Data Security Through the Lens of Data Governance

Cybersecurity and the Data Governance Landscape  

The press is replete with stories involving various cyber incidents, which affect enterprises and governments of all sizes.  Allianz’s annual survey identified cyber incidents as the top risk for business in 2024¹. These incidents also ranked in the World Economic Forum’s Top 10 risk globally, with damages reaching $10.5 trillion annually (about $32,000 per person in the US) by 2025². At the same time, organizations are working with ever-increasing volumes of data across highly dynamic environments, which is unlikely to slow anytime soon.

The risks and costs associated with incidents are surprising at some level, given many organizations have developed sophisticated cybersecurity programs, designed to protect infrastructure, networks, and devices from all types of attacks. However, threats continue to evolve and arise from high-level state actors all the way to negligent employees and contractors. 

Across most of the cyber threats that arise, data is ultimately at the core of the attacks, the risks, and defines the full cost of an incident.   Effective data governance practices and technologies, which incorporate data security as a critical element, help organizations mitigate risk while also allowing proper use and access. 

Cyber Attack Vectors and Surfaces 

Attack vectors are the means used to gain access to networks, systems, and data.  Attack surfaces are the pathways, points, and vulnerabilities that can be exploited to gain unauthorized access.   Modern data governance practices and platforms like Archive360 help limit the number and effectiveness of common attack vectors, while also decreasing and hardening attack surfaces.   

The most common cyber attack vectors include³:

• Phishing and social engineering 
• Malware 
• Brute Force 
• Denial of Service 
• SQL Injection 
• Cross-site scripting 

In many ways, the most common cyber attack surfaces reflect the effectiveness of attack vectors (or vice versa).  These include: 

• Human factor 
• Network shares and shared storage 
• Web and application servers 
• RDP and remote services 
• Email 
• Endpoints and mobile devices 

Ultimately, the intent of an attack is not just to gain access to a system or device but to do something with the data therein. Ransomware is still a common threat, where attackers encrypt data making it unavailable to an organization until some fee is paid.  However, and perhaps more disconcerting, a recent survey found that an increasing share of incidents (32%) involve data theft or leakage, rather than encryption for extortion⁴. High-profile attacks against UnitedHealth⁵ and Northwestern’s Lurie Children’s Hospital⁶ involved the exfiltration and sale of highly sensitive data, not just encryption for ransom.  

Archive360’s Data Governance Platform Improves Data Security 

Most large enterprises and government agencies have extensive infrastructure and applications, which comprise different generations of technologies.  Mergers and acquisitions add to this complexity, introducing new data sources and environments, which themselves may include aging systems.  The role of a dedicated data governance platform is to reduce the attack surface and decrease the effectiveness of different attack vectors.   

8 Ways Archive360's Data Governance Platform Improves Your Organization's Data Security: 

1. Mitigating the Human Factor: 

We often think of “insider risk” as comprising intentional, overt acts that compromise security or steal corporate assets.  In reality, inadvertent and negligent conduct is often a more significant risk.  Phishing and social engineering represent the most prevalent attack vectors, and humans represent the largest attack surface.  The risk arises from too many people having access over time to data and systems, and many operational systems lack the security and resiliency available in a platform like Archive360.   

By moving critical and sensitive data into a dedicated governance platform, a more discrete set of users with entitled access is created, reducing the attack surface.  In addition, users credentialed in such an environment are generally more experienced in working with and protecting sensitive data. 

2. Addressing Legacy Systems and Data: 

The WSJ recently noted the $1.52T legacy debt facing enterprises, with increased risk and security concerns significant derivatives⁷. Legacy systems are a more significant risk than modern platforms, with less sophisticated security architectures, difficulty in maintenance and patching, and more known vulnerabilities.  In addition, leaving data subject to compliance and retention obligations in operational systems longer than necessary elevates risk on a different dimension.   

By decommissioning legacy applications and retiring aging operational data into a data governance platform such as Archive360, large volumes of information are removed from higher-risk environments.  This reduces attack surfaces, and common vectors for attacks against known vulnerabilities in legacy systems. 

