"How do you like your eggs?" Country Roads Magazine has 100 ways for cooking an egg. For something as simple as eggs, it is surprising how complicated we make a life for ourselves.
It is not surprising, therefore, that when it comes to data protection, there are many approaches as there are many vendors looking to cater to the needs of individuals and organisations of all sizes and industries, including government.
In the final leg of Readying the enterprise's data protection strategy in 2023 series, five executives offer some guidelines for IT decision-makers when considering their approach to data protection in 2023.
According to David Lenz, Arcserve's vice president for Asia Pacific, the IT complexity issue stems from multiple sources and can lead to reduced productivity, increased cybersecurity risks, inefficient backup and recovery, downtime and compliance issues.
"Reducing complexity and proactively planning for business continuity is the best way to ensure your organisation can bounce back quickly with minimal disruption."
David Lenz
He suggests starting with identifying the causes of IT complexity in the organisation and then creating a roadmap of where the business wants to go and the goals for the future. "Free up valuable time for innovation by automating testing and reporting that are repeatable and don’t require actual human intervention," he added.
One more consideration he offered is to maximise visibility with a centralised management console, track key performance metrics and troubleshoot issues from one location at any given time.
GitLab's APAC channels director, Dirk de Vos, notes that security, trust and privacy are intertwined and should be part of every data protection strategy. He recommends starting by understanding your data. "Classify your data into buckets so you know what security and compliance are needed. Have a plan for what happens in the event of a breach or attempted breach and outline the process to notify your clients or customers," he went on.
Like Lenz, de Vos suggests keeping it as simple as possible.
"While nobody can control external threats, compliance mandates or economic pressures, CIOs can control their business’ IT environments and how simple and well equipped they are."
Dirk de Vos
"One approach is using a DevSecOps platform to reduce complexity and allow you to integrate security and compliance in every step of the software development lifecycle and secure your software supply chain at the same time," he opined.
Grant Orchard, field CTO for APJ at HashiCorp recommends having some curiosity about your security controls and the workflows that you need to protect your data.
"Your first port of call should be to understand just how much of the data you have needs to be accessed by people or applications. As an example, Know Your Customer requires you to capture certain information for verification purposes, but how much of that needs to then be used as part of day-to-day customer service activities? Consider how you can shed risk by leveraging technologies such as tokenisation to retain the necessary data but reduce its usage and move it out of harm's way."
Grant Orchard
The next step, he posits is avoiding checklist controls and asking the security teams to walk you through the different scenarios that have been considered, and how they are mitigated. Using the first example of storage-based encryption vs field-level encryption for database technologies.
"Both of these will tick the box for ‘data is encrypted-at-rest’, and while both will prevent against physical access style threats, only one will also protect you from attacks on the network," he explained. "Scenario-based introspection trumps checklists every time."
The last step, according to Orchard is to look at time-based security controls. "Having a moving target successfully gain access to your data makes it much harder for attackers.
"Whether we are talking about credentials used to access data, the certificates used to secure connections to your data, the keys used to encrypt your data, or the operator sessions to perform maintenance - having the validity of these controls tied to short time windows through technologies gives you a huge reduction in risk," he suggested.
Meanwhile, Illumio's head of industry solutions, Raghu Nandakumara, says one of the best approaches for improving data protection is adopting an “assume breach” approach – something we hear regularly, and an approach some CIOs and CISOs are taking to heart.
"This means accepting that data breaches will happen and adjusting data protection and cybersecurity strategies to minimise risk. It’s also why Zero Trust has surfaced as a top cybersecurity priority, because it is predicated on the principles of “never trust, always verify.”
Raghu Nandakumara
He explained that a Zero Trust strategy is applied to networks, devices and servers and comprises technologies like Zero Trust Network Access (ZTNA), multifactor authentication (MFA), single sign-on (SSO), and Zero Trust Segmentation (ZTS). He posited that the same principles should be applied to data protection.
“Organisations must adopt a data-first mindset. This means first understanding what data you have, where it goes, and who has access. Then applying the right Zero Trust architecture to fit, prioritising protecting the most critical and vulnerable data first,” he concluded.
Matthew Oostveen, VP & CTO for Asia Pacific & Japan at Pure Storage believes that there should be a fundamental shift from reactive to proactive data protection.
While there are many different technologies that can help recover data, it is important to understand the role of each solution in the overall enterprise data protection strategy. Some important considerations include:
While it is logical to think about backup, data restoration is becoming more important, given the increasing business value of data and the cost of downtime. There must be a two-pronged approach towards modern data protection strategies:
- Real-time data backups: ensuring that backups are immutable to keep data safe from being modified or deleted even from people with admin-level access to systems
- Rapid restore solution: ensuring backups, data, and systems can be recovered quickly in the event of an emergency, in the time frame required by the organisation
As an advocate of the "one size does not fit all" mentality, he recommends organisations identify their mission-critical data and the associated business costs of not having that data available and evaluate technologies that can meet “restore” service-level agreements.
"Today, the data security threat goes beyond ransomware: data retrieval and recovery is no longer a given, in spite of paying attackers their desired ransom. This means IT decision makers’ investment considerations should include unified fast file and object storage platforms that provide the last line of defence against ransomware or rogue employees while offering quick recovery speeds."
Matthew Oostveen
* Editor’s note: Click on the links below for the series
Data protection in 2023’s cloud-first world
