Network controls have been historically proven to be very capable in limiting access to networks and therefore the data held within them. As our networks have evolved, so have these controls.
However, even with these more complex controls, the fact still remains that network criteria have been chosen as the main standard for determining access to network elements. For example, if we look at traditional web controls, defining HR access via HTTP (or LinkedIn, on an application basis) is an often-used rule, and is completely acceptable in most cases.
But what if HR were to draw personal data from LinkedIn, and combine it with other data provided by an individual? While HTTP is a legitimate means by which to transfer or access the data, and the applications used may be allowed by an organization, over time the storage and processing of that personal data will create risk exposure for the organization – something that simple network or application controls do not deal with.
Clearly, organizations need better visibility regarding the content of the data they are using; an organization’s risk exposure to the use of different sets of data depends on the type of data being stored, processed or shared. Increasingly, organizations want to log how sensitive data is being used so that they can limit their exposure to the risk of storing or processing excess data. It is important that they hold as much useful data as possible for business purposes while limiting the overall data load to reduce liability.
The main problems organizations currently face are those of a constantly changing, dynamic environment, human usage, and Shadow IT. Personal data is a good example: organizations simply no longer have control of where personal data is held. An organization may have developers who create applications and use personal data lists to test them. Management will be unaware of this usage of data, while nevertheless being held responsible for it. Other examples are sharing and interrogating data with third parties via Amazon S3, which almost always falls outside the view of the network, application and operational security teams.
Organizations also need visibility into the usage of different types of data for compliance purposes; i.e., learning whether specific types of data are being transferred in an encrypted manner.
Clearly, an automated way of discovering, classifying and tracking all types of data flow, specifically data of a highly sensitive nature such as personal data, is necessary for most organizations if they are to keep up with their ever-changing threat landscape in terms of the usage of sensitive data.
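To make the contrast concrete, here is a small added example (written for this article, not 1touch.io's product code) that labels flows by their content and transport rather than by the allowed application: the flow records, the personal-data patterns and the sample payloads are all constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class Flow:
    src: str         # internal host or team that originated the flow
    dst_app: str     # application a traditional control would allow/deny
    encrypted: bool  # whether the channel was TLS-protected
    payload: str     # sample of the content carried (what network rules ignore)

# Illustrative patterns for personal-data types; real detectors add validation.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"\+?\d{1,3}[ -]?\d{3}[ -]?\d{3}[ -]?\d{4}\b"),
    "ssn_like": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

def classify(payload: str) -> set:
    """Return the set of personal-data types present in the payload."""
    return {name for name, rx in PII_PATTERNS.items() if rx.search(payload)}

def assess(flows):
    """Label each flow by what it carries and how, not by which app it used."""
    findings = []
    for f in flows:
        types = classify(f.payload)
        if not types:
            risk = "none"
        elif f.encrypted:
            risk = "sensitive"   # personal data, but protected in transit
        else:
            risk = "exposed"     # personal data in cleartext: needs action
        findings.append({"src": f.src, "dst_app": f.dst_app,
                         "types": sorted(types), "risk": risk})
    return findings

def summarize(findings):
    """Count where each data type is flowing, for the visibility log."""
    counts = {}
    for r in findings:
        for t in r["types"]:
            per_app = counts.setdefault(t, {})
            per_app[r["dst_app"]] = per_app.get(r["dst_app"], 0) + 1
    return counts

# Constructed sample flows: every destination is one a network rule permits.
SAMPLE_FLOWS = [
    Flow("hr-desktop", "linkedin", True, "profile: jane.doe@example.com, +1 555 123 4567"),
    Flow("dev-build", "test-api", False, "fixture: john@example.org ssn 123-45-6789"),
    Flow("analytics", "s3", True, "report: quarterly totals, no identifiers"),
]
```

Run `assess(SAMPLE_FLOWS)` to see that the developer test traffic, although bound for an allowed application, is the one flow carrying personal data in cleartext.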
Starting with privacy management and control, 1touch.io has initiated a paradigm shift in which data automatically and perpetually comes to the solution operator, and is categorized according to the data type. We give clear visibility into how it is being stored, processed and shared. This can only be done with network analytics at the core of the technology.
By giving clear, perpetually-updated visibility into what types of data are being processed, and where the data lives, 1touch.io enables organizations to make intelligent decisions about compliance, security policy, and enforcement.
The post Dear CISO: All Organizations Need Perpetually-Updated Data Visibility appeared first on 1touch.io.
*** This is a Security Bloggers Network syndicated blog from 1touch.io authored by Itzhak Assaraf. Read the original post at: https://1touch.io/dear-ciso-perpetually-updated-data-visibility/