With the enforcement of the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and more laws likely to emerge, it’s more important than ever for organizations to think seriously about data privacy and data security together. As part of this, they need to consider whether their current practices, technologies and solutions are equipped to protect their sensitive data against the challenges to come. Many forward-looking organizations are recognizing the need for a holistic approach to data protection. In this context, “holistic” means an approach that lets the organization address the following three objectives in a unified way, rather than as three separate issues:
- IT security has limited visibility into where data is stored and who has access to it. To “know your data” means to have a good understanding of where sensitive data is located, established through data discovery and classification. Without this foundation, organizations cannot know what to protect, where it is, who can access it, when it was created and so on;
- Organizations have focused IT security primarily on perimeter defense, building walls to block external threats from entering the network. While this is still important, businesses need to apply a data-centric security strategy that protects data wherever it is. Data-centric security protects the data itself, rather than just the endpoints, networks, and applications it moves between. Consequently, the data remains secure wherever it goes, so it can move as much as the organization needs it to without increased risk. Instead of slowing down progress and inhibiting the proliferation of data, data-centric security empowers the organization to make the most of its data wherever it’s stored and used; and,
- With more cryptographic keys to protect, more value in the data being protected by those keys, and proliferating compliance requirements, nearly every organization urgently needs to address key management. Key management is time-consuming, costly and complex, especially when implemented and administered for specific siloed systems and business units rather than across the enterprise on a single platform. The simplest path through this maze is to transition to a centralized key management model.
Adoption of a holistic approach to data protection requires cooperation among departments as well as business groups. In short, this applies to any group with a stake in collecting, processing, using and managing personally identifiable information (PII), intellectual property, trade secrets and other types of confidential information.
Three Core Pillars of Holistic Data Protection
A data-centric security approach must be woven into the DNA of the organization. This approach is based on Thales’s experience working with hundreds of enterprise CISOs, CDOs, CIOs and architects on the frontline of data protection as well as best practices required by numerous regulations and industry standards. To adopt this approach to data security, organizations need to do the following:
1. Discover and classify your sensitive data
Discovering, identifying, and classifying your sensitive data is the critical first step in this process, but it also needs to be repeatable and independent of technology and geography. When data is discovered, it can then be classified (identified and grouped) based on specific patterns and algorithms. This gives IT professionals the ability to make more informed decisions about security, data sharing, data access, digital transformation, cloud migration, and remediation prioritization. When data discovery and classification are followed by risk analysis, the resulting security foundation is comprehensive, holistic and grounded in the data the organization actually holds rather than in assumptions. Risk analysis helps IT teams understand the sensitivity of data and then rank its level of risk. These capabilities also help organizations enforce data sovereignty and meet data privacy and security regulations like GDPR, CCPA, the Payment Card Industry Data Security Standard (PCI DSS) and HIPAA.
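As an added illustration of this first pillar (example code written for this page, not code from Thales or the CipherTrust product), a minimal pattern-based discovery and classification scan: it applies classification templates to constructed sample data stores, validates card-number candidates with the Luhn check so that random digit runs are not misclassified, and ranks the stores by a weighted risk score. The pattern set, sensitivity weights and sample records are assumptions made for the example.

```python
import re
from collections import defaultdict

# Classification templates: label -> (pattern, sensitivity weight). Constructed for this
# example; a real tool ships many more (PCI DSS, HIPAA and GDPR data elements).
PATTERNS = {
    "email":       (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), 1),
    "us_ssn":      (re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"), 3),
    "credit_card": (re.compile(r"\b(?:\d[ -]?){13,19}\b"), 4),
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(text: str) -> dict:
    """Return {label: count} of sensitive data elements found in one text value."""
    found = defaultdict(int)
    for label, (rx, _weight) in PATTERNS.items():
        for m in rx.finditer(text):
            if label == "credit_card":  # a pattern hit alone is not enough: validate it
                digits = re.sub(r"\D", "", m.group())
                if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
                    continue
            found[label] += 1
    return dict(found)

def scan(stores: dict) -> list:
    """Discover sensitive data per store and rank stores by risk score, highest first."""
    report = []
    for name, records in stores.items():
        counts = defaultdict(int)
        for rec in records:
            for label, n in classify(rec).items():
                counts[label] += n
        score = sum(n * PATTERNS[label][1] for label, n in counts.items())
        report.append({"store": name, "classes": dict(counts), "risk_score": score})
    return sorted(report, key=lambda r: r["risk_score"], reverse=True)

SAMPLE_STORES = {  # constructed sample data stores, not real records
    "hr_share": ["Employee Jane Roe, SSN 123-45-6789, contact jane.roe@example.com",
                 "Payroll export sent to maria@example.org"],
    "web_logs": ["GET /checkout?card=4111 1111 1111 1111 HTTP/1.1",
                 "GET /search?q=1234 5678 1234 5678"],  # fails Luhn: not a card number
    "public_docs": ["Quarterly newsletter, no personal data"],
}
```

Running `scan(SAMPLE_STORES)` ranks the HR share first (an SSN plus two e-mail addresses), the web logs second (one valid card number in a query string) and the public documents last with a score of zero.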
2. Protect your sensitive data
With your data discovered and classified, you can determine the risk each data set adds to your business and prioritize how and where to implement access controls and obfuscation security mechanisms, such as file-level encryption with granular access controls and tokenization with dynamic data masking. This means protecting the data by making it more difficult for unauthorized users to access, and making it unreadable and useless if it’s stolen or leaked. When determining which data encryption solution type will best meet your requirements, there are several considerations. At a high level, data encryption types can be broken out by where they are employed in the technology stack: disk, file system, database, and application. In general, the lower in the stack encryption is employed, the simpler and less intrusive the implementation will be. However, the number and types of threats these data encryption approaches can address are also reduced. On the other hand, by employing encryption higher in the stack, organizations can typically realize higher levels of security and mitigate more threats.
3. Centralized Encryption Key Management
The security of cryptographic processes depends on the security of the cryptographic keys used to encrypt the data. If the keys used to encrypt or tokenize data are stolen together with the encrypted or tokenized data, the data is not secure, because it can be deciphered and read as plaintext. For encryption and tokenization to successfully secure sensitive data, the cryptographic keys themselves must be secured, managed and controlled by your organization, not by a third party or cloud provider. As organizations deploy ever-increasing numbers of siloed encryption solutions, they find themselves managing inconsistent policies, different levels of protection, and escalating costs. Encryption key management involves administering the full lifecycle of cryptographic keys and protecting them from loss or misuse.
Implementing a holistic data protection strategy
Thales has pushed the innovation envelope with its next-generation data protection solutions to remove complexity from deploying data security, accelerating time to compliance, and securing cloud migrations. Thales’s CipherTrust Data Discovery and Classification provides a single pane of glass that enables organizations to get a crystal clear understanding of what sensitive data they have, where it’s located and its risks of exposure. To achieve this clear view, organizations need to:
- Set policies to search for sensitive data in different data stores;
- Discover structured and unstructured data across an enterprise with efficient scans;
- Classify data based on built-in templates or custom needs;
- Understand the risks with rich visualizations and risk scores;
- Encrypt or tokenize sensitive data;
- Maintain control of keys using centralized key management; and,
- Leverage charts and reports to support compliance programs and facilitate executive communication.
To learn how CipherTrust Data Discovery and Classification can help your organization protect its sensitive data, please download our “Build a strong foundation for data privacy and security” product brief.