In our last post, “The Data Protection Stack,” we discussed why implementing a data security practice is necessary: no other security strategy, including access control, storage security, and transport security, provides the same benefits. The reason? According to the data security stack, every layer of security has a gap after granting access at a lower level. For example, systems that are booted and running are vulnerable to operating system exploits even if the storage is protected.
Starting in this post, we discuss how to implement a data security practice following Seven Steps to Data-centric Security proposed by PCM, Inc, a Micro Focus partner. Our proposal includes implementing a series of processes, namely:
- Process I: Identifying critical assets, data, and intellectual property
- Process II: Evaluating threats against and vulnerabilities of these critical assets
- Process III: Addressing governance and regulatory requirements
- Process IV: Developing a prioritized security strategy
- Process V: Implementing data security throughout the enterprise
- Process VI: Monitoring effectiveness and incremental improvements
Before going on, however, we must answer a fundamental question: what exactly do we mean by process? For that, we use a definition accepted by the Software Engineering Institute (SEI) at Carnegie Mellon University (CMU) in the Capability Maturity Model (CMM): a process is a collection of inputs, activities, and outputs that accomplish transformative work.
Inputs in this definition are resources applied to performing the work of the process. Inputs may include documents, images, source code, or other human- or machine-readable artifacts.
Activities are tasks that consume these inputs and transform them somehow. These may be human driven, such as an interview or survey; machine driven, such as a software program or tool; or both.
Finally, outputs are methods of capturing the results of the activities. These again may be documents, images, or any other human- or machine-readable artifact. Specifically for data security, one core output is the transformation of a data item from an ordinary to a protected state and vice versa.
Is it enough to have a collection of processes implementing a data security practice? For such a practice, most of these processes will be implemented in software. After all, the key paradigm of data security is that software applications themselves are responsible for protecting data in memory before storing that data externally, be it in a database, file system, or some other store. So we need processes of sufficient quality to trust that our software is actually implementing data security properly.
How can we make that assessment? The CMM defines a Software Process Framework with a number of quality levels. The minimum level we must strive for is Defined. This means all of the processes in our data security implementation must have documented inputs, activities, and outputs. Additionally, our processes need documented entry criteria and exit criteria.
Entry criteria are simply how we determine that it is time to start the process. This can be a simple metric, such as all of the inputs being available and ready for use. Likewise, exit criteria are how we know the process is finished. For example, we can stop when we have all of the expected outputs.
Why is it so important to use a Defined set of processes for data security, especially when documentation can be so time consuming? Well, without Defined processes, we can’t guarantee that the same level of security is available across an organization. And outside attackers always breach security at its weakest point, with serious financial consequences, as we discussed previously in “The Business Value of Protecting Data.”
Over the course of the next several posts, we’ll discuss each of the processes used for implementing a data security practice. Where possible, we will identify public resources for the inputs. We’ll also define the activities and outputs, as well as the entry and exit criteria for starting and stopping the process at hand, sufficiently that an organization can implement the process.
Meanwhile, what are your thoughts on the subject? Have you ever implemented an SEI CMM Defined process of any type? Have you been part of an organization that has had its process quality assessed? And have you avoided a security breach due to good processes? We’d love to hear your thoughts. So please post your comments below.