The Security Challenge: Mapping & Securing Your Distributed Data

Uploaded on 2023-07-24 in TECHNOLOGY--Developments, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Here's a quick-fire question: do you know where all your sensitive data is? As businesses of all sizes generate, accumulate, store, and process more data records in more places than ever, it’s increasingly challenging to classify and track all that data - not to mention make use of it. 
 
On the one hand, enterprises rush into digital transformation with their isolated data silos and outdated legacy code. On the other hand, 86% of developers admit they do not consider application security a top priority when coding.

Somewhere in between are CISOs facing burnout as they attempt to enforce code security best practices, privacy regulations, and compliance standards into the chaotic process that is the software development lifecycle.  

Why Is Data Scattered In The First Place?

Whether you like it or not, most data produced, stored, and processed by business applications is distributed by nature. Both logical and physical data distribution is necessary for any application to scale in functionality and performance. Organizations store different data types across different files and databases for various purposes.
 
The classic example of data distribution within a company is buyer and client data. One SME can have data on leads, warehouse orders, CRM, and social media monitoring spread over dozens of internally developed and third-party SaaS applications. These applications read and write data at different intervals and formats to owned and shared repositories. In many cases, each also has various schemas and field names to store the exact same data.
 
Application development processes distribute a significant portion of data within the application architecture, especially regarding serverless, microservice-based architectures, APIs, and third-party (open source) code integration. So, the critical question isn’t why we distribute data in our applications. Instead, it's how we can manage it effectively and securely throughout its lifecycle in our application.  

Mapping Distributed Data: Is The Effort Worth The Reward?

Shift left application security, big data security, code security, and privacy engineering are not new concepts. However, software engineers and developers are only beginning to adopt tools and methodologies that ensure their code and data are safe from malefactors. Mainly because, until recently, security tools were designed and built for use by information security teams rather than developers.
 
Privacy by design is nothing new either, but in today’s hectic velocity and delivery-driven developer culture, data privacy still tends to be neglected. It often remains ignored until regulatory standards (like GDPR, PCI, and HIPAA) become business priorities. Alternatively, in the aftermath of a data breach, the C-suite may demand that all relevant departments take responsibility and introduce preventative measures.
 
It would be great if all software services and algorithms were developed with privacy by design principles. We’d have systems planned and built in a way that makes data management a breeze, which would streamline access control throughout the application architecture and bake compliance and code security into the product from day one. In short, it'd be absolutely fantastic. But that’s not the case in most development teams today. Where do you even start if you want to be proactive about data privacy?
 
The first step in protecting data is knowing where it resides, who accesses it, and where it goes. This seemingly simple process is called data mapping. It involves discovering, assessing, and classifying your application's data flows.
 
Data mapping entails using manual, semi-automated, and fully automated tools to survey and list every service, database, storage, and third-party resource that makes up your data processes and touches data records. 
 
Mapping your application data flows will give you a holistic view of your app's moving parts and help you understand the relationships between different data components, regardless of storage format, owner, or location (physical or logical).

Don’t Expect An Easy Ride:   Mapping your data for compliance, security, interoperability, or integration purposes is easier said than done. Here are the hurdles you can expect to face. 

Depiction Of A Moving Target:   Depending on your application's overall size and complexity, a manual data mapping process can take weeks or even months. Since most applications that require data mapping are thriving and growing projects, you’ll often find yourself chasing the velocity of codebase expansion and deploying additional data stores throughout micro-services and distributed data processing tasks. However you spin it, your data map is obsolete as soon as it’s complete.

The Ease Of Data Distribution:   Why do new data stores pop up faster than you can map them? Because it’s so easy to deploy new data-based features, microservices, and workflows using cloud-based tools and services. As your application grows, so does the number of data-touching services. Furthermore, since developers love to experiment with new technologies and frameworks, you may find yourself dealing with a complex containerized infrastructure (with Docker and Kubernetes clusters) that may have been a breeze to deploy, but is a nightmare to map.

The Horrors Of Legacy Code:   As enterprises undertake digital transformation of their legacy systems, they must address the data used and created by those systems. In many cases, especially with established enterprises, whoever originally wrote and maintained the legacy code is no longer with the company. So it’s up to you to explore the intricacies of service interconnectivity and data standardization in an outdated environment with limited visibility or documentation.

