Organizations of all sizes treat data security and regulatory compliance like a roadblock instead of a design consideration. Over the last ten years, I have worked with scores of organizations to modernize and improve their software and data practices. In that time I have found that information security is a challenging position, as it is the job of security professionals to prevent companies from making changes that could seriously damage reputation and revenue, or breach compliance and incur significant penalties. There are two general archetypes of security teams that I have interfaced with:
1. The Static—we skate to one song and one song only
This organization knows what has worked in the past and generally has inherited its security posture. They're hesitant to make any changes to that and make sweeping statements like, "Everything needs to be air-gapped" or, "Data can't leave the state of New Jersey." This team doesn't look for paths forward—nor are they incentivized to do so. When team success is measured on whether security events occur, there is no real motivation to introduce change. This leads teams to ensure that whatever comes across their desk fits into a prefab mold or is summarily dismissed.
2. The Dynamic—we ask 'how,' not 'if.'
This team supports their organization as a conduit towards secure solutions. A deeper understanding of compliance regulations, as well as internal security posture combined with a strong grasp of modern software engineering patterns, provides a flexible framework to provide new solutions to the organizations that these teams support. Generally, I've seen this in smaller companies, less adherent to heirloom security docs. These teams help their organizations use the tools they want while ensuring that security standards are met.
Be dynamic.
Aside from the stagnation that occurs in organizations at the mercy of prohibitive security practices, there is a hidden cost: the "desire paths" of engineers trying to be effective. A desire path is an unplanned small trail created as the consequence of humans walking where they want to. In IT security, this looks like circumventing the security team. Over the years, I have seen this take a hundred forms: using a different version control system because creating new repositories takes weeks, adding contractors to cloud platforms directly rather than onboarding them officially, hosting open source tools without the support of Ops, and scores of others. Each one is a consequence of a suppressive security culture.
So, how does my organization get more solution-oriented, then? Let's look at a few examples of ways to create solutions with security in mind.
There are three specific patterns that I have seen repeatedly succeed when a highly regulated entity wants to use a new service or tool. These are metadata orchestration, separation of concerns, and encryption.
Metadata orchestration refers to managing and organizing metadata, which is data about data. It includes information such as the name, size, and location of a file and any tags or labels that have been applied to it. Proper metadata orchestration is essential for effective data security, as it allows organizations to track and control access to sensitive information, and to ensure that it is being used and stored appropriately. As it applies to our problem statement, this can be a way to separate sensitive data from the systems that assist in the transformation, aggregation, storage, or extraction of that data: the orchestrating tool works on the metadata while the data itself stays where it is. We see this in tools like DBT, Prefect, Monte Carlo, and many others in the data cataloging or data lineage space.
Separation of concerns, on the other hand, is the practice of separating different aspects of a system or process to make it easier to manage and maintain. In the context of data security, this might involve separating different types of data, or different groups of users, to reduce the risk of unauthorized access or misuse. This is specifically applicable to SaaS products in regulated environments. In conjunction with metadata orchestration, an organization can leverage SaaS tools' benefits without exposing private network space or sensitive data.
One way to implement the separation of data security concerns is through access control lists (ACLs) and the Principle of Least Privilege (PLP). These lists specify which users or groups of users have access to certain data or resources, and can be used to enforce the segregation of duties and prevent unauthorized access. PLP serves as the North Star when creating ACLs or IAM roles. When the question is "How much power should a user/service account have?" the answer should always be "Only as much as they absolutely need." Appropriately scoped accounts create increased velocity for software teams without sacrificing security. We can give engineers the keys to the car, but we block the roads we don't want to travel.
Encryption, applied intelligently, is essential to protect sensitive information. Encryption is the process of encoding data in such a way that it can only be accessed by those with the proper decryption key. This is especially important when transmitting data over the internet or storing it in the cloud, as these environments are vulnerable to interception and tampering. Incorporating encryption with separated systems would look like end-to-end encryption with customer-managed keys. When the organization controls the keys, only encrypted information reaches the cloud platform, and the only service relied upon for that assurance is internal key management rather than the cloud provider or the SaaS tool.
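The three patterns above (metadata handed to an external catalog, concerns separated by a deny-by-default ACL with least-privilege grants, and end-to-end encryption under a customer-managed key) fit together in a small model. The Go program below is an added example written for this post; it is not code from any of the tools named above, and the `CloudStore`, `Tenant`, `ACL`, resource names and principals are all constructed for illustration. The tenant holds an AES-256-GCM key locally; `Upload` encrypts before anything leaves the process and gives the "cloud" only ciphertext plus a `CatalogRecord` (name, size, tags, digest), and `Download` consults the ACL before decrypting locally.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// CatalogRecord is all the external catalog (the SaaS side) ever receives:
// data about the object, never the object itself.
type CatalogRecord struct {
	Name      string
	SizeBytes int      // size of the ciphertext blob
	Tags      []string // classification labels
	Digest    string   // SHA-256 of the ciphertext, enough for lineage checks
}

// CloudStore stands in for an untrusted bucket plus its metadata catalog
// (constructed for this example); it holds ciphertext and metadata only.
type CloudStore struct {
	Blobs   map[string][]byte
	Catalog map[string]CatalogRecord
}

// ACL maps resource -> principal -> granted actions. Deny by default: a
// principal gets only the actions its job needs, nothing else.
type ACL map[string]map[string][]string

func (a ACL) Authorize(principal, resource, action string) error {
	for _, granted := range a[resource][principal] {
		if granted == action {
			return nil
		}
	}
	return fmt.Errorf("denied: %s may not %s %s", principal, action, resource)
}

// Tenant holds the customer-managed key. It never leaves this process; the
// cloud side only ever sees AES-256-GCM output.
type Tenant struct{ Key []byte }

func (t *Tenant) gcm() (cipher.AEAD, error) {
	block, err := aes.NewCipher(t.Key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal returns nonce || ciphertext || tag. The object name is bound as
// associated data so a blob cannot be quietly re-labelled as another object.
func (t *Tenant) Seal(name string, plaintext []byte) ([]byte, error) {
	g, err := t.gcm()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Open rejects a truncated blob, a wrong key, or a blob stored under another name.
func (t *Tenant) Open(name string, blob []byte) ([]byte, error) {
	g, err := t.gcm()
	if err != nil || len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("cannot open %q: bad key or truncated blob", name)
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], []byte(name))
}

// Upload encrypts client-side and hands the cloud only ciphertext plus a
// metadata record; the plaintext never crosses the boundary.
func Upload(t *Tenant, s *CloudStore, name string, plaintext []byte, tags []string) (CatalogRecord, error) {
	blob, err := t.Seal(name, plaintext)
	if err != nil {
		return CatalogRecord{}, err
	}
	sum := sha256.Sum256(blob)
	rec := CatalogRecord{Name: name, SizeBytes: len(blob), Tags: tags, Digest: hex.EncodeToString(sum[:])}
	s.Blobs[name], s.Catalog[name] = blob, rec
	return rec, nil
}

// Download enforces the ACL first, then decrypts locally with the tenant key.
func Download(acl ACL, principal string, t *Tenant, s *CloudStore, name string) ([]byte, error) {
	if err := acl.Authorize(principal, name, "data:read"); err != nil {
		return nil, err
	}
	blob, ok := s.Blobs[name]
	if !ok {
		return nil, fmt.Errorf("no such object %q", name)
	}
	return t.Open(name, blob)
}
```

To use it, generate a 32-byte key with `crypto/rand`, wrap it in a `Tenant`, build an `ACL` literal such as `ACL{"claims/q1.csv": {"pipeline-svc": {"data:read"}, "catalog-svc": {"catalog:read"}}}`, and call `Upload` followed by `Download`. A principal that only has `catalog:read` is refused by `Download` even though the catalog record is fully visible to it, which is the separation the post describes: the SaaS side gets metadata, the pipeline gets data, and the key stays with the tenant.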
Overall, the effective management of metadata and the separation of concerns are key components of modern data security. By first orienting ourselves towards solution versus prevention, security teams can act as conduits towards change. By properly organizing and controlling access to sensitive data, while implementing encryption and other security measures, organizations can protect themselves and their clients from the risks of data breaches and other security threats without sacrificing progress.
The change must first and foremost be cultural: involve security early, and work with security, not against it. Security teams, take a breath. It's going to be ok. We need to see what solutions we can provide to arm our teams with their chosen tools. As the risks to any organization are manifold, so too are the options for securing sensitive data and the reputation of our teams.