DataSecOps: Applying the DevSecOps Mindset to Data Security
Organizations that adapt quickly and develop a strong DataSecOps approach with clearly communicated processes can accelerate their data-driven innovation.
- By Ben Herzberg
- September 20, 2021
With data driving today's innovation, enterprise leaders are turning to data democratization (the process of making data widely available to employees across an organization) as they optimize data analytics to accelerate their success. However, security leaders are struggling to reconcile the growing need for data accessibility with the rising tide of data breaches and malicious attacks dominating today's cybersecurity landscape.
The elevation of data has quickly turned it into a veritable and valuable enterprise asset that requires special protection. It is a lucrative target for bad actors who stand to make small fortunes selling the proprietary market intelligence and PII housed in enterprise data stores.
Tech leaders looking to secure their data are taking inspiration from other security practices, such as "shifting left" -- i.e., implementing security earlier in development or at the source of a data asset, to succeed. As a result, a growing number of enterprises are embedding data security into the foundations of data governance and use, believing that if data must be widely distributed across an enterprise, security administration and ownership must be distributed across data users and stakeholders as well.
DataSecOps: Enabling Secure User Access to Data
It is time to redefine security stakeholders where data governance is concerned, and take inspiration from DevSecOps -- the process by which security is introduced and built into DevOps, or the development life cycle -- to integrate security into the foundations of data governance and use. The idea of distributed security is a core tenet of DevSecOps, which establishes cybersecurity as a shared responsibility with developers. As the rise of data produces unending branches of data users, from formal DataOps teams to intrepid marketing interns, security leaders must consider how to integrate security in a similar manner across these channels. Enter DataSecOps.
DataSecOps is an agile, holistic, and security-embedded approach to coordinating the ever-changing data ecosystem for both applications and users working with data. It embraces the foundational and distributed security tenets of DevSecOps while looking to secure data for democratization. In other words, DataSecOps' objective is to support delivery of quick data-to-value practices while keeping data private, safe, and well governed.
How do you secure future data-driven innovation and adopt DataSecOps policies? Here are the key characteristics of a DevSecOps mindset that you can apply to data security initiatives.
Introduce and maintain a clear data access policy
The open lines of communication established in DataSecOps are meant to, above all else, uphold a clear data access policy and highlight its consistent application across all data users. This is in stark contrast to the often ad hoc decision-making process currently dominating enterprise data access. A disorganized approach muddles visibility into access and introduces critical security gaps. To avoid ambiguity, disseminate a clear policy that directly states who can access what types of data and at what sensitivity or anonymization level.
Establish and align data users and security teams to the same set of priorities
The sheer amount of data that enterprises collect and process has reached critical mass in a market lacking the skilled labor required to handle it. The only way to maintain safety in such circumstances is to prioritize risk effectively. For example, when working with data, the biggest risk tends to lie with the integrity and protection of sensitive data. This requires knowing (or at least discovering) where sensitive data is and allocating the corresponding share of resources to protect it. It is critical to establish a hierarchy of risk across the data access policy, as well as clearly communicate the individual responsibilities required to address it.
Open and maintain continuous lines of communication between data users and security teams
Security and data teams must work closely together for DataSecOps to succeed. This approach often must overcome cultural hurdles similar to those seen between speed-oriented developers and security teams in DevSecOps. The security risks disparate groups jointly protect against can serve as a rallying point and encourage cooperation if open lines of communication are maintained to keep their collaborative data security efforts alive and top of mind. Thus, in addition to being able to rely on policy as a single source of truth, data users must have communication channels with security teams and vice versa. This requires a proactive approach by data security champions and regular calibration meetings between teams.
Streamline data access while maintaining security
Security is often viewed as a limiting force in enterprises -- one that specifically stifles data-democratization and the speed of innovation by interfering with data accessibility. It is time for security and innovation leaders to reconcile and strike a balance between business and security needs. This means that security teams must prioritize simple and quick data access; projects to simplify data access (such as implementing a self-service portal) remove a lot of the bottleneck that is burdening both data and security teams when data consumers want to use data. By setting and implementing simplified data access policies, the security team's burden (but not its responsibility) goes away.
Change from an ad hoc to a continuous approach to security
Ad hoc security, governance, and privacy projects must morph into continuous (ongoing) projects. For example, a sensitive data scan often becomes obsolete after a few days (or even hours) when data changes or moves. Enterprise security and data teams can easily avoid this by continuously scanning data for sensitive information instead of performing scans on an ad hoc basis.
Organizations that adapt quickly and develop a strong DataSecOps state of mind with clearly communicated processes can accelerate their data-driven innovation with far fewer unplanned changes dictated by security, privacy, and governance teams. However, this change requires buy-in from the entire organization -- a seemingly impossible task given the apathy security usually meets.
If security leaders hope to be taken seriously by data users, they must clearly express their appreciation for the need to keep data as free flowing as possible as well as the competitive edge inherent in the data they protect. By combining and aligning data security goals with data agility, enterprise security leaders can close the technical and human security gaps to keep data safe.
Ben Herzberg, chief scientist at Satori, is an accomplished hacker and developer with experience in endpoint security, behavioral analytics, application security, and data security. His past roles include serving as CTO of Cynet and leading the threat research group at Imperva. You can contact the author via email.