This week we return to the topic of a Zero Trust security implementation. So far, I have covered how to secure your devices and applications in a Zero Trust framework. Today I will talk about how to secure your data with Zero Trust. You might be surprised to hear my advice on securing your data: take some basic steps now but otherwise watch this space.
Why You Should Proceed Carefully to Secure Your Data
Here is why I am less than gung-ho on the topic of securing your data.
How Big is This Problem in Your Organization?
The discussion around securing your data seems to start with the presumption that every organization has lots of data that needs to be secure. But is that really the case? We have customers that conduct agricultural research. These customers tell me that their goal is to share their research as widely as possible. Organizations that operate in a capitalist context (for instance, US pharmaceutical companies) have a different level of data security than non-profit organizations focused on advancing social good.
Your organization may have little data that you need to secure. Or it may have a lot. Regardless, securing your data depends heavily on defining and assigning labels for content. I have argued before that it is time to take this challenge on. I still feel that way. But I also recognize that defining and assigning labels requires considerable effort.
We Need More Mature Tools
It is virtually impossible to manually label all of an organization’s content. Examining content file by file is a soul-crushing task. To borrow from Marie Kondo, it does not bring anyone joy. And remember, content continues to be created, at an accelerating rate. Talk about a Sisyphean task.
The tools for scanning content and applying labels are still evolving. There is one tool for use with on-premises content and another for cloud-based content. And there is a tool you can use within Microsoft Office and another for non-Office files. It is cumbersome to have multiple tools that perform a similar function; you must know where to use each. This leads to confusion and mistakes. I would prefer “one tool to rule them all,” you might say.
Scanning and applying labels to content is a perfect application for machine learning. I am happy to see that Microsoft has a machine learning tool in preview now. I hope to test it out and let you all know how easy (or not) it is to train the tool and use it. If you are game to try the tool before I get to it, let me know what you think, and I can share it on our blog.
Define the Data You Need to Secure
I recommend that you start securing your data by answering this question: what data needs to be secured? If you are a grantmaking organization, you want to operate as transparently as possible. You publicize the grants you award. It is possible that you make grant applications available to the public. You file a Form 990 every year that describes your financial statements. So, what content do you need to secure?
Every organization has Human Resources data that must be secured. As well, non-public financial data should be secured. What about Board deliberations? Strategy documents? Anything else? Remember to include data that could be used to harm the reputation of your organization and staff.
Next, Find Your Data
You cannot secure your data if you don’t know where it is. Yes, this is one of those “duh!” statements. And yet, I often find that customers do not really know all the places where organizational data is stored. If you are in that camp, your first order of business is to find out what kind of data is being stored where. Start with the data repositories that are officially sanctioned, such as file servers or cloud services like Google Drive. Move on to the ad hoc repositories. See who is expensing their Dropbox account and find out what data they are keeping there.
Secure Your Most Confidential Data
Here is where we dip our toe into the information labeling waters. Identify the data that is the most confidential. What data is only shared with a small number of people in your organization? Secure your data by starting with this content. Create a label—Super Secret Confidential—and define what kind of content gets this label. Define a policy that will encrypt data with this label. Now, that data is encrypted until it is unencrypted by the people you have named in the policy.
Congratulations. You have equipped your most confidential information with its own shield. Rest a little easier, knowing that even if that data leaves your organization it is still protected.
You have secured your most confidential data. Before you move on to the next tier of confidential data, take some time to see how things are working out.
Monitor and Remediate
Perhaps the reason why sensitivity labels are hard to define is because they try to operate on the meaning of data. Way back when I used to read about the difference between information and data. I grew tired of the hair-splitting and moved on. But the lesson I took from that discussion is that data only has value in context. What do the words on the paper (I said it was a long time ago!) mean? I can use the word “sensitive” in a document that I wouldn’t consider “sensitive.” If defining the sensitivity level of content were as easy as identifying a particular character string you would have been able to secure your data long before now.
Why am I telling you this? It’s simple. Defining a sensitivity label, and then defining actions based on that label, is not a “set and forget” kind of task. You want to see if the label and its resultant actions are doing what you intended. To properly secure your data you will want to confirm this.
Watch the rule work. See where you find false positives (applies the label when it should not) as well as false negatives (does not apply the label when it should). Next, see if there are cases you did not account for when you set up the label. Tune the label and policy.
You have taken an important first step to secure your data. Keep track of those tools that can automate the process. When the machine learning tools are ready, you will be ready to expand your label set and policies. I cannot wait for that moment. I hope you feel the same.