Cyber Cub Scouts, Boy Scouts, and Eagle Scouts–The Data Protection Maturity Life Cycle
When it comes to data protection, are you a Cub Scout, a Boy Scout–or an Eagle Scout?
Your place in the IT and data security maturity life cycle is a lot like the scouts. As your organization becomes more mature, your view of protection becomes more sophisticated.
The Cub Scouts’ motto is: “Do your best.” Cub Scouting is about participation and affirmation. There are requirements, but what gets measured is the effort. On the other hand, the Boy Scout motto is: “Be prepared.” Boy Scouts focus on achievement and growth. Progress means meeting requirements. Self-reliance is the driving discipline.
Cub Scouts are at the earliest phase of an IT security maturity life cycle. Eventually Cub Scouts need to mature into Boy Scouts. And if they work hard enough, they can move to the elite ranks of Eagle Scouts, where they serve as role models for the best and brightest.
From an IT/cybersecurity standpoint, the current state of many organizations is at the “Do Your Best” phase. Do this, do that–try to stop the bad guys from getting your stuff. Your efforts will inevitably fall short, but you will have tried your best.
A more mature approach is the “Be Prepared” approach. Yes, these efforts at stopping the bad guys are important, and striving to stop them is good, but knowing that at some point security will fail, these security teams prepare for these failures by securing the data–or “securing the breach”–by encrypting the data and managing the keys.
Here’s how an organization relates to the three phases of a “scouting” security maturity life cycle.
Cub Scouts–Do Your Best
This part of the maturity life cycle focuses on basic security–that is, relying on perimeter protection, rather than protecting data. At this point, perimeter protection is itself fairly basic, relying on firewalls as the way to permit or reject traffic, based on its source. Routers, load balancers, and VPNs are all behind the firewall, allowing for the minimum level of network security.
Once your organization has accepted the fact that perimeter protection will eventually fail and a breach will occur, you are at the point of actually protecting your data, as opposed to just putting locks on your door.
Boy Scouts–Be Prepared
For this part of the cybersecurity maturity cycle, perimeter protection is still in place, but you start to apply additional security measures on your most valuable assets–the data itself. By embedding protection on data, even after the perimeter is breached, the information can remain secure.
Unfortunately, organizations often take an incomplete approach to data encryption, which can create gaps in security. For example:
- Encrypting data in storage, but not data in motion;
- Encrypting external communications, but not data inside the firewall;
- Total reliance on cloud solution providers to protect data in the cloud;
- Lack of multifactor password and user authentication; and
- Storing cryptographic keys in software.
This last element (software storage of crypto keys) is particularly problematic for real data security. While storing keys for encrypting and decrypting data in software offers some measure of protection, it is simply more vulnerable than hardware-based storage.
The organizations that have moved beyond simple perimeter protection and employ robust encryption to protect their data are the Eagle Scouts in security.
Eagle Scouts–Demonstrated Leadership
Even more forward thinking than rank-and-file Boy Scouts, these demonstrated leaders complete every task they strive to reach. In IT security, they are the group that hits all defense requirements thoroughly, and in depth. This group not only demands perimeter protection and data encryption, but the strongest authentication over users and passwords.
Strong authentication blocks unauthorized access and holds authorized individuals accountable for their usage of digital resources. Applying different authentication methods to different user groups, particularly privileged users with administrator access, ensures these organizations prevent the misuse of data and systems by insiders.
Aspects of this part of the security maturity life cycle include:
- Encrypting all sensitive data, both structured and unstructured (on-premise, virtually, or in the cloud), across multiple locations;
- Securing cryptographic keys in a hardware security module, as opposed to the partial security of software-based key management;
- Employing a crypto management platform, which centralizes management of the entire key life cycle across the extended organization.
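The points above about keeping cryptographic keys out of software storage and centralizing the key life cycle are easier to see in code. The following Go program is an added example written for this page; it is not code from the article or from SafeNet. It models a key-encryption key (KEK) that lives behind a boundary (an HSM in the article's terms) through a `KeyProvider` interface that can wrap and unwrap data keys but never returns the KEK bytes; the `boundaryKEK` type is a constructed software stand-in for that hardware boundary. Each record is encrypted under its own data-encryption key (DEK), the DEK is stored only in wrapped form, and `Rotate` moves a record to a new KEK by re-wrapping the DEK without re-encrypting the bulk data. All names and the sample plaintext are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyProvider models a KEK held inside a boundary (hypothetical stand-in for
// an HSM): callers can wrap and unwrap data keys but never read the KEK itself.
type KeyProvider interface {
	KeyID() string
	Wrap(dek []byte) ([]byte, error)
	Unwrap(wrapped []byte) ([]byte, error)
}

// boundaryKEK is the constructed software stand-in: the key field is
// unexported and no method returns it, so the only way to use the KEK is
// through Wrap/Unwrap.
type boundaryKEK struct {
	id  string
	key []byte
}

// NewBoundaryKEK generates a fresh 256-bit KEK identified by id.
func NewBoundaryKEK(id string) (KeyProvider, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &boundaryKEK{id: id, key: k}, nil
}

func (b *boundaryKEK) KeyID() string { return b.id }

// aeadSeal encrypts with AES-256-GCM and prefixes the random nonce.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, aad)...), nil
}

// aeadOpen reverses aeadSeal and fails on any tampering with nonce or data.
func aeadOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Wrap/Unwrap bind the wrapped DEK to the KEK id via the GCM associated data.
func (b *boundaryKEK) Wrap(dek []byte) ([]byte, error) { return aeadSeal(b.key, dek, []byte(b.id)) }
func (b *boundaryKEK) Unwrap(w []byte) ([]byte, error) { return aeadOpen(b.key, w, []byte(b.id)) }

// Record is a stored object: bulk ciphertext, the wrapped DEK, and the id of
// the KEK that wrapped it. The DEK is never persisted in the clear.
type Record struct {
	KEKID      string
	WrappedDEK []byte
	Ciphertext []byte
}

// Encrypt generates a per-record DEK, encrypts the data, and wraps the DEK.
func Encrypt(kek KeyProvider, plaintext []byte) (*Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := aeadSeal(dek, plaintext, nil)
	if err != nil {
		return nil, err
	}
	wrapped, err := kek.Wrap(dek)
	if err != nil {
		return nil, err
	}
	return &Record{KEKID: kek.KeyID(), WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt refuses a KEK whose id does not match the record, then unwraps and decrypts.
func Decrypt(kek KeyProvider, r *Record) ([]byte, error) {
	if kek.KeyID() != r.KEKID {
		return nil, fmt.Errorf("record wrapped under %q, provider holds %q", r.KEKID, kek.KeyID())
	}
	dek, err := kek.Unwrap(r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return aeadOpen(dek, r.Ciphertext, nil)
}

// Rotate re-wraps the DEK under a new KEK; the bulk ciphertext is untouched.
func Rotate(oldKEK, newKEK KeyProvider, r *Record) error {
	if oldKEK.KeyID() != r.KEKID {
		return errors.New("record is not wrapped under the given old KEK")
	}
	dek, err := oldKEK.Unwrap(r.WrappedDEK)
	if err != nil {
		return err
	}
	w, err := newKEK.Wrap(dek)
	if err != nil {
		return err
	}
	r.KEKID, r.WrappedDEK = newKEK.KeyID(), w
	return nil
}

func main() {
	k1, _ := NewBoundaryKEK("kek-2024")
	k2, _ := NewBoundaryKEK("kek-2025")
	rec, _ := Encrypt(k1, []byte("constructed sample record"))
	_ = Rotate(k1, k2, rec)
	pt, err := Decrypt(k2, rec)
	fmt.Printf("after rotation: %q, err=%v\n", pt, err)
}
```

Because the KEK is only reachable through `Wrap` and `Unwrap`, a copy of the stored records plus the wrapping code is useless without access to the provider, which is the property the article attributes to hardware-backed key storage; rotation touching only the small wrapped DEKs is what makes centralized key life-cycle management practical at scale.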
Of course, threat vectors are always changing, so you can never really finish the path to complete IT and data security. But in today’s cybersecurity environment, “Do your best” isn’t good enough anymore. It is time to “Be prepared”–and then some.
Tom Callahan is VP of sales for SafeNet Assured Technologies, LLC. He can be reached at thomas.callahan@SafenetAT.com.