk

Once data flows and locations at rest are identified, sensitivity can be classified against risk and compliance requirements. Does role-based access restrict permissions to the minimum set of staff a business function requires, or is something more permissive in place? Is excess organizational risk created by data residing in the wrong location, outside the reach of the controls meant to protect it?

DSPM provides valuable insight into which of your data carries compliance requirements, and therefore which special controls must be in place for security, privacy and retention. A DSPM can also serve as a lens into risk requirements, alerting administrators to potential or actual problems with access control, data access and privacy discrepancies.
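The two steps described above, discovering and classifying sensitive data and then checking whether its exposure matches the principle of least privilege, can be illustrated with a small scanner. The following is an added example written for this article; it is not code from any DSPM product or from Structured. It walks a directory tree, applies a few hypothetical detectors (a Social Security number pattern, a Luhn-validated payment card number, and an e-mail address), and flags files whose POSIX mode makes them readable by anyone. The sample files it scans are constructed inline so the example runs offline; a real DSPM would use far richer classifiers and would query cloud and database permissions rather than file modes.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Hypothetical detectors for this example. Production classifiers use
# dictionaries, exact-match hashes and ML models in addition to patterns.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_text(text: str) -> set:
    """Return the set of sensitivity labels found in a piece of text."""
    labels = set()
    if SSN_RE.search(text):
        labels.add("SSN")
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            labels.add("PAN")
            break
    if EMAIL_RE.search(text):
        labels.add("EMAIL")
    return labels


def overexposed(path: Path) -> bool:
    """True when the file is readable or writable by 'other' (anyone on the host)."""
    mode = path.stat().st_mode
    return bool(mode & (stat.S_IROTH | stat.S_IWOTH))


def scan_tree(root) -> list:
    """Inventory every file under root that contains sensitive data, with its exposure."""
    root = Path(root)
    findings = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        try:
            text = p.read_text(errors="ignore")
        except OSError:
            continue  # unreadable to the scanner itself; a real tool would log this gap
        labels = classify_text(text)
        if labels:
            findings.append({
                "path": str(p.relative_to(root)),
                "labels": sorted(labels),
                "world_readable": overexposed(p),
            })
    return sorted(findings, key=lambda f: f["path"])


def demo() -> list:
    """Build a constructed sample tree, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hr").mkdir()
        (root / "finance").mkdir()
        # Constructed sample content; the SSN and card number are test values.
        (root / "hr" / "payroll.csv").write_text("name,ssn\nA. Person,123-45-6789\n")
        (root / "finance" / "orders.txt").write_text("card 4111 1111 1111 1111 exp 12/29\n")
        (root / "notes.txt").write_text("Contact ops@example.com for the Q3 report\n")
        (root / "README").write_text("nothing sensitive here\n")
        os.chmod(root / "hr" / "payroll.csv", 0o644)       # world-readable: a finding
        os.chmod(root / "finance" / "orders.txt", 0o600)   # owner only: least privilege
        os.chmod(root / "notes.txt", 0o640)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        flag = "EXPOSED" if f["world_readable"] else "ok"
        print(f"{f['path']:<24} {','.join(f['labels']):<10} {flag}")
```

In the sample run the payroll file is the interesting result: it holds SSNs and is readable by every local account, which is exactly the mismatch between data sensitivity and control placement that the text describes. The card-number file is equally sensitive but already locked down, so it is inventoried without being flagged.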

DSPM Enhances Compliance Efforts

A finely tuned DSPM can provide valuable information regarding privacy requirements. Seventeen U.S. states have enacted privacy laws that are currently enforced or soon will be. These laws have provisions for data subject rights that must be adhered to, and these rights can be difficult to honor if data is not properly inventoried and protected. These rights include:

  • Right to limit use and disclosure,
  • Right to opt-out,
  • Right to correct information,
  • Right to know what has been collected, and
  • Right to be forgotten.

In addition to these rights, many laws contain breach notification requirements, some with strict deadlines. It is far easier to determine who must be notified of a breach if the affected data set was already discovered and classified, enabling a quick and accurate inventory of affected parties.

Conclusion

Over the past few years, data management requirements on government agencies and private sector organizations have been increasing through governance, compliance, security and privacy regulation. The trend is for that regulation to keep growing, heightening the responsibility of data owners and controllers. If you are charged with safeguarding data at your organization and meeting regulatory requirements, Structured can help guide you on your data journey and provide guidance and solutions such as DSPM to increase your visibility into, and control of, your data assets.


About the Author
Rob Wayt

As Director of Governance, Risk & Compliance for Structured, Rob Wayt applies his 30 years of experience in IT security, compliance and networking to design and implement comprehensive security programs, focusing particularly on compliance assessment and audits. With core competencies in PCI, HIPAA, ISO 27001, FIPS/FISMA, FERC/NERC CIP, FERPA, GLBA/FFIEC/NCUA and Governance, Risk and Compliance (GRC) solutions, Rob is an incredible asset both to Structured and to its customers.

But while it’s clear he has a slight interest in GRC, he’s hardly one-dimensional. Rob also is an avid and accomplished cyclist and outdoor enthusiast who enjoys life wherever it takes him. For 26 years it was Japan, but he and his family currently reside in Alaska.