May 21, 2020
All links and images for this episode can be found on CISO Series
(https://cisoseries.com/defense-in-depth-data-classification/).
The more data we hoard, the less useful any of it becomes, and
the more risk we carry. If we got rid of data, we could reduce
risk.
Check out this post for the basis for our conversation on this week’s
episode, which features me, David Spark (@dspark), producer of CISO
Series, co-host Allan Alford (@allanalfordintx), and guest Nina Wyatt,
CISO, Sunflower Bank.
Thanks to this week's podcast sponsor, Cmd.
Cmd provides a
lightweight platform for hardening production Linux. Small and
large companies alike use Cmd to address auditing gaps, implement
controls that keep DevOps safe, and trigger alerts on hard-to-find
threats. With out-of-the-box policies that make setup easy, Cmd is
leading the way in native protection of critical systems.
On this episode of Defense in Depth, you’ll learn:
- Usable, user-friendly, viable-in-every-scenario data protection
that is invisible, seamless, and always on does not exist, but
could exist, and should exist.
- Classification tools that tout automation really aren't automated.
There is still a good amount of manual intervention.
- Another way to solve the data protection issue is to get rid of
data. Our data protection problem amplifies as we find ourselves
protecting more data. But a lot of data simply doesn't need to be
protected. It could be classified for non-protection or just
destroyed.
- Data is mostly unstructured, and it needs to be structured in
the sense that you know how data is flowing, and that is extremely
difficult to do.
- We spend more time on hardware and networking diagrams, but what
we should be doing is diagramming data flow.
- Mandate retention limits on data. People don't like it, but
it's going to make you a lot safer. Just mandate the lifespan of
data. If it's not needed or accessed in a certain period of time,
archive it or possibly kill it.
- People think holding onto data is costless, but the reality is
that the more you hold onto, the more costly it becomes from a
security perspective.
- Utility to you vs. utility to the bad guys is relative. For
example, a bank statement from five years ago has little utility to
you now, but if a bad guy is looking for information, that has the
same value as a bank statement from today.
- The questions you need to be asking: Is your data sensitive,
does it have open permissions, how long has it been since the data
was accessed?
- Data with PII is both an asset and a liability.
- Classifying data also has a major problem with consistency.
Often data can be put into multiple categories or classes.
- The security of the data itself is usually not the factor many
consider. We are often thinking about the security around the data.