Six Pillars of Data Security
Key Points
- Data is the most valuable asset for modern IT systems, making robust security essential to protect everything from intellectual property to actual money.
- Effective data security governance starts with a clear policy that defines classification tiers, catalogs critical data locations, and outlines resilience plans for recovery.
- Accurate data discovery is required to reconcile assumed data inventories with reality, scanning both structured and unstructured sources and monitoring network traffic for hidden or exfiltrating information.
- Protection measures must include strong encryption paired with reliable key management, strict access controls such as multi‑factor authentication, and regular backups to ensure data remains usable even if compromised.
- The overall security framework is built on six pillars—governance, discovery, protection, compliance, detection, and response—each critical for a comprehensive defense strategy.
Sections
- Six Pillars of Data Security - The speaker outlines six key components—governance, discovery, protection, compliance, detection, and response—detailing how policies, classification, cataloging, and resilience form the foundation for safeguarding critical data.
- Comprehensive Data Protection Strategy - The speaker outlines the need for backup, compliance reporting, retention policies, and monitoring—including user‑behavior analytics—to safeguard data and reduce organizational risk.
- Building a Holistic Data Security Ecosystem - The speaker emphasizes a structured, organization‑wide strategy that integrates people, processes, technologies, and architecture to protect both structured and unstructured data while ensuring access only for authorized users.
Full Transcript
**Source:** [https://www.youtube.com/watch?v=N8xEgSe5RwE](https://www.youtube.com/watch?v=N8xEgSe5RwE)
**Duration:** 00:07:15
- [00:00:00](https://www.youtube.com/watch?v=N8xEgSe5RwE&t=0s) Six Pillars of Data Security
- [00:03:05](https://www.youtube.com/watch?v=N8xEgSe5RwE&t=185s) Comprehensive Data Protection Strategy
- [00:06:10](https://www.youtube.com/watch?v=N8xEgSe5RwE&t=370s) Building a Holistic Data Security Ecosystem
Data is the lifeblood of a modern IT system.
It's the crown jewels.
It's the secret sauce.
Intellectual property.
It's sensitive customer information.
It's important business plans.
It's even money itself.
So the bad guys want to get it.
It means the good guys need to protect it.
How do you do that?
Well, I'm going to go through six points in data security and talk about what are the things that we have to do.
I'm going to discuss governance, discovery, protection, compliance, detection and response.
Those are the things that go into it.
So let's start off with this business of governance.
So what do I need to do in order to govern data security?
It starts with a policy.
A policy is basically our plan for how we want to protect information.
If I don't have that, it's like running a race and not telling anyone where the finish line is.
So we have to have a data security policy in place.
And in that policy we describe this kind of data needs this level of sensitivity
and this level of sensitivity needs this kind of protection.
Now, we're going to under that add classification and have a scheme for what those different layers would be.
Unclassified, internal use, confidential, things like that.
So we need to have those tiers defined.
Then a catalog that says, where's all the important data that I'm trying to protect?
If I don't know where it is, I can't really protect it.
Then resilience. That is, I need the ability to recover this data once it's gone away.
And what are my plans in place for that?
Then from governance, I'm going to move over to discovery.
I need to be able to see where all of that information is.
This is the plan--before I apply it, I need to know where it all is.
The catalog is the preconceived notion of where it all is, then there's reality.
I have to go out and discover where all this stuff is.
I need to look in my databases.
I need to look in my files.
That's structured sources and unstructured sources of data.
Also, I want to look across my network.
Sometimes information is flying around and I'm not aware that that might be sensitive stuff that's leaving my network.
That becomes particularly important.
Then what's next?
Well, then I need to do some protection.
How am I going to protect the information that I've just talked about here?
I need to be able to encrypt the information so that if it leaks out of my organization, the bad guys can't read it.
I need to also have key management.
If I encrypt the data and lose the keys, then I lose the data.
So I have to have a key management system that generates keys securely and randomly,
that stores them and keeps them secure, that tells me when I need to rotate keys and put new keys in place.
So that key management system is particularly important.
I also need access controls-- the ability to say who gets access to this and who doesn't.
We could use things like multi-factor authentication, which I've talked about in other videos.
And then backup-- the ability to take a copy of all the data
and keep it in some secure place and then be able to recover from that.
Those are the protections that I need to put in place.
Then after I've done all of that, I need to ensure that I comply.
We may have internal regulations that we put in place, there may be governmental regulations,
there may be industry regulations that I have to follow.
In some cases, I need to report on those things, I need to say,
so the auditors will see this, that in fact, I have done what I said I was going to do.
That means logging a lot of information and then being able to do reporting from that.
It also means retention.
It turns out that we like to keep all the information that we ever get, but that increases our risk as an organization.
It's best once the information is no longer needed to get rid of it.
So we need a policy and an enforcement that says this is how long I'm going to retain records,
and this is when I get rid of them, so that they're no longer a risk to me and the organization.
Then I need an ability to detect.
Do I have a problem?
Is someone using the data or misusing the data in a way that I didn't expect,
in a way that is unapproved? So I need a monitoring capability that lets me know that that's the case.
I did a previous video on User Behavior Analytics, which is an example of one of those technologies
that will go in and look and see when users are using data in anomalous ways and they deviate from the norm.
That would be a good trigger point.
Using analytics is another way of doing this kind of analysis and then ultimately alerts
that go up and tell someone we need to take action, someone has violated, or we think there's been a violation.
And then once we have that, well, ultimately, I need to be able to get up to a point where I can respond.
When I respond, then, I need an ability to create cases.
So with those cases, I can assign those to individuals to go do investigations,
I can attach information to those, I can track them through to completion.
Dynamic playbooks allow us to guide the analyst through what the steps should be
and tell them based upon this step [and] what the outcome was, then you will do certain things to follow up against that.
And it's dynamic in the sense that what you do in the second step depends on what happened as the result in the first step.
We do orchestration.
We'd love to automate everything, but we can't.
So we have to orchestrate the things that we've never seen before: the first-of-a-kind situations.
And then we automate as much as we can of the other responses.
Ultimately, all of this leads back to a kind of ecosystem.
Think of this as a virtuous cycle.
I take the information that I've learned in each of these stages and feed it into the other stages.
My response tells me, here's where we failed, maybe we need to change the way we govern,
maybe we need to change our policies.
Maybe this changes the way we discover information, protect it, and so forth.
So ultimately, what we're trying to do is create this ecosystem that allows us to protect the information,
that is, as I said before, the lifeblood of the organization.
The good news is there is a way to do this.
It requires a structured approach.
It requires a holistic view, not just looking at individual pieces, only the databases,
but not the files, only the structured data and ignoring the unstructured data.
A holistic view is going to be critical here.
Also, the right architecture.
Building the data security components in place, using the right technologies, having them all integrate is going to be critical.
And ultimately, the good people, process and technologies.
Those are the things that will ultimately implement a data security policy
that makes that information available only to the people that need it, and the unauthorized users don't have access.
Thanks for watching.
If you found this video interesting and would like to learn more about cybersecurity,
please remember to hit like and subscribe to this channel.