In 2019, Pew Research Center conducted a study about cybersecurity in which seven in ten Americans said they felt their personal data was less secure than it had been five years prior, pointing to growing concerns about data privacy.
Many companies that handle sensitive customer information are unaware of the gaps in their cybersecurity practices, particularly if they rely on a standard infrastructure-centric security design. In that design, information is protected by placing it in “containers” such as networks, applications, and repositories, and applying controls to those containers, on the assumption that the data underneath each layer is protected as a result. These controls keep unauthorized users from accessing and sharing the sensitive data while it stays inside the container, but what happens when data leaves those containers?
Data is shared now more than ever because of the increasing use of technology at every level of a company, and once it leaves those controlled “containers,” the container controls no longer apply to it and it becomes vulnerable.
Data vulnerabilities are data access, usage, handling, and sharing events that can result in a breach. There are six common data vulnerabilities:
- Classification – Data is improperly classified
- Storage – Data stored in improper locations
- Access – Data access granted to unauthorized users, or access denied to authorized users
- Usage – Data handled, used, or distributed improperly
- Communication – Data shared over communication channels with unauthorized users, or shared over unauthorized (uncontrolled) channels
- Visibility – Limited or lack of visibility into how data is managed, used, and shared
How to Protect Vulnerable Data
Trusted devices, application-specific access control lists, rules, and permissions protect the container, not the data itself; a data-centric security model protects the data directly. Organizations must go beyond infrastructure-centric controls and protect data regardless of where and how it is stored. They must also be able to trace how the initial data protection requirements are translated into technical controls, and to ensure those protections are implemented consistently across systems.
The Uniform Control Model from NextLabs allows companies to protect sensitive data using a central list of standard, system-agnostic controls that serves as the blueprint for every technical control applied across systems. The goal of the Uniform Control Model is to produce a highly auditable, centrally managed set of data controls.
There are three simple steps to creating a Uniform Control Model for data-centric security.
First, data must be prioritized by business value and risk. The higher the business value of sensitive data, the more attractive a target it is; the level of protection should match the value.
Next, the data vulnerabilities that arise as the data moves through its standard lifecycle of creation, storage, access, usage, and sharing must be identified.
Finally, each data vulnerability must be mapped to a specific control type in the Uniform Control Model. A control type is a class of controls for protecting data.
Control Types and Their Functions
- Data Classification – Scans data to evaluate content or another property, applies tags to data, applies visual labels to document data and applications.
- Data Segregation – Prevents a class of data from being stored in an unauthorized location, restricts storage of a class of data to a secure location.
- Access Control – Controls access to resources, including opening, renaming, changing permissions or attributes, or deleting a resource.
- Rights Protection – Controls data-level usage, including printing, deleting, copying, saving, and modifying.
- Communication Control – Controls the distribution of data through communication applications.
- Activity Logging – Monitors data access and usage.
Once the control types are assigned, the result is a comprehensive list of control requirements. A technical solution is then designed to implement those requirements, typically a combination of manual procedures, user education, administrative processes, and control automation. Last, the automated controls are expressed in terms that mirror the non-technical control statements in the Uniform Control Model, so that each technical control can be traced back to the requirement it implements, and they are applied consistently across systems.
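To make the three steps concrete, here is an added example in Python; it is not NextLabs' code or the Uniform Control Model product, and every name in it (the classification tags, roles, locations, channels, enforcement points, and the two sample documents) is constructed for illustration. It shows the property the model is after: one system-agnostic control list keyed on the data's classification tag, consulted by a single decision function from every enforcement point, so a confidential file gets the same segregation, access, rights, and communication decisions whether the request comes from a file server, a SaaS application, or a mail gateway, and every decision is logged.

```python
"""
Toy data-centric control engine (added example, not NextLabs' code).
One uniform control list, keyed on a classification tag that travels with
the data, is consulted by every enforcement point. All tags, roles, locations,
channels, and sample documents below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set


# Step 1 and step 3: classes of data ranked by business value, each carrying the
# control requirements (segregation, access/rights, communication) it needs.
@dataclass
class UniformControl:
    value: int                            # business value / risk rank, higher = more sensitive
    allowed_locations: Set[str]           # Data Segregation
    allowed_actions: Dict[str, Set[str]]  # Access Control + Rights Protection, by role ("*" = any)
    allowed_channels: Set[str]            # Communication Control


CONTROLS: Dict[str, UniformControl] = {
    "public": UniformControl(
        value=1,
        allowed_locations={"public-share", "secure-share"},
        allowed_actions={"*": {"open", "copy", "print", "send"}},
        allowed_channels={"corporate-mail", "webmail", "chat"},
    ),
    "confidential": UniformControl(
        value=3,
        allowed_locations={"secure-share"},
        allowed_actions={"finance": {"open", "print", "send"}, "auditor": {"open"}},
        allowed_channels={"corporate-mail"},
    ),
}

# Data Classification: scan content and attach a tag. The pattern is a constructed
# stand-in for a real classifier: an explicit marker or a 16-digit card-style number.
_SENSITIVE = re.compile(r"\bCONFIDENTIAL\b|\b\d{4}(?:[ -]?\d{4}){3}\b")


def classify(content: str) -> str:
    return "confidential" if _SENSITIVE.search(content) else "public"


@dataclass
class Document:
    name: str
    content: str
    tag: str = field(init=False)   # the tag stays with the document wherever it goes

    def __post_init__(self) -> None:
        self.tag = classify(self.content)


@dataclass
class Request:
    system: str          # enforcement point: "file-server", "saas-app", "mail-gateway", ...
    doc: Document
    role: str
    action: str          # "store", "open", "copy", "print", "send"
    target: str = ""     # location for "store", channel for "send"


AUDIT_LOG: List[str] = []   # Activity Logging: one line per decision, from every system


def _role_may(ctl: UniformControl, role: str, action: str) -> bool:
    perms = ctl.allowed_actions.get(role, ctl.allowed_actions.get("*", set()))
    return action in perms


def evaluate(req: Request) -> bool:
    """Single decision function shared by all enforcement points."""
    ctl = CONTROLS[req.doc.tag]
    if req.action == "store":
        allowed = req.target in ctl.allowed_locations
    elif req.action == "send":
        allowed = req.target in ctl.allowed_channels and _role_may(ctl, req.role, "send")
    else:
        allowed = _role_may(ctl, req.role, req.action)
    AUDIT_LOG.append(
        f"{req.system} role={req.role} action={req.action} "
        f"doc={req.doc.name}[{req.doc.tag}] target={req.target or '-'} "
        f"-> {'ALLOW' if allowed else 'DENY'}"
    )
    return allowed


def demo() -> List[bool]:
    """Same controls applied from three different systems to two constructed documents."""
    public = Document("newsletter.txt", "Quarterly newsletter, all staff welcome.")
    secret = Document("payroll.csv", "card 4111 1111 1111 1111, CONFIDENTIAL")
    return [
        evaluate(Request("file-server", secret, "finance", "store", "public-share")),    # DENY: wrong location
        evaluate(Request("file-server", secret, "finance", "store", "secure-share")),    # ALLOW
        evaluate(Request("saas-app", secret, "auditor", "copy")),                        # DENY: no copy right
        evaluate(Request("mail-gateway", secret, "finance", "send", "webmail")),         # DENY: uncontrolled channel
        evaluate(Request("mail-gateway", secret, "finance", "send", "corporate-mail")),  # ALLOW
        evaluate(Request("mail-gateway", public, "intern", "send", "webmail")),          # ALLOW: public data
    ]


if __name__ == "__main__":
    demo()
    print("\n".join(AUDIT_LOG))
```

The point to notice is that the file server, the SaaS application, and the mail gateway never hold their own copy of the rules: each passes a request to the same `evaluate` function, which looks up the control by the document's tag, not by the container the document happens to be in. That is what lets the control list be audited and changed in one place, and it is why the audit log reads the same way regardless of which system produced the entry.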
In summary, if your company relies on a standard, infrastructure-centric security design, you should move to a data-centric design such as the Uniform Control Model by NextLabs.
For more details about the Uniform Control Model and real-world examples of data vulnerabilities, I invite you to read the NextLabs whitepaper titled “Addressing Gaps in Your Cybersecurity.” Our webinars also cover in depth how NextLabs can improve your data privacy.