Data management is such a large and complicated practice area but there are a few fundamental protections that should be in place to help prevent emergencies.

DATA MANAGEMENT SUCCESS IN DIGITAL INITIATIVES

 A McKinsey and Company study that was published at the end of 2020 analyzed the speed of digital transformation created by the pandemic. The study found that in the six months between December 2019 and July 2020 the average share of customer interactions that were digital increased from 36% to 58%. That calculation represented an acceleration of three years in those six months. Similarly, the global share of fully digitized products or services increased from 35% to 55% in that six-month period, representing an acceleration of seven years of progress. While the casino industry dealt with different challenges during that time period, once business was back up, a similar rate of change was managed by IT Leaders in the second half of 2020. With the expansion of digital gaming and other products and the extension of land-based casino technology with everything from cashless transactions to virtual concierge, we can certainly understand that acceleration of digital capabilities because we have lived through it.

The need for touchless capabilities, technology that provides additional safety, digital wallets, and enhancing the guest experiences created huge demand on IT teams. Similarly, new capabilities to fully support digital interaction with employees and partners had to be put in place.

At the same time, as business rebounded and new digital technology is implemented, the amount of data collected, stored, processed, managed, and analyzed continues to grow.

The result in some cases is that the technology stack (on-premise and cloud) has grown horizontally and vertically. The application landscape has expanded for most IT Leaders. The network landscape has expanded to support the new digital touchpoints in land-based casinos in addition to supporting remote employees and remote players.

In summary, enabling all of these new IT and digital capabilities has been difficult, and it has been done in an amazingly short amount of time. Much of the new set of capabilities was accomplished through cloud adoption.

The Flexera 2022 State of the Cloud Survey was published in the first quarter of 2022. This was their 11th annual survey, and the 2022 edition was the result of detailed surveys of 753 IT leaders. This year’s survey found that the number-one challenge that IT Leaders are dealing with as a result of cloud adoption was security (85% of those surveyed said it was their top challenge to overcome).

One of the key areas of focus for any IT leader should be “their data.” In today’s world– where “their data” could be anything from proprietary or confidential information in their loyalty program to actual digital currency in a player’s wallet – it is even more critical for IT leaders in the Gaming and Leisure industry to have laser-like focus on their data.

With the volume of data increasing across our IT landscape, with the variety of data that we are collecting expanding, with the velocity of that data moving across our enterprise at ever-increasing speeds (think about AI/ML), and with the value of our data increasing (to us and to bad guys who want to steal it) – we may not see a problem today, but we do need to prevent a problem in the future. Author Arnold H. Glasow wrote: “One of the tests of leadership is the ability to recognize a problem before it becomes an emergency.”

Data management is such a large and complicated practice area but there are a few fundamental protections that should be in place to help prevent emergencies.

In this article I want to cover four areas that IT Leaders should consider when managing and protecting their data. First let’s think about how “Data Gravity” may impact our enterprise data landscape as data growth increases. Then we can look at a couple of blocking and tackling exercises in “Network Architecture” and “Data Protection” that are necessary to effectively protect data. Finally let’s consider how identity and access may change as these new capabilities are added.

Data Gravity

When working with large and growing datasets and moving that data around to various applications (Data Warehouse, Data Analytics, Machine Learning, Artificial Intelligence), it becomes unwieldy, cumbersome, and expensive. The term “Data Gravity” was first coined by software engineer Dave McCrory. It represents the dynamic that a body of data has the ability to attract applications, services, and other data. This happens due to latency and scale. With the reality of physics there are limitations on how quickly data can traverse a network, and with the adoption of cloud computing (particularly AI/ML) it could become necessary to have that data as close to the cloud applications and services as possible.

In addition to this creating a potential cost issue, it creates new locations of data that you need to manage and protect. The first rule in protecting something is knowing what it is and where it is used. The second rule is knowing where the data lives (including any multiple versions).

The laws of physics may prevent you from carefully planning out the desired locations for your data; Data Gravity may decide that for you. Just be sure to follow the first and second rule in protecting your data. There are 97 other rules to follow but let’s be sure to get Rule 1 and Rule 2 accomplished to begin with.