 Integrating Security & Privacy Engineering In Your Applications

It's no secret that data is stolen every day. So much so that you can pretty much guarantee that your email address is included in one or more datasets for sale on the dark web. What can you do to protect your application and data from the greed of cyber criminals and the scrutiny of regulators?

Scan Your Code To Map Your Data:   Modern CI/CD pipelines and processes employ Static Application Security Testing (SAST) tools to identify code issues, security vulnerabilities, and code secrets accidentally pushed to public-facing repositories. You can employ a similar static code analysis technique to discover and map out data flows in your application. 
 
This approach maps out the code components that can access, process, and store the data, thus mapping out the data flows without fully crawling the content of any database or data store.

Enforce Clear Boundaries For Microservices:   In a microservice architecture, each microservice should (ideally) be autonomous (for better or worse). But where does each microservice end and another begin regarding sensitive data? 
 
You can identify the boundaries for each microservice and its related domain model and data by focusing on the application's logical domain models and related data. Then, attempt to minimize the coupling between those microservices.
 
Secure Your Sensitive Data:   Your organization's data is its most precious asset, and Data Security Posture Management (DSPM) solutions are the key to safeguarding it. These solutions are able to pinpoint sensitive data stored in the cloud, determine who is allowed to access it, and analyze the overall security posture of the data.

Shift Left For Privacy In A Distributed World

 Data security and privacy are rarely a priority for application developers. So it’s no surprise that application data can float around your cloud assets and on-premises devices uncatalogued and unmanaged. However, in 2023 you can’t afford to neglect data privacy laws and potential data security threats lurking in your code.

Mapping the data flows in and out of your application is the first step to shifting privacy left and integrating privacy engineering, compliance, and code security in your CI/CD pipeline.   

Dotan Nahum is Founder and CEO of Spectralops.io part of CheckPoint                        Image: Pixabay / Geralt

You Might Also Read:

Data Sovereignty:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

 

 

 

« The Impact of Artificial Intelligence On Knowledge Workers
Cyber Crime Claims Repeat Victims »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

CloudLayar

CloudLayar

CloudLayar is a cloud-based website firewall for protecting your website against online threats.

Cymulate

Cymulate

Cymulate is a SaaS-based breach and attack simulation platform that makes it simple to know and optimize your security posture any time, all the time.

Lepide

Lepide

LepideAuditor is a powerful Data Security Platform that enables you to reduce risk, prevent data breaches and prove regulatory compliance.

Tecnalia Research & Innovation

Tecnalia Research & Innovation

Tecnalia is the largest center of applied research and technological development in Spain, a benchmark in Europe and a member of the Basque Research and Technology Alliance.

Tehtris

Tehtris

TEHTRIS XDR Platform was developed to control and improve the IT security of private and public companies against advanced cyber threats such as cyber espionage or cyber sabotage activities.

Authomize

Authomize

Authomize aggregates identities and authorization mechanisms from any applications around your hybrid environment into one unified platform so you can easily and rapidly manage and secure all users.

Gigit

Gigit

Gigit’s Service portfolio focuses on your business’ needs and the integration of comprehensive cybersecurity policies, plans, procedures, and practices into your business culture and operations.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

SecurEyes

SecurEyes

SecurEyes is a leading cybersecurity firm that provides specialised services, including cybersecurity assessments, managed services, and governance risk and compliance services.

ABM Technology Group

ABM Technology Group

ABM Technology Group (formerly True IT) provide business information technology services, solutions, and consulting for small to mid-sized organizations.

Digital Security Authority (DSA)

Digital Security Authority (DSA)

The establishment of the Digital Security Authority, which incorporates the National CSIRT, is crucial to significantly raising the cybersecurity posture and capabilities of Cyprus.

appNovi

appNovi

appNovi inventories everything to map the attack surface, identify missing security agents, and prioritize vulnerabilities based on exposure.

Lenze

Lenze

Lenze are an experienced partner for automation systems, digitalization and cyber security.

Apex iQ (ApexiQ)

Apex iQ (ApexiQ)

ApexiQ is a continuous asset assurance platform that empowers you with the confidence to make better data-driven decisions and take automated action to reduce your risk.

Orchid Security

Orchid Security

Orchid Security provides unprecedented insight and action to your identity security with the help of advanced technologies like Large Language Models (LLM).

Unosecur

Unosecur

Unosecur is a comprehensive identity security platform that addresses identity-related threats in multi-cloud and on-premise environments.