We create massive amounts of data daily, from the exercise stats compiled by our wearable devices to smart meters used at our homes to reduce expense consumption to maintenance statistics of critical systems in industrial settings. If data creation continues at its present rate, more than a yottabyte (a million trillion megabytes) will likely be generated annually by 2030.
Even though big data is moving power behind modern, digital-first organizations, an average company uses only a fraction of the data they collect. According to a recent survey by VMware, 83% of business leaders believe that their companies store more data than they need.
The challenge of data complexity
As a recession looms, business leaders worry about getting "lost in translation." They are afraid that their inability to unlock the full potential of their data may harm their innovation and reduce their ability to spot new growth opportunities. Let alone that more data sources create more complexity and more potential security risks.
Every connectivity trend contributes to the growth of complexity, from widespread IoT deployments and IT/OT integrations to hybrid work models that make security conformance challenging and cloud deployments fraught with vulnerability-inducing compliance and misconfiguration issues. All of these are amplified when businesses participate in highly interdependent supply chains.
For IT and network security teams already overwhelmed by alert volumes and ever-evolving threats, dealing with so much complexity can seem like a bridge too far. They need to augment their efforts with automation to get some relief. The catch is that automation tools must be implicitly trustable. That hinges on the quality of the data the systems must work with—which makes good data hygiene fundamental.
What is data hygiene?
Data hygiene is the collective process conducted to ensure the cleanliness of data. In this instance, “clean” refers to error-free data. Dirty data contains outdated, incomplete, duplicated, or simply erroneous details. These errors can be introduced at any point while that data is in your system, whether it was incorrectly entered initially or made an accidental change when updating your records.
How zero trust can make for hygienic data
Hygienic data is accurate, complete, reliable, and up-to-date. Zero-trust principles contribute to data quality by strictly controlling who creates, accesses, modifies, and shares it.
The root assumption of zero trust is that no resource interacting with enterprise systems is inherently trustworthy. A “resource” may be an individual, a data set, a corporate or personal user device, and even a cloud service or software-as-a-service (SaaS) solution. Its security posture must be assessed whenever a resource requests access to corporate data. "Never trust, always verify" is the core principle of zero trust security.
At the same time, the approach recognizes that trust is not a fixed state. That means it must be monitored and re-verified continuously throughout a transaction. Any increase in risk profile can cause the termination of data exchange, the rest of the involved accounts, or initiating other actions to contain potential issues.
Steps toward data hygiene
Industrial businesses can take several steps toward data hygiene, but it all begins with a good understanding of your data ecosystem and comprehensive data governance.
1. Understand your data
Before you invest in tools and processes to improve your data hygiene, it’s essential to establish a baseline. According to Forbes, “About 27% of business leaders aren’t sure how much of their data is accurate.”
Determine the quality of your data to set achievable, quantifiable data hygiene KPIs. Your audit should examine all the systems your company uses to collect, use and store data. Within each system, determine which data fields are necessary; for both compliance and efficiency, your business should only collect the data it needs.
2. Practice data governance
Data governance is the principled approach to managing data during its life cycle — from the moment you generate or collect data to its disposal. By mapping out how data is used throughout your business processes, you can identify points where entry errors or communications mistakes may occur.
Assess how data moves through the organization: Where is it collected? Where is it being stored? Who is accessing it, and on what device? Not only can this show you where there is room for error, but it can also reveal where security vulnerabilities may exist.
3. Exercise robust access management
Access policies should be dynamic, not fixed. This approach allows trust to be contextual and adaptable to changing conditions based on business needs, risk tolerance, monitoring data, usage patterns, network locations, times of day, active attacks, and other variables.
In addition, access should always be session specific. Trust must be established before access is granted, with only the most restricted privileges assigned to complete the given task.
4. Evolve your security beyond perimeter control
Classic security approaches provide a “single door” for resources to access corporate assets and systems based on their initial network location and identity. But once inside, malicious actors can exploit that access, moving laterally through the network. The location should be continuously tracked, and privileges should be based not only on identity but also specifically on what a user or resource is there to accomplish.
5. Establish strong authentication
Businesses must strictly enforce authentication and authorization. These should be based on a formal identity and access management (IAM) system that includes multifactor authentication. Similar to access, authentication and authorization should be dynamic—with consistent scanning for and assessment of threats and with policies re-evaluated according to context and real-time conditions.
6. Leverage data analytics
Analytics help makes security stronger. By collecting information on resource and asset security postures, traffic patterns, access requests, and more over time—and analyzing them for patterns—organizations can strengthen cyber security and data quality on an ongoing basis.
The benefits of data hygiene
With high-quality data, security teams can automate confidently, relying less on human judgment to check, approve, or fix automated decisions. Reliable automation enables real-time security at scale, reinforcing the zero-trust security context even when thousands of users, devices, and assets are involved.
The higher the quality of an organization’s data, the less data is needed to inform accurate, trustworthy business decisions. That can translate into faster decision-making with less (or no) human oversight and lower IT and cloud costs because fewer resources are required to process the data, and there's less to store.
Separate from providing transactional security assurance, data hygiene based on zero trust has a higher-order role in enabling and protecting the business. According to Gartner, 64% of board directors recognize digital infrastructure as strategically crucial to business goals, and 88% see cybersecurity as a business risk. In another report, Gartner predicted that by 2023 nearly a third of CISOs will be evaluated on their ability to “create value for the business.”
High-quality data based on the zero-trust approach makes it easier to create that value for the energy sector by ensuring safeguards without constraining productivity, opening the door for innovation and the provision of better services.
About the Author:
Michael Sanchez, CEO (CISA), has over 35 years of experience in information technology, cybersecurity, physical security, risk, compliance, and audit. He is the former head of Commercial Cybersecurity and Compliance for a large global management consulting firm and is experienced in successfully scoping and advising on projects of all sizes and complexity. In other past roles, Michael managed IT and OT for a $12-billion energy corporation, assisted in the IT rebuild and redesign for a large power generation company, and served for 12 years as a board member for FBI InfraGard Houston, helping to facilitate the sharing of information related to domestic physical and cyber threats. He currently serves on two ASIS International steering committees (Utilities Security and Critical Infrastructure) and is a member of the Forbes Technology Council.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
Achieving Resilience with NERC CIP
Explore the critical role of cybersecurity in protecting national Bulk Electric Systems. Tripwire's NERC CIP Solution Suite offers advanced tools for continuous monitoring and automation solutions, ensuring compliance with evolving standards and enhancing overall security resilience.
