Breaking Down the Best Practices & Tools for Data-Centric Audit and Protection (DCAP)
Data classification, discovery, and encryption: We reached out to 18 security experts for insight on implementing a data-centric audit and protection program in an organization.
18 Data Security Experts Reveal the Best Practices & Tools for Data-Centric Audit and Protection (DCAP)
A term used by Gartner to describe data-centric security, data-centric audit and protection is often referred to as simply DCAP. DCAP's focus is on data classification, sensitive data storage, data security governance, monitoring and auditing, and, of course, protecting sensitive data from unauthorized access. The practice of data-centric audit and protection is growing in popularity among highly regulated industries. For instance, DCAP is used in the healthcare industry to apply more stringent data protection to the most sensitive data, patient health information, or PHI. The U.S. Department of Defense is also eyeing data-centric audit and protection solutions to better label and control access to sensitive information.
But DCAP isn't only useful for companies facing strict regulatory compliance requirements; companies of all stripes can benefit from putting data, and data classification, at the center of their security policies. Given its multi-faceted, data-centered approach, effective DCAP means making use of sophisticated tools and employing best practices to apply the right data security policies to the right data throughout your organization. To help companies identify the right tools and implement DCAP effectively, we reached out to a panel of data security pros and asked them to answer this question:
"What are the best practices and tools for Data Centric Audit and Protection (DCAP)?"
Read on to find out what best practices and tools you should be taking advantage of for Data Centric Audit and Protection.
Danny Sandwell is responsible for the strategy, messaging, and strategic alliances for erwin. His experience includes various roles in data administration, database design, business intelligence, metadata management, and application development.
"Many incidents where IT security protections and controls fail to..."
Keep sensitive customer data or IP private are the result of not having put in place an ecosystem for understanding the context of data that makes true data governance possible. It's only when you know all the aspects of data, from its location to how it's used, that the organization can secure and privatize relevant assets as part of a data governance plan that encompasses everything from policies to culture.
A strong data governance practice gives businesses the needed visibility into their data, what they're collecting, why they're collecting it, who can access it, where it's stored, how it's used, and more. This visibility can help protect data because knowing what you have, how it's used, and where it is helps improve data protection.
But data governance is more than protecting data (and by extension, your reputation). It is, when done well, a practice that permeates the organization. Integrating your data governance strategy with your enterprise architecture, for example, helps you define application capabilities and interdependencies within the context of your overall strategy. It also adds a layer of protection for data beyond your Level 1 security (the passwords, firewalls, etc., we know are vulnerable).
Combining data governance with a business process and analysis component helps enterprises clearly define, map, and analyze their workflows and build models to drive process improvement, as well as identify business practices susceptible to the greatest security, compliance, or other risks and where controls are most needed to mitigate exposures.
There are multiple components to inform what will support data governance policies and drive actions to assure data security and privacy:
- Do data modeling. You can't know what to do with your data to secure it unless you know what data exists in the company and how it is structured.
- Leverage enterprise architecture modeling. Knowing how data that services the business relates to each other, whether stored on site or in the cloud, is more than just a value path for data analytics but also a way to understand vulnerability paths to protect against them.
- Create business process models. Knowing what data flows across systems to understand where to place controls acts against sensitive information exposure.
A strong data governance operating framework, informed by data modeling, EA modeling, and BP modeling, provides the blueprint and roadmap that will inform and guide your DCAP planning, capability, and execution.
Sophie Miles is the CEO of CalculatorBuddy.com and is leading the expansion to North America and Africa.
"I would say: clean up first..."
The idea is easy: You cannot filter information or reveal data that you do not have. And, it was the best strategy we could apply to reduce the costs of a high standard of service.
The best practice we have set up to mitigate the risk of data breaches is the careful selection of useful information. We have realized that the first step is to know if your information is useful or not. Before encrypting, or buying any software to protect your data itself, delete the unneeded data. We did this through a deep analysis of all the areas of our company. It is really important to know if your available information will be used at any time and if it will be required to achieve the goals of the company.
