what if your data could secure itself? accenture · 2018-06-07 · title: what if your data could...

WHAT IF... YOUR DATA COULD SECURE ITSELF?


Page 1: What If Your Data Could Secure Itself? Accenture · 2018-06-07 · Title: What If Your Data Could Secure Itself? Accenture Author: Gus Hunt Subject: Today we need to move beyond cyber


IT’S TIME TO DEMAND DATA CENTRICITY

Your adversaries want two things—Data and Control. Regardless of whether the attack comes from inside your organization or from the outside, the objective is the same—steal, modify, or destroy data and/or implant a capability to take control of systems or networks at a time of the adversary’s choosing. In our Cyber Moonshot paper, we outlined five essential technology pillars for achieving cyber resilience. One of those pillars is a data-centric approach—hardening systems from the inside out by encrypting and anonymizing data to minimize the potential for loss when an adversary gets in.

The National Institute of Standards and Technology (NIST) Special Publication 800-122, “Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)” affirms the importance of this approach for protecting PII. We believe that these same techniques should be extended to all sensitive and business critical data.

There are proven steps agencies can take to start protecting data in new and better ways. Tackle these steps in conjunction with larger modernization efforts to ensure that data-centric security is woven into every system you refresh, rearchitect or replace.


JOURNEY TO DATA-CENTRIC SECURITY

To apply the data-centric security practices needed to harden data, minimize threats and shift the power away from our adversaries and back in our favor, start with the good—then keep working to what’s even better.

THE GOOD

Know your data assets. Start by formally reviewing your data and systems and then prioritizing them in terms of the data’s importance (mission critical, reputation critical or existential threat). Of course, budgets are not infinite, so focus first on hardening the high-value assets. Given the interconnected nature of systems and data, determine how to minimize the “weakest link” attack vector. To that end, lay out a roadmap for how you will ultimately harden all data in your IT environment.

Audit All Data Activity. A comprehensive audit of all data use is essential—not just for security reasons but also to drive IT and business enhancements and efficiencies. Patterns of user and system behaviors are critical inputs when working to enable proactive security, detect and stop malware, and apply user and entity behavior analytics (UEBA). This same information is also essential when identifying performance bottlenecks, gaining a better understanding of customer and citizen interests and needs, and uncovering information gaps through unsuccessful responses to queries.

Implement encryption. Make sure your data is encrypted both at rest and in transit. Use commercial encryption capabilities in your data centers and cloud-based encryption services, such as those that Amazon Web Services and Microsoft Azure provide as part of their cloud storage solutions. Make sure you retain complete control, including holding the only copies of the keys, which should be stored in a hardware security module (HSM). If you permit exports to PCs and laptops, ensure they are also encrypted at rest and in transit. In other words: Do not allow unencrypted data to exit your boundaries.

Tag and mark data. Automated access control decision services require strong data tagging and marking. If your data is not already tagged and marked for that purpose, it is critical to establish a framework for doing so. Both people and software need to understand your framework, so keep it as simple as possible.


THE BETTER

Implement across-the-board IDAM. Strong identity and access management (IDAM) services are essential—not just for people but also for data, applications, networks and devices. Separate data from applications, applications from security, security from rules and rules from data. This approach minimizes the impact of any change to data, security or applications and ensures the data is securely available to the business systems that need it. Just as important, ensure the access control decision processes and systems can be adapted to accommodate changing business needs.

Enable discovery. Once you have established who should have access to what data, you need to provide a mechanism for users to discover data they may not have explicit permissions to see—along with an automated mechanism to request access. Implement your access decision services so that they allow for shades of gray. One example is this “YES and four levels of NO” model:

Yes, a user has permission and can see a piece of data.

No, a user cannot see the data but can know of its existence, see appropriate metadata about the object and be provided a link to request access permission.

No, a user cannot see the data or any of its associated metadata but can know of its existence and be provided with a link to request permission.

No, the user cannot see or know of the existence of a piece of data.

No, the user does not have access, and looking for this data automatically triggers an alert and an investigation.

In this dynamic world in which access decisions often lag legitimate business needs, discovery is a key mechanism to rapidly and efficiently accommodate change.

Assure data integrity. Use blockchain or blockchain-like processes to ensure data integrity and detect unauthorized alteration of data. Hash and sign all data objects, storing the hash out of band from the data itself. Recompute the hash as needed and validate against the original hash code. Because data is generally write-once, read-many, be sure to detect and track any changes. Always keep the original data with links to the change so you can clearly track provenance, pedigree and lineage.
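The hash-and-sign integrity process described under "Assure data integrity", as an added example that is not part of the Accenture paper: objects are hashed and signed, the records live in a ledger kept apart from the data, verification distinguishes altered data from a tampered ledger entry, and every change is appended as a new version linked to its parent so lineage can be walked. The HMAC key is a placeholder standing in for an HSM-held signing key (assumption).

```python
import hashlib
import hmac
import time

# Assumption: in production this key lives in an HSM; a bytes constant stands in here.
SIGNING_KEY = b"hsm-held-signing-key-placeholder"

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sign(obj_hash: str) -> str:
    # HMAC over the hash stands in for an HSM signature operation
    return hmac.new(SIGNING_KEY, obj_hash.encode(), hashlib.sha256).hexdigest()

class IntegrityLedger:
    """Out-of-band store of hash/signature records, kept apart from the data it protects."""
    def __init__(self):
        self.records = {}   # object_id -> list of versions, oldest first (never overwritten)

    def register(self, object_id: str, data: bytes, actor: str, parent: str = None) -> dict:
        h = digest(data)
        rec = {"hash": h, "sig": sign(h), "actor": actor, "parent": parent, "ts": time.time()}
        self.records.setdefault(object_id, []).append(rec)
        return rec

    def verify(self, object_id: str, data: bytes) -> str:
        """'ok', 'modified' (data no longer matches its signed hash) or 'forged' (ledger entry tampered)."""
        latest = self.records[object_id][-1]
        if not hmac.compare_digest(sign(latest["hash"]), latest["sig"]):
            return "forged"
        if not hmac.compare_digest(digest(data), latest["hash"]):
            return "modified"
        return "ok"

    def record_change(self, object_id: str, new_data: bytes, actor: str) -> dict:
        """Data is write-once/read-many: a change becomes a new version linked to its predecessor."""
        parent = self.records[object_id][-1]["hash"]
        return self.register(object_id, new_data, actor, parent=parent)

    def lineage(self, object_id: str) -> list:
        """Provenance chain: (hash prefix, who wrote it, parent hash prefix) from original to latest."""
        return [(r["hash"][:8], r["actor"], r["parent"][:8] if r["parent"] else None)
                for r in self.records[object_id]]
```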
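An access decision service that returns the "YES and four levels of NO" outcomes described above, driven by data tags (see "Tag and mark data") and user attributes, as an added example that is not code from the paper. Tag names, clearance levels, the gap thresholds and the request-access link are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Decision:
    level: str                  # YES, NO_SHOW_METADATA, NO_SHOW_EXISTENCE, NO_HIDDEN, NO_ALERT
    show_data: bool = False
    show_metadata: bool = False
    show_existence: bool = False
    request_link: str = ""
    alert: bool = False

def decide(user: dict, tags: dict, object_id: str) -> Decision:
    """user: {"clearance": int, "compartments": set}
    tags:  {"classification": int, "compartments": set, "alert_on_lookup": bool} (assumed tag names)."""
    link = f"/access-requests/new?object={object_id}"       # assumed request-access endpoint
    if tags.get("alert_on_lookup"):                           # most sensitive data: any lookup is investigated
        return Decision("NO_ALERT", alert=True)
    comps_ok = set(tags.get("compartments", ())) <= set(user.get("compartments", ()))
    gap = tags["classification"] - user["clearance"]          # how far short of the label the user falls
    if gap <= 0 and comps_ok:
        return Decision("YES", show_data=True, show_metadata=True, show_existence=True)
    if gap == 1 and comps_ok:                                 # close enough to see metadata and ask
        return Decision("NO_SHOW_METADATA", show_metadata=True, show_existence=True, request_link=link)
    if gap <= 2:                                              # may learn it exists and ask
        return Decision("NO_SHOW_EXISTENCE", show_existence=True, request_link=link)
    return Decision("NO_HIDDEN")

def render(obj: dict, d: Decision, alerts: list) -> dict:
    """Shape the response so the caller sees only what the decision level allows."""
    if d.alert:
        alerts.append({"object": obj["id"], "reason": "lookup of alert-on-access data"})
        return {"found": False}                               # indistinguishable from NO_HIDDEN to the caller
    if not d.show_existence:
        return {"found": False}
    view = {"found": True, "id": obj["id"], "level": d.level}
    if d.show_metadata:
        view["metadata"] = obj["metadata"]
    if d.show_data:
        view["data"] = obj["data"]
    if d.request_link:
        view["request_access"] = d.request_link
    return view
```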


THE BEST

Adopt tokenization. This capability enables you to substitute alternative values for sensitive data in both structured and unstructured formats. At a minimum, you should tokenize all data covered by PII, HIPAA, PCI or GDPR rules and regulations, or any other data considered sensitive for business, national security or other reasons. Importantly, make sure that data is tokenized consistently. For example, Social Security number 123-45-6789 should always tokenize to the same value, as should 123 Main Street, Anytown, USA. That consistency makes it possible for analytics and other advanced computations to calculate correctly. All day-to-day work with the data should exclusively use the tokenized representations. Allow reverse lookup only when the need is justified, and never allow untokenized data to be transferred to any device without explicit approval and full audit. Finally, tokenize as part of your data ingestion processes; that way, protections are implemented from the beginning.
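Consistent tokenization at ingestion with an audited, justification-gated reverse lookup, as an added example that is not code from the paper: the same Social Security number or address always yields the same token (so grouping and counting still work on tokens), the token-to-original mapping is held in a separate vault object, and detokenization is refused and logged when no justification is given. The HMAC key is a placeholder for an HSM-held key and the SSN and address values are constructed samples (assumptions).

```python
import hashlib
import hmac
import re

# Assumption: the tokenization key lives in an HSM in practice; a constant stands in here.
TOKEN_KEY = b"token-vault-key-placeholder"

class TokenVault:
    """Holds token -> original mappings apart from the working data store, and an audit trail."""
    def __init__(self):
        self._vault = {}   # token -> original value (the "real data" side of the split)
        self.audit = []    # every reverse-lookup attempt, granted or denied

    def tokenize(self, kind: str, value: str) -> str:
        # canonicalize spacing/case so "123 Main Street" variants map to one token
        canonical = re.sub(r"\s+", " ", value.strip().lower())
        # keyed, deterministic: same (kind, value) always gives the same token
        tag = hmac.new(TOKEN_KEY, f"{kind}:{canonical}".encode(), hashlib.sha256).hexdigest()[:16]
        token = f"tok_{kind}_{tag}"
        self._vault.setdefault(token, value)
        return token

    def detokenize(self, token: str, requester: str, justification: str) -> str:
        """Reverse lookup only with a recorded justification; every attempt is audited."""
        if not justification:
            self.audit.append({"token": token, "requester": requester, "outcome": "denied"})
            raise PermissionError("reverse lookup requires a justification")
        self.audit.append({"token": token, "requester": requester,
                           "justification": justification, "outcome": "granted"})
        return self._vault[token]

def tokenize_record(vault: TokenVault, record: dict, sensitive_fields: set) -> dict:
    """Tokenize at ingestion so only tokenized representations reach day-to-day systems."""
    return {k: vault.tokenize(k, v) if k in sensitive_fields else v for k, v in record.items()}

def count_by_ssn(tokenized_records: list) -> dict:
    """Analytics over tokens: consistent tokenization keeps equal SSNs grouped together."""
    counts = {}
    for r in tokenized_records:
        counts[r["ssn"]] = counts.get(r["ssn"], 0) + 1
    return counts
```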

Use multiple databases. Where possible, encrypt and store your real data and your tokenized representations in different systems. For example, you could use MySQL for token lookup, HDFS/Hadoop for tokenized data store and analytics, and Oracle for housing the extracted original content. With this approach, no single vulnerability can be exploited to give attackers unfettered access to everything needed to reconstitute the original data. If necessary, store a copy of the original data out of band in a secure enclave with strict access controls and multi-party access permission requirements.

Micro-segment. With micro-segmentation, you combine strong IDAM capabilities with tokenization and redaction services to ensure individuals only see data that’s necessary to perform their jobs. Consider, for instance, that hospital billing services do not need to see a patient’s medical record to send out statements. Strictly limit the number of people with unfettered access and permissions to see data in its untokenized form. Invoke the two-person rule for the most sensitive data stores—requiring both administrator access and special permission to unmask tokenized data.

Throttle access. Where appropriate, throttle an individual’s access to data to help prevent wholesale data theft. For example, an adjudicator of security clearance applications can only process a limited queue of people. Limit her access to the applications of the individuals assigned to her.


REACHING THE DESTINATION

Consider the Good, Better, Best tools and techniques as your guideposts as you work to modernize systems and data. With each system that you update or replace, you have an opportunity to implement data-centric security. As you make progress over time, you will reach the critical point where you’re no longer securing data—the data is practically securing itself.

ONE STEP AT A TIME…

Data-centric security is just one of five essential technology pillars needed to establish a strong cyber resilient foundation. Such a foundation shifts the balance of power away from our adversaries and tips the scale in our favor. In our Cyber Moonshot paper, we outline our thinking about each of these pillars:

Embrace the cloud for security

Require security by design

Engage in proactive defense

Build-in cyber resilience

To find out more about each of these, and to learn more about Data-Centric Security, visit Accenture.com/cyber.


ABOUT ACCENTURE FEDERAL SERVICES

Accenture Federal Services, a wholly owned subsidiary of Accenture LLP, is a U.S. company with offices in Arlington, Virginia. Accenture’s federal business has served every cabinet-level department and 30 of the largest federal organizations. Accenture Federal Services transforms bold ideas into breakthrough outcomes for clients at defense, intelligence, public safety, civilian and military health organizations.

ABOUT ACCENTURE

Accenture is a leading global professional services company, providing a broad range of services and solutions in strategy, consulting, digital, technology and operations. Combining unmatched experience and specialized skills across more than 40 industries and all business functions – underpinned by the world’s largest delivery network – Accenture works at the intersection of business and technology to help clients improve their performance and create sustainable value for their stakeholders. With more than 442,000 people serving clients in more than 120 countries, Accenture drives innovation to improve the way the world works and lives. Visit us at www.accenture.com.

FOR MORE INFORMATION PLEASE CONTACT:

Gus Hunt
Managing Director and Cyber Strategy Lead
Accenture Federal Services

@GusHunt_

[email protected]

Copyright © 2018 Accenture All rights reserved.

Accenture, its logo, and High Performance Delivered are trademarks of Accenture.