Blogs & Resources

Parsing the Whitehouse Factsheet: Data Security

Supreeth Rao

Nations around the world are ramping up defenses against cybersecurity threats, especially to protect critical infrastructure. The U.S. government has launched public-private action plans to shore up the cybersecurity of the electricity, pipeline, and water sectors. In a recently published Whitehouse factsheet on cybersecurity, the U.S. government is urging companies to take proactive measures - some urgently.

The most important recommendations are about securing sensitive data -

  • Back up your data and ensure you have offline backups beyond the reach of malicious actors;
  • Encrypt your data so it cannot be used if it is stolen;
  • Identify and mitigate threats, a need for modern security tools to enable continuous protection.
  • Look beyond just the config-based controls, and look into unusual behaviors.

Focusing on long-term protective measures, enterprises are urged to-

  • Addressing over-provisioning head-on to reduce the attack surface is essential for long-term resilience. 
  • From the Factsheet - “Develop software only on a system that is highly secure and accessible only to those actually working on a particular project.” 
  • Identifying abnormal accesses and having the ability to assess the impact of such actions is a necessary weapon in any modern security stack.
  • Security practices that bring in pro-active data protection are not only being mandated in government software purchases but it's also highly recommended for all enterprises.

In order to achieve the data-centric outcomes of these Whitehouse recommendations, enterprises need to know where their sensitive data resides, who is accessing it, and whether it is vulnerable to internal misuse or external threats from ransomware. Recommendations are tailored to prevent data breaches or exfiltrations, driving home the point of the criticality of protecting data and data infrastructure.

To address the recommendations, requires a modern cloud data protection tool like Theom that uses machine learning to classify cloud data, build context around its relationship to users and 3rd party vendors and pinpoint risks from over-provisioning, atypical queries, and insecure access. A data-centric approach to protecting data.