Using Cloud Costs to Find Your Crown Jewels

Overall cloud spend gives you a common measurement for comparing assets when deciding which of your crown jewel systems to secure first.

The first step to securing your infrastructure is understanding what assets need to be secured. Data classification is the process of organizing data into categories so it is simple to identify, store, retrieve and protect. This involves finding the data types you have available, where the data resides, who currently has access to it and what levels of protection are needed to follow compliance regulations. Only when you have visibility into your data can you decide what data is important to protect and how much protection is required.


A Crown Jewels Analysis (CJA) is a process for identifying the information assets that have the greatest business value and would cause the most damage to an organization if leaked or stolen. A CJA starts from the premise that there is no such thing as perfect security; any protection strategy that is focused entirely on keeping malicious actors out of the infrastructure is set up to fail. Assuming that a compromise is inevitable, a CJA prioritizes placing the strictest restrictions and the most security resources on the data that is mission-critical to the organization, to reduce the chance that a single compromise becomes an extinction-level event.

Every organization needs to define what its crown jewel assets are. This is not an easy task, as different stakeholders across the organization often have different ideas of what data qualifies as crown jewels. Understanding these differences, however, is important, as each business unit often sits on crown jewels that are overlooked.

The process of identifying the crown jewels seems to be most successful when a CSO meets directly with other leaders of the organization, explains the strategy behind a CJA, and finds out what data is most valuable to them in their role. For example, the CMO may have a draft press release sitting on a shared drive announcing a major acquisition that could sink the deal if the news broke early. Or finance may be sharing customer contracts over unsecured personal email accounts. These practices may not violate any compliance requirement, but they could still cause significant damage, and the data involved needs to be protected accordingly.

Once you know what data is important, you can classify and categorize it. Many organizations apply a consequences-based approach to data classification: the classification of a data set is based on its level of sensitivity and the potential impact on the organization should that data be stolen, leaked or otherwise compromised. Some organizations break data sensitivity into tiers such as low, moderate, elevated, high and extreme; others use public, internal, confidential and restricted-use. Some models are simply green, yellow and red.

Following a CJA process, we know that we want to prioritize securing the most critical data—the extreme, restricted or red data, depending on your classification schema. But what if there are 50+ cloud assets marked as red? How do you prioritize the most critical of the most critical data?

Follow Cloud Spend to Find the Most Critical Crown Jewels

You have a data classification policy defined and know which systems are processing the most critical data. In an ideal world, you and your team would be able to resolve every security issue with these assets at once. In reality, we are confined by time and workforce resources, and only so much can be done at once. Hence, even within the most critical data, we need a method beyond a shotgun approach to determine prioritization.

Prioritization is difficult because different resources use different measurements and metrics to express their value. Databases are measured by connection counts and data flow, S3 buckets by the number of objects and how much is being downloaded or stored, web servers by network traffic volume. None of these metrics is comparable to the others, so which asset takes priority?

This is why we should treat cloud cost analysis as a prioritization factor. Because cost is a simplified view of utilization and performance, overall spend gives you a common measurement for comparison across otherwise incomparable resource types.

Of the 50+ red-label cloud assets that need to meet compliance along with extra protection, which assets are being utilized the most? That utilization metric is directly tied to costs. Look at all the different utilization or performance metrics that are typically associated with every asset or resource and translate it back into the amount of money you are spending to service that system. Let that be the next level of prioritization that determines which systems you should secure first.

Assessing Spend in Practice

Say you’ve got three databases that are being used to process red data; they all need to be secured and protected. But from a pure cost standpoint, you see one of those databases is where the majority of your spending is going. Knowing this, you can further investigate the business use of that system and see why it costs the most. It turns out that this is the production database, whereas the other two are being used for test and development purposes.

Just by taking a step back and looking from the lens of cost, you know this production database should receive the most attention, first.

This is where it gets even more interesting. Now you know the other two databases are for testing and development. They still store and process red data and, as such, must be secured under the same strict policies as the production database. But because they are used for internal testing and development and are not externally facing, they are less exposed to attack. So if another cloud asset, say a Kubernetes cluster, also has high spend associated with it, it may make sense to secure the highest-cost Kubernetes cluster first and then come back to the test and development databases.

Another way cloud costs can help us prioritize security is by focusing on the systems you are not spending much money on. This seems counterintuitive, but because they see only a small amount of spend, they are likely receiving very little attention and may be at risk through neglected maintenance. Some of these systems may no longer have any use for the business and have simply been forgotten; in that case, removing them is the best course of action. A system may also see minimal spend because what matters is not the quantity of data it handles but its sensitivity: perhaps the data is so sensitive that it is used only by a very small group of users under very specific circumstances. Either way, a low-spend red asset is a prompt for a manual check, not a reason to deprioritize it.
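The two passes described above, ranking red-labelled assets by itemized spend (the production versus test/development database case) and then flagging the low-spend red assets for review, can be scripted against any itemized cost export. The following is an added example, not code from the original article. It assumes a simplified billing export whose column names (resource_id, service, env, cost_usd) and a classification inventory are both constructed here; a real export (AWS Cost and Usage Report, GCP billing export, Azure cost exports) carries the same information under provider-specific names and would be loaded instead of the inline sample.

```python
"""Rank classified cloud assets by itemized spend to decide what to secure first.

Added example; the billing column names, resource names and the
classification inventory below are assumptions, not any provider's schema.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample billing rows: one row per (resource, billing period).
BILLING_ROWS = [
    {"resource_id": "db-prod-orders",  "service": "rds", "env": "prod", "cost_usd": 412.50},
    {"resource_id": "db-prod-orders",  "service": "rds", "env": "prod", "cost_usd": 398.20},
    {"resource_id": "db-test-orders",  "service": "rds", "env": "test", "cost_usd": 41.10},
    {"resource_id": "db-dev-orders",   "service": "rds", "env": "dev",  "cost_usd": 22.75},
    {"resource_id": "k8s-prod-api",    "service": "eks", "env": "prod", "cost_usd": 310.00},
    {"resource_id": "k8s-prod-api",    "service": "eks", "env": "prod", "cost_usd": 305.40},
    {"resource_id": "bucket-hr-files", "service": "s3",  "env": "prod", "cost_usd": 0.30},
    {"resource_id": "vm-legacy-rep",   "service": "ec2", "env": "prod", "cost_usd": 1.05},
    {"resource_id": "bucket-www-logs", "service": "s3",  "env": "prod", "cost_usd": 58.00},
    {"resource_id": "vm-unknown-0",    "service": "ec2", "env": "prod", "cost_usd": 12.40},
]

# Constructed classification inventory: the output of the CJA / data
# classification step. "red" is the most critical tier in this example.
CLASSIFICATION = {
    "db-prod-orders": "red", "db-test-orders": "red", "db-dev-orders": "red",
    "k8s-prod-api": "red", "bucket-hr-files": "red", "vm-legacy-rep": "red",
    "bucket-www-logs": "yellow",
}


@dataclass
class RankedAsset:
    resource_id: str
    service: str
    env: str
    spend: float
    share: float  # fraction of total spend across assets with the same label


def total_spend_by_resource(rows):
    """Sum cost per resource across all billing rows."""
    totals = defaultdict(float)
    for row in rows:
        totals[row["resource_id"]] += row["cost_usd"]
    return dict(totals)


def unclassified_resources(rows, classification):
    """Resources that appear on the bill but carry no classification label.

    Anything returned here is a gap in the classification inventory, not a
    low-priority asset: it has to be classified before it can be ranked.
    """
    return {row["resource_id"] for row in rows} - set(classification)


def rank_assets(rows, classification, label="red"):
    """Rank every asset carrying `label` by total spend, highest first."""
    totals = total_spend_by_resource(rows)
    meta = {row["resource_id"]: row for row in rows}  # service/env per resource
    selected = [rid for rid, cls in classification.items()
                if cls == label and rid in totals]
    grand_total = sum(totals[rid] for rid in selected)
    ranked = [
        RankedAsset(rid, meta[rid]["service"], meta[rid]["env"], totals[rid],
                    totals[rid] / grand_total if grand_total else 0.0)
        for rid in selected
    ]
    ranked.sort(key=lambda a: a.spend, reverse=True)
    return ranked


def low_spend_review(ranked, share_threshold=0.01):
    """Assets in the ranking whose share of spend is below the threshold.

    These are the counterintuitive cases: either forgotten systems that
    should be decommissioned, or small but highly sensitive systems that
    need a manual check rather than neglect.
    """
    return [a for a in ranked if a.share < share_threshold]


if __name__ == "__main__":
    ranked = rank_assets(BILLING_ROWS, CLASSIFICATION)
    print("Secure first (red assets by spend):")
    for a in ranked:
        print(f"  {a.resource_id:<16} {a.service:<4} {a.env:<5} ${a.spend:8.2f} {a.share:6.1%}")
    print("Low-spend red assets to review:",
          [a.resource_id for a in low_spend_review(ranked)])
    print("On the bill but unclassified:",
          sorted(unclassified_resources(BILLING_ROWS, CLASSIFICATION)))
```

With the sample data the ranking puts the production database first, then the Kubernetes cluster, then the test and development databases, which is the order the article arrives at by hand. The unclassified check is the one practitioners most often skip: a resource that is billed but absent from the classification inventory never enters the ranking at all, so the script surfaces it separately rather than silently ignoring it.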

There is no definitive “right way” to go about prioritizing data that needs to be secured. But by using cost as a comparative metric you can build a security strategy that allows you to make decisions in a systematic way. It’s a much smarter approach than picking out of a hat. This is a simple, practical method that helps raise the bar on your security decisions.

Security needs visibility into itemized spend because it directly affects how efficiently the team can operate. In many cases, this requires coordinating with the finance team so that security has access to the cost reports. At the end of the day, security always comes back to people. Whether that means uncovering crown jewel data with the help of other business leaders or building the relationships needed to get access to finance reports, it is people and processes coming together that raise the bar.

Security Boulevard

Grant Wernick

Grant Wernick is the co-founder & CEO of Insight Engines. Insight Engines is a leader in natural language search technologies. The company builds products to augment human intelligence with machine intelligence via their patented NLP and ML technology. Insight Engine's flagship product Insight Investigator enables people, no matter how technical, to ask questions of their log data and get answers in seconds. Utilized by the Fortune 500, as well as some of the largest government organizations, Insight Engines is backed by August Capital, Splunk, Google Ventures, and DCVC.
