Six Steps to Apply Risk Management to Data Security
Securing data is as important as securing systems.
Cybersecurity evolves daily to counter ever-present threats posed by criminals, nation states, insiders and others. To address the changing threat landscape, the National Institute of Standards and Technology (NIST) periodically updates its Risk Management Framework (RMF), a standards-based, security-by-design process that all IT systems within DOD agencies must meet.
DOD and civilian agencies must implement the RMF to the best of their abilities. As an added precaution, federal contractors should be held to the same standards. Vigilance is required, as advanced persistent threats can gain a foothold on an agency’s network and remain undetected, sometimes accessing and stealing information for months or even years—and that poses a huge risk not only to the compromised organization but also to the federal agencies they do business with.
When compared to legacy approaches to tracking threats and breaches, the RMF sets the stage for near-real-time defense of information systems. Ensuring all systems follow the NIST RMF is a given. Beyond that, securing an agency’s data assets contained within those systems is just as important. While systems are critical, an agency’s data is its most valuable asset and must be handled just as carefully as its systems.
In a large agency, sensitive information can make its way from highly secure systems like databases onto file servers where data is often open to everyone and no one is monitoring access. Once attackers are inside, they’re often able to access any files that aren’t protected. For many agencies that amounts to millions of files if the right security measures aren’t put in place.
Would your organization’s data security approach hold up under the RMF? Let’s take a look at how the RMF could be applied to an agency’s data security approach:
Step 1. Categorize: Prepare by taking an inventory of all the enterprise data in your environment, whether it resides on a Windows file share on a local drive or in the cloud in Office 365. Identify sensitive data that is open to unauthorized users and stale data with no immediate operational value.
Step 2. Select: Once you have identified critical information, you must select the relevant controls for your system based on FIPS 200 and NIST Special Publication 800-53. At the data level, reduce risk by quarantining, archiving or deleting stale data in keeping with your agency’s policy on data retention and disposition. Restrict access to sensitive information by reviewing global access groups and eliminating unused or empty groups and accounts with non-expiring passwords. Fix inconsistent or broken access control lists. Remove expired or so-called ghost users.
Step 3. Implement: Create or refine the incident response plan by training staff on day-to-day management, reporting, user permissions and Active Directory management. Once you know where your most important data resides, continue to monitor who has access. Initiate entitlement reviews to confirm data owners, monitor new folders that require access and continue to prune unnecessary access. Be prepared to investigate unusual patterns of access—important files being accessed from a new IP address in the middle of the night constitute an emergency requiring immediate investigation and remediation.
Step 4. Assess: Be ready to respond by investigating potential security risks and prioritizing remediation. Automation helps ensure that an agency’s security policy is maintained, deviations are corrected and a least-privilege model is maintained. Continuously monitor and quarantine files and ensure your agency’s sensitive and stale data is handled appropriately.
Step 5. Authorize: Implement authorized data workflow and policy. In the event of an incident, be prepared to enforce policy by correcting deviations and return to a trusted state. Then ensure data that may have been affected as part of the incident is protected by archiving, deleting and migrating to alternative locations.
Step 6. Monitor: With data security in place, you must sustain and continuously improve. Monitor security controls via automation and ensure your organization’s cyber hygiene is maintained and monitored. If an incident should occur, you must map it to the kill chain and stop data exfiltration. The RMF emphasizes continuous monitoring. The status of security control compliance should be monitored, and a change in status should initiate a review of the authorization at any time. Gone are the days of getting an authorization and not checking in for three years.
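To make the six steps concrete, here is an added Python example (not code from the article or from Varonis) that runs a small data-risk review over a constructed file inventory, group directory and file-access log. It finds sensitive files exposed to global groups and stale files (Step 1), empty groups and disabled "ghost" accounts still named on ACLs (Step 2), and then flags the scenario the article describes: a sensitive file read off-hours from an IP address the user has never used before (Steps 3 through 6). The paths, accounts, IP addresses, the 365-day staleness threshold and the 07:00 to 18:59 business-hours window are all assumptions chosen for the example, and the detection rule is a deliberately simple stand-in for the richer behavioural baselines a real monitoring product would keep.

```python
"""Added example (not from the article or Varonis): a small data-risk review
that walks the RMF steps above over a constructed file inventory, group
directory and access log. Every path, account, IP and threshold is a
constructed sample value, not real data."""
from datetime import datetime, timedelta

NOW = datetime(2024, 3, 15, 9, 0)        # fixed clock so the run is reproducible
STALE_AFTER = timedelta(days=365)        # assumed retention threshold for "stale"
GLOBAL_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}
BUSINESS_HOURS = range(7, 19)            # 07:00-18:59 treated as normal working time

# Constructed UNC paths used throughout
BUDGET = r"\\fs01\finance\budget_fy24.xlsx"
BENEFITS = r"\\fs01\hr\benefits_2019.docx"
PUBLIC = r"\\fs01\public\newsletter.pdf"
OLD_SPECS = r"\\fs01\eng\old_specs.zip"

# Step 1 input: inventory with sensitivity tag, last-modified time and ACL principals
FILES = [
    {"path": BUDGET, "sensitive": True,
     "modified": NOW - timedelta(days=10), "acl": {"Finance-RW", "Everyone"}},
    {"path": BENEFITS, "sensitive": True,
     "modified": NOW - timedelta(days=800), "acl": {"HR-RW", "jdoe"}},
    {"path": PUBLIC, "sensitive": False,
     "modified": NOW - timedelta(days=30), "acl": {"Domain Users"}},
    {"path": OLD_SPECS, "sensitive": False,
     "modified": NOW - timedelta(days=500), "acl": {"Eng-RW"}},
]

# Step 2 input: directory groups and their members; disabled accounts are "ghost users"
GROUPS = {"Finance-RW": {"asmith"}, "HR-RW": {"bjones"}, "Eng-RW": set(), "Legacy-Admins": set()}
DISABLED_USERS = {"jdoe"}

# Steps 3-6 input: constructed file-access events as (time, user, path, source IP)
ACCESS_LOG = [
    (datetime(2024, 3, 14, 10, 5), "bjones", PUBLIC, "10.1.5.9"),
    (datetime(2024, 3, 14, 11, 0), "asmith", BUDGET, "10.1.2.3"),
    (datetime(2024, 3, 14, 12, 0), "asmith", BUDGET, "10.1.2.3"),
    (datetime(2024, 3, 15, 2, 40), "asmith", BUDGET, "198.51.100.7"),
]


def categorize(files, now=NOW):
    """Step 1: sensitive data open to a global group, and stale data past the retention threshold."""
    open_sensitive = [f["path"] for f in files if f["sensitive"] and f["acl"] & GLOBAL_GROUPS]
    stale = [f["path"] for f in files if now - f["modified"] > STALE_AFTER]
    return {"open_sensitive": open_sensitive, "stale": stale}


def select_controls(files, groups, disabled):
    """Step 2: empty groups to retire, and disabled accounts still named on an ACL."""
    empty_groups = sorted(g for g, members in groups.items() if not members)
    ghost_entries = [(f["path"], u) for f in files for u in sorted(f["acl"] & disabled)]
    return {"empty_groups": empty_groups, "ghost_entries": ghost_entries}


def anomalous_access(log, files):
    """Steps 3-6: flag off-hours access to a sensitive file from an IP the user has not used before.

    The per-user IP baseline is built from the events themselves, in time order;
    a flagged event is kept out of the baseline so a suspicious address does not
    become 'known' simply by being seen once.
    """
    sensitive = {f["path"] for f in files if f["sensitive"]}
    known_ips = {}
    alerts = []
    for ts, user, path, ip in sorted(log):
        seen = known_ips.setdefault(user, set())
        if path in sensitive and ip not in seen and ts.hour not in BUSINESS_HOURS:
            alerts.append({"time": ts, "user": user, "path": path, "ip": ip})
            continue
        seen.add(ip)
    return alerts


def review(files=FILES, groups=GROUPS, disabled=DISABLED_USERS, log=ACCESS_LOG):
    """Run all checks and return one findings dict, the shape a remediation queue could consume."""
    findings = categorize(files)
    findings.update(select_controls(files, groups, disabled))
    findings["alerts"] = anomalous_access(log, files)
    return findings


if __name__ == "__main__":
    for key, value in review().items():
        print(f"{key}:")
        for item in value:
            print("   ", item)
```

Run as a script it prints the findings grouped by check; the single alert it raises is the budget spreadsheet read at 02:40 from an address the account had never used, which is the case the article says should trigger immediate investigation. In practice the inventory, group membership and access events would come from the file servers and the directory rather than from inline sample data, and the off-hours and staleness thresholds would follow the agency's own retention and access policies.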
Agencies can no longer afford to treat cybersecurity as an add-on. To better ensure they stay one step ahead of the latest cybersecurity threat—including insiders and attackers backed by nation states—agencies and their contractors must take a data-centric or data-first approach to securing data. Applying the RMF to data sets the stage for reduced risk, decreases complexity and helps improve operational efficiency while maximizing storage usage.
George DeLisle is the federal director, Varonis.