Ruslan Rakhmetov, Security Vision
In the previous article we described DCAP-class solutions. Today we cover the topic of data protection: the data-centric approach to cybersecurity, data management processes and methods of data protection.
In today's medium and large companies, the digitalisation of business processes has reached a level where cybersecurity is one of the top priorities and a prerequisite for successful business development. In the traditional economy, before the fourth industrial revolution, a company's main assets were physical: buildings, machinery, equipment, materials, products. Now the main assets are increasingly digital objects: data, applications, information systems and business processes, which in turn often depend on the IT infrastructure. The objects of cyber attack and cyber defence are people, processes, technology and data, with data tying the first three together. The tasks of ensuring the information security of data (its confidentiality, integrity, availability, non-repudiation, accountability, authenticity and reliability) are becoming ever more urgent.
In modern cybersecurity, several approaches can be conventionally distinguished:
1. Asset-centric - the classical approach, which focuses on the information systems, business processes, applications and services that help the business generate profit and fulfil the company's mission;
2. Incident-centric - a more modern approach in which information security (IS) processes are designed to prevent critical cyber incidents (so-called unacceptable events);
3. Data-centric - an approach that focuses on protecting data throughout its processing (creation, storage, use, transmission, modification, deletion, etc.).
In the 2010s, IS experts began to talk about the need to use a data-centric approach (data-centric security) instead of the classic model of network security (network-centric security), which has certain drawbacks: the spread of cloud infrastructures and remote work made it impossible to effectively protect a blurred network perimeter, and unauthorised access to data by employees and IT administrators led to leaks that classic security systems did not prevent. The data-centric approach began to be applied in companies whose main value is data: for example, the source code of software products, drawings, diagrams, chip topologies, formulas (mathematical, physical, chemical), customers' personal data, payment information, intellectual property and Big Data. Interest in the data-centric approach and demand for the corresponding security tools are further fuelled by strict legal regulation of the processing of personal data (152-FZ, GDPR, HIPAA, CCPA), financial information and payment card data (GOST R 57580.1-2017, PCI DSS, Central Bank Regulations No. 672-P and No. 719-P) and trade secrets (98-FZ).
In foreign literature the term data governance is common: it denotes the set of data management processes together with a governance model that defines authority, responsibility and decision-making parameters for the data a company creates or manages. Several data governance maturity levels have been adopted for companies:
1. Data-informed (or Data-aware) - the company collects data, organises and documents data processes, and employees know where the data is stored and how it can be used, with no business decisions made based on the data available;
2. Data-driven - the company applies Data Science (works with Big Data), uses the processed data for decision-making and for planning its development;
3. Data-centric - Big Data processing is the core of the business, the results of processing directly affect business decisions.
To build a data management process, two sets of tasks should be performed:
1. Data classification, which should answer the questions:
- Where did the data come from?
- Who is the owner of the data?
- Who controls the data?
- Where and by whom is the data stored?
- What is the type of this data?
2. Formation of corporate data protection requirements, answering the following questions for each data class:
- Who (what) can use the data, exactly how, for what purpose, under what conditions?
- Where and for how long will the data be stored?
- How should the data be protected (in transmission, use, storage, backup)?
- Can the data be disclosed, to what extent, with what precautions, is it necessary to transform the data beforehand or to set special tags?
Once data has been categorised and data protection requirements have been established, you can move on to developing corporate data governance policies and rules, which should take into account legal and business requirements, and should also contain requirements for authentication of users and roles in business applications and rules for business applications to access data.
There are five main data governance models that differ in the way data governance policies and rules are formed:
1. Top-down - company executives create data governance policies and pass them on to business units for execution;
2. Bottom-up - employees in the field form data management practices and communicate their findings to management;
3. Centre-out (centrifugal) - a dedicated group of experts forms corporate standards for data handling;
4. Silo-in (centripetal) - representatives of different departments of the company collectively form rules for working with data;
5. Hybrid - joint use of the above models by employees at different hierarchical levels in the company.
Several data governance frameworks have been developed to implement the described models, for example:
- DGI Data Governance Framework;
- Data Management Body of Knowledge (DAMA-DMBOK);
- Data Management Capability Assessment Model (DCAM).
The following measures are used for data protection:
1. Organisational:
- Data Classification;
- Formation of corporate requirements for data protection;
- Development of corporate data management policies and rules;
- Introduction and maintenance of a trade secret regime (in accordance with the requirements of 98-FZ);
- Development of a package of organisational and administrative documents (ORD) on protection of personal data (in accordance with the requirements of 152-FZ);
- Development of a package of ORD on protection of financial information and payment card data (in accordance with the requirements of GOST R 57580.1-2017, PCI DSS, and CBR Regulations No. 672-P and No. 719-P).
2. Technical:
- Data discovery (inventory);
- Data classification (based on content and context analysis, metadata analysis);
- Separation of duties;
- Implementation of the principle of least privilege;
- Granting access to data only where there is a justified and approved need to read, use or store the data or to connect to the information system holding it (need to know, need to use, need to store, need to connect);
- Actualisation of data access rights;
- Restriction of access to data by time;
- Segmenting and controlling access to data using the Zero Trust approach;
- Encryption of data at rest, in transit and in use, in particular homomorphic encryption and transparent data encryption;
- Static and dynamic masking (obfuscation), tokenisation and anonymisation of data;
- Ensuring monitoring and auditing of all data operations;
- Creation of backups, encryption of backup media;
- Secure (guaranteed) deletion, erasure, destruction of data and media.
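Two of the technical measures above, content-based data classification and static masking, as an added example that is not code from the article or from any product it names. The sample records, the card and phone patterns, and the masking format are constructed assumptions; the Luhn check keeps random digit runs from being classed as payment card numbers.

```python
import re

# Constructed sample records; not real customer data.
SAMPLE_RECORDS = {
    "customers.csv": "Ivanov I.I., card 4111111111111111, phone +79991234567",
    "minutes.txt": "Quarterly meeting notes, nothing sensitive here",
    "invoices.txt": "Paid with 5500000000000004; contact +79997654321",
}

CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")   # candidate PAN: 13-19 digits
PHONE_RE = re.compile(r"\+7\d{10}\b")               # assumed phone number format

def luhn_ok(digits):
    """Luhn checksum filters out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify(text):
    """Content-based classification: returns the set of data classes found."""
    classes = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            classes.add("payment_card")
    if PHONE_RE.search(text):
        classes.add("personal_data")
    return classes

def mask(text):
    """Static masking: keep the last four PAN digits and the phone's edges."""
    def mask_card(m):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            return m.group()          # not a card number, leave untouched
        return "*" * (len(digits) - 4) + digits[-4:]
    text = CARD_RE.sub(mask_card, text)
    return PHONE_RE.sub(lambda m: m.group()[:2] + "*" * 8 + m.group()[-2:], text)

def classify_store(records):
    """Map every object in the store to the data classes it contains."""
    return {name: classify(body) for name, body in records.items()}
```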
3. Physical:
- Providing access control and accounting for access to data processing facilities;
- Protection, accounting, control of movement of data carriers, including removable data carriers, mobile devices, workstations, servers, data centre facilities, tape drive cassettes with backup copies.
The following classes of data protection systems are used to implement technical data protection measures:
- DCAP - Data-Centric Audit and Protection, data-centric audit and protection systems;
- DAG - Data Access Governance, data access control systems;
- DLP - Data Leak/Leakage/Loss Prevention, data leakage/loss prevention systems;
- RMS - Rights Management Services, access rights management services;
- DSPM - Data Security Posture Management, data security posture management systems;
- UDM - Unstructured Data Management, unstructured data management systems;
- DSG - Data Security Governance, data security governance systems.
Some of the most advanced systems for data protection and management today are DCAP class systems, which have the following characteristics:
- File content analysis and content-based restriction of access;
- Audit of access rights (building a list of available objects for each subject, building a list of access subjects for each object);
- Audit of access to certain types of data (e.g. personal data, trade secrets);
- Control of access rights, reducing the number of redundant rights;
- Identification of file owners (for example, by frequency of access);
- File history (by whom and when it was created, how it was modified, by whom and when it was deleted);
- Searching for all objects (files) containing certain data (e.g. personal data of a particular customer);
- Data deduplication (e.g., to save disc space, to create smaller backups);
- Control of AI systems' work with data (what data the AI accesses, what data is loaded into the LLM, classification of data generated by the AI, control of prompts for sensitive information, detection of AI accounts and copilot-users with access to sensitive information, detection of anomalies in AI actions in relation to data);
- Detecting anomalies and unauthorised actions, blocking malicious actions (e.g. blocking an account or switching it to read-only mode when a ransomware infection is suspected).
DCAP class systems may be required to solve, for example, the following practical cases:
- Putting data in order - structuring the contents of file storages, identifying sensitive data, defining effective user access rights;
- Countering cyber espionage - preventing, detecting and investigating incidents related to insiders and spyware;
- Combating ransomware - preventing, detecting and investigating ransomware attacks;
- Protecting trade secrets - identifying all locations where trade secrets are stored and determining which users have accessed specific files during specified time periods;
- Fulfilment of legal requirements - deletion of all information related to a certain personal data subject who has submitted a relevant request.
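A DCAP-style audit over constructed file-access records, added here as an example (not code from the article or from any product it names) that covers several of the functions and cases listed above: objects per subject and subjects per object, owner identification by access frequency, who accessed a file in a given period, and a mass-modification heuristic for ransomware. The record layout, the 20-operations-per-minute threshold and the user names are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed audit records (timestamp, user, action, path); not real data.
AUDIT_LOG = [
    ("2024-03-01 09:00:05", "alice", "read",  "/fin/budget.xlsx"),
    ("2024-03-01 09:02:10", "alice", "write", "/fin/budget.xlsx"),
    ("2024-03-01 09:30:00", "bob",   "read",  "/fin/budget.xlsx"),
    ("2024-03-01 10:15:00", "alice", "read",  "/hr/salaries.xlsx"),
    ("2024-03-01 11:00:00", "carol", "read",  "/hr/salaries.xlsx"),
    ("2024-03-01 14:00:00", "alice", "write", "/fin/budget.xlsx"),
] + [  # svc_backup renames 40 files within 20 seconds: looks like encryption
    ("2024-03-01 15:00:%02d" % (i // 2), "svc_backup", "rename", "/fin/doc%02d.docx" % i)
    for i in range(40)
]

def parse(log):
    return [(datetime.fromisoformat(ts), u, a, p) for ts, u, a, p in log]

def access_matrix(log):
    """Rights audit: objects each subject touched, and subjects that touched each object."""
    by_subject, by_object = defaultdict(set), defaultdict(set)
    for _, user, _, path in parse(log):
        by_subject[user].add(path)
        by_object[path].add(user)
    return dict(by_subject), dict(by_object)

def likely_owner(log, path):
    """Owner identification by access frequency; None if nobody touched the file."""
    counts = Counter(u for _, u, _, p in parse(log) if p == path)
    return counts.most_common(1)[0][0] if counts else None

def who_accessed(log, path, start, end):
    """Users who touched `path` between two ISO timestamps (inclusive)."""
    s, e = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return sorted({u for t, u, _, p in parse(log) if p == path and s <= t <= e})

def mass_modifiers(log, max_ops=20, window=timedelta(seconds=60)):
    """Ransomware heuristic: more than max_ops write/rename events by one user in one window."""
    buckets = Counter()
    for t, u, a, _ in parse(log):
        if a in ("write", "rename"):
            buckets[(u, int(t.timestamp() // window.total_seconds()))] += 1
    return sorted({u for (u, _), n in buckets.items() if n > max_ops})
```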
Among foreign systems of DAG/DCAP class the following products can be mentioned:
- IBM Guardium Data Protection
- Imperva Data Security Fabric
- Microsoft Purview
- Netwrix Enterprise Auditor
- SailPoint Data Access Security
- Varonis Data Security Platform
- Veritas Data Insight
Among Russian DAG/DCAP class systems the following products can be mentioned:
- CTSG Docs Security Suite
- Cyberpeak Spectrum
- InfoWatch Data Discovery
- Makves DCAP
- Solar DAG
- Zecurion DCAP
- Garda DCAP
- Orlan.DCAP
- SearchInform FileAuditor