Data Residency and Risk Management
Data residency analysis is the process of determining the physical or geographic location of the data and digital artifacts that reside in your information system. Luckily data residency for US public sector agencies is well defined. The data and information resources of US government systems it needs to reside within the United States.
On-premises systems naturally reside within the US. Cloud service providers’ public sector cloud products address the need to protect and store the data created during the process of running the US government by storing it within the US. FedRAMP dictates where cloud service providers store government data in transit and at rest within the borders of the US.
Define What’s Inside the Box
When you begin the process of analyzing your information resource assets, and defining your system boundary under the risk management framework (RMF) consider the physical and geographic location of data inside the individual physical hardware and applications that make up your systems. Think inside the box.
Here are some data residency considerations to look at when categorizing your system using the risk management framework.
Data In the Wild
An important aspect of data residency to consider is all the places your data can reside outside of the usual data storage components of the system. What are the data residency risks to your data? How can it move from your secure risk-managed environment into the digital wild.
Many potential data leaks are fairly straightforward to find and fix. Have a policy on how to handle data migration onto removable media. Protect sensitive documents so they can’t be printed or saved locally. Insure that all of your important digital artifacts have appropriate security protection.
Have policies that manage creation and storage of documents and their movement in, out, and around your environment. Moving documents in and out of organizations is a fundamental business process. A lot of the control of that information flow depends on your employees and constituents understanding cybersecurity risk and the need to protect intellectual property. Keep track of your most important documents. Have an audit trail of who read accessed your most important assets, mark the documents so the user can easily tell that they ned to be protected. Keep track of who printed them, and who shared them.
There are the more challenging data in the wild considerations. A lot of thought goes into granting permission to read and write data in the database itself but how do you handle exports and custom queries? How do you handle permissions for power users who want to create their own queries and inadvertently save sensitive data locally? Do you permissions prevent the export their queries to csv files and download to a local device where the user can then email themselves the spreadsheet with the proprietary data in a useable format? How do you ensure that the downloaded file doesn’t contain personally identifiable information? Have you disabled features that allow users take screenshots?
Agencies where users are routinely processing confidential or personally identifiable information should consider how they manage the buffers and local storage used by work processes and what can move in and out of the clipboard. It’s harder to exfiltrate this data from the buffer or the clipboard but for a skilled and motivated attacker it’s a nice target.
There is another data set that resides on your systems that should be considered when doing your Step 1 RMF analysis. Where does your dark data reside?
Dark data has a number of definitions. Gartner defines dark data as “the information assets organizations collect, process and store during regular business activities, but generally fail to use for other purposes.” Others define dark data as the machine data that hangs around in your system — log files; customer info used in business processes and workflows; account information generated for transactions; ex-employee data left on desktops, laptops, and devices of the departed; and, attachments in your email box. Then there is the host of machine data produced by nearly every software application and electronic device in an organization and contains a definitive, time-stamped record of various activities, such as transactions, customer and user activities, and security threats. Beyond an organization’s information systems and security infrastructure, every processor-based system, including HVAC controllers, smart electrical meters, GPS devices and radio-frequency identification tags, and many consumer-oriented systems, such as wearables, mobile devices, automobiles and medical devices that contain embedded processor chips. They all continuously generate machine data.
Dark data can provide deep insight into the tempo and activity of your operation. Data from new transactions, shipments, creation of new customer or constituent, swipes of access cards at entry doors, generation of a new case record, the names and times when transactions occur, the success or failure of a lab experiment. Consider what a smart adversary might learn if they can piece together all of the dark data your system creates even if they can’t get to your databases and digital artifacts. Then consider what you need to protect and what you need to routinely remove as part of your cyber hygiene program.
When analyzing the digital assets in your information system under RMF, consider these in the box data residency considerations.
Want to learn more about cFocus Software’s Authority to Operate as a Service program and how to analyze your data? Contact us.