Your (Growing) Network

The new virtual concierge and other new digital touchpoints for guests and players have increased the number of Internet of Things (IoT) devices connected to casino networks. Many have heard the story reported by Darktrace about the fish tank that was the entry point in a North American casino for cyber thieves. Sit down with your network team and familiarize yourself with how your organization is handling these best practices:

• Segmentation Segment IoT devices into their own network(s) to restrict access. Segmentation is not foolproof but it is the first layer.

• Standard Security IoT networks have a wide range of communication protocols and device capabilities but you need to implement standard security features such as antivirus, firewalls, and intrusion prevention systems.

• Authentication IoT devices will need authentication methods such as multi-factor, static passwords, and digital certificates.

• Encryption Device data will need to be encrypted at rest and in transit. For IoT this will likely be lightweight encryption tools due to device constraints (such as lack of memory).

• Monitoring The full network must be monitored for anomalous traffic.

Backup and Recovery

I am going to resist citing the scary litany of cyber attacks that have occurred and will continue to occur. We can simply agree that a ransomware attack is one of our most pressing risks today.

We all know that we need to have good data backup capabilities combined with rigid discipline. We need to test the recoveries in order to fully understand the recovery time and any potential data loss risks. But, in today’s world we need to make sure that our backups will be effective for restoring data in the event of a ransomware attack. In some cases the backup can be encrypted or deleted as a result of the attack.

The answer to this potential emergency is to make sure your backup data is immutable. An immutable backup is a backup file that cannot be altered in any way. An immutable backup should be unchangeable and able to deploy to production servers immediately in case of ransomware attacks or other data loss. At present, there are backup vendors who meet the criteria of immutable backups and immediate restore.

The final point on backup and recovery is to go back and remind your team of the first two rules of data protection. You need to know where your data is and what your data is and verify that you are backing up the data that you need to be backing up regardless of location.

Identity

One of the biggest risks that your data management program needs to protect against is that your safeguards allow access to someone who is only interested in stealing or corrupting your data. So we have identity and access systems in place with which we only allow access to individuals who are known to us. The other important component is that since we know who they are we only allow them access to the data that they need to access.

However, with a credit card you or I could go on the Dark Web and buy a list of username/password credentials that were harvested off of any number of digital portals that our employees and partners and guests use. It is still likely that someone’s Linked In login (or bank login or insurance company login, etc.) is either the same or very close to someone’s work credentials.

That was a short commercial for putting in place a good multi-factor authentication protocol. But that alone is not foolproof (sorry if you heard that before about one of your security measures).

Consider that the 2021 Verizon Data Breach Report found that 85% of breaches involved a human element and 61% of breaches included credentials.

A new approach that is growing in popularity is Zero Trust. Zero Trust is a security framework requiring all users, whether inside or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data. Zero Trust assumes there is no traditional network edge. Networks can be local, in the cloud, or hybrid with resources anywhere and workers in any location. Think about the movie Oceans 11 and how some of the bad guys success came from only initial identify verification by the casino. If Ocean’s gang had to continuously prove identity and access rights they might have been stopped along the way.

Zero Trust is a concept that is easily understood by casino management. A casino is mostly happy to have anyone enter, but they are trusted only as far as they need to be. Standards and Controls in place protect assets that have varying levels of public exposure. Here are the four principles:

• Verify Explicitly Authenticate and authorize based on all attributes available.

• Least Privileged Access Grant only the minimum access necessary.

• The Perimeter has Collapsed The castle-and-moat security paradigm no longer exists. Isolate and restrict movements inside your network.

• Continuous Diagnostics Monitor and analyze as much as you possibly can for anomalies.

 New digital demands in Gaming and Leisure have resulted in data growth and expansion of where the data is managed. This is stressing incumbent data management and protection capabilities. IT leaders need to examine their practices and adjust accordingly.

Source: G&L Magazine Summer Edition 2022

John Wondolowski is the Chief Technology Officer for Solutions II. Solutions II is an Information Technology Services and Solutions Provider with an industry focus in Casino Gaming and Hospitality. John has been an Enterprise IT Executive for many years after earning degrees from the University of California at Berkeley, Haas School of Business, and California State University at Fullerton.