How to get Data Integrity right in an organisation?

December 19, 2018

Mike MacIntyre

Within most organisations, the security team’s resources are scarce. Their focus is on the confidentiality and availability of data rather than on data integrity. It is no surprise that integrity is not treated as a priority, but there is a critical need to revise threat models to include attacks that target data integrity. Unfortunately, many of these attacks go unnoticed until it is too late.

Risks of not focusing on Data Integrity 

Over the years, organisations have focused on and prioritised two arms of the CIA triad, confidentiality and availability, while neglecting the third arm, data integrity.

There is an unspoken expectation that data integrity is implicit. We regularly see data breaches expose the risk to the confidentiality of an organisation’s data, but very little is written about integrity. However, there are increasing examples where the integrity of the data is the object of an attack.

The attack that targeted the World Anti-Doping Agency (WADA) compromised the integrity of athletes’ drug test results and led to inaccurate accusations. The problem is compounded when facts that don’t align with the objectives of particular groups are dismissed as “fake news”. Trust in data can take years to build but seconds to destroy.

Organisations need to start thinking more about data authenticity and ensuring that, as data is moved around and manipulated, its integrity and the trust placed in it are maintained throughout. Focusing on managing the lineage of the data will be key.

The adoption of machine learning and AI solutions has placed data integrity under increasing scrutiny. There are many examples of small tweaks to input data successfully tricking machine learning/AI products into making the wrong decision (for example, traffic signs altered in very minor ways to confuse self-driving cars). This could affect the next generation of security products, which are embedding these algorithms at the heart of their decision making; data integrity attacks could undo all of their benefits.

Challenges in addressing Data Integrity  

One of the key challenges that many organisations face is not knowing what they hold that would require protection. Some organisations struggle to identify the technical assets that should be under management (asset inventory), so adding a data inventory to the picture might seem overwhelming.

Data classification could also help prioritise the protection of data integrity. However, data classification is itself a notoriously challenging area.

Finally, data is very fluid within organisations, so mapping the data flows and the multiple copies of data can be a real challenge.

Data Integrity and GDPR 

At its core, EU GDPR is about ensuring that customer and employee data has integrity, is not used incorrectly and is not exposed to undue risk. So, in principle, it is now incumbent on organisations to take steps to address this or risk severe penalties.

However, within that accountability model, what the CISO brings to the table is the piece of the picture that is at the core of their role: security and protection against threats, which means managing the risks in order to reduce the likelihood that data covered by the GDPR regulation is exposed in a data breach.

EU GDPR can be seen as either a burden or an opportunity for security teams. If it is viewed as a burden, an unpleasant compliance exercise that simply must be adhered to, the danger is that the security team ends up with a clunky, compliance-driven solution that is a hassle to live with.

It is important to keep in mind that, if a security team views this as an opportunity to drive best practice, EU GDPR can become a catalyst that evolves security to a higher standard and keeps the organisation focused on improving security.

Ultimately, EU GDPR is only one piece of the compliance landscape. As such, a CISO’s commitment should be to solving for best practice and using the regulation as a driver to enhance data integrity.

However, it is crucial to remember that compliant is not the same as secure, so organisations really need to model the threats to their business and account appropriately for this emerging threat.

How to get Data Integrity right? 

It’s not straightforward, but organisations must become more focused on understanding their data and how it flows around their organisation.

It is also crucial for organisations to take responsibility for verifying the authenticity of the data they receive and to provide assurances to their partners that they are delivering trusted data.
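One concrete way to manage lineage and give partners assurance that data has not been silently altered in transit is to record each handling step in an authenticated chain. The example below is added here and is not code from the original post; it uses a constructed shared HMAC key and a constructed sample record, and each record binds the data’s hash and the step metadata to the tag of the previous record, so an unsigned edit or a reordered step is detected at the exact step where it happened.

```python
import hashlib
import hmac
import json

# Constructed demo key only; in practice each party holds its key in a vault/HSM.
KEY = b"constructed-demo-key-not-for-production"


def canonical(obj):
    # Deterministic JSON so the same content always hashes the same way.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def make_record(prev_tag, actor, action, payload, key=KEY):
    """Append one lineage record, binding the payload hash and step
    metadata to the previous record's tag (a hash/HMAC chain)."""
    body = {
        "prev": prev_tag,
        "actor": actor,
        "action": action,
        "data_sha256": hashlib.sha256(canonical(payload)).hexdigest(),
    }
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag, "payload": dict(payload)}


def verify_chain(chain, key=KEY):
    """Return (True, -1) if every link is intact, else (False, index of
    the first record whose link, payload hash or tag does not check out)."""
    prev = "genesis"
    for i, rec in enumerate(chain):
        body = rec["body"]
        if body["prev"] != prev:                       # reordered/missing step
            return False, i
        if body["data_sha256"] != hashlib.sha256(canonical(rec["payload"])).hexdigest():
            return False, i                            # payload edited after signing
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["tag"]):
            return False, i                            # metadata edited / forged tag
        prev = rec["tag"]
    return True, -1


def build_sample_chain():
    # Constructed sample: one test result passing lab -> agency -> partner.
    record = {"record_id": "R-1001", "result": "negative"}
    r1 = make_record("genesis", "lab", "created", record)
    r2 = make_record(r1["tag"], "agency", "reviewed", record)
    r3 = make_record(r2["tag"], "partner", "received", record)
    return [r1, r2, r3]


def tamper_demo():
    chain = build_sample_chain()
    chain[1]["payload"]["result"] = "positive"   # silent edit, not re-signed
    return verify_chain(chain)                    # -> (False, 1)
```

The receiving partner runs verify_chain with its copy of the key before trusting the payload; with an asymmetric signature in place of the HMAC, each actor would sign with its own private key and partners would verify with published public keys.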

Protecting data at rest (encryption) and properly managing privileged access to key data sources are still important. At any given point, a security team should be able to answer WHO has access to WHAT, WHY they need it and WHEN they are using it. A mature privileged access management (PAM) solution is the right tool for answering these questions. It is also imperative that security teams start treating data as one of their crown jewels.

More of this data is going to be stored on cloud infrastructure as well, so identity and access management policies in hybrid environments need to be thought through.