Data Protection Guidelines for the Obama Administration
Although considerable sweat and tears have gone into data protection standards, it's time to spur discussion about how our data protection thinking and schemes might benefit from new ideas and technologies.
by Johnnie Konstantas
The new U.S. administration has brought considerable focus and effort to retooling many aspects of government and governance. It stands to reason that amidst this sea change, data governance mandates and regulations may also see a makeover.
Standards and regulations for protecting digital assets (SOX, GLBA, HIPAA, FISMA, ISO, FERC/NERC, and PCI DSS to name just a few) span across every type of public service, from health care and legal to energy and financial services. The challenge with these regulations is that they vary greatly in how prescriptive they are, yet fill pages and pages with technical guidance. For most businesses, this has resulted in the need to procure expert advice and consulting services to sort through and apply the regulations in a meaningful way.
Although many years’ worth of work have gone into the conception and evolution of our data protection standards, the time is ripe to spur discussion about how our data protection thinking and schemes might benefit from the application of new ideas and technologies.
10 Reasons Why Data Vulnerabilities Are at an All-Time High
Let’s begin by examining 10 reasons why risks to data from malicious activity and insiders are at their highest levels in a decade despite the government’s best efforts to legislate and mandate consistent practices for securing digital information.
1. Data is being created at the fastest rates we’ve seen, nearly doubling annually according to some analysts’ estimates.
2. Many of the regulations we’ve come to regard as canonical IT best practices were conceived more than 10 years ago (albeit with periodic revisions and updates to reflect current trends). Thus, the regulations may not offer advice that reflects the latest developments and techniques.
3. Although SOX is the precursor to many information security standards, some of these have since evolved to reflect the needs of particular industries and data types. As a result, businesses are confused about which regulations to apply, how to apply them, and whether there is reciprocity among them, causing delays in the application of best practices and compliance efforts.
4. For a long time, the focus has been on protecting the network perimeter from malicious outsiders, leaving access by insiders unaddressed by regulations.
5. Current economic conditions have frazzled nerves and sent many employees to their network file shares looking for information that will give them a competitive advantage over other job seekers if they are “downsized.”
6. The technologies which house data (i.e. storage devices and file systems) have benefited from technical advancements in performance but little progress has been made on the controls for security and monitoring.
7. As is to be expected, innovation outpaces the processes for revising regulatory mandates due to the timely process involved in doing so. Consequently, some of the best ways to secure data are not known to those who rely on government standards for guidance.
8. IT departments are under extreme pressure to maximize data availability and efforts in that regard are much more visible and “felt” by network users. By contrast, regulatory compliance is often a time-consuming annual or bi-annual event that is to be “gotten through” in whatever way possible and with minimal disruption to business flow. Thus, any efforts to protect information and data in a “compliant” way are seen as diverting precious resources rather than being a part of the fabric that is in continuous operation.
9. Certified and accredited products are plentiful, but there is no guarantee that they will provide a concerted and integrated approach for scalable data protection. Although many government IT procurement mandates specify technologies that have passed rigorous certification and testing, these regimes often do not include “protection profiles” for newer technologies. Newer technologies may be in the marketplace and deployed for a number of years before the companies that supply them undergo the expense and commitment that comes with continuous lab testing, validation and certification.
10. Complying with regulations and best practices for data protection can be expensive, especially given the costs of consulting, third-party assessments, and the manual effort related to implementing, maintaining, and managing the technologies and processes.
Five Things the Obama Administration Must Have to Ensure Proper Protection of Federal Data
This brings us to the question of what the Obama administration must do to ensure that data is properly protected. To begin with, we must not ignore the fact that data is being created at an explosive rate. Businesses and federal institutions alike are constantly generating important, sensitive and critical information as fast as our storage devices and media outlets can serve it up, outpacing the government’s ability to update the data protection regulations that are already in place.
Let’s suppose that we are free of the constraints of existing regulations and certification regimens. What should the government’s digital information protection “wish list” entail? Below are five data protection “must-haves” for the Obama Administration to consider.
1. Accountability: Any organization and business must have the means to identify the owners of their data and give them the technical capabilities to monitor and manage important information on behalf of the business or agency in whose service they are employed.
2. Transparency: All networks must maintain a detailed log of who can do what with digital assets and who is using the privileges they’ve been given and how. This capability will allow any inquiry of data use and access to be answered in detail.
3. Completeness: Accountability and transparency should address important data wherever it resides and in whatever form it is stored.
4. Scalability: Part of the enormous challenge or crisis is the complexity of managing the projected data volumes based on current rates of growth. Network protection schemes need some future-proofing so that accountability and transparency do not become diminished by the size of the data.
5. Agility: The makeup of data networks is changing rapidly, mostly around our demand and emerging innovations for increased data availability. Our regulations and guidance to IT managers and organizations must evolve to include more frequent updates that reflects current data protection trends and challenges so that application of regulatory mandates benefits rather than inhibits productivity.
Implementing the Data Protection “Wish List”
The above “wish list” includes a healthy helping of common sense. How can President Obama and his team go about executing it?
I suggest bringing together an advisory board of the country’s most innovative CIOs. In many cases, these people have mandated, devised, and implemented network and data protection schemes that include the latest the industry has to offer. Their approach can offer road maps and a reference architecture that not only government agencies but organizations of all types can follow.
In fact, such an effort would help with modifying the language of government mandated regulations (e.g., SOX, GLBA, and HIPAA) so they are more prescriptive, meaning they specify the technology types and vendors recommended for varying challenges. Many overworked and underinformed IT managers and information officers will be relieved to receive proven direction for ensuring data security instead of trying to figure out a way on their own.
Although most organizations and businesses already have a stimulus of sorts to cut some of the costs and burdens of compliance, government-sanctioned reports on best products and practices can go a long way toward making the “wish list” a reality.
Johnnie Konstantas has more than 16 years of experience in the network-security and telecommunications fields. As vice president of marketing for Varonis, Ms. Konstantas champions data governance for the company’s worldwide markets. Prior to Varonis, she held various senior roles in marketing, product management and engineering with start-up companies. You can reach the author at jkonstantas@varonis.com.