As you can see on our websites, after that analysis, we have stopped asking for personal information from our users. But we have focused on the data of our clients. That information is vital to provide a better service to whom we really should do it. So, our database has been decreased twice, but now we can focus on the information that truly needs data-centric security.
Also, with a small and concentrated database, you can:
- Optimize infrastructure and development costs
- Eliminate information silos so that data flows between applications and synergies are exploited
- Reduce the Total Cost of Ownership (TCO)
Remember, never forget what really matters: the customers and their interactions with the service you offer.
Paul Szyarto was serving his country in the U.S. Navy at the age of 17, where he supported naval fleet and mobile unit operations for eight years and upon his honorable discharge, transformed into an American business executive who makes running companies and entrepreneurship look easy.
"DCAP is a term which integrates DAM and DAP protection strategies on..."
Sensitive information, such as operational and customer data. The DCAP model focuses on data classification and discovery, storage of sensitive information, security governance and policy management, protection, monitoring, and audit functions, behavior analysis, and alerting and blocking. Starting with data classification, it is critical to begin properly categorizing the data to understand what is sensitive data versus what is not sensitive data. Once the data is classified, the storage model should be highly controlled and encryption protected. The goal is to protect the data before a breach could ever occur. The governance model should allow the data to be protected without hindering the user's ability to leverage the data. Therefore, when implementing a protection, monitoring, behavior analysis, alerting and blocking model for the data, the user's focus on data usage should be taken into account at all times. Data protection, monitoring, and audits should be based on best practices focusing on the following:
- Real-time monitoring and visualization of an enterprise security model
- Audit capability to validate data access, security events, and protocols are being implemented and followed throughout the organization
- Data access control for internal and external resources based on a security role model
- Proper data classification and storage strategy which properly identifies sensitive versus non-sensitive data and applies the correct security models
Rodrigo Montagner is an Italian-Brazilian IT Executive with 20 years of experience managing multiple IT environments internationally, with significant experience in ERP, infrastructure, cybersecurity, automation and digital management. He is currently CEO of OM2 TECH Consulting.
"More and more, DCAP has been a target topic for multiple businesses to implement on global scale. However, a few considerations should be taken before moving to a solution deployment, a vendor quotation, RFP, or project planning..."
Which silos of your IT structure you plan to implement, either the DCAP approach itself or the software protection solution. Well-respected institutions such as Gartner and others have lists and lists of concepts, silo descriptions, and advice for the best approach.
However, common sense always calls for a real in-depth look into the core of your business, to understand its real value, and from there, implement some sort of information silos to be orchestrated into the DCAP practice.
Some of those silos include (but aren't limited to):
- Infrastructure as a Service (IaaS)
- Software as a Service (SaaS)
- Cloud computing to distribute software and host applications through the internet
- Database Management Systems (DBMS)
- Database as a Service (DBaaS)
- Big data
- File storage
All in all, best practices could be listed as in-depth knowledge of your business and its risks, using the main areas above, aligned with your business needs.
Steve Dickson is an accomplished expert in information security and the CEO of Netwrix, provider of a visibility platform for data security and risk mitigation in hybrid environments. Netwrix is based in Irvine, CA.
"The main goal of data-centric audit and protection (DCAP) is to..."
Protect organizations' data privacy and apply it to specific pieces of information that a company stores or processes. Despite DCAP's focus on many areas (such as data security governance and protecting data against unauthorized access), I would say that visibility into what's going on with your critical assets is the core part of this approach. You really need to understand what data you have in your possession, identify files that are sensitive, focus your efforts on protecting the most valuable assets, and delete those that are unnecessary.
To perform these activities, you need to have a Data Discovery and Classification solution in place. This will enable you to secure your most confidential data and make sure that this data is not overexposed and is not accessed by unauthorized personnel. In a long-term perspective, using a DDC solution will help you mitigate security risks and avoid expenses associated with non-compliance.
Steve Pritchard is the Business Consultant for Ben Sherman.
"First and foremost, you should identify the most sensitive data to your business and categorize this based on how sensitive it is..."
