With today’s ever-expanding threat surface, businesses face critical challenges in protecting vital data from compromise. Mitigating data security risk is top of mind for security professionals at corporate and public sector agencies alike. An indication of the severity of the problem can be found in the latest Binding Operational Directive from the Cybersecurity and Infrastructure Security Agency (CISA). BOD 23-01, which was announced last October, is designed to enhance federal agencies’ ability to identify vulnerabilities in their networks in order to prevent and better respond to cybersecurity incidents.
The CISA directive focuses on two core activities – asset discovery and vulnerability enumeration. According to the directive: “Asset discovery is a building block of operational visibility, and it is defined as an activity through which an organization identifies what network addressable IP-assets reside on their networks and identifies the associated IP addresses (hosts). Vulnerability enumeration identifies and reports suspected vulnerabilities on those assets.”
While CISA directives are compulsory for U.S. government departments, agencies and companies doing business with the government, other regulations around the world are aimed at how private sector data is collected, processed, stored, transmitted and disseminated. Failure to achieve compliance with regulations, such as the General Data Protection Regulation (GDPR), can come with hefty penalties. For example, EU authorities levied a total of €1.64bn in fines at the outset of 2022. This represented a year-on-year increase of 50%.
GDPR is one of many regulations that require compliance. Healthcare organizations face HIPAA regulations that require the protection of patient health information. Financial institutions, retailers and e-commerce companies must comply with PCI-DSS regulations that protect credit card data and online payments. The California Consumer Privacy Act (CCPA) mandates that California consumers can demand to see all the information a company has saved on them, as well as a full list of all the third parties their data is shared with.
An Avalanche of Data: Good for Business, Tough for Compliance
Businesses around the world leverage massive amounts of data to fuel innovations and power growth opportunities. While this avalanche of data represents a gold mine of insights that can be harnessed for the good of the business, it also creates a cybersecurity risk and potential compliance nightmare.
When one considers the sheer volume of data being generated each and every day, it’s easy to see why achieving data compliance is no easy task. The latest statistics indicate that approximately 328.77 million terabytes of data are generated each day. By 2025, global data creation is projected to grow to more than 180 zettabytes. That’s 60 million times as much data as was contained in all of Netflix’s digital movie catalog as of 2013, according to the website The Measure of Things.
As companies add new tools, applications and technologies, transition to hybrid and remote work environments, and migrate vast amounts of data to the cloud, the need to ensure compliance with all pertinent regulations becomes more complex. On top of this, encryption, access, permissions, misplaced data, and the constant need to maintain data privacy make compliance maintenance increasingly difficult for security professionals.
Three Ways to Get Proactive About Cloud Data Compliance
Being able to constantly and consistently monitor and analyze data to detect risk is a business imperative, not just an IT or security issue. With cloud migration and generative AI, regulators are increasingly requiring companies to be intentional about their use of data. As a result, data is becoming a primary business asset rather than a siloed IT burden, and businesses have a responsibility to understand what data they have and how they’re using it.
The following are three areas that organizations and their security teams should focus on to get their data house in order to prove and maintain compliance more efficiently.
- Know Your Risks – In order to stay compliant, know which data regulations apply to your business, such as GDPR, HIPAA and CCPA, or others specific to your industry. And, to fully understand your risk exposure, conduct a thorough risk assessment to identify potential data security exposures. It is also vital to identify stored data that is no longer in use but still contains sensitive information. Such stored data comes in three forms: stale data that is no longer used; ghost data contained in snapshots of data stores that no longer exist; and copy data contained in backups, which are vital for ensuring data resilience and business continuity, but some of which may be redundant.
- Secure, Don’t Constrain Data – Locking up data used to be the way of the world. But this can disrupt business and influence people to look for ways to work around security controls to get their job done more expeditiously. Instead, businesses need observability and automation capabilities to respond to unexpected activities in real time. Sufficient controls that only allow access to authorized individuals are crucial for data security and maintaining compliance. For example, multi-factor authentication and data encryption are essential for protecting sensitive information. This enables the people who need data to grow the business, while thwarting threat actors.
- Stay vigilant – Threats and attacks can happen at any time, which means security teams must constantly monitor and audit data usage. By employing observability and automation you’ll discover potential risks, understand the business and security context, and automate the appropriate response if a data breach occurs. Continuously evaluate the data you are creating, consuming and managing to power these initiatives. Identify the ongoing risks from security, privacy, regulatory and governance perspectives, and remediate the exposures that exist: address misconfigurations and excessive user permissions, highlight architectural weaknesses introduced in product development or customer engagement strategies, and create or refine policies governing how your staff uses the data you collect to drive future growth strategies.
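The stale/ghost/copy taxonomy from the "Know Your Risks" item above can be turned into an automated inventory check. The following is an added example, not code from the original article or from any DSPM product; the inventory records, the 180-day staleness threshold and the content-hash comparison are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

STALE_AFTER = timedelta(days=180)  # assumed retention policy threshold

@dataclass(frozen=True)
class Store:
    name: str
    last_accessed: date
    sensitive: bool  # result of an assumed upstream classification step

@dataclass(frozen=True)
class Snapshot:
    name: str
    source: str  # name of the live store the snapshot was taken from

@dataclass(frozen=True)
class Backup:
    name: str
    source: str
    content_hash: str  # identical hashes mean byte-identical copies

def find_stale(stores, today):
    """Stale data: sensitive stores nobody has touched within the threshold."""
    return sorted(s.name for s in stores
                  if s.sensitive and today - s.last_accessed > STALE_AFTER)

def find_ghost(snapshots, stores):
    """Ghost data: snapshots whose source store no longer exists."""
    live = {s.name for s in stores}
    return sorted(snap.name for snap in snapshots if snap.source not in live)

def find_redundant_copies(backups):
    """Copy data: backups that duplicate an earlier backup of the same source."""
    seen, redundant = {}, []
    for b in sorted(backups, key=lambda b: b.name):
        key = (b.source, b.content_hash)
        redundant.append(b.name) if key in seen else seen.setdefault(key, b.name)
    return redundant

def classify(stores, snapshots, backups, today):
    return {"stale": find_stale(stores, today),
            "ghost": find_ghost(snapshots, stores),
            "redundant_copy": find_redundant_copies(backups)}

# Constructed sample inventory (not real systems).
TODAY = date(2024, 1, 15)
STORES = [Store("customer-db", date(2024, 1, 10), True),
          Store("legacy-hr-export", date(2023, 3, 1), True),    # unused, sensitive
          Store("marketing-assets", date(2022, 6, 1), False)]   # unused, not sensitive
SNAPSHOTS = [Snapshot("snap-customer-db-2023-12", "customer-db"),
             Snapshot("snap-orders-db-2021-05", "orders-db")]   # orders-db was deleted
BACKUPS = [Backup("bk-customer-db-mon", "customer-db", "ab12"),
           Backup("bk-customer-db-tue", "customer-db", "ab12"), # identical to mon
           Backup("bk-customer-db-wed", "customer-db", "cd34")]
```

Running `classify(STORES, SNAPSHOTS, BACKUPS, TODAY)` flags one item in each category; the non-sensitive but unused store is deliberately left out, since the article scopes the concern to sensitive data.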
As data volumes continue to explode, the challenges of ensuring regulatory compliance become equally daunting. Data security posture management platforms can empower security teams to stay ahead of data regulations and risks by automatically discovering and classifying all data, across all clouds and data stores. Knowledge and insights are a security team’s greatest weapons.