As technology continues to evolve at an accelerating pace, unprecedented situations like the COVID-19 pandemic have further cemented our digital way of living and doing business. With digitization, there has been massive data proliferation and growth of data repositories.
As ISACA’s professional community is well aware, much of this data is sensitive and valuable. It can represent customers’ financial information and, even more importantly, their personal information.
Recently, ransomware attacks have been on the rise, resulting in data extortion threats and IT system compromises. It’s the organization’s responsibility to protect the data entrusted by customers from both cyberthreats and insider abuse.
So today, organizations’ top priority is implementing consistent data security measures while ensuring that they do not add undue complexity to IT operations or to business application changes. Complexity hides attacks by insiders and increases the chance of human error: the 2021 Thales Data Threat Report states that 35 percent of respondents consider malicious insiders the top threat, with human error close behind at 31 percent.
This blog post explores the approach and technology that is useful to reduce complexity in data security measures across the organization.
The complexity conundrum
Data-centric security is not a one-size-fits-all proposition. Within a single organization, there can be dozens of security policies, hundreds of data types, and thousands of use cases. So, how do we decide on a uniform solution to address the above broad issues across the organization?
Historically, organizations have rolled out too many single-purpose technology products that can only secure specific types of data, systems or environments.
This kind of piecemeal approach to applying data-level protection creates data silos, security gaps and operational complexity, leading to inefficiencies, security blind spots and escalating costs, as represented in the diagram below:
Another issue is that as organizations adopt multi-cloud strategies, it becomes very important to have a uniform way of protecting data across every cloud provider as well as the workloads that remain on-premises. Many organizations are moving to this kind of hybrid set-up and are looking for a single technology solution that addresses data security and privacy concerns for both their on-premises infrastructure and their cloud environments.
Another direction organizations are considering is a platform-based technology solution, so that the data security capability does not have to be rebuilt for each new system or environment; every such rebuild adds complexity.
The way forward
The immediate priority is to control access to sensitive data and to secure it at rest and in transit, both on-premises and in cloud infrastructure.
The best way to secure data at rest and in transit is encryption. Encryption is the critical last line of defense in the event of a breach: the protection is applied to the data itself, independent of where the data is stored, so it stays protected wherever it goes and is useless to an attacker who does not also hold the keys.
To be effective, this must happen automatically—sensitive information should get identified as soon as it enters an organization’s IT ecosystem and should be secured with policy-based protection that lasts throughout the data lifecycle.
Organizations today regularly conduct cyber risk assessments to understand perimeter-level security gaps and threats to their infrastructure and applications. Now they need to include data risk assessments within that cyber risk assessment program.
This is the first step to simplify data security measures. The data risk assessment phase helps to discover where your sensitive data is, and then classify it accordingly, such as public, restricted, confidential or top secret, if four-level sensitivity classes are used.
Based on the organization’s data security and privacy compliance obligations, organizations can decide on the appropriate data risk remediation controls: some data might require encryption, while other data may need tokenization or masking, or be deleted, quarantined or left untouched.
Once the data is encrypted, the risk moves to the encryption keys, which is why key lifecycle management (generation, storage, rotation, revocation and destruction) is critical to the success of any encryption deployment.
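The discover, classify, remediate and manage-keys sequence of the last few paragraphs, as an added example that is not code from the original post or from any product it describes. It uses the third-party `cryptography` package for AES-GCM; the sensitivity classes, the policy table, the token format and the sample record are assumptions made for illustration. Each field of a record is classified, the policy picks the control (encrypt, tokenize or leave untouched), and every ciphertext carries the id of the key version that produced it, so rotating keys does not break old data and retiring a version is a deliberate crypto-shred:

```python
"""Policy-driven protection of a record: discover, classify, remediate.

Added example. Classes, POLICY table and SAMPLE are assumptions, not any
product's or organization's configuration.
"""
import os
import re
import secrets

from cryptography.hazmat.primitives.ciphers.aead import AESGCM  # third-party


def luhn_ok(digits: str) -> bool:
    """Luhn check so a random 16-digit order number is not flagged as a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(value: str) -> str:
    """Discovery/classification: assign one sensitivity class to a field value."""
    digits = re.sub(r"[ -]", "", value)
    if re.fullmatch(r"\d{13,19}", digits) and luhn_ok(digits):
        return "cardholder"  # PCI scope
    if re.fullmatch(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", value, re.IGNORECASE):
        return "pii"
    return "public"


# Remediation policy: class -> control (assumed table; tune to your obligations).
POLICY = {"cardholder": "tokenize", "pii": "encrypt", "public": "none"}


class KeyManager:
    """Versioned data-encryption keys. Ciphertexts record the key id they were
    made with, so rotation adds a version instead of re-encrypting everything,
    and retiring a version deliberately makes its data unrecoverable."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self._n = 0
        self._current = ""
        self.rotate()

    def rotate(self) -> str:
        self._n += 1
        kid = f"k{self._n}"
        self._keys[kid] = AESGCM.generate_key(bit_length=256)
        self._current = kid
        return kid

    def current(self) -> tuple[str, bytes]:
        return self._current, self._keys[self._current]

    def get(self, kid: str) -> bytes:
        return self._keys[kid]  # KeyError once the version is retired

    def retire(self, kid: str) -> None:
        del self._keys[kid]


class Protector:
    """Applies the control POLICY prescribes. The field name is bound into the
    AES-GCM associated data, so a ciphertext copied into another column fails."""

    def __init__(self, km: KeyManager) -> None:
        self.km = km
        self.vault: dict[str, str] = {}  # token -> value; a hardened store in practice

    def encrypt(self, value: str, aad: bytes) -> str:
        kid, key = self.km.current()
        nonce = os.urandom(12)
        ct = AESGCM(key).encrypt(nonce, value.encode(), aad)
        return f"enc:{kid}:{nonce.hex()}:{ct.hex()}"

    def decrypt(self, blob: str, aad: bytes) -> str:
        _, kid, nonce, ct = blob.split(":")
        key = self.km.get(kid)
        return AESGCM(key).decrypt(bytes.fromhex(nonce), bytes.fromhex(ct), aad).decode()

    def tokenize(self, value: str) -> str:
        """Random, non-derivable token that keeps the last four digits for display."""
        token = "tok:" + secrets.token_hex(8) + ":" + re.sub(r"[ -]", "", value)[-4:]
        self.vault[token] = value
        return token

    def protect(self, record: dict[str, str]) -> dict[str, str]:
        out = {}
        for field, value in record.items():
            control = POLICY[classify(value)]
            if control == "encrypt":
                out[field] = self.encrypt(value, aad=field.encode())
            elif control == "tokenize":
                out[field] = self.tokenize(value)
            else:
                out[field] = value
        return out


# Constructed sample record (not real customer data).
SAMPLE = {"name": "Asha", "email": "asha@example.com", "card": "4111 1111 1111 1111"}

if __name__ == "__main__":
    protector = Protector(KeyManager())
    print(protector.protect(SAMPLE))
```

The point to take from the key handling is the one the paragraph makes: after `rotate()` new writes use the new version while old ciphertexts still decrypt, and after `retire("k1")` they do not, which is exactly the risk that has moved from the data to the keys.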
A uniform data protection strategy should be tailored to the broad range of security objectives, so that data can be secured across the whole environment: physical, virtual, cloud and big data. It should support all the major server platforms (Windows, Linux and Unix) and, most important, provide centralized controls to keep distributed data safe.
The solution – a unified data security platform
Recently, one of the largest private banks in India has implemented a unified data security platform, enabling itself to solve the data security problems across its complex ecosystem. This next-generation platform helps to adopt a scalable security framework that addresses data security throughout its lifecycle and across applications, files and databases.
This addresses the following use cases:
- Data-at-rest encryption:
  - Encryption of configuration files on the application servers
  - Encryption of file servers holding customer PII and credit card data
  - Volume-level encryption for MSSQL, MySQL, PostgreSQL and Oracle databases without any application changes; this approach also had advantages over the native TDE functionality each database offers
- Key management:
  - Bring your own key (BYOK) for sensitive workloads in the cloud: the bank’s data protection requirements mandated that keys be created, stored and managed by the bank itself. Cloud service providers met this requirement with their customer key control (BYOK) features.
This platform-based approach lets organizations decide where to start on their digital transformation journey, and it offers a single point of control for all data security activity across the organization.
Readers interested in exploring the design and implementation of data security platforms and use cases can reach out to me at ved-v.prakash@thalesgroup.com.