
Fortinet: Protect your critical data with risk and threat assessment

Announcement posted by Creative Data 18 Nov 2015

Protecting your data should be your number one priority. Here are a few hints from the experts.

The pathway that your data take from the keyboard to the CPU to the screen is fraught with danger. In a closed system, i.e. the good old stand-alone PC, there was virtually no risk. But today, when each keystroke goes who-knows-where, processing can take place across continents and end users are far removed from the source data, the integrity of your data is under threat at each node and pipeline. Any ‘weak link’ in the data stewardship process can be problematic.

Mapping your data highway

The more dispersed your data, the more risk you carry. “With the advent of the cloud,” says Gary Gardiner, Fortinet’s A/NZ Director of Engineering & Services, “your control over your data gets less and less. Just knowing where and how your data moves through the system is difficult enough. Uncovering the security profile of the various processes along the way can be well nigh impossible. But it has to be done. Otherwise your organisation will be carrying an unacceptable level of risk.”

The first step is to classify your data in order to ascertain which data need the most protection. You’ll probably find that the vast majority of your organisation’s data are non-critical, redundant or out-of-date. While you need to protect them, it’s not a priority. What’s left, though, are the family jewels: sensitive financial, personal and commercial information. These databases need to be secured from unauthorised access.

Storage: Here, there, anywhere

Data have to reside somewhere. “Once you have identified which data need the most scrutiny,” continues Gardiner, “you need to ascertain where the data are stored. Internally data can be in-use, in-transit or at rest. Complicating the issue is that the data can take on a life of their own after capture. In a point of sale system, for instance, the raw data are stored at silo A, they are processed at cube B and disseminated to applications C through Z. And between each node, there are conduits that represent a risk.”

Where the data live behind the firewall, the process is relatively straightforward. “You can set your own access rules,” he explains, “monitor network activity and take action if any anomalies are detected. Indeed, you can set thresholds to automate many of these activities. But even in a closed system, there are threats.”

Preventing ‘access creep’

System administrators, typically via the database management system (DBMS), can assign read and write privileges to specific data sets within the organisation. “No problem there,” Gardiner continues. “But as people move through the organisation, roles, requirements and permissions can evolve. If unchecked, it can lead to what is called ‘access creep’. It is essential that database administrators review read/write privileges (specified within your access policy) on a regular basis to ensure that only the appropriate people/roles have access to sensitive data.”

Help is available

There are guidelines available to help you navigate these fluid processes. For instance, the ISO/IEC 27002 standards have been specifically designed to help database managers track and secure data. Vendors are responding by embedding these principles into their solutions. Similarly, ITIL’s (formerly an acronym for Information Technology Infrastructure Library) Security Management section, based on ISO/IEC 27002, describes the structured fitting of information security in the management organisation.

But regardless of the standards subscribed to, it is essential that you have an overall map of your data: where they go, who has access and what they can do with this information. Then it is a carefully designed process of adding security to each of those stops and conduits along the way. The enabler is a policy that spells out - in as much or little detail as necessary - exactly who has access to what data and where, how those data are used and how the data get from point A to Z. If you can map the processes on a (large) white board, you are well on your way to identifying potential threats and reducing risks.