(ISC)²'s bi-monthly e-newsletter, Cloud Security INSIGHTS, delivers timely, must-read original articles for the professional development of infosecurity practitioners focused on cloud security.
NOVEMBER CLOUD SECURITY INSIGHTS
How National Gypsum Is Leveraging Its Digital Transformation to Improve Data Security
By Paul South
Sometimes, it takes some nudging to get a company to embrace new technology, especially when that technology involves moving secured on-premises data into the cloud. For century-old National Gypsum, that push came in part due to expenses generated by lawsuits.
Expensive, repeated, lengthy legal proceedings helped the Charlotte, N.C.-based company realize it was time to transition away from old, on-premises content and filing systems and find a secured virtual space for at least some of its digital content. As a best practice, the company’s IT leadership—with those legal proceedings still fresh—decided to conduct an inventory of all its data assets and review its data storage and retention policies.
At last month’s (ISC)² Security Congress in New Orleans, Mike Brannon, director of infrastructure and security at National Gypsum, outlined how the company is leveraging its move to the cloud to improve its security posture.
“Every litigation that you choose to fight leads to a lengthy and often expensive ‘discovery process,’” Brannon said. “We realized that well-managed content — especially where the ROT [redundant, obsolete, trivial stuff] — is defensibly disposed of and a ‘delete by default’ approach could be deployed with our ongoing Microsoft cloud move. Since all employees are making the switch to a new way of working with their digital content — such as email, files, etc. — it has been the perfect time to make this big change.”
But the benefit extends beyond the legal department, to enterprise-wide cybersecurity.
“Less content kept has — or will — result in lower costs when litigation happens: there simply is far less ROT to process,” Brannon said. “Also, as your piles of content get smaller, you have less attack surface and the net result there is your content that has been labeled and kept is far better secured than before.”
The need for a strong (automatic) data retention and deletion policy
In an interview before his talk, Brannon outlined the liabilities that come with managing never-expiring content.
“First, we were a bit guilty in the past of simply never taking enough time to properly and defensibly delete content that, by our stated policy, we should have disposed of. That can cause issues when an opposing party tries to make assertions that since we are not following policy, we must be bad and guilty of something,” he explained.
“The other aspect of that mentioned before in a different way is, you have a lot of data to wade through and that can be very, very expensive during e-discovery and processing. Secondly, anything that is deemed a permanent record will be clearly labeled and categorized in our new setup. These ‘labels’ carry retention meaning, so something might be deemed a permanent record that must be preserved and not deleted — and the labels also carry some security meaning. This ensures we properly protect and secure a permanent record over its enduring lifetime.”
In his talk, Brannon outlined in some detail the steps his company has taken to move National Gypsum’s assets to the cloud. So far, asset migration has been voluntary, and the company hopes that 30 to 40 percent of its employees will become compliant this year. It is hoping to complete its digital transformation by the end of this year or early 2019.
“It’s been a challenge educating people,” Brannon said. “We’ve been fortunate to have a partnership among people from legal, operations and security who help us with the training development and delivery effort; otherwise, we’d be out to sea. . . . It’s been a big effort.”
PAUL SOUTH is an editor at InfoSecurity Professional magazine.