Followed by how much it is at risk. Determine how this data is used and who is accessing this data. Secondly, what are they using it for? All data should be encrypted, but disk encryption is not enough; you need to apply file and application level encryption, matched with strong authentication processes and granular control.
Sean Si is the CEO and Founder of SEO Hacker, Qeryz, Sigil, and Workplays. A start-up, data analysis and urgency junkie who spends his time inspiring young entrepreneurs through talks and seminars.
"DCAP's main aim is to protect an organization or an entity's data privacy..."
Including specific pieces of it. So, what are the best practices and tools for this?
- Additional security against other threats. You always have to remember that data-centric audit and protection does not protect you from unauthorized people accessing your data. This means that you need to have security measures against these kinds of threats.
- Encryption key. This is another countermeasure for unauthorized people. Adding proper encryption keys only known to authorized people can be a great way to ensure that no malicious threats can access your data.
- Tracking. Another practice that you should do is to keep track of the people accessing the data. It isn't a countermeasure, but it's about knowing who accessed what during a specific time. When other countermeasures are not effective and an unauthorized person accesses the data, you can use your tracking record to see who it was.
John Snyder is the president and co-owner of Net Friends, an IT support and security firm located in North Carolina.
"Net Friends' approach to DCAP is through the..."
Data Loss Prevention tool provided by Digital Guardian. The tools and staff required to architect and oversee a DCAP program are not trivial; expect it to be in excess of $100,000 to implement a DCAP program, and require ongoing management of the program. A company would need a clear business case to justify this expense and effort, such as a major customer who requires this as a cost of doing business or clearly defined repositories of sensitive data that could be devastating to the business if they were compromised.
Sid Soil is the Founder & CEO of DOCUDavit Solutions, a Canadian-based digital document scanning and storing company.
"In the past, data protection was primarily the IT department's domain sectioned off from the rest of the organization..."
But in today's world, DCAP is a company-wide responsibility, and security needs to be integrated throughout an enterprise's business processes with input and involvement from all its key decision-makers. Whether your data silos fall into SaaS, file storage, or big data, companies should look for the following security features in DCAP vendors as listed by Gartner:
- Data classification and discovery
- Data security controls
- Assessment and monitoring of user roles and permissions
- User monitoring and auditing
- Behavior analysis, alerting, reporting
- Block, encrypt, tokenize, mask, quarantine
Jeff Bittner is Founder and President of Exit technologies, an R2 certified, global IT asset disposition company (ITAD). Jeff is a serial entrepreneur and founded the company in 1989, to help enterprises cost-effectively liquidate their IT hardware.
"According to Gartner..."
By 2020, data-centric audit and protection products will replace disparate siloed data security tools in 40% of large enterprises, up from less than 5% today. The problem today is that data resides in so many places that there is no all-inclusive perimeter anymore to protect organizational data. Hybrid IT tools such as Microsoft Azure Stack are an example of how companies manage their data in this new architecture. Data is classified and categorized. Data that must reside on premises to meet compliance regulations is protected internally while other data can be migrated to the cloud.
With the proliferation of IoT, companies are now forced to store data on the edge as well in order to have the data be as close to their customers as possible. This requires the implementation of granular policies to create access controls for edge-dispersed data. Whether data is secured at the traditional datacenter, the cloud, or multiple branch offices, centrally located administrators must have total visibility of all data through a single-pane-of-glass interface. With the alarming rate at which data breaches have seemingly become commonplace, encryption for data at rest is now mandatory as part of any organization's defense-in-depth strategy. Tokenization is also a viable option as the random string of characters (referred to as the token) has no meaningful value if breached.
Clare Watson is the Operations Manager at Zolv.
"Data classification is a vital step to securing and protecting sensitive data..."
Organizations need to know exactly where all their information is stored, how it can be accessed, how much can be accessed, and by whom. Therefore, they should be classifying data as it is created, to ensure nothing slips through the net. Various tools and programs exist to help with this task, many of which discover content as it is created, so the sensitive data can be identified, classified, and protected.
Avani Desai is the President of Schellman & Company, LLC, a global independent security and privacy compliance assessor.
