moving
from chaos to confidence:
A PLAN OF ACTION
Given all this new complexity, and the new threats that have arisen in response to it, how can IT and security leaders feel confident in their data security solutions?
And how do IT and security leaders inspire confidence at the executive and board level, so that when something happens-and it's "when," not "if"-their "I've got it" is good enough?
While cloud adoption has become a cornerstone of modern business practices, some organizations remain hesitant to fully embrace the shift. Challenges, such as understanding application dependencies, comparing on-premises and cloud costs, and assessing technical feasibility, often serve as significant barriers.
Many businesses also harbor misconceptions about the inherent security of cloud services, assuming that cloud providers will take full responsibility for safeguarding their data. This reliance can lead to a false sense of security, leaving organizations vulnerable to risks, such as data breaches or loss, particularly if something catastrophic occurs.
A Zero Trust security model
In contrast, other organizations are turning to a Zero Trust security model, which assumes no user or device can be inherently trusted, regardless of location.
While this approach can bolster security, it is labor-intensive and requires meticulous planning, including the assessment of every device, application, and user within the organization. The rigorous nature of Zero Trust demands a significant cultural and operational shift, which can drive up costs, increase complexity, and disrupt workflows. This makes it difficult to implement without slowing business velocity, presenting a trade-off between security and operational efficiency.
There's another way. Managing hybrid, globally dispersed data begins with an awareness of where things are. Sensitive data should be located and classified, so companies can identify and protect potentially sensitive targets as early as possible.
For example, through our Rubrik telemetry of production data, we can tell that our customers' sensitive structured data sits in these environments
(Rubrik telemetry - Production data)
And that its biggest caches of sensitive unstructured data are estimated to sit in these environments:
(Rubrik telemetry - Production data)
SECURING YOUR sensitive data
As an IT and security leader, even with this amount of information, you can start to make some decisions. Ultimately, you care about all your data, but the stuff you really care about is your sensitive data.
Knowing how much of it you have and where it lives is your first step to better securing it.
From there, you can start to break down just how sensitive your cloud and SaaS data is. Here are some examples to get you started.
And you can start to pinpoint just where that highly sensitive data is.
Then, you can start to draw a clearer picture of what sensitive data might include.
PERSONAL
PII (Personally Identifiable Information), including: Social Security numbers, birthdates, addresses, phone numbers, etc.
Digital
Intellectual property, including: product designs, source code, R&D insights, strategic plans, supply chain logistics, inventory information, etc.
Business
API keys, usernames, account numbers, IP addresses, mobile device IDs, etc.
Financial
PCI data (Payment Card Industry data), including: transactions records, banking information, credit card/debit card information, tax filings, internal audit reports, etc.
This exercise is the first step in reasserting knowledge and control. It's also a great way to get board-level support for your security strategy.
The high-level message changes from
establish clear and comprehensive policies
After increasing awareness of data location and data type across the hybrid system, it's important to establish clear and comprehensive policies. Unfortunately, at present many companies have a haphazard approach.
No sensible risk management approach assumes everything is state of the art. The fact is, critical business data stored in cloud applications and SaaS platforms is more vulnerable to accidental deletion, ransomware attacks, and policy misconfigurations than its on-premises counterpart.
Controlling your backup capability, off prem as well as on, is a crucial part of controlling corporate security.
This is beyond a technical problem. It's a strategic blind spot.
Let's refer to a real world example with the GitLab database incident of January 31, 2017.
1.
An engineer accidentally deleted the production database, resulting in the loss of six hours worth of critical data. This included issues, merge requests, and comments.
2.
The recovery process failed due to multiple backup failures—primary backups were corrupt, LVM snapshots were outdated, and replication was unreliable.
3.
This incident exposed the risks of assuming cloud-native environments inherently provide robust backup protections. GitLab's postmortem revealed that their backup strategy was insufficient compared to traditional on-premises practices. 1
1: GitLab - GitLab.com database incident
Addressing the problem requires action: a unified approach to data protection that extends backup and recovery policies beyond on-premises systems into the cloud-native world.