There is a tectonic shift in the data security space caused by three major forces: Cloud, Collaboration and Content Variety. However, the accurate scale of this challenge eludes us when we seek insights from small-sample vendor survey results or multi-year forecasts by analyst firms. As helpful as these data sets are, their insights don’t always provide a here-and-now look at the true scale and complexity these tectonic shifts pose to Data Security today.
Towards this end, we at Concentric looked at real customer data of large technology providers that are operating at scale to compile the true magnitude of these three forces and reflect on how they are impacting the Data Security landscape.
Unmistakably, a big trend impacting Data Security is the movement of IT infrastructure and applications to the Cloud. Amazon AWS is the best proxy for the scale of this trend, with Microsoft Azure not far behind. In April 2019, Amazon's AWS unit reported that its revenues increased over 40% YoY. This is phenomenal growth building off a large base. More specifically, Amazon has had significant success in building data lakes.
According to Andy Jassy, AWS has over 10,000 data lakes built on S3. This phenomenal migration of infrastructure and data to the cloud also brings with it challenges in maintaining data security.
The challenge isn’t limited to structured data. The recent diffusion of content into companies like Box is adding a new dimension, and most of this data is unstructured. Applications such as Box, Dropbox, etc. enable file sharing with anyone and access to this data from any device. Box, a file-sharing app, has over 90,000 paying organizations. Many of these collaboration and file-sharing apps store enterprise data outside of the firewall, a practice common not only in the US but across the world.
Simple acts of omission can lead to significant security issues. Box itself correctly states the following example in its annual report as a security challenge that could impact its reputation: "A Box user can choose to share the content they store in Box with third-parties by creating a link that can be customized to be accessible by anyone with the link. There is a possibility that this data can be discovered and accessed by an unintended third party."
The second trend disrupting data security is the phenomenon of collaboration. Employees are increasingly using collaboration applications to get work done with their peers and with partners outside their company. To quantify the scale of collaboration applications, we looked at data from Okta. Okta is an identity cloud company with over 6000 customers, and millions of end users authenticate into cloud applications via Okta each day. This trove of raw data that Okta possesses gives them a high vantage point from which to quantify and assess cloud application usage.
A recently published Business At Work (2019) Okta report reveals that Office 365, a collaboration app, increased its lead as the most popular application and is growing its active unique users by 55%.
Increased usage also means that the attack surface just got that much larger. Enterprise information is exchanged and stored in Office 365 SharePoint environments; hence enterprises need to contend with securing high-value enterprise data within these collaboration applications. A CISO recently told us that he had an 18-month mandate to move to the cloud/Office 365, but he didn’t want his design docs to move to the cloud, knowing well enough the potential data security risks that it entails.
This exodus to the cloud has increased vulnerability and attack area, and it leaves gaps in data security. Any time we disrupt the technology stack and move to a new one, it introduces discontinuities in security. We saw that in the transition from the old client-server architecture to Web 1.0, and later to the Web 2.0 stack. In the new age of IT, the core tenets around security are still applicable, but managing them is a much more complicated challenge.
The third major aspect disrupting data security is content variety. Sensitive enterprise content isn’t limited to databases and personally identifiable information. Much of the sensitive data is stored in documents, PDF files, videos and the like. Though enterprises always had this variety of content, the introduction of Cloud and Collaboration has dramatically raised the stakes in protecting this data.
How does an enterprise ensure that in this ‘wild-west’ environment its sensitive data is adequately protected from getting into the wrong hands?
Each of the trends noted above is driven by different ecosystem players. In a complex, interconnected and dynamic new age of IT, there is no magic bullet to protect your data. However, certain ground truths are universal and apply in both private and public cloud environments.
1. Know what data is truly sensitive. This is a critical first step because all security actions follow from this piece of knowledge. Moreover, because enterprises continuously produce data in structured and unstructured form, we need to continuously monitor and update our knowledge of what information is really susceptible and presents a business risk.
2. Know where your sensitive data resides. If you know what data is confidential, it is much easier to track where that data resides.
3. Know who has access to sensitive data. Sensitive data by definition must be available only to people with a need to know. Knowing who has access to the data enables us to keep the data restricted to those who have a business purpose to know.
4. Ensure sensitive data is adequately protected. Adequate controls at the infrastructure, application and access-rights layers must be implemented to protect the data appropriately.
5. Investigate and get context-aware insights. In the event of a data breach or data incident, despite best efforts to prevent it, be able to investigate and get data context-aware insights into what might have happened.
In this new age of IT, it is essential not to jettison existing security approaches. However, it is critical that we also adopt new data security strategies that are better suited for our hyper-connected digital world that is driving organizations to shape-shift and become more agile and nimble.