Opinion: Checklist to ensure data security steps meet compliance requirements

Published February 12, 2018, 6:30am EST

Whether it’s process, practice and/or technology, IT security is not something that should ever be put on the back burner, particularly with all of the data breaches of late.

Adding to that, with the ongoing and new security compliance regulations coming into force, data breaches present much more than data loss to a business. They bring significant financial and reputation implications as well.

So, what best practices can your organization implement to help secure your business's data? The following is a recommended checklist:

1. Refresh/Realign/Recommit to Data Governance as Part of Corporate Strategy

To protect the data your organization holds, it is critical to follow a data governance model. There are four pillars to this: define, implement, enforce and revisit.

When defining your model, it’s essential to keep the strategy simple. It should clearly outline the rules and policies within the company as well as the regulations and compliance obligations that affect your business. To help ensure the model is followed, it’s critical to secure board and C-suite buy-in at the outset, and establish internal committees to help with the process. Don’t forget to determine what granular control policies, persistent encryption, conversion needs, etc. are required to make this a success as well.

To implement this, you need to identify your encryption and key management solution and establish and apply identity and access control policies. When enforcing the data governance model, it’s key to track all of your data – live, cloned, replicated, deleted virtual machines, etc. – and know where it is at all times. Auditing and reporting procedures should be established, and all users should be trained on policies. Communication must be clear and regular.

With regards to revisiting the model, set a lifecycle for this and stick to it. There’s no better time than now to ensure your data governance model is relevant and aligned appropriately with your business and that it is agreed to and followed from the top down.

2. Ensure Your Business is Ready to Address New Security Compliance Regulations

It seems like there’s always a new security compliance regulation coming out, and your business needs to be adequately prepared.

For example, with enforcement of EU GDPR around the corner, nearly every IT vendor has something to say about it. However, it’s important to keep in mind that few organizations will be starting from scratch, considering that data protection laws have been in place across Europe for years, and many organizations will be complying with existing standards, e.g., PCI DSS.

So, assess what, where and how EU resident personal data is stored, processed and transferred within and outside your organization’s structure. Check every department from marketing to HR, legal and IT. Then, determine where the GDPR gaps are, fill in those gaps with appropriate business practices and protective safeguards, and take a proactive and engaged approach with regular risk assessments and ongoing employee awareness.

3. Protect the Data Center

Data centers are evolving. They are no longer simply server banks used for basic backups, disaster recovery or server processing. Many enterprises are transitioning their infrastructure to become virtualized, and most have begun shifting workloads to the cloud. While simple in concept, and ultimately a cost-saving and agility-producing measure, changing out IT infrastructure involves significant complexities.

Migrating workloads from older systems to newer ones can also create a maelstrom of incompatibilities and security issues if done in patchwork fashion. Solutions such as hyper-convergence, which combine compute, storage and networking into one solution, are being quickly adopted as a means to efficiently consolidate data center infrastructure.

But what about consolidating data security solutions?

The potential trouble with these newer “data center models” is that virtual machines and solutions are often much more easily accessed than in the physical world. Easier access generally results in less control. That is particularly dangerous when it comes to controlling sprawl and migration of your critical data and workloads using a mix-and-match of data security solutions.

Given this, it’s critical to ensure you have one data security approach that provides persistent virtual machine-level encryption, so that no matter where workloads are located within the environment – in active use, dormant, offline or in backup – the data remains protected. It’s also necessary to prevent unapproved copying, snapshots and relocation of virtual machines outside of your boundaries to protect your data.

4. Create Virtualization and Cloud Checkpoints

With the greater use of virtualization and cloud solutions comes the potentially greater risk of data loss as mentioned. To help protect data in virtualized environments and the cloud, it’s key to establish and enforce policies specific to where data can be accessed, used and stored. Also, revisit and, as necessary, refresh who has access to the virtual machines.

In addition, check that you have the necessary tools to audit, discover and manage virtual machine encryption to reduce the risk of unprotected workloads.

Finally, make sure you maintain a centralized repository of encryption keys, separated from the hypervisor, to provide your enterprise with exclusive control of your keys and eliminate the risk of exposure to unauthorized parties.

5. Don’t Forget About Endpoint Security

Most organizations have a myriad of operating systems and devices (e.g., Windows, Apple, Linux, USB drives, self-encrypting drives, etc.). These all come with separate management and reporting tools, with varying levels of data security protection. This disparate array of solutions becomes even more problematic when it comes to managing things like software upgrades. Enterprises need to look at ways to gain efficiencies in their endpoint environments while improving data security.

By unifying endpoint data security solutions, you put yourself in a position to be agile enough to make decisions regarding investment in emerging technologies. You’ll also benefit from continuous protection of data and workloads wherever they travel within the approved environment, and from reduced cybersecurity protection premiums thanks to unified controls and visibility.

Data breaches will continue to be a significant threat for organizations across the board. By addressing the points in the aforementioned checklist, your business will be best positioned to protect one of its most valuable assets in 2018, and beyond.

Mark Hickman

Mark Hickman is chief operating officer at WinMagic, a Toronto-based IT security company.