The following post is an excerpt from GovLoop's recent industry perspective, Protecting Your Data in the Cloud. In the brief, we examine the challenges of cybersecurity in multi-tenant cloud environments, and offer three steps to achieving data transparency and security.
According to Sol Cates, Chief Security Officer at Vormetric, agencies must take three steps to accomplish a security strategy that includes cloud considerations and complies with regulations:
Step 1: Identify Your Data
Before agencies can secure their information, they must determine the scope and type of data that might require protection. This is no easy task. “I’ll steal the three V’s from big data,” said Cates. “You have a lot of velocity. Your data is moving very fast to new locations in new ways. You have variety — where your data lives and what it looks like is drastically different than it was 10 years ago. And then volume is just increasing drastically. It’s been said that every two years, data is doubling.”
Unsurprisingly, this velocity, variety, and volume often hinder agencies from truly understanding their information. However, Cates stressed that it can be done.
“There are ways to identify your data and what it does for you, but you have to put in a lot a time and effort,” he said. “And that’s not just to buy one technology and get it done. You have to bring in the expertise to identify the information — where it is and what it looks like. At Vormetric, we coach our customers about how to identify their information, categorize it, and then classify it.”
Step 2: Assign User Rights
Categorization and classification are especially necessary in order to complete the second step to data security. Agency data isn’t made safer simply by mapping where and what it is. Organizations must take the next step to delegate access to those who require it and restrict access to those who don’t.
What’s more, this designation of user rights must be applied to every employee and account. “Don’t ever show the data to anybody who shouldn’t see it,” Cates said. “It sounds simple, but the problem is we have these things called administrators or privileged users inside of every system. How do you stop them from seeing the data? That’s where many data breaches have happened. They’re almost always from an administrator’s privilege being abused.”
Therefore, effectively assigning user rights is a two-fold objective. First, it means categorizing data rights by user group. Then, agencies must protect that same data from the very people who administer privileges.
Step 3: Protect Your Data
Once your data is mapped and your user privileges are categorized, it’s time to install protections that safeguard all of that data from anyone who shouldn’t be able to access it. This is easier said than done.
As previously noted, government agencies’ security solutions must comply with NIST SP 800-53. Additionally, protections must extend into a cloud environment where other organizations’ information also resides. Finally, security systems and protocols should allow or restrict access for different users.
Unsurprisingly, these various requirements often lead agencies to adopt myriad security systems. But that tactic adds yet another level of security concern because agencies must then create a strategy to manage and maintain their multiple key and certificate management solutions.
In our industry perspective, we explain how applying integrated encryption and key management can remedy these difficulties and secure your data.
Photo Credit: Flickr/justgrimes