Congratulations and best of luck with your new company. Whether your company provides products or services you obviously have big ideas on how you want to direct your new enterprise.
The current hot-topic buzzwords that likely come to mind "big data," "cloud" and "mobile." However, before you start investing in data-related services you need to think about the inherent risks associated with data and data infrastructure.
Smart startup entrepreneurs always address two critical risk factors when building a new company: legal which in this context would include regulatory requirements; and finance. However, there is a third critical risk factor which is, unfortunately, too often ignored and that is data. No company can survive without data but it is often treated as a disposable commodity, or left to the responsibility of the IT department.
Recent data breaches and system compromises, however, have forced company executives to look at data risk management with more scrutiny; meaning that ownership of data and data infrastructure risk management ownership has been transferred from the server room to the board room. Aside from people, data is your most valuable business asset. This blog will provide guidelines on addressing common data risk factors as you start your new endeavor.
What is data and data infrastructure?
Data is often assumed to be customer information (which is correct), but it is much more. For this blog, data refers to information that drives business value, whether that value is through customer information, intellectual property, market analysis or other related information. Data infrastructure is hardware, software and other tools which enable the storage and processing of data in order to achieve business objectives.
Data risk generally falls under one or more of the following three categories:
- Confidentiality is the protection of data against access by unauthorized parties. The most common loss of confidentiality is through data theft. Social Security numbers, credit card numbers and health care records may be used by attackers for financial gain, so the proper protection of sensitive data is critical.
- Integrity is the protection of the contents of data against unauthorized modifications. One common attack against integrity is when attackers modify server configuration files to achieve some sort of unauthorized goal.
- Availability is where data access by authorized parties is permitted without roadblocks. One common attack method that impacts this category is through what is known as a Denial of Service attack where an attacker floods a web site with a very high volume of Internet traffic so that the web site is overwhelmed and unavailable to legitimate customers. Attacks against availability are not always man-made; nature may be one of the biggest impacts for this category. For example, customers of a cloud provider would lose access to their critical data if the facility was destroyed by a tornado.
The impacts to these businesses vary from company to company so it is up to business leaders at startups to determine the importance of each category.
Where to start
Understand your risk environment. Risks come in many forms such as data theft, denial of company operations or even fines and disruption of business through regulatory violations. The more you understand the risks facing your company the better prepared you will be to implement good policies and procedures to protect your company and its assets. Your risk assessment should include the impact to your data in terms of Confidentiality, Integrity and/or Availability. Understanding data risk is critical and should be included in the business plan.
Create a sound Data Classification Policy. This will be perhaps one of your most important tasks because properly classifying data, especially for address risks associated with regulatory requirements, will help you to focus critical resources on more sensitive data. The type of classification is entirely up to you provided that clear guidelines are provided so that your employees and vendors are able to assign. For example, the Payment Card Industry Data Security Standards (PCI-DSS) establishes requirements to protect cardholder data while the Health Insurance Portability and Accountability Act (HIPAA) establishes requirements to protect patient healthcare records.
Sensitive data will undoubtedly require additional resources to protect - it would be wise to focus your critical resources to properly address it. For example, data encryption may be an excellent investment for sensitive data, but encryption would be wasteful to store your company's public information such as address, web site URL and phone number. A Data Classification Policy ensures that all employees and vendors understand company requirements regarding the proper handling of various types of data.
Proper data classification may also help protect you from any potential review by regulators. For example, suppose you define patient information as Sensitive and your intellectual property as Confidential and assume that your company properly separates both categories of data on your network. If a remote attacker manages to steal your intellectual property but not any health patient records, your company may suffer financial loss as a result but will not be subject to a law enforcement investigation because personally identifiable health information was not exposed.
Create other sound policies. Policies should extend beyond data classification into other business operations. There is no rule on how policies should be created or what they cover provided that: 1) they are approved by the CEO or a designate; and 2) that they are communicated to the entire organization and are accessible any time.
Vet all workers who may access sensitive data and limit access. Data theft is not limited to external malefactors; numerous reports have indicated that data theft by employees is on the rise. Employees and contractors who may have access to sensitive data should be vetted and access to data should also be restricted on a “need to know” basis. Workers should also acknowledge, in writing or email, that they understand company policies so that nobody can claim ignorance if they are caught mistreating sensitive data.
Security awareness. The actions of all who work for your company are your responsibility so you need to communicate your company’s policies and good security practices through security awareness training. Security awareness training should be continuous and can be a combination of annual formal classes plus regular emails of security issues and good practices.
The following four items are common issues facing new companies and recommendations on how to mitigate risk for each:
The Cloud. While "the cloud" is typically considered to be a catchy phrase, the reality is you are simply using someone else's computer at someone else's facility anywhere on the globe. If you decide to take advantage of the services offered by a cloud provider, remember that the responsibility of protecting data still falls on your shoulders, so learning as much as possible about that cloud provider is imperative. If you identified any regulatory requirements in your risk assessment that will impact your business, then you need to make absolutely sure that the provider is able to meet or exceed those requirements.
