Secrets of Data Privacy and Security: The Gandalf Method
This cyber security awareness month, I’d wager a guess you’d tell me you understand security, your role, and you feel all the training you get from your information security team is overkill. But I’d wager there are quite a few people out there who think that because data is secure, that means the data is also private.
Whenever I’m asked about privacy versus security of data, my response back 99% of the time is a two-fold question:
“Is it secret? Is it safe?”
—Gandalf
If you ask AI tools for help on this one, you’ll likely get responses that overcomplicate the topic. Gandalf really was on to something here. For me, “secret” and “safe” are the two easiest words to relate back to these concepts. And, asking others this question allows me to find out if the person to whom I’m speaking is also a Lord of the Rings fan.
Secure Data vs. Private Data
When we think about thoroughly protecting data, we know that protection requires that data be both secure (safe) and private (secret).
So, how can we apply the “Gandalf Method” to our data protection efforts? Let’s walk through a few case studies, shall we?
Let’s start with a straightforward example. You’ve just purchased a home that’s a new build. You’ve signed all the paperwork and have headed over to begin unpacking your things. You arrive and find two things: None of the windows have curtains or blinds (lack of privacy) and the backdoor has no lock (lack of security). For a period of time, your home was neither secure nor private. You purchase a lock, and now your home is secure. However, until you install blinds and/or curtains, what you do in your home isn’t private. The inverse could also happen. You could decide to purchase blinds and curtains, but not a lock. Then, what happens in your home would be private, but not secure because your neighbor could easily walk in to see you jamming out to your Britney Spears playlist.
Let’s talk through a business example. You’re an auditor at a healthcare organization working on a claims audit. You have your data up on your screen when someone from the marketing group walks by, sees your screen, and asks you what you’re working on. Here, your security measures were in place, and no one outside your organization saw the data. However, you didn’t keep the data private as marketing doesn’t need to see claim data.
So, now that we’ve established these principles, what does that mean for you and your organization? The bottom line is knowing what types of data you have and who needs to have access to it. (Notice I didn’t say who has access to the data; we’ll come back to this.)
Initial Data Classification
The first step is knowing what data types you have and classifying that data. This is the key step for applying security measures. Let’s walk through a few examples.
Nearly all of us collect names—names of our customers, employees, consultants, vendors, etc. Names identify people and therefore need to be protected. Regardless of how your database stores this data (First Name, Last Name, Full Name, Nickname, Preferred Name), it needs to be protected, and we’d apply a stricter classification to this data, such as Confidential. This means you’ll want to apply greater security measures to it, such as requiring multi-factor authentication to log into the applications that maintain this data and applying encryption.
Next, you need to consider who needs access to this data. Don’t start with pulling reports from the applications to see who has access today; you’ve likely granted access to people within your organization who don’t need access to this data. This is the key when reviewing your data types for privacy. Start with who needs the access first and then go pull the reports. You will find those people who shouldn’t need access and be able to remove that access. This step will be the most challenging; you’ll get those who won’t understand why their access was terminated. However, you will also have users who won’t know the difference.
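One way to run the review in the order described above, as an added example that is not part of the original post: the need-based baseline is written first, and only then is the access report compared against it. The role names, data types, and report columns are constructed for illustration.

```python
import csv
import io

# Constructed sample: the roles that NEED each data type, decided before
# looking at any access report (hypothetical role and data-type names).
NEEDS_ACCESS = {
    "customer_name": {"claims_auditor", "customer_service"},
    "claim_data": {"claims_auditor"},
}

# Classification per data type; "Confidential" is the label used in the text.
CLASSIFICATION = {"customer_name": "Confidential", "claim_data": "Confidential"}

# Constructed sample of an application access export (who HAS access today).
ACCESS_REPORT = """user,role,data_type,mfa_enabled
alice,claims_auditor,claim_data,yes
bob,marketing,claim_data,yes
carol,customer_service,customer_name,no
dave,marketing,customer_name,yes
erin,claims_auditor,payroll,yes
"""

def review_access(report_text, needs=NEEDS_ACCESS, classes=CLASSIFICATION):
    """Compare current access against the need-based baseline."""
    findings = {"revoke": [], "missing_mfa": [], "unclassified": []}
    for row in csv.DictReader(io.StringIO(report_text)):
        user, role, dtype = row["user"], row["role"], row["data_type"]
        if dtype not in classes:
            # Data nobody classified yet: access cannot be judged, so surface it.
            findings["unclassified"].append((user, dtype))
            continue
        if role not in needs.get(dtype, set()):
            # Secure but not private: the role has access it does not need.
            findings["revoke"].append((user, dtype))
            continue
        mfa_on = row["mfa_enabled"].strip().lower() == "yes"
        if classes[dtype] == "Confidential" and not mfa_on:
            # Private but not secure: a legitimate user without MFA.
            findings["missing_mfa"].append((user, dtype))
    return findings

if __name__ == "__main__":
    for kind, items in review_access(ACCESS_REPORT).items():
        print(kind, items)
```

The "unclassified" bucket matters as much as the other two: access to data that was never classified cannot be reviewed until the classification step is done.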
Parting Thoughts
Truly protecting data and keeping it private and secure takes day-to-day monitoring and a solid knowledge of the data you have. Looking at what you have and who has access lets you make the determination on how to protect it.
So, you may be wondering, did I ever think the One Ring was protected (secret AND safe)?
My opinion? No.
The One Ring was never private. Those that lived through the First Age all knew it still existed. “Access” to the ring never followed the concept of “least privilege.”
Was it safe? Yes. It was safe from the time it was lost until it was found by Gollum again. Once it was found again, Sauron and his minions started to track the ring again.
However, if the ring had been protected, or even better, destroyed when it should’ve been (data destruction: another topic for another blog), we wouldn’t have one of the greatest fantasy sagas, now would we?