By EK Koh
Recently Forrester published a report titled “Twelve Recommendations for your Security Program in 2014”. There are many good recommendations. One of them is: “Define your Data and give it an Identity to better protect it”.
This is timely.
In a recent Ponemon Cost of Data Breach Study, the cost of a data breach is estimated at $5.4 million per incident, and in a separate Ponemon Cost of Cyber Crime Study, 43% of respondents indicate that information loss is the largest impact of a cyber-attack. Clearly, data is the highest-value asset at risk.
In addition, as corporate perimeters start to disappear, and users expect to access data from any device anywhere, it has become harder, if not impossible, to lock down the infrastructure. With cloud storage and SaaS, sensitive data no longer resides within the firewall.
It therefore makes sense to focus on protecting data. But how?
Forrester recommends the following:
- Discover your data. Know where your data reside. Until you know where they reside, you cannot effectively protect your sensitive data.
- Classify your data. You want to clearly identify your data and classify it into different categories. Forrester specifically called out payment card data, personally identifiable data, personal health information, and intellectual property as examples of data that need protection. In our experience, companies often want finer-grained content classification, at the project or program level. In addition, not all data is of equal value. In fact, in a separate Forrester study, intellectual property was by far the most valuable, compared to customer custodial data, even though breaches of custodial data make most of the headlines.
- Clarify data use and handling roles. Forrester also recommends that you clearly specify how data can be used and handled, and by whom.
All of these make a lot of sense, except that it is not clear how you “clarify data use and handling roles”. What is the best-practice recommendation? Do you continue to use Role Based Access Control to govern data usage? Will that solution scale as the number of projects, programs and data categories grows?
Would attribute-based policies be a more scalable way to control data access, with roles being one of the attributes?
What is your recommendation?
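As an added illustration of the three steps and the closing question (example code written for this page, not from the post, Forrester or Ponemon): the script below discovers and classifies a handful of constructed records into the four categories the post names, then evaluates access with attribute-based rules in which role is one attribute alongside project membership, training and device state. The label abbreviations (PCI, PII, PHI, IP), the matching patterns, the attribute names and every sample record are assumptions made for the example.

```python
"""
Data classification followed by attribute-based access control (ABAC).

Added example, not code from the original post or from Forrester/Ponemon.
Labels follow the post's four categories; the abbreviations, regexes,
attribute names and sample records are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Callable, Optional

SENSITIVE = {"PCI", "PII", "PHI", "IP"}
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHI_TERMS = ("diagnosis", "patient", "prescription")   # constructed keyword list
IP_TERMS = ("design spec", "source code", "roadmap")    # constructed keyword list


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on 13-16 digit strings."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:        # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> str:
    """Step 2: assign one label per record; first match wins in a constructed priority order."""
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            return "PCI"
    low = text.lower()
    if any(t in low for t in PHI_TERMS):
        return "PHI"
    if EMAIL_RE.search(text) or SSN_RE.search(text):
        return "PII"
    if any(t in low for t in IP_TERMS):
        return "IP"
    return "INTERNAL"


# Constructed records; 4111 1111 1111 1111 is the well-known Visa test number.
SAMPLE_RECORDS = {
    "fin/refund-2024-03.csv": {"project": "Payments",
                               "text": "refund to card 4111 1111 1111 1111, amount 42.10"},
    "eng/widget-design-spec.md": {"project": "Widget",
                                  "text": "Widget v2 design spec: roadmap and source code layout"},
    "ops/ticket-8812.txt": {"project": "Support",
                            "text": "call jane@example.com about order 1234 5678 9012 3456"},
    "hr/newsletter.txt": {"project": "HR", "text": "cafeteria menu for next week"},
}


def inventory(records: dict) -> dict:
    """Step 1: discover where data resides and attach the label and project as resource attributes."""
    return {p: {"path": p, "project": r["project"], "label": classify(r["text"])}
            for p, r in records.items()}


@dataclass(frozen=True)
class Request:
    subject: dict    # role, projects, pci_trained, employee (assumed attribute names)
    resource: dict   # label, project, path
    action: str      # "read", "write" or "export"
    env: dict        # managed_device (assumed attribute name)


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str      # "permit" or "deny"
    when: Callable[[Request], bool]


# Step 3: data-use rules. Role appears as one attribute among several.
POLICY = [
    Rule("no-export-unmanaged", "deny",
         lambda r: r.resource["label"] in SENSITIVE and r.action == "export"
         and not r.env.get("managed_device", False)),
    Rule("pci-analyst-read", "permit",
         lambda r: r.resource["label"] == "PCI" and r.action == "read"
         and r.subject.get("role") == "fraud_analyst" and r.subject.get("pci_trained", False)),
    Rule("ip-project-member", "permit",    # project membership, not job title, gates IP
         lambda r: r.resource["label"] == "IP" and r.action in ("read", "write")
         and r.resource.get("project") in r.subject.get("projects", ())),
    Rule("internal-read", "permit",
         lambda r: r.resource["label"] == "INTERNAL" and r.action == "read"
         and r.subject.get("employee", False)),
]


def decide(req: Request, policy=POLICY) -> tuple[str, Optional[str]]:
    """Deny-overrides combining: any matching deny wins, else the first matching permit, else deny."""
    permit_hit = None
    for rule in policy:
        if rule.when(req):
            if rule.effect == "deny":
                return "deny", rule.name
            permit_hit = permit_hit or rule.name
    return ("permit", permit_hit) if permit_hit else ("deny", None)


if __name__ == "__main__":
    inv = inventory(SAMPLE_RECORDS)
    analyst = {"role": "fraud_analyst", "pci_trained": True, "employee": True}
    member = {"role": "engineer", "employee": True, "projects": ("Widget",)}
    outsider = {"role": "engineer", "employee": True, "projects": ()}
    for subj, path, action, env in [
        (analyst, "fin/refund-2024-03.csv", "read", {"managed_device": True}),
        (analyst, "fin/refund-2024-03.csv", "export", {"managed_device": False}),
        (member, "eng/widget-design-spec.md", "write", {"managed_device": True}),
        (outsider, "eng/widget-design-spec.md", "read", {"managed_device": True}),
    ]:
        print(path, inv[path]["label"], action, decide(Request(subj, inv[path], action, env)))
```

The last two cases make the scaling point: a role-only rule keyed on "engineer" would have to permit both engineers or neither, or else spawn a new role per project, whereas the attribute rule permits only the project member and the same four rules keep working as projects are added. The Luhn check on the support ticket also shows why classification needs more than a pattern match, since the sixteen-digit order number is not a card number.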