As reported by the BBC and many others, the personal data of 200 million U.S. citizens was accidentally exposed online due to an improperly configured security setting.
Here’s my favorite comment/quote from the story:
"Since this event has come to our attention, we have updated the access settings and put protocols in place to prevent further access." [emphasis mine]
Handing off data for analysis: The new focal point of risk?
Shocked? No, of course we aren’t. We’re used to weekly bulletins about data breaches and misconfigured access control, varying only in the number of users impacted and the data set exposed.
The fact is that with the amount of data flooding through even small organizations, the governance problems surrounding that data are only being compounded. If you read further down in the BBC article, it comes to light that this breach happened on the watch of one of those “increasingly high-powered data analytics operations.”
Now, don’t get me wrong. Some of my best friends are data scientists. But this episode demonstrates that they probably know more about analyzing data than they do about protecting it.
Twice in two months
In the wake of two recent, major ransomware attacks – WannaCry in May and Petya/NotPetya in June – all organizations have some important questions they need to be asking themselves about their governance practices and the people who control them:
- Are we monitoring only the data deemed critical or tagged by some data governance solution?
- Why doesn’t data governance of critical files alone work?
- How often are we truly evaluating our access control methods?
I can appreciate that data scientists make big decisions with other people’s data. But they are the new focal point of risk in an organization. As the amount of data grows, many of these data analysts likely aren’t considering the repercussions of their data manipulations and how those manipulations create further security risks both internally and externally.
Out-of-control access control
As this episode shows, when you get a bevy of data scientists and analysts blending what may be innocent data sets, it becomes even more important to control access to the resulting larger sets of information. Those 200 million records probably sneaked up on them as they kept on adding data sets to the pile, and that is why access control issues will always loom large in organizations of any size.
Access control is essential to mitigating risk with all data, including blended data, protected health information (PHI), personally identifiable information (PII) and industry-regulated data. Access control goes beyond the data you think you need to control; it applies to ALL DATA.
Find out who has access to which file servers and how they obtained it
The best way to secure the future of your organization and that of your customers and partners is to ensure that you continually assess and audit your access controls. When was the last time you performed an audit to understand who had permissions to which file servers and how they obtained that access within your environment?
This is no longer about protecting just the critical files and data. With the evolving role of data scientists and continual work of blending data sets, it’s even more important to monitor access control.
Frankly, that’s easier said than done unless you have data classification across terabytes or petabytes of data. So what can you do? You can start right now to determine who has access to which files and where. Maybe it’s time to review your access control settings again. Unless you want to see your organization’s name next to the word “data breach” in some headline, it’s time to baseline your entire organization and ensure you have the proper access control in effect before somebody exposes your data.
Start with Active Directory. AD is at the heart of access control, authentication and authorization in more than 90 percent of the world’s enterprises, so it’s important to evaluate and track access control there.
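One way to take that baseline, as an added example that is not from the original post: the PowerShell below walks a file share, reads each folder's ACL, and records for every account whether it holds access directly or through (possibly nested) AD group membership. The share path `\\fileserver01\analytics`, the function name `Resolve-AceMembers` and the output file name are assumptions; it needs the RSAT ActiveDirectory module and an account that can read the ACLs.

```powershell
# Added example. Assumes the RSAT ActiveDirectory module and read access to the ACLs.
Import-Module ActiveDirectory
$Root = '\\fileserver01\analytics'   # placeholder share (assumption)

function Resolve-AceMembers {
    param([string]$Identity)
    # Local and well-known principals are not expanded through AD.
    if ($Identity -match '^(BUILTIN|NT AUTHORITY)\\') {
        return [pscustomobject]@{ Account = $Identity; Via = 'direct (local/well-known)' }
    }
    $sam = ($Identity -split '\\')[-1]          # drop the DOMAIN\ prefix
    $group = $null
    try { $group = Get-ADGroup -Identity $sam -ErrorAction Stop } catch { }
    if (-not $group) {
        # A user account or an unresolvable principal: the ACE names it directly.
        return [pscustomobject]@{ Account = $Identity; Via = 'direct' }
    }
    # -Recursive flattens nested groups so indirect grants become visible.
    Get-ADGroupMember -Identity $group -Recursive | ForEach-Object {
        [pscustomobject]@{ Account = $_.SamAccountName; Via = "member of $Identity" }
    }
}

$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

$report = foreach ($folder in $folders) {
    $isRoot = $folder.FullName -eq $folders[0].FullName
    foreach ($ace in (Get-Acl -LiteralPath $folder.FullName).Access) {
        # Below the root, keep only explicit ACEs: inherited ones repeat the parent.
        if (-not $isRoot -and $ace.IsInherited) { continue }
        foreach ($m in Resolve-AceMembers -Identity $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Path      = $folder.FullName
                Account   = $m.Account
                Obtained  = $m.Via
                Rights    = $ace.FileSystemRights
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Keep the CSV as the baseline and diff later runs against it.
$report | Sort-Object Account, Path |
    Export-Csv -Path .\access-baseline.csv -NoTypeInformation
```

Rows whose `Account` is `Everyone` or `Authenticated Users`, and explicit entries on subfolders, are the first ones to review, since they mark where access is broader than the parent folder or the group design intended.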
We’ve released a white paper, Designing a Multilayered, In-Depth Defense Approach to AD Security, in which we examine the logical and administrative layers of security that you can implement to improve your AD security posture.
You can’t wave a magic wand and tighten up access control, but you can put tools and processes in place to keep an eye on who has access to what.