SentryOne Document and Your Data Protection Roadmap
Disclaimer: I am not a lawyer and none of the content in this blog post constitutes legal advice. Consult a lawyer to identify what regulations/standards apply to your organization and how you should meet your business requirements.
An implicit requirement for the General Data Protection Regulation (GDPR) and of any proper information security program is a data inventory and mapping exercise. The goal is to identify data processed by your organization—special categories of personal data, business to business (B2B) data, or other types of data—and how they flow across systems. Before you can protect your assets, you must know what assets you have.
A data inventory and mapping exercise should happen on a regular basis, because infrastructures are dynamic. However, the exercise can be tedious if done manually: it requires numerous interviews with technical owners or management, digging through systems to identify data types, and tracking data as it integrates with other services. SentryOne Document can automate this process, allowing your team to focus on governing your data estate.
An Overview of SentryOne Document
SentryOne Document, our database documentation and data lineage analysis solution, enables you to:
- Produce complete documentation for a monitored environment
- Include historical and current documentation
- Search for metadata in your environment
- Compare documentation against previous snapshot versions
- Track object lineage
- Visualize data genesis and use
- View different dependency levels: inbound, outbound, and bidirectional
- Expand objects to display children and easily jump to documentation
- Build a single, informative source of truth with a data dictionary
- Annotate objects with information such as ownership
- Specify global entries: default values that can be applied to objects
- Assign categories: a field housing information about objects, such as an emergency contact
- Integrate with technologies such as Excel, Power BI, SQL Server, SSAS, SSIS, Salesforce, and more
[Image: Salesforce flow data lineage]
Check out this tour to see SentryOne Document in action. You can also learn more about SentryOne Document in our documentation and on our support site. SentryOne Document can help you complete the initial steps of your information security program. Here’s how.
Setting the Stage
The Information Commissioner’s Office (ICO) provides a checklist for data controllers and data processors under the GDPR. The first step involves conducting an information audit and documenting your findings, which in part satisfies the accountability principle: “a principle which requires that organizations put in place appropriate technical and organizational measures and be able to demonstrate what they did and its effectiveness when requested.”
This discovery phase is a key step for other standards and compliance frameworks, too, such as the California Consumer Privacy Act (CCPA) and the NIST Cybersecurity Framework (the latter pictured below).
[Image: NIST Cybersecurity Framework. Image credit: Identity Maestro]
SentryOne Document can provide you with puzzle pieces—data collection and storage information, how data is used and linked across environments, as well as data lineage—to form a complete picture of your monitored environment. Knowing what data your organization holds and where it is stored is important from a regulatory perspective. For example, if your organization processes special category data under the GDPR, there are several obligations that come with that. Moreover, if that information is compromised in a breach, you are almost certainly required to notify the affected parties and your respective data protection authority.
On a related note, Jason Hall writes about data lineage and the chain of custody in the context of HIPAA in this article. Information gleaned from SentryOne Document can be combined with a list of other assets (such as hardware), business processes, and other documentation for greater visibility into your infrastructure.
Lights, Camera, Action!
Once your database environment has been documented, you can use this information in some of the following ways:
- Conduct threat risk assessments. This involves identifying your assets, the crown jewels among them, and anticipating threats to their confidentiality, integrity, and availability (the CIA triad). Risk assessments are paramount according to Jill Girardeau, Chief Regulatory Counsel at Change Healthcare. Auditors bring down the hammer on companies that have not performed these exercises, because the omission indicates negligence.
- Housekeep to satisfy the data minimization principle. Data minimization requires that you keep only the data necessary for particular purposes. If your documentation reveals unneeded data, you can tidy up your estate.
- Cleanse your data. This means ensuring your data are accurate and stored in appropriate places.
- Craft your privacy policies and update your contracts. Your policies and contracts might be required to specify what data you collect, the purpose(s) for collecting that data, and how you use said data.
- Honor data subject rights requests. Data subjects are granted rights under some regulations, including the right of access, the right of erasure, the right to be informed, the right to object, and the "do not sell" rule.
- Enroll your team in the appropriate training. Your team might be required to undergo specific types of data privacy and protection (and general security) training under certain regulations. Additionally, in business relationships involving sensitive data, there are often contractual clauses stating that employees should be enrolled in various types of security training.
- Build an incident response plan. PCI, HIPAA, and special category data under GDPR are all highly sensitive categories, and your incident response protocol will branch off into separate action items depending on which of these categories has been compromised. Visibility into your data estate means you can prepare for an incident.
Now that you have an idea of what your critical assets are, you can develop a data protection strategy. The security mechanisms you select to protect your assets and detect suspicious behavior should match the sensitivity of those assets; proportionate controls save time and money. For example, elevated privileges should be required to access server rooms, but it would be wasteful to place the same protections around coffee mugs. A threat risk assessment, in part informed by the work done by SentryOne Document, can help your organization make these decisions for assets that fall into foggier areas.
The Show Must Go On
Data privacy and protection regulations and standards should not be thought of as checkboxes, but as living, breathing projects that evolve over time and integrate with an overall security governance program.
This is, in part, because the relationship between cyber attackers and defenders is an escalatory spiral by nature. Defenders implement tools and processes to safeguard their systems, while attackers try to bypass or break those protections. Defenders then close these attack vectors, and once again attackers try to circumvent the new controls. This relationship guarantees that an information security program is never complete. What's more, data privacy and protection regulations are relatively new and ever evolving.
SentryOne Document—a tool that can automate and provide penetrating insight into your data estate and help strengthen your security program—liberates your team to tackle other challenging problems.
Paul (@paulmargiotis) is the Security Engineer at SentryOne, where he writes and implements security policy, directs compliance with data privacy and protection regulations, and strengthens the organization's network and perimeter defense. In his articles, he shares insight into hardening systems and infrastructure, risk management, cryptography, and building robust processes and protocols to enhance security governance. Paul holds a master's degree in Cybersecurity, with a concentration in Network Security, from the University of North Carolina at Charlotte.