We live in an interconnected world of hybrid work, cloud data environments, digital business processes, and workflows. As we integrate new technologies such as generative AI (GenAI) and prepare for post-quantum security, defining our data has become critical to how organizations mitigate risk and protect data.
This recent keynote from BigID’s Digital Summit on the Future of Cloud Data Security, featuring Heidi Shey, Principal Analyst from Forrester Research, delved into how organizations redefine data: reassessing how we think about data security, clarifying the scope of what is “data” and where it is, and mitigating data risks.
In the session, Heidi explained that the challenge with data and data security is often a lot of confusion around what it is. She then elaborated on how the meaning of data (structured vs. unstructured) is not universal, and on the difference between data security as an outcome and as a technology control capability (encryption, tokenization, masking, DAG, etc.). Within the “data security” category, the several types of data security capabilities make the definition a bit murky. Data security is also confusing because of how you acquire control capabilities; in most cases, it is a feature or a standalone solution. There are many layers that organizations must parse through to be better aligned with organizational goals.
Redefining data security, as described in the session, will help to strengthen thinking around the topic and narrow down the requirement for controls, so that organizations can cut through the noise and make the right decisions. The three key items are sensitive data, the scope of the environment, and data risk:
- The importance of defining sensitive data across the 3 P’s (PCI, PHI, PII) and intellectual property as what she considers to be Corporate Data and Value (CDV), which can include business processes, API keys, and AI models/LLMs. It’s about identifying what organizations must protect, including GenAI and post-quantum preparations.
- The scope of data environments that require data controls, in terms of where data is generated or collected, where it sits, and where it is used or processed. This requires organizations to look specifically at data on-premises, in the cloud, in other infrastructures (storage, backup), and at the edge (IoT, sensors, AR, etc.).
- Data risk should be looked at in three ways. Risk to the data includes cybersecurity threats, resiliency concerns, and asset disposal. Risk from the data includes unethical use, data sprawl, and non-compliance. Risk in the data highlights the qualities of the data, such as integrity and the data lifecycle (ROT).
Heidi then closes the keynote with details on data security and defining data, focusing on the path ahead and how to get there. She suggests taking a step back to determine what you consider data security. She considers “data security” to be the ability to enforce policies for data access, use, and lifecycle, but that all starts with defining data, which is the foundation of your data protection strategy to get the best business outcomes.
Heidi then goes a bit deeper into the concept of defining data; it’s more than identifying where and what the sensitive data is. She says,
“I think today, defining data also requires that you’re able to do things like map its flow. This is also where things like data security posture management come in, capabilities around secret detections, and thinking forward capabilities like cryptographic discovery and inventory as well. These could all be things that could fall under this category of being able to define your data to better inform what you do with it next, in terms of controls, how you protect it and how you handle it.”
Beyond defining data and security, she suggested two foundational capabilities that will support your approach moving forward, which are:
- Aligning requirements with your CDP/CAO and IT infrastructure peers
- Defining a shared vocabulary in addition to outcomes
She strongly believes these strategies will help organizations streamline their approach, identify the critical data-centric controls to protect data, and build a comprehensive data security strategy.
As cybersecurity in the cloud becomes more arduous, the keynote provided a solid basis for a streamlined organizational approach and for aligning requirements to adapt to the future of cloud security, ensuring data protection, compliance, and risk management.
Heidi closes the session with her theme: “Stay warm, respect the fire, and handle it with care.”
Other Sessions from The Future of Cloud Data Security Digital Summit
The Digital Summit on the Future of Cloud Data Security also featured speakers from Panda Restaurant Group, JPMorgan Chase, Morgan Stanley, Cisco, Optiv, and Avalara. They explored the dynamic world of data security and risk management in the era of multi-cloud computing. They shared actionable strategies to navigate the compliance landscapes, fortify cloud data defenses, and stay ahead of emerging threats. It was a summit to remember!
- Managing & mitigating risk across the multicloud
- Cloudy with a chance of breaches: navigating the cloud data security landscape