
With stricter privacy regulations, evolving customer expectations, and growing work-from-home demands, organizations need a simple way to know, see, and manage their data. Luckily, we’ve got a few ideas. 

Security is all about the data. Protecting data is the reason companies invest in security infrastructure and services like threat detection, data loss prevention, strong multi-factor authentication, etc. But where there should be a data visibility and management layer, instead there’s a gaping hole.

As a distinguished engineer working in the Security Business Group’s Office of the CTO, I’m part of a team responsible for planning the future of Cisco’s security offerings. One of our initiatives is imagining a data security and privacy platform to give organizations visibility and control of sensitive data like personally identifiable information (PII). After 32 years of working in the cybersecurity industry, this is very exciting for me.

Business and society demand trust and privacy

Privacy is very much front and center for decision makers. In the 2019 Cisco Data Privacy Benchmark Study, 87% of respondents (up from 65% in 2018) said that customer questions about data privacy delay sales. Companies face hefty fines if they don’t comply with regulations, like the EU’s General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). Continuing work from home means more data lives on endpoints outside an organization’s control. And increased data variety (think virtual meeting information, contact tracing, smartphone videos, etc.), volume, and velocity make it harder for chief information security officers (CISOs) to be certain of what data is stored and where it is flowing.

Business aside, privacy and trust are essential for a functioning society. A digital economy can succeed only if it’s trusted. At Cisco we think of privacy as a fundamental human right. It’s part of our mission statement: “To inspire new possibilities by reimagining your applications, securing your data, transforming your infrastructure, and empowering your teams.”

Narrowing in on the problem

My team works with customers and our own IT organization to better understand data security and privacy challenges and imagine what a solution might look like. Our customers’ wish list can be distilled down to three requirements: awareness (know your data), visibility (see your data), and management (control your data). With that in mind, we’ve put some ideas together to help address the most critical requirements.

1. Comprehensive data map

Many CISOs say they struggle with two questions: (1) Where are the data stores? (2) What information needs to be protected? These are tough questions to answer when more than half of the data is unseen—the so-called “databerg.” If you don’t know what data you have, you don’t have a sense of the risk if data is leaked or compromised.

The data security platform we’re imagining might produce a real-time data map based on query n-tuples showing where data is stored, the sensitivities, where it’s shared, how long it’s retained, and how it’s used. For example, a CISO might want a visual of the data centers and geographies where employee PII is stored.

2. The power of combined context

We are exploring the concept of creating multiple, rich contextual stores that include applications, users/identities, and services along with datastores and data files. Some of this rich context is already available through existing Cisco technologies such as Advanced Malware Protection, Tetration, Umbrella, and Identity Services Engine. We’re also considering plug-and-play integration with common business platforms, such as Salesforce, Microsoft Office 365, and Workday.

Going further, we are investigating the possibilities of combining rich infrastructure telemetry, applications telemetry, and file metadata to build a comprehensive visibility and control fabric. In addition to helping customers make the journey from databerg to data map, we want to give them the power to visualize risk, control access, and assure compliance. 

3. Simple user experience

The people who need to know, see, and manage data security and privacy include data stewards, data owners, and privacy ops specialists. Some are technical, some aren’t. To keep the user experience simple, we envision a single user interface, like Cisco SecureX, with different dashboards tailored to the user’s role. In our current thinking, if you’re a data steward you’d be able to see a data map of where all the sensitive data is stored by region. If you’re a data owner, you’d be able to create policies on who can see data and where they can move it. If you’re in privacy operations, you’d be able to fulfill data subject access requests (DSARs) as required by GDPR and CCPA.

Bringing all privacy activities onto one platform

As I write this, we’re working to provide more visibility into metrics from our own solutions, plan new initiatives, and explore partnerships with other companies. Our end goal is bringing everything you need to know, see, and manage sensitive data onto one platform. It’s good for business, good for individuals, and good for society.

That’s a glimpse into our thinking. We’re interested in yours. What would you like to see in a privacy platform? Please let us know in the comments below.



Authors

Michele D. Guel

Distinguished Engineer & Data Security and Privacy Strategist

Office of the CTO, Security Business Group