3. Dedicated Cloud Tenant:

Each Archive360 customer is deployed in their own dedicated SaaS environment.  Customers also have the choice to deploy the Archive360 platform into their cloud tenant if they choose.  Implementing a solution like Archiv360 which uses a dedicated tenant means segregated data, administrative access, entitlements, and the ability to integrate into customer security protocols.   

4. Data Encryption: 

Encrypting data is particularly important to limit risk, even if attackers can gain access.  Encryption makes the data unusable and limits the exposure of sensitive information.  Archive360 provides multiple levels of encryption, and unique capabilities in managing the encryption process and keys. 

• Security Gateway: Customers can manage encryption keys separate from their dedicated tenant, including managing keys on-premises.  This also allows customers to encrypt data prior to archiving, providing further protection. 

• Field-Level Encryption: Metadata and structured data can also be encrypted at a field level.  This protects sensitive information, while also allowing for access to this data for appropriately entitled users. 
  
  

5. Entitlements:

Archive360 is deployed with a zero-trust security model, which requires specific entitlement grants to access any data.  The platform incorporates an entitlement engine, which allows for highly granular access controls, including restrictions based on role, class of data, schema fields, and functionality. 

• In addition, Archive360 can integrate with an organization’s entitlement platform, confirming each access request in real time.  This means that the customer keeps full control over entitlements, and administrative users within Archive360 do not have the authority to alter access restrictions. 
  
  

6. Multi-Factor Authentication (MFA) and Single Sign-On (SSO):

The recent UnitedHealth cyberattack apparently occurred through a system where MFA was not enabled.  Although not foolproof, MFA provides a significant improvement over standard user/password authentication. 

• Archive360 supports multi-factor authentication and integration with common SSO solutions.  This allows customers to manage access to the platform, consistent with their preferred authentication protocol. 
  
  

7. Resiliency:

Ransomware attacks show the importance of multiple levels of resiliency, to limit the impact of an attack, while also allowing for recovery.

Archive360’s platform offers several key capabilities that improve resiliency, including: 

• Data Redundancy: Data is automatically replicated across three data centers in our cloud-native environment.  In addition, tenants can be configured for cross-geography replication, providing further redundancy. 
• Platform Redundancy: In addition to data replication, application and platform components can be deployed across multiple regions, with separate administrative and access controls.  This mitigates the impact if privileged access was compromised in one region since the redundant region has separate administrative credentials. 
• Data Immutability:  Writing data to immutable/WORM storage, prevents its alteration, such as secondary encryption during a ransomware attack.  Additionally, it prevents internal (or external) threats or negligent actors from deleting data, even with privileged credentials 
• Data and System Backups: Data and key components, such as indexes and databases can be backed up to a different region, and into segregated storage accounts.  These backups can also be stored on immutable storage, and air-gapped for higher levels of resiliency.  
  
  

8. Audit Controls:

Throughout the platform, Archive360 maintains an extensive event audit history.  This includes data processing, access, all changes to configurations and controls, search, disposition, or export, all at an object level.  This provides rapid traceability for audit and response purposes, and defensibility to authorized activities.   

Conclusion 

Data is the lifeblood of modern organizations, and threat and negligent actors create significant risks.  Given the volume and importance of data is ever increasing, data security will remain critical for enterprises and government agencies.  Implementing effective data governance is an important part of managing data security.  Deploying a solution like Archive360 can decrease attack surfaces, while also implementing capabilities that mitigate the impact of common attack vectors.  Contact us today to speak to an expert about your data governance strategy. 

WHITEPAPER

Data GRC Management by Design

The complexities of business demands a new paradigm in data governance strategies. To stay relevant and compliant, your organization will need to focus on governing and managing your data effectively now more than ever. 

Read this whitepaper to learn: 

• Data GRC Management by Design
• The Role of Data & Data Processes is Changing
• A Framework of Data GRC Processes
• The Data GRC Information & Technology Architecture

Download Now