There are three basic types of cloud services to choose from:
- Software-as-a-Service (SaaS) provides full hardware and software services, including operating systems and applications that are fully managed by a third party. This is the fastest growing category; one reason being that this requires the fewest employees for your company.
- Platform-as-a-Service (PaaS) is where a third party manages the facilities, hardware and operating systems; thereby enabling full development and control of your applications to your employees.
- Infrastructure-as-a-Service (IaaS) is where a third party manages the physical facility only, while the hardware, operating systems and all applications are managed by your company. In this case you choose a "cage" of varying sizes that is locked and the contents within is accessible only by your company while the facility outside of that cage (physical, environment, electricity, etc.) is managed by the third party center.
Once a specific cloud service is selected, the next task is to find the best cloud provider for your business - especially one if your business is subject to various regulations. The question is how to select the right provider among a growing list. One reliable source to help make a proper determination is through independent attestation audits such as the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) which reports on standard physical and logical controls. It’s important to understand that an SSAE 16 is not a regulation so there are no passes or failures; the SSAE 16 is an independent audit of the existence of logical controls and is far more reliable than the cloud provider’s marketing brochure. Cloud providers are not required to conduct SSAE 16 audits but it is highly recommended to carefully review the document if one is available.
If your startup will be subject to other regulations such as PCI and HIPAA, you need to confirm if your cloud provider needs to be compliant as well. You should also inquire about the service provider’s policies, terms and conditions especially regarding data security and privacy as well as any third parties that may access your data.
The selection of a good cloud provider will also depend upon the identified risk, especially with the three aforementioned data risk categories. For example, if Availability is critical for business operations, then a cloud provider with multiple backup generators and redundant power supplies are important in case there is a loss of primary power, while Confidentiality and Integrity would require strong physical and logical access controls. Therefore, the contract with the cloud provider is critical to ensure that your business’ critical needs are properly provided.
It is important to quantify critical requirements so that you may nullify the contract if your current cloud provider is unable to meet your minimum requirements. For example, if your contract prohibits power loss exceeding 48 consecutive hours and the cloud provider fails to meet that requirement because their backup generators failed to start upon primary power loss, then your company would be impacted and you need to find a better provider.
A question often asked is if you should hire a cloud provider in another country. Storing your data in a facility located in another country may seem enticing from a cost perspective, but you will need to consider the potential impact from applicable laws governing that country. The legal impact of a U.S. company with data stored or processed abroad is still up in the air, as illustrated by the current case of Microsoft Corporation v. United States of America (also called the Microsoft Ireland case) where the issue facing the court is if the Department of Justice may compel Microsoft to turn over company-owned email that is stored in a data facility in Ireland.
Social Media. Many view this as "free advertising" and, in a sense, it is true. Social media is one of the hottest mechanisms for companies to promote their products or services, but it is also a great environment for attackers to learn more about their potential victims. Be careful what you publish on social media because it may hurt your company in the long run.
Mobile applications for your customers. The average customer accesses online content from their phones, and app downloads are growing exponentially. However, mobile devices are easy to steal, many users disable device passwords and some passwords are easily guessable, so if your company plans to run on mobile devices a good contingency plan is recommended for customers who lose their phones.
Customers also routinely access the Internet on their devices through public wireless (wi-fi) connections such as coffee shops. Public wi-fi, as the name suggests, is openly available so connections are accessible to anyone in the area. If your service processes sensitive data for customers then you should consider secure transmissions and good access controls.
If your company plans to write mobile software, one common trap is to store the source code in a remote location such as Dropbox. While that is a convenient option there is risk of theft of the source code which is your company’s intellectual property. Remote storage providers like Dropbox do not guarantee the security of your files.
Big Data. These are large data sets which, through analysis, reveal specific patterns which may help you make strategic company decisions. These data sets may be obtained through various means, but care should be exercised, because customers are increasingly concerned about their privacy. For example, web sites often include tracking devices, and while some are benign others are invasive, and this may tend to drive customers away. In addition, a growing number of states have either passed or are considering stronger privacy laws. In addition, the type of data you collect may be subject to various laws or regulations, so it’s important to know what you’re collecting and how you’re using and storing that data.
Data risk management may appear to be daunting but, like any other forms of risk, may be manageable through knowledge, communication, empowerment and proper separation of duties. Knowing your startup’s risks, trusting in your employee’s knowledge and skills and communicating sound policies, standards and guidelines will go a long way in reducing the risk to your company’s data and data infrastructure. Remember, the data you protect may not be yours but your customers’, so if you want to earn your customers’ respect, then treating their property with proper diligence goes much further than simply claiming that they’re important.
Many resources exist that provide guidance to help you establish a good information risk management program, such as the Computer Security Resource Center (CSRC) at the National Institute for Standards and Technology. The CSRC contains a broad variety of guidelines that address information risk management in areas such as cryptography, governance and technical controls. The web site is csrc.nist.gov.
About the Author
Larry Moore is a guest blogger with over eighteen years of Information Security experience as part of his thirty year IT career. Larry has worded on diverse areas of Information Security including architecture, secure software development, penetration testing, server administration, project manager and executive manager. Larry has served at the State of Texas in their critical infrastructure protection and in the technical and financial sector.