Enterprise data is like air: Here’s how you can secure it

Today, enterprise data is like air. On the positive side, data is the most important resource that every organization relies on in order to survive. On the other side, like air, data can be hard to control. If unchecked, data will spread to every corner of the enterprise, and any potential leak can be deadly.

This creates some fundamental challenges for organizations today as they think about their data security risk. How can they ensure users and applications have access to the critical data they need, yet retain control over assets that are seemingly ephemeral, constantly on the move, and being consumed and spread in countless ways?

Massive trends such as the rise of cloud-based services, mobile and remote users, and collaborative work have only served to exacerbate these challenges. However, hope is far from lost. Air may be impossible to grab with your bare hands, but with the right tools and equipment, it can be harnessed and controlled safely. So let’s take a closer look at some key ways data is like air and how we can rethink our approach to securing it.

Its flow is essential for life

Data is the most critical asset for every organization – like air, businesses depend on it in order to live and thrive. This could include spreadsheets of company sales projections, design files for new products, source code of a company application, a PowerPoint of the company roadmap or internal email communications from the CEO. Like air, all this data typically needs to flow and be used in order to be valuable.

This directly impacts how we must approach data security. We can’t lock all our sensitive data away into silos, or the organization wouldn’t be able to function. Instead, we need to approach data security in the context of workflows. Where does sensitive data originally come from? Who needs to interact with it? How much sharing is needed in order to be effective, and how much is unnecessary sprawl?

It fills the volume of its container

One of the defining traits of gasses is that they will expand to fit the volume of their container. If we think of the enterprise as the container for data, the size of that container has mushroomed in recent years. The rise of collaborative work and sharing, by default, has made it all the more likely that sensitive data will spread to every corner of the enterprise. 

To be clear, this is a feature, not a bug. Twenty years ago, data was restricted to a need-to-know basis. Today, organizations want employees to have broad access because it drives creativity, enhances collaboration, accelerates product development and speeds time to market.

Most organizations attempt to foster collaboration in order to leverage all their available talent. Modern applications Slack, Zoom, Sharepoint, Google Workspace, and countless others are built for collaboration and sharing. Content that not too long ago only moved through email or physical media like USB drives can now be shared in hundreds of ways and the majority of these channels have not been secured properly. 

To address this reality, organizations must be able to see and control the flow of data across the enterprise, and protections must extend to all the myriad ways that data can be shared. Business workflows will commonly span multiple cloud services, endpoints and applications – our security team’s visibility, risk context and policies must be able to follow the data across all these steps and locations. Otherwise, it will be virtually impossible to control the natural spread.

It can lead to uncontrolled spreading

One of the painful lessons of the past two years is that even the most basic act of breathing can be contagious. This introduces one of the most important and potentially troublesome similarities between air and data. Every time a user or application interacts with data, it can become a carrier or vector for that data. A user can make copies of a file, copy/paste content from one source to another, take a screenshot, convert to a new file format, and so on. All of these copies or derivatives of data are relevant to security, yet for most organizations, they remain invisible.

Interestingly enough, some of the lessons learned from the pandemic can also be relevant to our data protection strategies. New technologies are making it possible for organizations to implement something very similar to contact tracing for their data. Technologies such as dynamic data tracing can maintain a complete genealogy for every piece of data in an enterprise. Every piece of content can be traced back to the app or user that originally created it. A data trace can likewise maintain the complete narrative of the data, seeing every user or application that interacted with the data, while tracking all of its copies or “descendants.”

This perspective gives organizations near-omnipotent visibility and control over their data risk. A security leader could pick any piece of data and instantly know where all the copies are, and likewise enforce policy on them. If sensitive data is found in unexpected places, staff can pull the thread to see where reality deviated from expectations. If a user or device is affected by a threat, staff can immediately know what data is involved and might be at risk.

Ultimately, an organization’s information is its most critical asset and determines its chances of success in the digital economy. It’s the air that keeps the entity alive and thriving. As organizations and work itself continue to evolve, it’s all the more important that our security models adapt so that data remains protected.

While controlling and protecting air can sound like a tricky task, that is exactly where information security is heading today, and where things are getting the most interesting. The organizations that are the best at using their data while keeping it safe will ultimately be the most successful. 

Howard Ting is CEO at Cyberhaven.