We live in the information age and threats against organizations’ information infrastructure continue to increase. This is no surprise since the value of information stored by companies is great and information security professionals are in an uphill battle to protect this sensitive data, which is often housed behind vulnerable applications. There are several challenges that infosec professionals must address:
Classify Your Data
First we have to face the facts. There is too much data in too many places throughout the organization, and too many applications, with too many interconnected components. So pick your spots wisely.
Each business application within an organization should have an associated data classification. This allows security architects & engineers to appropriately define controls around specific systems housing more valuable data. Let’s face it – it is useless to spend time, effort and resources to secure an application housing data with little value and it takes precious resources away from securing what really IS important. In many cases I have seen organizations waste time building strong security controls around applications containing public data which have minimal or no impact on revenue generation. Security teams should be providing value to the business lines they serve (this is a concept that sometimes gets lost in the day-to-day grind – at the end of the day everything done should be to serve the business!), and efficiently classifying data is an effective way of doing this.
Map Application Data Flows
Architects must understand how data flows between various applications and systems for processing and storage. Today’s enterprise systems have become super-interconnected to other systems both inside and outside of the company walls. This makes the mapping of application data flows critical! Security teams should be mapping all egress and ingress data flows to enterprise systems.
Additional value can be gained by further mapping vulnerabilities to these data flows to understand how the system is exposed. Particular focus should be given to systems with sensitive data classifications with egress data flows to less secure systems. For example, a system housing PII which has been wrapped in strong security controls is worthless if it is sending data for further processing in a vulnerable or poorly secured system.
Security professionals must take into account data classifications and data flows when planning vulnerability remediation efforts. As I mentioned above, there is much value to be gained by mapping vulnerabilities to application data flows. This is an effective approach to prioritizing vulnerability mitigation efforts, since the most sensitive data traveling over the most vulnerable application connections are addressed first! I personally have seen too many cases of sensitive data being sent to a vulnerable FTP server, where is sits… unprocessed… waiting to be compromised!
Overall as security professionals we must ensure we are better serving the business and prioritizing the security of the very applications the business lines use is a good start!
Receive notifications of new posts by email.