Data Security

 View Only
Back to discussions
Expand all | Collapse all

Data Security Working Group Meeting - 1/30/25

  • 1.  Data Security Working Group Meeting - 1/30/25

    Posted Jan 30, 2025 09:05:00 PM

    Data Security Working Group Meeting - 1/30/25

    Publications in Development:

    Proposed (2025):

    Meeting Summary:

    The team discussed the upcoming Virtual AI Summit 2025 and future summits, as well as the progress of the Cybersecurity and the Data Lifecycle paper. They also discussed Data Security within an AI Environment. They also explored the concept of shared responsibility in cloud computing and the potential for a data-centric approach to prevent data breaches. Lastly, they shared insights on recent cybersecurity incidents, trends, and the importance of staying updated on current events.

    Virtual AI Summit and Security Updates:

    Expanding Data-Centric Security Approach:

    • Rocco and Alex discussed the potential for adding value to their data-centric security approach by expanding on categories such as cryptography, data security, privacy, and lifecycle management. They agreed to focus on data-related aspects, such as logging, monitoring, and encryption, and to pull out controls that mention data. They also discussed the importance of data loss prevention and database management. The conversation ended with the understanding that they would refine their approach to focus on the most important aspects.

    DLP and Shared Responsibility Model:

    • The team discussed the concept of Data Loss Prevention and its potential as a standalone topic. Prateek expressed interest in being part of the authoring process for this topic, given its relevance to his organization and customers. Rocco suggested merging the concepts of AI and DLP for a more comprehensive publication. The team also discussed the shared responsibility model in cloud computing, emphasizing the importance of understanding the lines of responsibility and ownership. They agreed that this model would be beneficial for their group and could be incorporated into their publication.

    Document Restructuring and Collaboration:

    • In the meeting, Alex initiated a discussion about restructuring and building out sections of a document, with Prateek and Onyeka expressing interest in contributing. Onyeka committed to delivering a product, with Alex suggesting it could be their Q2 paper. Rocco clarified that everyone in the group could edit the document, and Alex encouraged bouncing ideas off each other. Alex also mentioned the possibility of pushing the document to a peer review for further improvement. The team agreed to work on the document, with a tentative timeline of Q2. Alex also shared a link to a circle page for tracking discussions and meeting notes. The conversation ended with no further questions or comments.

    Data Security and Data-Centric Approach:

    • The team discussed the topic of data security, specifically focusing on the issue of data breaches and the need for a data-centric approach to security. Rocco highlighted the common practice of data breaches being easier to exploit than encryption, and the importance of data security in all industries. Prateek recommended reading a blog about a database leak, which was found to be unencrypted. Rocco further explained the concept of data loss prevention and the difference between a perimeter security approach and a data-centric one. Alex agreed with Rocco's points and suggested that a data-centric approach could be beneficial in preventing data breaches. The team also discussed the complexity of modern networks and the need for a cultural shift towards a more holistic approach to data security.

    Challenges in Zero Trust Movement:

    • Rocco and Alex discussed the challenges of the Zero trust movement in the financial industry. Rocco highlighted the issue of breaking existing trusts to re-establish them in a new environment, which is often met with resistance from businesses. They also discussed the increasing pressure on vendors to ensure compliance with encryption specifications and incident management processes. Rocco mentioned that large corporations are taking control of their vendors' incident management processes, including declaring a breach. Alex expressed surprise at this development, and Rocco confirmed that this is a recent trend. They also touched on the emergence of new companies offering vendor management consulting services.

    Cybersecurity, Breaches, and Compliance Pressure:

    • Alex, Rocco, and Vashti discussed the current state of cybersecurity and the impact of breaches. Rocco shared his daily experiences with vulnerability reports and the pressure from compliance departments. They also discussed the high cost of cyber insurance and the risk of mega breaches. The conversation then shifted to last years breach at Change Healthcare, which affected 190 million individuals. Rocco shared his personal experience with the breach, including the shutdown of operations and the loss of data. The team ended the conversation with a discussion on the size and structure of Change Healthcare, and the trend of acquiring companies without making significant changes.

    Cybersecurity Incidents and Recent Trends:

    • The group discusses recent cybersecurity incidents and trends. Rocco shares details about the Change Healthcare breach, explaining it was caused by an employee clicking on an old email during a migration to Office 365. They also talk about the widespread nature of data breaches, with Rocco mentioning reports suggesting that nearly all Americans' credentials have been compromised. Rocco shares a personal experience of a possible hacking attempt on his RingCentral account and discusses recent phishing attempts in Connecticut targeting the public. The conversation concludes with a brief mention of AI-related concerns and the importance of staying updated on current cybersecurity events.


    ------------------------------
    Alex Kaluza
    Research Analyst
    Cloud Security Alliance
    ------------------------------