The government is firmly positioned under the spotlight when it comes to its use of data and is expected to set an example for managing data effectively and securely. Erfan Shadabi, Cybersecurity Expert at comforte AG, discusses why data-centric security is the way forward and ultimately the key for unlocking cloud-based data analytics – a key business advantage.
The importance of data today is unmatched. For governmental organisations, data can help create more efficient and effective policies. From the data it collects, a government can better understand the demographics, societal behaviours, crimes, religious beliefs, financial incomes, medical issues (and much more) of a population. From health and work & pensions to education and the treasury, the various governmental departments are libraries of sensitive data. The information stored is continuously being analysed, updated and shared to help departments make informed decisions that essentially help to improve the country.
Therefore, governmental organisations have an even greater obligation – compared to most – to manage data responsibly and securely, especially when it comes to personal information.
Industry-wide, as well as government-wide, business practices are being transformed by technological advancements with an ever-increasing amount of data digitalisation and data generation within government. As a result, governmental organisations are tapping into the power of data analytics to improve public services and governance as well as their own services. But to manage the resulting security and compliance risks without impeding overall impact, governmental organisations should consider a more focused approach to cybersecurity. That means protecting the asset that matters most: the data itself.
The issues faced
Sensitive information and data have always been in the crosshairs of threat actors and are commonly stolen through ransomware attacks. The stolen data is then sold across underground markets like the Dark Web. Such incidents happen often, and just recently, NATO documents were stolen from a Portuguese government agency responsible for the control, planning and operations of the armed forces of Portugal. According to the most recent IBM Cost of a Data Breach report, each public sector incident costs US$2.07 million on average, while over US$1 billion in monetary penalties was issued under the GDPR last year, seven times more than in 2020.
When it comes to sharing or analysing data, there are often lengthy bureaucratic processes in place which are layered with data protection and privacy restrictions – and for good reason. The worst possible outcome, should a governmental organisation be breached, is to have this information stolen, leaked or sold to the highest bidder, which in itself will lead to more devastating outcomes.
Naturally, governmental institutions are expected to set the standard and demonstrate what is expected for data privacy and protection, so sharing or analysing data shouldn’t be discouraged so long as it can be achieved securely.
Data breaches and cyberattacks are unfortunate, and when such incidents occur, they delay the long-term growth of Digital Transformation projects, like cloud-based data analytics, because of the security and compliance issues they raise.
Moreover, if a government organisation has cloud migration plans, the challenges of analytics and security are raised, particularly if these projects begin without data audits and classification processes.
This presents its own obstacles with the possibility of security coverage gaps appearing.
Plus, if those managing the project are likely to conduct everything in-house, there may be a lack of resources or expertise to rely on. If security teams are involved from the outset, there is always the chance that outdated or traditional security controls are applied to cloud environments, or that they opt to trust the cloud provider’s in-built security policies. For instance, AD/LDAP integration, role-based access controls (RBAC) and traditional database encryption for data at rest are not always sufficient to mitigate risk.
Compliance teams might exacerbate these problems by mandating that project owners mask their data or not use sensitive data at all. That might make it easier to achieve compliance but will deprive the organisation of the invaluable insights which analytics could deliver.
Such approaches are not conducive to any business, nor do they help with future-proofing, as they hinder or limit the scope and outcome of the project. Furthermore, many view security and compliance as checkbox exercises with a reliance on legacy solutions – both will leave security gaps while raising the risk of data exposure and non-compliance. In truth, for a modern cloud-based analytical approach, governmental departments need security that can match these demands.
Data-centric security is the way forward
With such sensitive and valuable data held within the perimeters of governmental organisations, the focus should be more on protecting the data itself rather than the IT infrastructures that surround it.
Technology always evolves, changes and advances, and cloud technology is no different as it tries to keep pace with the demands of global business. Failure to do so will only lead to delays in project completions and the likely risk of data being exposed. There is already a lack of financial resources and manpower directed to security strategies.
In addition to this, the IT security industry is facing a shortage crisis of close to 3 million workers worldwide, leaving many businesses overstretched and under pressure.
An approach that can resolve this situation would require any organisation that holds sensitive information, governmental or not, to implement data-centric security. Data-centric security is designed to protect data throughout its life cycle – at rest, in motion or in use – and takes a Zero Trust approach alongside the principle of least privilege with regard to user access, safeguarding the most critical of assets.
There are a number of benefits that data-centric security can deliver, which include the ability to utilise the value of all data to enable data-driven governmental decisions without compromising on security or compliance. As a result, organisations can deploy cloud data projects while being able to provide access to users faster in a safe and secure manner. Overall, resources, both time and money, will be saved due to the simplified data management, governance, compliance and security that data-centric security provides. To conclude, unlocking cloud-based data analytics is highly beneficial so long as the institution gets security and compliance right first.