Getting data security right by removing the ‘sensitive’ in sensitive data
Considering that on average a hacking attempt occurs every 39 seconds, the likelihood of suffering a cyberattack is no longer a remote threat but rather a distinct possibility. It’s not a question of “if” but rather “when” in the minds of security professionals. Most other people have become aware of this fact too, and as the number of threats in the realm of cybersecurity increases, securing personally identifiable information (PII) has quickly become the top priority for enterprises, mostly because it’s a fundamental part of the customer relationship which is built on trust. A quick way to lose customers is to shake their trust in your organisation, especially where their most sensitive data is concerned.
On top of this, organisations are having to meet the growing number of data privacy regulations that are propagating in most national jurisdictions and across various industries, including CCPA, GDPR, PCI DSS, and HIPAA. With this list steadily growing, it’s quite clear that governments, industry authorities, and consumers all are taking a stand on how businesses use people’s personal data. Meeting these obligations has become a daily challenge for enterprises both small and large, primarily because it’s not optional. It’s not a small undertaking!
Understandably, the pandemic has accelerated the digital transformation journey for businesses in order to keep operations moving along with a largely remote and distributed workforce. Most companies have had to increase budgets to invest in their IT infrastructures generally and in data security specifically, with the threefold aim to innovate, gather market analysis and intelligence, and meet or exceed regulatory compliance. Chief among these IT investments is the migration to cloud services (which certainly helps remote workers). However, for many companies, cloud migration can be a serious stumbling block: you can't go about moving applications and interfaces if the PII within these workflows is not fully protected; otherwise, you run a serious risk of exposure. One misconfigured cloud service or concentrated attack on a cloud repository, and suddenly highly sensitive information could be exposed to the public. This data could be in the form of addresses, financial data, or private medical information, all of which must be secured from unauthorised access by regulatory mandate. This type of situation is absolutely catastrophic; just ask any company involved in such a breach.
Given the number of breaches that make headline news (if you're paying close attention, you can usually spot a high-profile one every day of the week), traditional or legacy security solutions are clearly no longer effective as a complete data protection strategy. Organisations are spending more and more to reduce threat levels but are typically using yesterday's technologies such as authentication management, SSL and TLS, firewalls, database encryption, and disk encryption. Sure, these mechanisms all provide some value for a specific area within the overall IT ecosystem, but they only protect against known attacks (meaning, they secure the known weak points of an infrastructure). Moreover, each of them solves one partial problem, so together they still leave gaps around the bigger security problems that often lie hidden. Like a rowboat, you can protect the known areas of potential leakage such as the joints and interconnection seams along the hull. But how do you protect against that hidden rock just below the surface? To achieve continuous protection for personal data and to effectively prevent your organisation from suffering a data breach from unexpected quarters, a better defensive strategy is in order.
First, you must know and understand all your enterprise data. Decide what elements you must prioritise (regulations clearly point you to these), and then clarify what needs to be protected to reach that regulatory compliance. You must discover how data is used within your operational processes and workflows, transferred between third parties, collected, and importantly, where it resides, and who has access to it. You can’t protect data properly without knowing that it exists, how it’s used, and who handles it. Keep in mind that data is a highly mobile asset that crosses the traditional boundaries of on-premise and off-premise because now workers can handle and process data both on-premise and in the cloud in a hybrid manner, moving back and forth between services. This data discovery exercise helps to mitigate evolving business risks such as hacking, fraud, and ransomware by attempting to know the unknowns. It’s like trying to see all the hidden rocks just under the surface of the water. Only then can you protect data effectively.
But does a better data protection strategy even exist? Yes, it most certainly does, in the form of data-centric security, which protects the data itself rather than the systems that process or store it or the boundaries around it. One of the most widely applied methods of data-centric security is a reversible protection mechanism called tokenisation. Tokenisation works by substituting a sensitive data element with a so-called representational token. The token itself maps back to the original data element but doesn't expose any sensitive data in cleartext. This level of protection can be achieved whether the information is in motion or at rest, across all platforms, applications, and systems, including cloud applications. So, whether PII is collected via a payment system, customer service dashboard, website, or mobile application, once it is captured it can be tokenised and protected while it flows across the organisation throughout its lifecycle.
Data-centric security enables enterprises to meet regulatory requirements while also providing comprehensive ROI due to a reduction in security audit time and costs. For instance, financial service providers must comply with the PCI DSS requirement of protecting cardholder data, and this will also extend to cover the protection of additional data elements in order to comply with GDPR. Because tokenised data is no longer sensitive, tokenisation not only reduces overall risk but also satisfies PCI DSS and GDPR requirements on the core enterprise components that handle only tokens. In addition, tokenised data protects against accidental exposure to unauthorised insiders and third-party vendors, as the data in its clear state can only be accessed with proper authorisation. This reduces dependency on compensating controls as a temporary measure to pass security audits and fulfils the PCI DSS and GDPR requirement that sensitive data be accessible only on a need-to-know basis. Best of all, the benefits of tokenisation can be extended to help organisations comply with the majority of data privacy and protection legislation as more countries and industries adopt stricter stances.
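To make the two preceding paragraphs concrete, here is a minimal vault-based tokenisation service: a random, format-preserving token stands in for a card number, the only path back to cleartext is the vault, and detokenisation is gated by role so the need-to-know requirement is enforced in code. This is an added example, not code from the article or from comforte's products; the role names, the 16-digit layout, the rule that tokens must fail the Luhn check, and the sample card number are constructed assumptions.

```python
import secrets
import string

# Constructed assumption: only these roles may recover cleartext (need-to-know).
AUTHORISED_ROLES = {"payments-ops"}


def luhn_valid(number: str) -> bool:
    """Luhn check-digit test that genuine card numbers pass."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Vault-based tokenisation: the token is random, so it reveals nothing
    about the original value; the only way back is a lookup in this vault."""

    def __init__(self) -> None:
        self._token_to_value = {}  # the only place cleartext lives
        self._value_to_token = {}  # same input -> same token, every time

    def tokenise(self, pan: str) -> str:
        if pan in self._value_to_token:  # stable tokens let analytics count and join
            return self._value_to_token[pan]
        while True:
            # Format-preserving: 12 random digits plus the real last four, so
            # receipts and reports keep working on the token alone.
            token = "".join(secrets.choice(string.digits) for _ in range(12)) + pan[-4:]
            # Reject collisions and anything that could pass as a genuine PAN.
            if token not in self._token_to_value and not luhn_valid(token):
                break
        self._token_to_value[token] = pan
        self._value_to_token[pan] = token
        return token

    def detokenise(self, token: str, role: str) -> str:
        """Reverse mapping, gated by role rather than by who can reach the table."""
        if role not in AUTHORISED_ROLES:
            raise PermissionError(f"role {role!r} is not authorised to detokenise")
        return self._token_to_value[token]
```

Systems that only ever see the token (reporting, analytics, third-party vendors) hold no cardholder data, which is exactly what shrinks audit scope; only the vault and the authorised detokenising role remain in scope.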
As digital transformation takes hold and remote working becomes even more commonplace, sharing sensitive data across multiple platforms and services has become a necessity in today’s IT environment. Therefore, having a security solution that meets the demands of data privacy and regulatory compliance, while also facilitating full use of the data elements for activities such as data analytics, is vital in securing your organisation’s overall digital growth.
Trevor J. Morgan is responsible for product management at comforte AG where he is dedicated to developing enterprise data protection solutions that meet ever increasing risk and compliance requirements. He has spent the majority of his career in technology organizations bringing to market software, hardware, and services for enterprise and government customers. Trevor has held senior-level, lead positions in sales engineering, product management, software architecture, and product marketing in companies like Cisco, Capital One, and Ciena. He holds a Ph.D. from Texas Tech University and a Bachelor’s and Master’s from Baylor University.