7 “Not Easy” Steps for Securely Using Data for Real-Time Decisions

A step-by-step roadmap for taking control of your data, securing it and making it meaningful to everyone at the same time, in the same way.

Originally published on LinkedIn on Oct. 22, 2019.

Companies have data in many places. And many companies do not know what data they have, where it is stored, who and what has access to it, the trustworthiness of the data or how to organize it in a timely manner into decision criteria for leadership teams.

The easiest way to know whether what I'm saying is true is to ask someone on your technical staff for an asset and access inventory. Ask them the following:

Tell me:

- All software applications used in the company
- All places data is stored in the company
- All hardware used in the company to host, edit and manage both
- Who/what has access to these things and with what levels of power

And

- How the data is secured in transit and at rest

Give them one business day. Their reaction will reveal your truth.

Running a company minimally requires two things: knowing where you want to go and having access to timely, trustworthy data that will guide your journey. This article discusses the data aspect only.

And as you may already hope, suspect or know, addressing unsecured, unmanaged, disparate applications, data and permissions is a solvable problem. Accessing one view into your company is also solvable. Let’s look at the plan.

1. Find Your Data

Inventory all software applications and data repositories inside and outside your company, as well as anything that interacts with or exchanges data with those applications and repositories.

2. Determine The State of Your Data

What technology collects, manages and edits your data? Where is it hosted, and by whom? Is the data good, questionable or corrupt? Who and what has access to it, and what are they doing with it? Who is responsible for the security and integrity of the data? How do you know you can trust it? Is it current, and how often is it refreshed?

3. Secure your data

Is the data governed by role-based permissions, or is it wide open for too many people and systems to manipulate, extract and exploit? How does it move: direct connections? Copy-paste? Batch uploads? APIs? Is it encrypted at rest? Is it encrypted in transit?

Think your company is unlikely to be attacked, corrupted, ransomed or otherwise exploited? Consider your brand value, your consumers, privacy laws and bad press. Do people trust your brand today? Will they after a breach?

4. Establish a Common Data Format

When data originates from multiple sources, its structure is usually non-uniform. The first step is to understand the current structure and state of all data at its point of origin.

The second step is to decide on the Common Data Format (CDF) into which all data will be funneled or otherwise re-organized. For example, if your company has grown through mergers and acquisitions, you likely have many data stores holding similar kinds of data in very different states of health. If you want one view across all of these stores, a given term must mean the same thing in every instance of the data. Establishing that shared meaning is "normalization", or "establishing a Common Data Format".

Many to one.

Only after there exists a common data format are you able to see, understand and make decisions that confidently and consistently take into consideration all parts of the company.


5. Extract, Normalize and Put

When you understand all places from which data originates and have a CDF, your teams are then able to write predictable, repeatable and auditable methods of extracting, normalizing and putting data into your new, single source of truth.

To be clear, the methods of extracting data, normalizing data and putting data must be predictable, repeatable and auditable. And the structure into which all data is put is itself the CDF. Anything less and you will simply be creating a new mess that must be managed on top of your existing ecosystem — whatever the state.

6. Pull Data Predictably

Now that you have made the effort to ensure all data, from all locations, is secured and normalized, protect it. There must be a predictable, repeatable and auditable manner by which applications, systems and companies access your data. Notice I didn't say people.

To access data from the single source of truth, there must be a predictable, repeatable and auditable set of actors, permissions and activities. If actors, permissions and activities vary, it is no longer a single source of truth.

Require anyone or thing that wants access to your data to follow your rules. Non-negotiable. This includes people in Mensa, people with twenty years of tenure who have been there since the company started, the CEO’s nephew and your mom.

Your single source of truth is special. No one who wants access to the data is special. Despite what their mom told them when they were young.

7. Use Your Data to Inform Your Decisions Dynamically

Attach reporting solutions. Attach streaming solutions. Attach search (Elasticsearch, for example). Attach dashboards. Follow the rules. Enjoy peace.

Now you can trust that your data has integrity. You can trust it is secure. You can trust your data is predictable, repeatable and auditable. You can trust your company has one message.

And you can trust that your applications, repositories, data-management and security behaviors, actors, hosting solutions and reports are all known, and are something on which you can bank your company's reputation.
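One way to make steps 4 through 6 concrete, as an added example that is not from the article and not Trility's or IronBench's code: two constructed source systems with different field names and units are extracted, normalized into one Common Data Format, and put into a single store; records that cannot be normalized are quarantined rather than silently accepted; every put, pull, quarantine and denial goes into an append-only, hash-chained audit log; and pulls are allowed only for registered actors, each of which sees only the fields its role permits. The source systems, field names, state table, roles and actor registry are assumptions made for illustration.

```python
"""Extract, normalize, put and pull against a toy single source of truth.
Added example; the sources, roles and actor registry below are constructed."""
import hashlib
import json

# Constructed records standing in for two acquired companies' CRMs.
SOURCE_A = [
    {"CustID": "A-100", "Full Name": "Ada Lovelace", "Revenue (USD)": "1,250.00", "State": "IA"},
    {"CustID": "A-101", "Full Name": "Grace Hopper", "Revenue (USD)": "n/a", "State": "ia"},
]
SOURCE_B = [
    {"id": 7, "first": "Linus", "last": "Torvalds", "rev_cents": 99900, "region": "Iowa"},
    {"id": 8, "first": "Ken", "last": "Thompson", "rev_cents": 5000, "region": "Mars"},
]

# The CDF: every record from every source must land in exactly this shape.
CDF_FIELDS = ("customer_id", "display_name", "revenue_cents", "state", "source")
STATE_CODES = {"IA": "IA", "IOWA": "IA", "MN": "MN", "MINNESOTA": "MN"}  # assumed subset


def _state(raw):
    """Same meaning for every instance: 'ia', 'IA' and 'Iowa' all become 'IA'."""
    code = STATE_CODES.get(str(raw).strip().upper())
    if code is None:
        raise ValueError(f"unknown state {raw!r}")
    return code


def normalize_a(rec):
    """Source A stores revenue as a formatted dollar string."""
    dollars = rec["Revenue (USD)"].replace(",", "")
    return {
        "customer_id": f"crm_a:{rec['CustID']}",
        "display_name": rec["Full Name"].strip(),
        "revenue_cents": round(float(dollars) * 100),  # ValueError on 'n/a'
        "state": _state(rec["State"]),
        "source": "crm_a",
    }


def normalize_b(rec):
    """Source B already stores cents but splits the name and spells out the state."""
    return {
        "customer_id": f"crm_b:{rec['id']}",
        "display_name": f"{rec['first']} {rec['last']}".strip(),
        "revenue_cents": int(rec["rev_cents"]),
        "state": _state(rec["region"]),
        "source": "crm_b",
    }


EXTRACTORS = {"crm_a": (SOURCE_A, normalize_a), "crm_b": (SOURCE_B, normalize_b)}

# Roles decide which CDF fields an actor may pull; unregistered actors get nothing.
ROLE_FIELDS = {"reporting": set(CDF_FIELDS), "dashboard": {"state", "revenue_cents"}}
ACTOR_ROLE = {"report-svc": "reporting", "dash-svc": "dashboard"}  # assumed registry


class SingleSourceOfTruth:
    def __init__(self):
        self._records = {}
        self.audit = []  # append-only; each entry commits to the previous entry's hash

    def _log(self, actor, action, detail):
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"seq": len(self.audit), "actor": actor, "action": action,
                 "detail": detail, "prev": prev}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit.append(entry)

    def verify_audit(self):
        """Recompute the chain; an edited, reordered or deleted entry breaks it."""
        prev = "0" * 64
        for i, e in enumerate(self.audit):
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if e["seq"] != i or e["prev"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def put(self, actor, record):
        if tuple(record) != CDF_FIELDS:  # the structure of the store IS the CDF
            raise ValueError(f"record is not in CDF shape: {sorted(record)}")
        self._records[record["customer_id"]] = record
        self._log(actor, "put", record["customer_id"])

    def load(self, actor):
        """Extract every source, normalize, put; quarantine whatever cannot be normalized."""
        counts = {"loaded": 0, "quarantined": 0}
        for name, (rows, normalize) in EXTRACTORS.items():
            for row in rows:
                try:
                    self.put(actor, normalize(row))
                    counts["loaded"] += 1
                except (KeyError, ValueError) as exc:
                    counts["quarantined"] += 1
                    self._log(actor, "quarantine", f"{name}: {exc}")
        return counts

    def pull(self, actor):
        role = ACTOR_ROLE.get(actor)
        if role is None:
            self._log(actor, "denied", "unregistered actor")
            raise PermissionError(f"{actor} is not a registered actor")
        self._log(actor, "pull", role)
        allowed = ROLE_FIELDS[role]
        return [{k: v for k, v in r.items() if k in allowed} for r in self._records.values()]
```

Two rows are loaded and two are quarantined ("n/a" revenue and an unknown region), and both outcomes are in the audit log next to the pulls, so a reviewer can see exactly which source data never made it into the single source of truth and why. The hash chain is what makes "auditable" checkable rather than aspirational: the log can be read at any time, but changing or dropping an entry after the fact shows up in `verify_audit()`.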

____________________

If you would like to take control of your data, secure it and make it dynamically meaningful to everyone in your company, the teams at Trility help companies solve these challenges with a focus on predictable, repeatable and auditable behaviors. Email us at forthejourney@trility.io.

Simplify Compliance Management with New Features in Cybersecurity Solution

Companies can leverage a centralized, easy-to-understand tool to align with compliance standards.

July 12, 2019, DES MOINES, IA – Trility® Consulting has launched two new features to the IronBench Compliance Navigator™ product built to enable centralized management and reporting of your organization's alignment to standards. The Trility team originally set out to simplify how their own teams understand, implement, manage and audit today's information security and regulatory compliance requirements while building solutions for their clients. This effort produced a number of new software products, including IronBench Compliance Navigator.

IronBench Compliance Navigator

“Our IronBench Compliance Navigator product targets organizations that want a simple, light-weight and centralized method of managing their organization’s compliance efforts without the complexity and cost many folks experience today. People want the flexibility to handle multiple standards, audits, projects and teams at the same time, understand at a glance where risk exposures exist and to know that as people come and go, data and history will not be lost because a spreadsheet left with the last exiting team member,” says Matthew Edwards, CEO of Trility.


“We’ve seen the plight of the information security folks who get left behind learning about projects, risks and issues in arrears. We’ve seen amazing people doing amazing things to keep up and ensure their organization is prepared for the next audit or attack. We think it should be easier. That’s why we built IronBench Compliance Navigator.” 

What does IronBench Compliance Navigator offer?

  • The California Consumer Privacy Act (CCPA) module shows companies what is required of them to meet California’s new consumer protection law and provides an intuitive, centralized method of managing and reporting your company’s status against this law today and into the future. Take a 1-minute, free assessment to determine if this law impacts your company. If it does, the CCPA module within IronBench Compliance Navigator helps you manage your ongoing compliance requirements in a simple, easy-to-understand manner today and into the future.
  • The Payment Card Industry Data Security Standard (PCI DSS) module shows companies what is required of them to meet today’s payment card industry requirements in an intuitive, centralized method of management and reporting. If your company accepts credit cards as a form of payment, you are expected to evidence compliance regularly. This module helps companies understand what is required, as well as helps manage your organization’s on-going compliance status in a low-friction, easy-to-use experience year after year.
  • The NIST Cybersecurity Framework (NIST CSF) module shows private-sector companies, in everyday language and concepts, what is recommended in order to prevent, detect and respond to cyber incidents in today's critical technology infrastructure. If you are looking for a centralized, easy-to-understand method of aligning your organization to the NIST CSF, this module will guide you through the material and enable you to manage your organization's alignment as your company, your industry and the standard itself change through the years.

To get started, you can also take a free Maturity Assessment to understand where your organization is along the path to alignment with the NIST CSF.

IronBench Compliance Navigator guides you through the process of identifying which standards apply to you, where your organization is strong and where it needs work, as well as helps you identify possible solutions to increase your preparedness along the way. Customer benefits include:

  • Track all compliance requirements, risks and responses in one secure location that's accessible to all of your teams anytime, anywhere
  • Track your organization against multiple standards at the same time, in the same tool, year after year – change history included
  • Stay on top of new regulatory compliance standards in the marketplace, as well as changes to existing standards against which you currently manage your organization
  • Delegate responsibility to others to acquire answers instead of having to personally perform each and every step manually

Create a free account to view the available tools in the IronBench Cybersecurity Suite and purchase only the ones relevant to your organization. If you're interested in a white-label solution or an enterprise version of this tool that meets your specific needs, contact us.

The IronBench Cybersecurity Suite of tools, as well as all associated patents and trademarks, are wholly-owned by IronBench LLC. IronBench and Trility Consulting, as well as all associated patents and trademarks, are wholly-owned subsidiaries of Trility Group Holdings, Inc. Trility provides strategic management consulting, digital transformation expertise and advanced technical solutions for forward-thinking global businesses.

Pack Line Cloud Security

Basketball season is in full swing. I have been lucky for the last seven years to coach different levels of basketball, ranging from youth teams through the local high school team. Coaching continues to be a rewarding experience, and many of the lessons I have learned working with athletes and other coaches apply directly to my work with product teams. It doesn't matter how much you work to perfect your craft, be it system architecture or coaching a team of 5th grade athletes, there are always new challenges to tackle. A core tenet of sports is continuous improvement, which should be applied to everything we do with technology. No one starts playing basketball ready to play in the pros, but everyone has it in them to be successful. It takes a tremendous amount of practice, a dedication to learning new things from others, and celebrating the little victories along the journey.

It is not surprising there are so many different Cloud Security analogies available on the Internet. Cloud Security is a difficult concept to describe given the wide range of tools, services, and seemingly infinite combinations organizations can utilize to solve business problems. If you are a fan of basketball, different defensive schemes are a great way to describe different views on Cloud Security processes. In all cases, the goal is to prevent the offense, or in this case bad actors, from scoring while providing dynamic responses to a constantly changing product architecture and threat landscape. Typical Cloud Security frameworks today can be compared to two classic defenses: man-to-man and zone.

Man-to-Man

Man-to-Man Cloud Security involves security controls developed around the individual services that make up a product. Each control is focused on preventing the service from sending information to, or receiving information from, other services in the system, and on aggressively protecting that single service. Firewalls, both web application and network, deny traffic so that bad actors cannot easily reach services. Logging and application-specific analytics can be used to build a profile of a service and alert when the service departs from that profile. The disadvantage of man-to-man Cloud Security is its aggressive focus on the individual service and its lack of real understanding of the big picture. There is a general lack of information about what other services are doing, so any lapse in the focus on a single service can lead to a breakdown of security in general and, in basketball terms, an easy lay-up.

2-3 Zone

Zone Cloud Security primarily revolves around the frameworks in place for infrastructure deployed to support a wide variety of services. We still see organizations bringing the rigid security frameworks utilized for years in brick-and-mortar data centers and trying to apply them to the cloud. Deployed like a 2-3 zone in basketball, the defensive posture is to watch a specific area of the infrastructure and report back to a central service for monitoring and support. As information travels through the zone, communication is critical to ensure nothing gets lost in the shuffle. Each position in the zone is devoted to a specific task supporting a number of different services, including both perimeter and core defense. The disadvantage of any zone defense is the gaps, and in the public cloud space, gaps are appearing every day.

Serverless architectures are an exciting approach to utilizing the true power of elastic capacity while providing developers easier and easier ways to deploy features to production environments. However, reducing the amount of infrastructure under direct monitoring does not reduce the attack surface; it moves the surface to places the zone was never built to watch. As any basketball coach will tell you, the easiest way to defeat a zone defense is by moving the ball and attacking the gaps in the zone. Another easy lay-up.

Trility takes a different approach to Cloud Security: the pack line.

Pack-Line

Pack Line Defense, created by Dick Bennett of Wisconsin-Stevens Point, is commonly used in some form by many coaches including Tom Izzo at Michigan State and Tony Bennett at Virginia. It is a variation of man-to-man defense with the biggest difference being off-ball defenders play in the gap instead of pressuring their player and denying the pass. Everyone except the player guarding the ball plays inside an imaginary line 16 feet from the rim also known as the pack line. As the ball moves around the perimeter, it is the responsibility of each defender to close out on the ball and aggressively pressure while the remaining defenders adjust their position accordingly to see both man and ball and prepare to help their teammates – 5 against the ball.

Cloud Security is everyone’s responsibility and while we are aggressively providing man-to-man defense on the active products, the rest of the team is continuously adjusting to find and fill gaps in the defensive strategy. We react to changing conditions and close out on threats while keeping business goals front of mind. 

The ephemeral and elastic nature of the public cloud along with software defined infrastructure and platforms provide an opportunity for service specific architectures. Trility utilizes two patent pending tools to help provide high quality customized security for cloud services: IronBench Compliance Navigator and IronBench Cloud Config.

IronBench Compliance Navigator empowers organizations to develop highly customized compliance guidelines for products and services. Throughout the product lifecycle, IronBench Compliance Navigator uses standards and regulatory information updated as regulatory compliance laws and standards change to provide a solid foundation for product development teams.

IronBench Cloud Config is an enterprise framework and provides the source code for the entire implementation. Product teams can utilize a customizable secure framework based on industry standards and practices on which to build secure supporting infrastructure. Compliance Navigator helps you aggressively challenge the ball handler while Cloud Config supports the team by helping them adjust to changing product needs efficiently and securely working from a library of standards based templates.

No easy lay-ups.

Don’t Forget the “V” in MVP

Security, operational readiness, reproducibility, and scalability are all important parts of any product, and together they help validate the viability of a product. Unfortunately, in the race to production these items fall by the wayside and show up on the backlog.

Securely develop products

Minimum Viable Product, or MVP, is a common term used by business leaders and product owners to help drive quick, iterative, product development to get products released to market faster. The goal is to release just those core features necessary to put the product in front of customers to learn about customer needs and validate assumptions prior to larger investments in a new product. Release quickly, release often, and adjust the product based on feedback from customers.

Product teams today do a great job of focusing on the M, Minimal. Constantly asking the team and business stakeholders when new feature requests are made, “Is this a requirement for MVP?”, helps prioritize development efforts and keep the team focused on making a timely and relevant release. Business stakeholders on a regular basis can see the features being developed during frequent demos and can provide direct feedback which goes back through the same intake process grounded by the same question focused on releasing the MVP. When the cycle is managed by a proactive Product Owner, it can be an extremely efficient way to get ideas from a napkin at lunch to a product in front of customers.

Where Product teams struggle is with making sure the V, Viable, is taken into consideration as a team. Security, operational readiness, reproducibility, and scalability are all important parts of any product, and together they help validate the viability of a product. Unfortunately, in the race to production these items fall by the wayside and show up on the backlog. When the team does release the product and receive customer feedback, they're often stuck in a challenging position of either picking up the items in the backlog tagged as After MVP or continuing to refine the product to keep customers engaged. As it should, the focus remains on the customer and meeting the business objectives for the product. The weight of the backlog eventually causes cracks in the team, cracks in the product, and a new round of questions for business stakeholders to consider regarding whether to refactor, rewrite, or sometimes, build a new MVP to fix the problems from the previous MVP.

Continuous Integration, Continuous Deployment, Security by Design, Test Driven Development, Performance Testing, Infrastructure as Code – these are all terms many development teams are familiar with and actively promote inside organizations today. However, many of these items are the first things added to the backlog during MVP development when teams are racing against the clock. We need to do a better job as Engineers communicating to business stakeholders that each of these items is, individually and collectively, an important part of making a product viable.

We can still meet the needs of a minimal product by constraining the conversation in each case to the product being developed. The product may not have a need to support a thousand requests a second for the MVP, but we should ensure performance testing frameworks are in place and exercise the product on a regular basis so issues can be discovered early and often during the development process. The product may only require a small amount of simple infrastructure to be deployed to support the MVP, but the infrastructure should be built and deployed in code alongside the rest of the product so as needs change the foundation is already in place to support rapid growth. The product may not have a requirement to support a security standard for the MVP, but the application should be built following a set of standard security practices and validated regularly with automated testing to support a growing customer base. 

Viable – the ability to work successfully and securely.

Product teams need to ensure when MVP is defined, the product’s ability to work successfully after release is front and center during the development process. Minimal helps you get to the first release; Viable ensures you make it to the second.

Iowa start-up launches new product!

ShowPal, a Des Moines, Iowa based start-up founded by Chad Torstenson, recently launched its first product named ShowPal ID!

ShowPal ID, the first of multiple products and services planned by ShowPal's CEO, is designed to enable increased safety for Realtors as they meet and interact with clients who often are not personally known to them. ShowPal ID performs on-the-go identity verification of homebuyers on behalf of real estate agents in advance of engaging with a client so that all parties know who is involved before they meet for the first time.

"Every year real estate professionals are placed in harm's way by individuals fraudulently posing as a prospective client. The statistics of crimes committed against Realtors such as robbery, physical assault, sexual assault and homicide are staggering. We intend to change that," says Torstenson.

In order to accomplish the goal of building software solutions for the Realty industry, ShowPal engaged Trility Consulting, also of Des Moines, Iowa, to help design, build and deliver a cloud-based software solution that seeks to address a very important problem in today’s real estate marketplace — the safety of Realtors and Buyers.

Trility Consulting focuses on helping companies adopt, build and operate in secure enterprise cloud frameworks so companies can focus on serving customers.

Visit ShowPal's site! Or stay in touch with them on Twitter and Facebook!

Update: In the true spirit of a start-up's need to test, learn and refactor, ShowPal published and tested ShowPal ID and determined that while it addresses an important problem, this product doesn't meet ShowPal's own requirements for viability. As a result, this product has been put to sleep with the potential of re-launching in the future if and when it makes sense. It is hard to build and deliver product.


We are Trility Consulting!

Hello and welcome to Trility Consulting!

We are a people-first, full-spectrum solutions company focused on helping our customers and partners enjoy success with today’s digital transformation needs. From cloud adoption, migration, implementation and evolution to multi-level continuous cyber-security solutions and full-spectrum application and systems development, our focus is understanding your needs, providing you multiple options and implementing solutions that constantly enable the ability to change as your needs change.

Our team is comprised of people who value relationships, have a history of delivering on commitment, are life-long learners and enjoy being involved anywhere and everywhere in the product solution life-cycle — from the initial “here’s my idea” conversations at a coffee shop on a napkin to production implementation, support and evolution.

And we’ve been around. Collectively we’ve worked in cellular telecommunications infrastructure, financial, health, agriculture, cable, insurance, real estate, residential and commercial security, embedded, non-governmental organization, federal, state, internet of/connected things, lots of cloud, continuous flow-based delivery mechanisms and so on.

We're available to help you define and refine opportunities, discover solution options and directions, coach, collaborate, lead, develop and deliver on your needs now. If you're considering cloud adoption or migration, wondering how cloud changes cyber-security needs or wanting to build software for the cloud, get in touch with us. We're ready.