Don’t Lift and Shift: Evolve

It might be oft-repeated, but that doesn’t make it any less true: modern enterprises are in transformation – and so is their data. With businesses moving en masse to the cloud – particularly in battling COVID-19 – cyber security and data protection professionals must adapt.

“Data has moved beyond the traditional perimeter, but a lot of the compliance approaches, regulatory standards and ways people audit are built around being on premises and being in that corporate perimeter,” 

“Controls rely on people turning traffic back through the corporate network, which creates a massive overhead and can affect performance.”

Sian John MBE, Microsoft’s EMEA / APJ director of cybersecurity strategy

But with new technology, comes a new approach to data compliance, and John is keen to emphasise the latter.  

“Quite often people try and take the risk posture they’ve had on premise and apply that to the cloud, and that can either be too restrictive or it can actually not give you the controls you need. You might put a lot of technical debt in place that doesn’t deliver much reward because it’s focused very much on a traditional way of working,” she explains.

Spring cleaning the mindset

Perhaps unexpectedly, John takes inspiration from the work of domestic organisational guru Marie Kondo as a reminder to clear things out – unnecessary data included – as a matter of course, and not just at prescribed times.

“Whenever I tidy my house and I do one room, by the time I get back to the first room it’s a tip again because I’ve not kept it ongoing. Everyone treats data like a project and not something you’ve got to do ongoing as a programme. When you think about keeping your house tidy, if you do a little bit every day and it’s part of the way you operate [the mess won’t pile up], and so the very, very tidy people, the Marie Kondos of this world, never get a mess. With the hoarder, it all builds up.” 

But, according to John, because cloud storage has been cheap, organisations have tended more towards the hoarder model, piling servers high with unstructured data that is difficult to keep tabs on. 

But to keep a tidy data storage, you need to know your data, know what is important to you (and your regulators) and know where it is, in order to implement strong data governance. But many organisations either try to classify everything all at once, or they do nothing. 

“Instead of trying and do everything once, look at: ‘What is my most critical data; what do I need?’ Put the control tooling in everywhere, but then only really say ‘Let me focus on what the process is, the policy is’,” she explains.

“What a lot of people say is, ‘Oh I’ve got too much data, it’s too difficult to get control of my data.’ And guess what? When an attacker gets into their environment, they manage to get that data, because they don’t try and look at everything, they look for what they’re after.

“You need to get the policy right first before you do anything with technology. You need to educate people on the policy first before you roll out the tooling, because otherwise the tooling gets blamed for the policy.” 

Picking one data type at a time is a good idea, and regulated data can be a good place to start. Technology supplied by cloud providers has built-in classifications, of course, which can be effective in getting the ball rolling. But there is no substitution for policies, which must be specific to the organisation in question – because only the enterprise can know what the enterprise needs. 

“The technology is a knife and it can cut whatever you like. If you want to make a dinner, it can cut anything for that dinner – but only you can tell it whether you want it to cut up a tomato or an onion,’ says John.

Shared responsibility

At the centre of the relationship between the customer and the cloud service provider is the shared responsibility model. Customers who misunderstand this fall into two camps, says John. One assumes that the cloud provider will automatically make them secure and compliant.

“That comes with questions such as: ‘Will you create me a GDPR-compliant system?’ – which we can’t do. We can provide you with a system that you can build a GDPR-compliant service on,” she explains.

“We can make sure that what we do is compliant; we can’t make sure that the entire infrastructure of [what] the customer does is compliant without making sure that they do things right.”

The other camp tries to treat the cloud service like an outsourced data centre and attempts to monitor areas like physical security on-site (think: fire extinguishers) and even Microsoft’s own traffic. 

But shared responsibility means that the cloud provider assumes responsibility for physical security for that data centre, network, infrastructure and privacy security, as well as resilience. There are certain variations in responsibility according to the particular service agreement – for example hosting only, platform as a service, or software as a service – but the customer retains responsibility for the data on the system, its governance, policies, classification and the controls and protection around it. Ultimately, the customer must know where the data is so it can be audited, and understand who has access to that data and for how long, and what devices are accessing it.

The provider will provide the tooling, says John, ‘but even that tooling that we’ve got, if you don’t turn it on, use it, configure it, it’s no use to you.’

Insider risk

Sitting squarely on the customer side of the shared responsibility divide is managing insider risk. Contrary to the notion of data protection purely as a fortress against external attackers is the risk from within, whether that is a malicious and perhaps disgruntled employee bent on espionage, fraud or theft of intellectual property, or simply an employee in a hurry who violates policy, perhaps to meet a deadline. Regardless, managing insider risk should be part of the compliance and regulatory environment, says John. 

However, any such environment should be mindful of local employment law and must balance the privacy rights of the individual employee against the duty of care to the organisation. The general principle is: don’t go fishing. Machine learning can be helpful in identifying patterns of behaviour – for example spotting sudden and unusual downloads or connections – without scrutinising an individual themselves. 

“As a cloud provider, it is very a much how you use the tooling and not what the tooling is”, says John.

“I would summarise it as: don’t be creepy!”

Data loss prevention or data protection?

Part of making the digital transformation is moving beyond the notion of a protected perimeter, says John. Key to this is swapping from a data loss prevention strategy, where the focus is on preventing data leaving the organisation, to a data protection one, where the right data can be shared but is still protected.

The former stems from a model of data being handled on-premise and treats any sensitive data leaving the network as a risk, perhaps seeking to encrypt or to prevent data sharing.

A data protection approach, on the other hand, considers the policies around sharing data and works to maintain control over the data even after it been shared. Data loss prevention products work best when used as part of a holistic data protection strategy for the environment to determine what can leave the organisation and that the right protection is in place when it does. 

“Without a holistic strategy, once it has left, you lose control,” says John.

“There’s a lot of overlap in technology, but it’s about the mindset you’re coming from. As we collaborate more we need to move away from protection being in the network to controlling access to data wherever it may be,” she explains. 

The standard compliance journey

John has mapped the standard compliance data governance journey from: “No problems here”, through waking up to the complexities of regulation, risk and exposure, assessing the extent of the problem, putting in controls, to finally: “Sorted”. The reality, however, is a world that is continually evolving as global regulatory bodies update their regimes, and devices, apps and the nature of data itself continues to change. 

Customers approach providers at various points of the journey, depending on the maturity of past processes. But the planning stage would be ideal, John explains, before the customer has got too deeply into the weeds of designing a complex system that could be helped with existing tools. 

Sian John’s five tips for working with a cloud provider

1. If you do one thing today, enable MFA. So many breaches and exposures of systems we see are because people don’t have multi-factor authentification. If you’re going from on premise to cloud, the identity is the primary perimeter into that cloud service, so make sure that you have control over that. Get multi-factor authentification working, and get it working in as many places as you can.
2. Really understand the shared responsibility model. Understanding that things like data policy, identity, these sort of things are yours to understand, even if you go to a software as a service provider and you’re using all their tools to do it, it’s your responsibility to work out how to do it.
3. Don’t try and just reproduce what you’ve been doing on premise.  Don’t force cloud and mobile services through your network unnecessarily, provide the protection where the data is. Evaluate protections provided for the cloud services that you use and see if those you can use.  
4. Know your data, what data you need and what controls you need around that. But look at the outcome and the risk and what controls you need from a logical perspective, rather than “I need this particular piece of software that I’ve always used.” 
5. Educate the workforce. Data governance tools are just that tools, people need to know how to use them. It’s important your people understand the policies on what information can be shared and how it should protected. 

For out more information on Microsoft