What every CSO should know about data security challenges
Varonis is the leader in unstructured and semi-structured data governance software. Based on patented technology and a highly accurate analytics engine, Varonis solutions give organizations total visibility and control over their data, ensuring that only the right users have access to the right data at all times from all devices, all use is monitored, and abuse is flagged. Varonis makes digital collaboration secure, effortless and efficient so that people can create and share content easily with whom they must, and organizations can be confident their content is protected and managed efficiently. Varonis has more than 4,500 installations worldwide and is headquartered in New York, with regional offices in Europe, Asia and Latin America.
Info Security PG: What will be the biggest data security challenges for organizations in 2013?
David Gibson: There’s a growing gulf between the people who know how to find the right information quickly and those that don’t. Organizations need to get their employees thinking about what needs to be kept, what can be removed and how to intelligently archive their information. So much data is being stored that intelligent search, retention, and archiving will be a competitive advantage.
There’s also growing disparity between how people use technology in their personal and professional lives. With a huge portion of the workforce connecting remotely, the traditional infrastructure is being assaulted by new requirements, devices and services. This will impact a number of business areas. For example, who owns the intellectual property of documents created on a personal device? The enterprise must be the master, yet still offer the flexibility that the workforce demands.
While organizations are used to collaborating internally, the need to collaborate with third parties like business partners, contractors, vendors and customers is increasing. Files are growing – too many and too large for email. We need to introduce processes that ensure the right sensitive information is shared with the right people, securely. We require solutions that will intelligently archive this information, while automating management, retention and protection.
Finally, while technology exists which allows us to store and analyze huge amounts of data, there is a serious lack of data scientists to interpret the results and make informed decisions. More information doesn’t always lead to better decisions. But, if you have the automation and the talent to distinguish causality from coincidence, you can gain an edge.
About David Gibson
David Gibson has been in the IT industry for over fifteen years, with a breadth of experience in data governance, network management, network security, system administration, and network design. A respected expert, he is frequently quoted by the press on business and technology issues related to big data, data security and data management. David holds many certifications, including CISSP. As a former a technical consultant, he has helped many companies design and implement enterprise network architectures, VPN solutions, enterprise security solutions, and enterprise management systems.
Info Security PG: How does the Bring Your Own Service (BYOS) movement - the use of cloud services such as file sync services, impact compliance and data protection? And how can you police your data if you don’t know where it’s stored?
David Gibson: Organizations can no longer afford to ignore file synchronization services. They are here, and employees will use them whether you allow them to or not. While cloud-based file synchronization services are incredibly tempting, organizations are losing control of more assets each day. The line between personal use and corporate use has blurred, and employees are storing corporate data in cloud services without corporate knowledge, approval or oversight. In fact, unless you’re actively blocking all cloud services, it’s almost certain that your employees are using them. If you do block them (without offering an acceptable solution) then it’s almost certain that your employees are using them anyway—working on their personal devices entirely outside of the corporate network.
So we face a difficult choice - one where we either let things go as they are now, where end users use personal devices and free cloud services to store organizational assets wherever they choose, or select a separate, cloud-based file synchronization service that will add additional management overhead, and new risks that are difficult to quantify.
There's also a new approach that provides file-synchronization services with an organization's existing infrastructure, taking advantage of the storage that they already own, authenticating with their existing user catalog, and integrating with protection and management technology and processes they already have.
Unless organizations choose an alternative course and implement it quickly they run the risk of landing in an impossible situation - data that their organization relies on to function and data that they are responsible for will reside in myriad servers, datacenters, and workstations over which they have absolutely no power.
Info Security PG: What would you advise CSOs on implementing a secured Data in Motion strategy that avoids disrupting operations?
David Gibson: First and foremost, gain visibility. Know where your data is stored, who has access to it, who uses it and what it contains.
Second, reduce areas of high risk -- for example, sensitive data that may be exposed to too many people.
Next, align data with its owners, and involve them. Once the right people are making the right decisions, opportunities for automation become clearer. Start providing owners with actionable information about their data, and start doing automated entitlement reviews, which discover and reduce excess permissions to unstructured data.
Then, enforce process with your audit trail and detective controls to ensure that no permissions change or privilege escalation bypasses normal workflow (with owners, etc.) and use automated analytics to establish a baseline for normal use, identify and alert on potential abuse, and enforce retention policies.
Using this methodology, IT organizations can transform chaotic collaboration into a secure, organized model that keeps pace with personnel and data changes, ensuring that only the right people have access to the right data at all times, from all correct devices, all use is monitored, abuse is detected, and data is kept only as long as it’s needed.
1250 Broadway, 31st Floor, New York, NY 10001 U.S.A.
Founded in: 2005 CEO: Yaki Faitelson Public or Private: Private Head Office in Country: United States Products: Varonis Data Governance Suite, Varonis Data Transport Engine, and Varonis DatAnywhere Company's Goals: Varonis will continue to deliver innovative, world-class solutions for unstructured and semi-structured data governance, retention and digital collaboration.
JOIN NOW THE CYBER SECURITY WORLDWIDE COMMUNITY ON LINKEDIN