Data mapping is more than just a passing thought in the day-to-day duties of Continental Airlines Chief Information Security Officer Tim Stanley. In fact, it's a mission. Stanley believes since we've become a digital society, we've gotten ourselves into a pretty deep hole when it comes to data: There's so much of it and no logical system for organizing it.
Stanley regularly makes a presentation to security professionals where he lays out this dilemma. As it stands now, no one product or system really addresses the issue of how to classify, manage and organize data. And that needs to be remedied soon before the wild rabbits (his term) multiply out of control to the point of no return.
Here Stanley spells out the need for data mapping and how to tackle the task.
CSO: You have a presentation you give where you refer to the process of data mapping as 'Domesticating the Wild Rabbit.' What do you mean by that?
Tim Stanley, CISO, Continental: Data is created or you receive from somebody as a nice gift. You pray that at some point it dies, but in between it multiplies like wild rabbits. I am never going to stop that. No one in this world can. However, if I can domesticate that wild rabbit, I will be in a much better position. The way I domesticate it is I manage it, which is what we [collectively] are not doing right now.
I have a series of pictures I use in the presentation that are from the '40's and '50's. IT didn't exist then. So we look at how they managed what they thought was massive amounts of data. I have a picture of a VA file room from the '50's. The room has row after row of file cabinets. I tell people: "Look at this picture and tell me what you can about the data." They usually look confused, so ask them to look a single file cabinet and tell me what they can about it." They will say often "There is a big number on it." I say: "Exactly."
There is a number on the cabinet and every drawer has labels on it, which tells you that the contents of the file cabinet are indexed. There is somebody that doesn't necessarily know the particular contents of those files, but they know enough about those files to tell you what drawer they need to be in, which cabinet they need to be in, and where that file cabinet is located.
There is another sign in this picture and it says "Positively No Admittance, See Information Clerk" which tells you two more things: That there were access controls on the files and someone was responsible for managing that data. This was back when there was no IT, but yet we indexed data, were responsible for its care and feeding and you could find out who the owner of the data was and could implement whatever access restrictions the owner of the data wanted. And they complied with all of the various federal regulations at the time. We can't even do that today.
So we haven't made progress. Instead we've lost what we used to know about managing data. What I propose is we start to implement what we used to know about managing data.
Is that the main message? That we need a system like we had fifty years ago? Are you calling for more products, more attention to the issue to accomplish this?
The answer is yes to all. There needs to be products to help us do this. Now we are in such a quandary because we have so much data. When you think about it, the concept of a home user having terabytes of data: That in itself is mind boggling. There is no way for them to properly manage that much data. How do you determine ownership, sort it by classification, sort what's confidential, set rules on that? The tools to do that simply don't exist. The process is there. All we need to do is go back and look at what we used to do and find an IT solution to implement those procedures and processes.
Where do we start?
Figuring out who owns the data is the single most important thing we need to do with the mountains of data we have. The second is let them know they are going to be responsible for their data. Third, make sure they have the tools to manage their data.
By the way, before you try to answer the first question with "the company owns the data," let me say that the company may be responsible for the data, but it can't be the owner because the company is not capable of making authorization decisions.
Give me an example how the current state of data management causes problems in your line of work?
My favorite is to look at what I call privacy related data; especially since the new Massachusetts law came out, or the new HIPPAA and HITECH rules came out. For all I know, there may be something in the new healthcare bill that affects us as well. Let's look at something as simple as the Social Security number, because that is going to be on both home systems and corporate systems. First of all, who should be the owner of that? Is it the individual to who it is assigned? Or is it the owner of the file that it's in? That is a decision that needs to be made.
Let's just say it's the file. A file may contain hundreds or thousands of Social Security numbers. That person needs to say "OK, that's your file, you're going to be responsible for it." But if they don't have a tool that says they know what the rules are; if it has to be encrypted if it goes outside, or if its only allowed to be accessed by certain people. Those tools don't exist to manage that piece of data.
How would this affect security?
Let's say we achieve this point, where the data is now owned, the owner has the ability to control who can see it; who can copy, delete, modify it. My job as a security professional is no longer putting out fires. I simply go to the owners of the data and say "What rules do you want applied to this data?" Then I implement those rules and verify the rules are followed. If they aren't followed, I have actions I can take.
But my job as a security person when it comes to data management should be to implement and monitor the rules. I would much rather become a trusted partner of the business units than a "cyber cop" that keeps saying NO. Beyond the regulatory requirements, it's not my decision on how data should be managed; it's the data owner. But it gets thrown on the security guy because we are the ones that end up implementing the compliance rules and we are the ones who have to chase down the forensic details.
I would much rather let the data owner set the rules on how the data should be handled, implement the tools needed to monitor the rules, and provide reporting on compliance with the rules. It's the data owners responsibility that is one of the critical missing pieces of data security.
This story, "Data Mapping: Domesticating the Wild Rabbit" was originally published by CSO.