May 12, 2021
3 things you might be doing wrong in your data protection program
The interest in the protection of sensitive information has seen an exponential increase in recent times. Now with consumers more aware of their rights and the importance of their personal information, organizations are quickly understanding that securing this data is of paramount importance to their business continuation and sustenance plans. With the advent of GDPR in May 2018 and various other privacy regulations in the subsequent months and years, organizations are also being held accountable for protecting the sensitive data they have in their possession. This has seen a huge uptick in organizations turning to data protection solutions to achieve some semblance of data security within their list of executive priorities. However, akin to a panic buying scenario which we are very familiar with today, in times of Covid-19, rapid approvals and implementation of data protection solutions are just proving to be a temporary patchwork on a leaking dam.
This blog post talks about some of the most common mistakes that security officials make when choosing a data protection solution for their data security initiatives.
“Sensitive Data Discovery? – That is a wasted effort! I know where sensitive data is present within my datastores!”
The assumption that one could possibly know all the locations of sensitive data is probably the BIGGEST mistake anyone could make when they embark on a data protection policy. With the number of stakeholders involved in data entry and data processing, it is just not possible to maintain control over where your sensitive data is being entered. With applications evolving over time, and more and more data being entered, sensitive data could be present anywhere in your data store – this is called pervasiveness of data. It would be foolhardy to assume that sensitive data locations are known without employing a robust, automated sensitive data discovery solution.
Deploying a sensitive data discovery solution is just one part of the puzzle. The effectiveness of the discovery solution plays a vital role in having a truly successful data protection program in place. A data discovery solution that does not identify and locate all sensitive data will prove to be even more dangerous, since it will instill a false sense of security of having found all sensitive data – which in reality couldn’t be further from the truth. In all data discovery initiatives, one should always realize that 99% of sensitive data discovered is equivalent to 0% discovered, since the unknown 1% could still derail the effectiveness of your program if left unprotected.
Thus, your security team should choose a robust data discovery solution, one that employs best-of-breed discovery mechanisms such as pattern matching, artificial intelligence-based scanning methods and other advanced scanning mechanisms. Once sensitive data is effectively identified and located, you have won half the battle!
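As an added illustration of the pattern-matching mechanism mentioned above (not code from this post or from any vendor product), the sketch below scans every column of a few constructed rows for payment card numbers and validates each candidate with the Luhn checksum. The column names, the sample rows and the function names are assumptions made for the example.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order references and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_cards(text: str) -> list:
    """Return the Luhn-valid card numbers found in a piece of text."""
    hits = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits

def scan_rows(rows) -> dict:
    """Return {column: number of rows in which a valid card number appears}."""
    report = {}
    for row in rows:
        for column, value in row.items():
            if isinstance(value, str) and find_cards(value):
                report[column] = report.get(column, 0) + 1
    return report

# Constructed sample rows: the card number appears in the expected column once
# and in a free-text field once; row 1003 holds a look-alike that fails Luhn.
SAMPLE_ROWS = [
    {"id": "1001", "card_number": "4111111111111111", "notes": "renewal due in March"},
    {"id": "1002", "card_number": "", "notes": "customer read card 4111 1111 1111 1111 over the phone"},
    {"id": "1003", "card_number": "", "notes": "order ref 1234567890123456 delayed"},
]

if __name__ == "__main__":
    print(scan_rows(SAMPLE_ROWS))
```

The `notes` hit is the pervasiveness problem in miniature: a scan limited to the column that is supposed to hold card numbers would have reported this table as fully covered.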
“Mask, Encrypt, or Tokenize? Let me take the most performance-friendly method.”
Now that data has been discovered, the next question security professionals face is which anonymization method to choose in order to protect the sensitive data – encryption, tokenization, or masking? (Read our blog “Difference between Encryption, Tokenization, and Masking” to know more about the pros and cons of each methodology). When it comes to data protection, security officers face a dilemma: choosing between performance and data value retention.
The simplest method of protecting your data would be to redact it (replace the data with XXXXX). However, this would render the data useless; it will protect it – no doubt, but will you be able to use it for any meaningful purpose? I don’t think so. This is the conundrum that security officers face when choosing the appropriate masking option – performance over usability, which to choose?
The answer however is very obvious – a middle ground wherein you get the best of both worlds. To explain this further, one should be aware of the degree of sensitivity of the data. All data are not equally sensitive – some are very important, and such data cannot fall into the wrong hands at any cost, while some are sensitive, though not as much. The anonymization method used to protect data should depend on this factor – the sensitivity of the data. Data that have a higher degree of importance, or are critical to the business or individual involved, can be protected using robust, performance-intensive mechanisms like encryption. Other data classifications can be anonymized by less process-intensive mechanisms like masking or tokenization.
Another aspect to take into consideration is the data classification and the usability of the masked data. Data that are required for downstream analytical or testing purposes need to be anonymized using mechanisms that retain the nature of the data while also ensuring its security. Nationality is one example – a data store may need to be anonymized in such a way that the proportion of each nationality is maintained.
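The nationality case can be shown with a column shuffle, set beside the XXXXX redaction described earlier. This is an added example, not code from this post or from any product; shuffling is one masking technique that keeps the proportions, and the field names and sample rows are constructed for the illustration.

```python
import secrets
from collections import Counter

def redact_column(rows, column):
    """Replace every value with XXXXX: protected, but useless for analytics."""
    return [{**row, column: "XXXXX"} for row in rows]

def shuffle_column(rows, column):
    """Permute the column's values across rows.

    The multiset of values is unchanged, so every proportion is preserved,
    while the link between a value and its original row is broken.
    Returns new rows; the input list is left untouched.
    """
    values = [row[column] for row in rows]
    # OS-backed randomness, so the permutation cannot be replayed from a seed.
    secrets.SystemRandom().shuffle(values)
    return [{**row, column: value} for row, value in zip(rows, values)]

def proportions(rows, column):
    """Share of each distinct value in the column."""
    counts = Counter(row[column] for row in rows)
    return {value: count / len(rows) for value, count in counts.items()}

# Constructed sample: 10 customers, 50% IN, 30% US, 20% DE.
SAMPLE = [
    {"customer_id": i, "nationality": n}
    for i, n in enumerate(["IN"] * 5 + ["US"] * 3 + ["DE"] * 2, start=1)
]

if __name__ == "__main__":
    print("original:", proportions(SAMPLE, "nationality"))
    print("redacted:", proportions(redact_column(SAMPLE, "nationality"), "nationality"))
    print("shuffled:", proportions(shuffle_column(SAMPLE, "nationality"), "nationality"))
```

Shuffling hides which row a value belonged to, not that the value exists: a nationality that appears only once is still visible in the masked set, so very rare values may need a stronger method.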
“Data Subject Requests? We have a dedicated team to collect and collate the requested information to send to the data subject.”
Almost all of the global privacy regulations empower the citizens under their jurisdiction with a list of rights related to the collection and processing of their personal data by organizations. The most popular of these are the Right to Access and the Right to Erasure, through which requestors can ask an organization to provide information regarding all the data it holds about them (Right to Access) and to delete this data if they so demand (Right to Erasure).
As mentioned previously, with data being so pervasive, a manual approach to responding to these data subject rights requests would not be scalable, and it would only be a matter of time before the influx became so large that organizations would be overwhelmed and ultimately fail to meet the stipulated response timeline for these requests. Therefore, investing in a solution that can automate the entire workflow, from registration of the request to the collation and disbursal of the information back to the requestor, would be of immense value to the organization in the long run. It is estimated to bring in savings to the tune of millions per year (as per Gartner research).
You would be hard-pressed to select a single vendor who can offer you all the capabilities that are mentioned above. However, there are a select few who possess a comprehensive and robust solution that can do just this, and even more when it comes to securing your sensitive data across its lifecycle. Mage Data (then MENTIS Inc.) was founded in 2004, with the aim of providing a truly integrated platform with solutions catering to the needs of data security professionals looking to secure their data. With products that offer solutions in the Data Governance, Data Privacy, and Data Security space, Mage offerings can be trusted to meet most, if not all, of your needs with regard to sensitive data and its lifecycle. Mage’s Sensitive Data Discovery is built on a patented approach and has been garnering praise all around from analysts and customers alike. Its data anonymization modules offer static and dynamic data masking capabilities that provide complete protection to your sensitive data in both production and non-production environments. With products catering to data monitoring requirements as well as data privacy-related requirements (data subject rights requests), Mage offers a truly holistic experience for organizations looking to secure their sensitive data.