Ravi Ithal is Co-Founder and Chief Technology Officer at Normalizea cloud security provider for the digital business.
“He’s bringing a knife to a gunfight,” quips Sean Connery as he aims a sawed-off shotgun at the knife-wielding attacker. From that line in the 1987 movie the untouchableswe have heard the same advice-Don’t bring a knife into a fight—in more than 20 films. You’d think everyone would know this by now. Unfortunately, it’s a lesson yet to be learned by some organizations trying to combat attacks on sensitive data with tools meant to secure their IT infrastructure.
Data security is different from infrastructure security
Differentiating data security versus infrastructure is important for two reasons. Data poses unique risks and tools for InfraSec are not prepared for InfoSec. The term InfoSec refers to the protection of information (data) residing in an organization’s IT infrastructure. InfraSec refers to the protection of the underlying infrastructure.
To claim that InfraSec tools are not prepared for InfoSec is not to impugn the “goodness” of InfraSec tools, which play critical roles in the security ecosystem. Teams should have vulnerability scans of the network, servers, endpoints, and applications. They must check device and application configurations to ensure authorized connectivity is taking place. InfraSec tools tell you what the enterprise environment includes in terms of devices and software, as well as identities with associated access rights. Recovery teams need to know which systems have received versions of a patch. And so on. Without InfraSec tools, security teams would be completely in the dark about critical vulnerabilities appearing…in the infrastructure.
Please note: Security data exposed to groups by InfraSec point tools may provide vague indications about the security posture of some sensitive data, but InfoSec is not their focus. We’ve previously described specific risks to sensitive data, such as its rapid spread in modern environments and how easy it is to lose track of sensitive data storage. Let’s examine the reasons why InfraSec tools fall short in data security.
How InfraSec tools fall short for data security
There are many tools for doing InfraSec, and it’s easy to get lost in a variety of their important purposes. InfoSec teams should start asking tough questions about how well InfraSec tools meet their immediate needs for protecting sensitive data. Here are some examples:
• System Management Database (CMDB): This tool is a database of information about an organization’s hardware and software components. With the CMDB’s relevant population, it can also help teams understand the business importance of specific assets, which helps determine risk posture and accelerate remediation processes. CMDBs, however, completely ignore the existence of sensitive data within data warehouses. This information is missing about data is vital to InfoSec.
• Vulnerability scan: Every business uses one or more vulnerability scanners. This tool examines an organization’s network, communications equipment, connected devices, applications, and APIs to identify and classify weaknesses that an attacker could exploit. Vulnerability scans can also run within a cloud environment and determine if workloads have potential weaknesses. To do InfoSec, however, a vulnerability scanner alone will not inform teams of how threats are affecting sensitive data hidden within a myriad of cloud data stores one or more hops away from where the the vulnerabilities themselves.
• Identity and Access Management (IAM): IAM analytics tools provide information about who has access rights and to which corresponding resources. IAM tools fall short of InfoSec because the potential permutations of access and data types are too numerous to analyze, compare, and prioritize. Additionally, if the IAM tool doesn’t know the location of sensitive data, it can’t directly help InfoSec teams do their jobs.
• Cloud Security Posture Management (CSPM): This InfraSec tool detects misconfiguration and compliance issues in cloud environments. Misconfigurations are a leading cause of breaches, and CSPM is an excellent way to identify potential risks caused by non-compliance with best practices. CSPM, however, has disadvantages for the InfoSec professional. You may have already guessed it—CSPMs have no idea where your most valuable sensitive data is. Additionally, they have little to no understanding of platform-as-a-service (PaaS) databases, block storage, and file storage. Indeed, InfoSec needs are rarely integrated into CSPM, and so for this purpose, you will mostly get background noise and zero signal for Infosec.
Explore tools designed for data security
If a tool overwhelms you with useless or unapplicable data, the tool isn’t a tool at all! It just makes your team work harder than necessary to discover, sort and protect sensitive data at risk. The last thing an InfoSec team needs is more alerts and noise. Your InfoSec tools should be purpose-built to find and protect sensitive data. Useful features will include:
• Discover where sensitive data resides in your organization’s cloud environment.
• Classify all data to inform teams of which data is at risk or needs to meet compliance mandates.
• Manage access for sensitive data wherever it resides in the cloud.
• Risk and vulnerability management for all paths leading to sensitive data.
• Compliance support in all cases of sensitive or protected data.
As Sean Connery said: Don’t bring a knife to a fight! The practical lesson here for InfoSec is to never give up on protecting the organization’s sensitive data. Your team can I think so has the best tools or maybe hopes Its InfraSec tools will keep InfoSec in good shape, but when attackers come knocking for your sensitive data, you better be sure your organization has the right tool designed specifically for InfoSec.
The Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Am I eligible?