How to get Data Integrity right in an organisation?
Within most organisations, the security teams’ resources are scarce. Their focus is on the confidentiality and availability of data, rather than data integrity. It’s not a surprise that this is not considered a priority, but there is a critical need to revise threat models to include hacks targeted on data integrity. Unfortunately, many of these attacks go unnoticed until it is too late.
Risks of not focusing on Data Integrity
Over the years, organisations have focused and prioritised two arms of the CIA triangle – confidentiality and availability and lacked focus on the third arm which is data integrity.
There exists an unspoken expectation that data integrity is implicit. We regularly see data breaches expose the risk to the confidentiality of an organisations’ data but very little is written about integrity. However, there are increasing examples where the integrity of the data is the object of a hack.
The attack that targeted the world anti-doping agency (WADA) compromised the integrity of athletes’ drug test results and led to inaccurate accusations. This issue is further compounded by the calls of “fake news” to facts that don’t align with the objectives of particular groups. Data trust can take time to build but seconds to destroy.
Organisations need to start thinking more about data authenticity and ensuring that as it is moved around and manipulated, integrity and trust are maintained throughout. Focusing on managing the lineage of the data will be the key.
Adoption of machine learning/ AI solutions has placed data integrity under increasing scrutiny. There are many examples of small tweaks to data successfully tricking machine learning/AI products into making the wrong decision (example: traffic signals being altered in very minor ways to confuse self-driving cars). This could have an impact on the next generation of security products that are embedding these algorithms at the heart of decision making and data integrity hacks could undo all their positive benefits.
Challenges in addressing Data Integrity
One of the key challenges that a lot of organisations face is not knowing what they have that would require protection. Some organisations struggle with identifying the technical assets that should be under management (asset inventory) so adding a data inventory to the picture might seem overwhelming.
Also, data classification is something that could aid the prioritisation in protecting data integrity. However, data classification is also a notoriously challenging area.
Finally, data is very fluid within organisations so mapping the data flows and multiple copies of data could be a real challenge.
Data Integrity and GDPR
At its core, EU GDPR is about ensuring customer and employee data has integrity and is not being used incorrectly and ensuring that data is not susceptible to risks. So, in principle, it is now incumbent on organisations to take steps towards addressing this or they risk severe penalties.
However, within that accountability model, what the CISO brings to the table is the piece of the picture that is at the core of their role – security and protection against threats. Managing the risks to reduce the likelihood that the data defined within the GDPR regulation would be exposed to a data breach.
EU GDPR can be seen as either a burden or an opportunity for security teams. If it is viewed as a burden or nasty compliance thing that is imperative to adhere to, the danger is that the security team would end up with a clunky compliance driven solution, which can be a hassle.
It is important to keep in mind that, if a security team views this as an opportunity to drive best practice, they can end up with the EU GDPR becoming a catalyst to evolve security to a higher standard, making the organisation focused on improving security.
Ultimately, EU GDPR is only one piece of the compliance landscape. And as such, CISO’s commitment should be on solving for best practice and using it as a driver to enhance data integrity.
However, it is crucial to remember that compliance is not the same as secure, so organisations really need to model the threats to their business and appropriately account for this emerging threat.
How to get Data Integrity right?
It’s not straightforward, but organisations must become more focused on understanding their data and how it flows about their organisation.
Also, it is crucial for organisations to take responsibility and ensure the authenticity of the data they receive and provide assurances to their partners that they are delivering trusted data.
Protecting the data at rest (encryption) is still important and properly managing privileged access to key data sources. At any given point, a security team should be able to answer WHO has access to WHAT, WHY do they need it and WHEN are they using it? A mature PAM solution will be the perfect solution to address these questions. Also, it is imperative that security teams start treating data as one of their crown jewels.
More of this data is going to be stored on cloud infrastructure as well, so identity and access management policies in hybrid environments need to be thought through.