"DCAP is needed in today's environment where technology is..."
Outpacing regulations, framework, and security structure. Now data is more important than ever, and safeguarding it is a must, especially for the more mature consumer. Some of the best practices are having strong data governance processes in place. Knowing where the data is, who owns it, and who can change it. That is the minimum needed to have a strong DCAP. You must be able to appropriately discover, tag and classify data based on risk.
Along with the classification and discovery, you need a strong policy management process in place. Best practices within policy management are going to be reviewing, monitoring, and updating role-based access, especially for privileged and administrative users. Last, having one central data protection management portal that will provide policies across the organization that are updated and consistent. In the world where we have state and international privacy laws, we need to make sure the organization understands what they can and cannot do with data.
Crisantos Hajibrahim is Chief Evangelist and Coach at Prodoscore, a software company that provides insights into sales performance and time management metrics. As a highly driven, technologically savvy innovator, entrepreneur, and visionary, Crisantos founded two cloud-based companies and is a frequent presenter at industry events.
"The growing reliance on big data as part of..."
AI and machine learning activities has increased the risk in keeping data secure. Businesses must strike a balance between providing sufficient access for performing queries while ensuring a sufficient level of protection is provided for the data. A more holistic approach to DCAP is a good strategy to address each of these needs.
Callum Golds is a Marketing Executive at Lepide.
"Here at Lepide we believe (at a minimum), an effective data-centric audit and protection solution should..."
Contain these four fundamental pillars:
- Discovery and classification - Find out where your most sensitive data is and why it's sensitive
- Permissions and privileges - Determine who has access to what and whether it's appropriate
- User and Entity Behavior Analytics - Track user interaction with your data, critical systems and identify anomalies
- States and changes - Get insight into environment states that pose significant risk to your data
Uladzislau Murashka is a certified ethical hacker at ScienceSoft.
"The best practices for DCAP are..."
Discovering and classifying your data based on the associated risks, securing data storage, processing and controlling access to it with the use of Identity Access Management tools (e.g., IBM IAM), and analyzing user behavior with User and Entity Behavior Analytics tools.
Chinh Nguyen has more than 10 years of digital marketing experience and is responsible for the company's overall inbound marketing programs. Prior to joining Finale Inventory as the Co-founder and VP of Marketing, Chinh held leadership marketing roles at a number of high-technology companies in support of software, solutions, and educational products.
"Building a successful data center must also incorporate the right data audit protocols..."
Complying with the right DCAP while making sure data silos have both drive unification and the bridging of silos can reduce both risk and cost. With that said, to be cost effective, companies need to find ways to adhere to security and compliance policies across structured, semi-structured, and unstructured data without the need for 10 or more specialized experts on board.
Drew Farnsworth is a Partner of Green Lane Design LLC.
"DCAP is about decoupling the hugely complex world of..."
Courage governance from the comparatively simple task of protecting data. Not all data is created equal and needn't be treated the same. High value data requires incredible safeguards that are different between object storage and block storage. If the marketing team gets hacked, it is very different from the payments processing team getting hacked, yet many companies treat them the same way. DCAP ideally gives more resources to those who really need it.
Baruch Labunski is an entrepreneur, internet marketing expert, and author from Toronto, Canada. He currently serves as CEO of Rank Secure, an award-winning web-design and internet marketing firm.
"The purpose of DCAP is to..."
Understand and classify which type of data needs to be secure and how best to secure without creating inefficiencies within an organization. This is a process that involves a few different components:
- Classifying data
- Storing sensitive data
- Data security governance (who has access to what data?)
- Protecting data against unauthorized access
- Ongoing monitoring and auditing to ensure long term security
Instead of being solely focused on avoiding being hacked, it's more about protecting the data itself. So, when we identify that a certain type of data needs a high level of security, it would first need to be classified this way, and then a method of encryption would be determined. The last piece is then determining who or what should have authorized access. The power of data is when it can be shared and openly used, but it does depend on what the data is and there are limits to who should have access to what. DCAP is all about keeping data safe while not getting in the way of the business's requirements for processing and analyzing the data itself.