Mage Data

Author: Alex Ramaiah

  • What Are the Consequences of Non-Compliance with Data Privacy Laws

    It seems like a new data privacy law is going into effect every day, so keeping track of the requirements these laws impose on businesses can be daunting. However, the sheer volume of new laws doesn’t excuse companies from complying with all that apply to them. The consequences can be severe when companies are non-compliant with data privacy laws.

    What Penalties Can Companies Face for Non-Compliance with Data Privacy Laws?

    Non-compliance with data privacy laws can be costly. Let’s look at some of the largest penalties ever levied to understand what companies may face when they fail in their compliance efforts.

    The Largest GDPR Fine

    On July 22, 2021, the National Commission for Data Protection in Luxembourg announced a €746,000,000 fine against Amazon. After receiving 10,000 complaints about the company’s practices, the Luxembourgian agency launched an investigation that revealed Amazon was using customer data for targeted advertising in ways that weren’t covered by its privacy policy. While Amazon has rightfully pointed out that there hadn’t been a breach of customer data, this fine highlights that laws about data have moved beyond security and into protecting customer privacy. Companies that don’t transition their policies to cover these new requirements have a good chance of ending up like Amazon here, with massive fines despite no external breach.

    The CCPA Means Business

    Since the CCPA gives companies 30 days to cure their operations after being notified of a violation, fines are less likely to occur. So, when they do happen, it’s a strong sign of serious malfeasance by the company. On August 24, 2022, the Attorney General of California, responsible for enforcing the CCPA, announced that Sephora was being fined $1.2 million after failing to cure its issues during the 30-day window. According to the Attorney General, Sephora allowed third-party vendors to track customer activity on its website and app, failed to disclose that the activity was being tracked and that Sephora was being paid for the tracking, and failed to provide an opt-out option, as required by law. This case emphasizes that consent in data processing is more important than ever, and that providing legally required notification and opt-out procedures is vital.

    Why do Companies Fail in Compliance?

    Because the financial penalties can be so severe, companies must understand the common personal-data mistakes that result in regulatory action, and how to avoid them.

    They Don’t Understand or Keep up With the Laws

    Compliance with data laws is like paying your taxes. Just as not understanding the complexities of tax law isn’t an excuse for not paying the taxes you owe, not having a complete understanding of data privacy laws doesn’t excuse you from their provisions. Unlike tax law, which sees major changes only every few years, data privacy law is a rapidly evolving organism. Every year, more data privacy laws are passed. These range from international requirements, like the GDPR in the EU, to national laws, like those in China and Singapore, to state and provincial laws in countries with a federal system.

    The scary reality for most companies is that if the information you’re using to manage your data privacy policies is even six months out of date, your company could be at serious risk of regulatory action under a brand-new law. It is therefore critical that the people in charge of your data privacy policies keep up with the latest developments.

    They Don’t Manage Risk Well

    The reality is that if you make a minor mistake in handling personal data just once, it’s unlikely that you’ll be caught. Even if you are, regulatory agencies would have to decide whether it’s worth their time to bring enforcement action, given that they have much bigger fish to fry. That doesn’t mean they won’t penalize your company, but the odds are low. Now, take that same minor mistake and scale it up so that instead of making it once, you’ve made it on a hundred thousand or a million records. Your “little” mistake has grown so much that regulators can’t ignore it.

    That’s not to say that small companies can never get in legal trouble over this issue. But what companies sometimes fail to appreciate is that the risk grows exponentially with size rather than linearly. For one, businesses tend to process exponentially more records as they grow and use them in more ways. Oversight also gets much more difficult: larger companies have more departments and more teams, and any one of them can create a data processing nightmare. Companies that fail to empower their data privacy policymakers to enforce the rules and audit teams for compliance may therefore take on far more risk than they realize.

    They Don’t Understand the Consequences

    Some companies would barely notice a fine if caught violating data privacy laws. But there’s more to regulatory action than just the fine that is levied. Reputational damage is real. When your customers or clients hear that you’re mishandling their data, you can suffer real losses. Your brand image, which can take years or even decades of performance to build, can be cut down in a moment. Companies that don’t take this threat seriously can trick themselves into believing they can easily survive any regulatory action over data privacy. Don’t fall into that trap!

    How Mage Data Helps Companies with Data Privacy

    From the examples above, it’s clear that companies need a solid plan for keeping up with changing data privacy laws and ensuring that they remain compliant. However, the plan is only half of the equation. Your data privacy teams need the tools to help them execute their vision. That’s where Mage Data comes in. Mage Data provides tools to help companies with data privacy and security from the database to the front end. They start working out of the box but can also be highly customized to meet an enterprise’s needs. Schedule a demo with Mage Data today to learn more.

  • Four Best Practices for Protecting Private Data

    If you’re approaching data security for the first time, or just need to revisit your approach to protecting private data, it can be hard to get started. Dealing with (sometimes very different) data privacy laws, ensuring that your company follows procedure, and tracking down the gaps in your security can all be challenging. Here are a few concrete things you can do to turbocharge your approach to protecting private data and ensure that you’re taking care of your customers, too.

    Best Practice #1: Create a Privacy Policy

    It may seem a little strange to start with the creation of your privacy policy when protecting private data. However, there are two powerful reasons that you should make this one of your priorities. The first is that your privacy policy is a required legal document in a growing number of countries around the world. Not having one could subject you to heavy fines. Second, creating a privacy policy forces your company to document the different ways you use customer data and think critically about those uses. For example, while compiling the ways in which your company uses data, you might discover that there are processes using data that are no longer necessary. By dropping these, you can free up resources.

    It can also help uncover “shadow IT,” or processes put in place by your employees without the official sanction of the company. These processes can expose you to liability, even if you don’t intend for them to be happening. That’s not to say that your privacy policy should be set in stone. Instead, it should be a living document, able to evolve as your business needs change. At the same time, you should ensure your employees understand that they cannot change how they handle customer data without the express approval of the company. There should be a clear, documented process for requesting updates to the privacy policy, so that your company can remain flexible while still meeting its regulatory requirements.

    Best Practice #2: Encrypt Your Data

    One of the most important things you can do to protect private data is to encrypt it. Encryption takes useful data and turns it into scrambled, unreadable data (ciphertext). The data can only be turned back into its useful form through the use of a private key. Without that key, it would take as long as 13,689 trillion trillion trillion trillion years to crack the encryption if you had access to all the computing power on Earth. By that point, the data would likely no longer have any use.

    The issues that stem from a lack of encryption quickly become apparent in the event of a breach. In 2019, a security researcher discovered a cache of more than 885 million sensitive documents on First American Financial’s website that were unencrypted. Consequently, anyone with the right URLs could access any of those records. Encrypting your data at rest, or when it’s not in use, prevents this kind of leak and helps keep your customers safe.

    Best Practice #3: Discover and Classify Sensitive Data

    While all data should have some level of security, applying your maximum efforts to every piece of data can be an inefficient approach that damages your company’s productivity. For example, suppose your company handles weather data. If that’s leaked, it’s no big deal. On the other hand, Social Security numbers should be handled with much more care. Treating both the same wastes computing resources on encryption and decryption and might also cost your employees time.

    The solution is to classify all of your internally generated and incoming data to ensure that it is handled correctly. Of course, this isn’t something you can do by hand, especially if your company handles millions or even billions of data points in a year. Data discovery by Mage Data uses AI and advanced Natural Language Processing to uncover all your sensitive data. It works on the databases you already have and can work incrementally as new data comes in, ensuring that you always have a complete view of what data you have so that you can secure it correctly. Because it’s driven by AI, it can also identify sensitive data with an unorthodox presentation, such as an email address with a typo or stored within header data, so that nothing slips through the cracks.
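    To make the discovery-and-classification idea concrete, here is an added example (not Mage Data’s product code) of the simplest form of sensitive-data discovery: pattern-based detection run over a small constructed customer table. It labels whole columns only when enough of their cells match, but still reports every individual hit, so an SSN buried in a free-text “notes” column surfaces as a finding. The SSN validator applies the structural rules for issued numbers to cut false positives. Row 4’s malformed e-mail address is deliberately missed by the regex; that is exactly the gap the text says AI-driven discovery is meant to close.

```python
import re
from collections import Counter

# Constructed sample rows shaped like a customer table (no real people). Row 2
# hides an SSN inside free text and row 4 carries a malformed e-mail address,
# the kind of "unorthodox presentation" the text refers to.
SAMPLE_ROWS = [
    {"id": "1", "email": "ana@example.com", "ssn": "123-45-6789", "notes": "called re: invoice"},
    {"id": "2", "email": "bo@example.org",  "ssn": "987-65-4321", "notes": "SSN on file 222-33-4444"},
    {"id": "3", "email": "cy@example.net",  "ssn": "N/A",         "notes": "prefers phone"},
    {"id": "4", "email": "dee@example",     "ssn": "555-66-7777", "notes": ""},
]

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules for issued SSNs: area is never 000, 666 or 900-999,
    group is never 00, serial is never 0000. This cuts false positives from
    order numbers and other nnn-nn-nnnn strings."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def find_ssns(text: str) -> list:
    """Every structurally valid SSN inside a piece of text."""
    return [m.group(0) for m in SSN_RE.finditer(text) if is_valid_ssn(*m.groups())]


def classify_value(value: str) -> set:
    """Sensitivity labels carried by a single cell (a cell may carry several)."""
    labels = set()
    if find_ssns(value):
        labels.add("SSN")
    if EMAIL_RE.search(value):
        labels.add("EMAIL")
    return labels


def classify_columns(rows: list, threshold: float = 0.5):
    """Two outputs: column labels, assigned when at least `threshold` of a
    column's non-empty cells match (so one stray hit does not reclassify a whole
    column), and the list of individual cell hits, so a single SSN buried in a
    free-text column still surfaces as a finding to remediate."""
    hits = {}               # column -> Counter(label -> matching cells)
    nonempty = Counter()    # column -> cells that were inspected
    findings = []           # (row id, column, label)
    for row in rows:
        for col, val in row.items():
            hits.setdefault(col, Counter())
            if not val or val.upper() == "N/A":
                continue
            nonempty[col] += 1
            for label in classify_value(val):
                hits[col][label] += 1
                findings.append((row["id"], col, label))
    column_labels = {
        col: {lbl for lbl, n in ctr.items() if nonempty[col] and n / nonempty[col] >= threshold}
        for col, ctr in hits.items()
    }
    return column_labels, findings


if __name__ == "__main__":
    labels, cell_hits = classify_columns(SAMPLE_ROWS)
    print("column labels:", labels)
    print("cell-level findings:", cell_hits)
```

    Run against the sample, the “ssn” and “email” columns are labelled, “notes” is not labelled as an SSN column, yet the stray SSN in row 2’s notes is still listed as a finding. Incremental use, as the text describes, is just calling `classify_columns` on each new batch and merging the findings.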

    Best Practice #4: Control Data Access

    Once your data is identified, classified, and encrypted, the next step is to control access to ensure that your data is protected. In the past, a username and password would be enough to keep data safe. However, that’s no longer the case. One of the most common ways data is accessed improperly is through a compromised set of credentials. One way to counter that problem is through the use of two-factor authentication: When your employee enters their correct username and password, a code will be sent to them via phone call, text, email, or a piece of physical hardware like a dongle. They won’t be able to log in unless they also enter the correct code. This means that even if your employee’s credentials are compromised, no one will be able to use them to log into their account.

    It’s also important to restrict data access within your organization. Your accountant doesn’t need access to the same files your account manager does, and vice versa. Restricting their access to the files and resources they need to perform their jobs helps keep information safe in the event of a breach and limits the damage a single employee can do in an intentional leak.

    Controlling access at this level requires granular tools. Mage Data’s Dynamic Data Masking offers companies everything they need to manage a workforce ranging in size from very small to enterprise. Flexible rules, including role-, user-, program-, and location-based controls, allow fine-grained tuning of permissions and ensure your employees have what they need to work without unnecessary access to sensitive information.
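    To show what role-, user-, program- and location-based masking rules look like when written down, here is an added example that is not Mage Data’s product: a small policy engine that rewrites a record on the way out according to who is asking and from where. The record, the key, and the role, location and program attribute names are all constructed for the example. Rules are evaluated in order and a column with no matching rule is fully masked, so the default is least privilege rather than full disclosure.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed record and key: no real person, and not a production secret.
RECORD = {"name": "Jordan Lee", "ssn": "123-45-6789", "email": "jordan@example.com", "salary": "95000"}
TOKEN_KEY = b"constructed-demo-key-rotate-in-production"


@dataclass(frozen=True)
class Context:
    """Attributes of the request; the names are assumptions for this example."""
    user: str
    role: str
    location: str   # "office" or "remote"
    program: str    # the client application making the query


def passthrough(v: str) -> str:
    return v


def mask_full(v: str) -> str:
    return "*" * len(v)


def mask_ssn_last4(v: str) -> str:
    return "***-**-" + v[-4:]


def mask_email(v: str) -> str:
    local, _, domain = v.partition("@")
    return local[0] + "***@" + domain


def tokenize(v: str) -> str:
    """Keyed, deterministic token: equal inputs give equal tokens, so analysts can
    still join and count on the column. Because it is keyed, the small SSN space
    cannot simply be hashed through to reverse it, as it could with a bare hash."""
    return "tok_" + hmac.new(TOKEN_KEY, v.encode(), hashlib.sha256).hexdigest()[:16]


# Ordered rules: (predicate over the request context, column, masking function).
# First matching rule wins; a column with no matching rule is fully masked.
POLICY = [
    # location- and program-based: clear SSN only from the office, only via the HR portal
    (lambda c: c.role == "payroll" and c.location == "office" and c.program == "hr-portal", "ssn", passthrough),
    (lambda c: c.role == "payroll", "ssn", mask_ssn_last4),
    (lambda c: c.role == "payroll", "salary", passthrough),
    (lambda c: c.role == "support", "email", mask_email),
    (lambda c: c.role == "support", "ssn", mask_ssn_last4),
    (lambda c: c.role == "analyst", "ssn", tokenize),
    (lambda c: c.role == "analyst", "salary", passthrough),
    (lambda c: c.user == "dpo.officer", "email", passthrough),   # user-based exception
    (lambda c: True, "name", passthrough),
]


def apply_policy(record: dict, ctx: Context) -> dict:
    """Return the record as the caller is allowed to see it."""
    masked = {}
    for col, val in record.items():
        for applies, rule_col, fn in POLICY:
            if rule_col == col and applies(ctx):
                masked[col] = fn(val)
                break
        else:
            masked[col] = mask_full(val)   # deny by default
    return masked


if __name__ == "__main__":
    for ctx in (Context("pat", "payroll", "office", "hr-portal"),
                Context("pat", "payroll", "remote", "hr-portal"),
                Context("sam", "support", "office", "helpdesk"),
                Context("ari", "analyst", "remote", "notebook")):
        print(ctx.role, ctx.location, "->", apply_policy(RECORD, ctx))
```

    The same payroll user sees the full SSN at the office through the HR portal but only the last four digits from home, support staff never see salary, and analysts get a join-safe token instead of the number. Masking at query time like this limits what a compromised account can exfiltrate, which is the point the text makes about containing an intentional leak.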

    How Mage Data Can Help

    Over the years, Mage Data has helped companies of all sizes enhance their approach to data privacy. Having worked with so many different clients with different needs, we know how to help you create the right approach to security for your specific needs. Schedule a demo today to learn more about what Mage Data can do for you.

  • Can Tools Really Stop a Data Breach? Hear from our CEO

    As data is the new oil, more threat actors are looking for ways to obtain sensitive information, eager to use it for a variety of sinister purposes.

    Following a data leak, home users might experience identity theft while companies risk damaging their brand reputation and suffering financial losses.

    To discuss the best data privacy and security practices, Cybernews talked to Rajesh Parthasarathy, the CEO of Mage Data, which provides data security and data privacy software for global enterprises.

    What has the journey been like for Mage Data? How did it all start?

    Looking back now, the journey of Mage Data has been transformational, to say the least. Early on, at a time when the use of data by organizations for business requirements was beginning to get widely adopted, I realized that the biggest threat to a full-scale digital transformation would be the security of sensitive data. Securing the data privacy and security of every organization and solving these data security challenges laid the foundation for the formation of Mage Data™ (then MENTIS) in 2004. Our data security platform was built based on 20+ years of experience and research on security vulnerabilities and solutions. It was received with resoundingly positive feedback by prospects and customers alike. With a vision of enabling a seamless solution offering and service to companies across the globe, we set up the operational base for Mage Data in India in 2014.

    Over the years, Mage Data has cemented its presence on the global map as one of the forerunners of data security and privacy solutions. A testament to this also comes in the form of industry awards, with Mage Data receiving the Customer’s Choice award consecutively for the last two years. Today, Mage Data stands out in the market with its differentiated products that provide an integrated end-to-end platform enterprise solution that is strongly positioned to reimagine data privacy and security for enterprises.

    Can you introduce us to your data privacy solutions? What are their key features?

    The Mage Data Platform provides data security solutions across the lifecycle of sensitive data right from the time of its creation till its retirement from the data store. Our solutions can discover data, anonymize it in production and non-production environments, monitor activity within the data store, and finally retire and tokenize inactive sensitive data. These capabilities can be used to solve a host of various use cases in the privacy and security space that include:

    • Test Data Management
    • Database security
    • Cloud migration
    • Achieving regulatory compliance
    • Enabling secure analytics on data
    • Implementing attribute-based access control mechanisms

    All these solution capabilities can be implemented within a single platform seamlessly with utmost ease.

    In your opinion, what data privacy issues should more people be concerned about?

    A primary concern for people should be the use of data for services that they have not opted for. For example, if an individual authorizes a bank to use their data for savings account services, the bank should not be using that data to sell additional products like loans, credit cards, etc.

    It’s an individual’s personal data that is being monetized. Whenever anything is free, the individual ends up being the product. It’s time we start treating our personal data as private information that should be shared only when required and which is deleted once the specific task is completed.

    From an organization’s point of view, we live in a world where data is key to supporting innovation and unlocking different products or services required by people across the globe. Today there are different ways in which organizations can derive insights from data without compromising its security or privacy, which has gained utmost importance.

    Many organizations across the world are suffering because of the increasing frequency and potency of data breaches, both internally and externally. This not only leads to bad press but also attracts huge regulatory fines through the privacy laws and regulations being adopted by countries worldwide.

    How do you think the current global events are going to affect the way cybersecurity is perceived by the general public?

    There is a slow but steady increase in the awareness of data security in the minds of the general public. Privacy regulations like GDPR and CCPA have been at the forefront of the news when it comes to ensuring data privacy and security. However, there is still a long way to go, and companies need to inculcate a culture of securing data across their enterprise data landscape. Today, I can see people reading the check-box clauses twice before submitting any form. This shows that there is awareness amongst the public as to what it is that they are providing their consent for.

    In your opinion, why do certain companies still fail to keep up with compliance and other security standards?

    Complying with the standards set by the regulators requires consistent effort and periodic reviews. While there are outliers to this, most companies employ data security practices merely as a tick-in-the-box solution. Data security for one cannot be a one-time job. Security and compliance standards keep evolving, and regulators keep raising the bar for data security to ensure that data remains secure. Keeping up with such stringent standards requires inculcating them within the very DNA of the organization. Ensuring the security and privacy of data is not a good-to-have but a must-have practice. So, not having a robust data security approach within the company should ideally be ringing alarm bells for the management.

    What risks can customers be exposed to if a company they trust struggles to ensure compliance?

    Misuse of their personal data is the biggest risk that customers face when a company they trust fails to ensure compliance, thereby failing to secure their personal information. Breach of personal data has extraordinary ramifications depending on the classification of data that has been breached. It can range from simple prank calls to serious identity thefts that can result in financial losses to the customer.

    What security tools or practices should users adopt to protect themselves online?

    Research has found that phishing contributes to the greatest number of data breaches, and to prevent this, people should always be aware of their online activity and what links they click. An individual who is completely aware of what they are doing online can greatly reduce the risk of inadvertent data loss due to phishing and visiting other malicious links. Security tools are present only to aid individuals in this endeavor, and no tool can completely secure or mitigate the loss of data. Tools help in reducing the impact of a breach and can never guarantee immunity from a data breach.

    Talking about the future, what predictions do you have for the data security landscape for the upcoming years?

    The data security landscape is evolving at a fast pace, and there is a lot of research that states it’s just going to keep growing. Gartner, for example, predicts that data security solutions are now consolidating into data security platforms – a single solution that can ensure the security of data across its different states (at-rest, in-transit, in-use) and use cases. The increasing adoption of the Cloud is also fuelling the rise of data security. As a vendor in the data privacy and data security space, it is an exciting time for us, and the future looks to be full of new opportunities and challenges. Avenues such as cloud security, privacy-enhancing technologies, and dynamic data masking are abundant for us to develop innovative solutions and assist organizations in championing their data security initiatives.

    And finally, what’s next for Mage Data?

    Mage Data has just come out of a two-year transformation period, and the organization is primed and ready to address the evolving needs of the privacy and security market. By strengthening the product suite to cover more data stores and establishing strategic partnerships with vendors in adjacent areas and markets, Mage Data is looking to holistically develop its product portfolio to become the single preferred vendor for organizations looking to have robust data privacy and security solutions.

  • Cloud Migration and Data Security: Understanding What Needs to Be Done

    The cloud industry has been experiencing meteoric growth, thanks in no small part to the global pandemic. Companies that were already migrating to the cloud suddenly had to accelerate those plans to continue operating and remain competitive in the shift to a remote workforce. Companies that had resisted the change had to play catch-up, and too often rushed their cloud migration.

    Unfortunately, in that push to move to the cloud, data security can often be a casualty. Even migrating to one of the leading cloud platforms—platforms known for offering industry-leading security, like Azure or AWS—doesn’t automatically guarantee your data will be secure.

    For example, one area where organizations must be particularly careful is migrating medical data to the cloud and remaining compliant with the Health Insurance Portability and Accountability Act (HIPAA) requirements for patient privacy and security. Virtually all of the major cloud providers advertise being HIPAA-compliant, but the burden is still on individual clients to ensure they properly utilize the security tools provided by their chosen cloud provider.

    There are several steps organizations can take to ensure their cloud migration goes as smoothly as possible while providing the needed data security.

    Establish Strong Security Measures First

    One of the biggest steps organizations can take is establishing strong security measures before beginning a cloud migration.

    While data security should be part of any organization’s fundamental operations, migrating to the cloud opens a whole new realm of security threats, including multiple attack vectors, potential security issues with third-party APIs, denial-of-service attacks, account hijacking, and more. Unless an organization takes the time to secure their operations before migrating, they can quickly find themselves overwhelmed by the challenges of storing their data in the cloud.

    Adopt Zero-Trust Security

    On-premise security often focuses on keeping intruders out, with little to no secondary security, should a breach be successful.

    By contrast, proper cloud security focuses on a zero-trust approach, emphasizing security and containment throughout the entire platform (and not just “at the gates”). For example, with a traditional on-premise network, security plans often emphasize strong firewalls designed to keep bad actors out. Because the majority of employees access the company’s network from trusted onsite computers, there’s much less concern about those devices.

    With cloud computing, however, there is no one, single point of entry. Because of its decentralized nature, there are any number of ways a person could gain access to an organization’s resources, making it imperative to establish strong security at every layer of an organization’s cloud presence, trusting no one and no device.

    Data Privacy and HIPAA Compliance

    Data privacy adds another layer of complexity when it comes to cloud migration. A great example of this is the handling of personal data in compliance with HIPAA laws in the U.S. HIPAA encourages the use of electronic data storage but also includes strict requirements for how that data is managed and secured.

    As a result, a number of factors must be considered in order to remain compliant.

    1) Platform vs. Data. One of the most important things to keep in mind when moving HIPAA-sensitive data to the cloud is the distinction between platform and data. While AWS, Azure, and others market their platforms as HIPAA-compliant, each client company is still responsible for making sure they properly secure the data they upload to those platforms. This is why AWS uses terms like “shared responsibility” when describing its HIPAA compliance.

    2) Access Control. Just as an organization must control who has access to data locally, proper access control must be maintained in the cloud, ensuring only authorized parties are able to access sensitive information.

    3) Firewalls. Firewalls are a vital part of a cybersecurity plan, especially one involving cloud-based HIPAA data—a requirement for remaining compliant. In addition, the firewall should provide robust logging, which can be used to identify attackers and assist any law enforcement efforts.

    4) Encryption. Another requirement for properly secured data is end-to-end encryption (E2EE). E2EE ensures that no third parties can snoop on data in transit, or when it is being stored.

    5) Data De-Identification. Data de-identification is another important step that can and should be taken to protect sensitive data. De-identification removes identifiable information so the data can be accessed and analyzed without risking patient privacy. Hybrid data masking, in particular, can be a powerful tool in this regard. Setting up data masking in the new cloud environment should be a priority for safeguarding personal data.

    6) File Integrity Monitoring. File integrity monitoring is designed to monitor files and flag them if they have been altered or deleted. This can be an invaluable step in catching errors or intrusions as early as possible, and thus mitigating potential damage.

    7) Notification Protocols. Modern data laws require organizations to notify customers of HIPAA-related data breaches. In order to do so in a timely fashion, and prevent further fines, organizations must ensure they have a system in place to quickly and efficiently notify individuals in the event of a breach.
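    Of the factors above, file integrity monitoring (item 6) is the one most easily shown in code. The following is an added example, not Mage Data’s or any cloud provider’s tooling: it hashes every file under a directory into a baseline, diffs a later snapshot against it to report modified, deleted and added files, and authenticates the stored baseline with an HMAC so that an intruder who can rewrite files cannot also quietly rewrite the baseline. The directory contents and key are constructed inside a temporary folder for the demonstration.

```python
import hashlib
import hmac
import json
import os
import tempfile


def hash_file(path: str) -> str:
    """SHA-256 of a file, streamed so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = hash_file(full)
    return snap


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify every change between the baseline and the current state."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "deleted": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def seal_baseline(baseline: dict, key: bytes) -> tuple:
    """Serialize the baseline and authenticate it. Without the tag, an attacker who
    alters records could re-run the baseline and the monitor would see nothing."""
    blob = json.dumps(baseline, sort_keys=True).encode()
    return blob, hmac.new(key, blob, hashlib.sha256).hexdigest()


def load_baseline(blob: bytes, tag: str, key: bytes):
    """Return the baseline dict, or None if the tag does not verify."""
    expected = hmac.new(key, blob, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(blob)


def demo() -> dict:
    """Constructed scenario: baseline three files, then modify one, delete one, add one."""
    key = b"constructed-demo-key"   # in practice held by the monitor, not on the monitored host
    with tempfile.TemporaryDirectory() as root:
        records = os.path.join(root, "records")
        os.makedirs(records)
        for name, body in [("patient1.txt", b"A"), ("patient2.txt", b"B"), ("patient3.txt", b"C")]:
            with open(os.path.join(records, name), "wb") as f:
                f.write(body)
        blob, tag = seal_baseline(snapshot(root), key)

        # Simulated tampering after the baseline was taken.
        with open(os.path.join(records, "patient1.txt"), "ab") as f:
            f.write(b" tampered")
        os.remove(os.path.join(records, "patient2.txt"))
        with open(os.path.join(records, "new.txt"), "wb") as f:
            f.write(b"N")

        baseline = load_baseline(blob, tag, key)
        if baseline is None:
            raise RuntimeError("baseline failed integrity check")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

    Scheduling `snapshot` plus `diff_snapshots` on a timer and shipping the result to a log pipeline gives the early warning the text describes; keeping the sealing key off the monitored host is what makes the baseline trustworthy after a compromise.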

    Prepare for the Data Security of Your Cloud Migration

    Given the sheer number of security risks and privacy issues involved in cloud migration (and the stakes involved in remaining compliant), many organizations are choosing to outsource some or all of their migration to experienced experts.

    Mage Data has a long history of helping companies achieve the data security they need, even during transitional periods like cloud migration. Learn more about our cloud security offerings, or request a demo for our industry-leading Data Security Solutions.


  • What is Homomorphic Encryption and How It’s Used

    Most data encryption is for data that is either at rest or in transit. Most security experts do not consider encryption a viable option for data in use because it’s hard to process and analyze encrypted data. As the need for privacy and security increases, however, there is a perceived need to encrypt data even when it is in use. To encrypt data and use it at the same time is not an easy task. Enter homomorphic encryption.

    What Is Homomorphic Encryption?

    Homomorphic encryption is an emerging type of encryption that allows users or systems to perform operations using encrypted data (without decrypting it first). The result of the operation is also encrypted. Once the result is decrypted, however, it will be exactly the same as it would have been were it computed with the unencrypted data.

    When Should Homomorphic Encryption Be Used?

    Thanks to homomorphic encryption, organizations are able to use cloud computing in external environments while keeping the data there encrypted the entire time. That is, third parties can handle sensitive data without compromising the security or privacy of that data. If the third party becomes compromised in any way, the data will still be secure, because it is never decrypted while it is with the third party.

    Before, it was impossible to outsource certain data processing tasks because of privacy concerns. Because it was necessary to decrypt data to perform computations, the data would be exposed while in use. Homomorphic encryption addresses those concerns. This is a game changer for organizations in a wide variety of industries.

    For example, homomorphic encryption allows healthcare providers to outsource private medical data for computation and analysis. The benefits of homomorphic encryption are not limited to healthcare. As regulations like GDPR become more common and more strict, it becomes crucial to protect personal data at all times, even while performing data analysis on it.

    Is Homomorphic Encryption Practical?

    Homomorphic encryption has been theoretically possible for a long time. The first fully homomorphic encryption schemes are already more than 10 years old. The problem is that the process requires an immense amount of computing power. The herculean effort that goes into this particular type of encryption has prevented it from becoming a viable option for most organizations.

    Now, though, an immense amount of computing power is not as hard to come by as it used to be. We are still not seeing much homomorphic encryption adoption just yet, but more organizations are taking interest.

    Expect to see it become a hot new opportunity in cybersecurity circles as homomorphic encryption becomes more necessary and more attainable at the same time. (The increased necessity is because of strict new rules for data privacy, while the increased attainability is from the exponential growth of computing power).

    Partially Homomorphic vs. Fully Homomorphic Encryption

    There are multiple types of homomorphic encryption schemes. At two ends of the spectrum, cybersecurity experts classify these schemes as partially homomorphic or fully homomorphic. As this type of encryption becomes more viable, people are finding new ways to classify it, introducing new categories between partially and fully homomorphic.

    Currently, we talk about homomorphic encryption in the following ways:

    • Partially Homomorphic Encryption – The lowest level; supports only one type of operation (such as multiplication, division, subtraction, or addition)
    • Somewhat Homomorphic Encryption – Supports any type of operation, but only for a limited number of ciphertexts
    • Fully Homomorphic Encryption – Supports an unbounded number of computations on any number of ciphertexts

    As applications of homomorphic encryption become more plausible, expect to see greater nuance emerge. We will see pros and cons of homomorphic encryption that may not be apparent until there are more case studies.

    Potential Vulnerabilities of Homomorphic Encryption

    In March 2022, academics from North Carolina State University and Dokuz Eylul University collaborated to identify a vulnerability in homomorphic encryption. Specifically, researchers showed they could steal data during homomorphic encryption by using a side-channel attack.

    “We were not able to crack homomorphic encryption using mathematical tools,” said Aydin Aysu, an assistant professor of computer engineering at North Carolina State University. “Instead, we used side-channel attacks. Basically, by monitoring power consumption in a device that is encoding data for homomorphic encryption, we are able to read the data as it is being encrypted. This demonstrates that even next generation encryption technologies need protection against side-channel attacks.”

    Is Homomorphic Encryption Safe?

    Before this study scares you away from the potential of homomorphic encryption, it is worth noting a few things:

    1. The vulnerability discovered was only in Microsoft SEAL, an open-source implementation of homomorphic encryption technology.
    2. The researchers were studying versions of Microsoft SEAL released before December 3, 2020. Later versions of the product have replaced the algorithm that created the vulnerability.
    3. The academics did not conclude that this type of homomorphic encryption was entirely unsafe, only that it needed protection from side-channel attacks. And there are established ways to protect against side-channel attacks.

    Does this mean modern homomorphic encryption is necessarily impermeable? No. However, the results of this study are not cause for excessive concern. One big takeaway is that the vulnerability in software from 2020 was not discovered until 2022, when newer versions had already corrected the problem. With commitment to an evolving cybersecurity plan, companies can stay a step ahead of hackers (and academic researchers).

    Assistant Professor Aysu seems confident about the future of homomorphic encryption, as long as organizations also take additional precautions. “As homomorphic encryption moves forward, we need to ensure that we are also incorporating tools and techniques to protect against side-channel attacks,” he says.

    How to Use Homomorphic Encryption

    There are multiple open-source homomorphic encryption libraries, and Microsoft SEAL is the most common. It was developed by the Cryptography Research Group at Microsoft Research. More cybersecurity experts are becoming interested in homomorphic encryption, and it is getting faster.

    For now, though, it still is not the best option for most organizations. Upon comparing the differences between encryption, tokenization, and masking, most find that masking is currently the best option for data in use.

    Related Blogs

    The Comparative Advantages of Encryption vs. Tokenization vs. Masking

  • Your Data Protection Journey Should Start with True Data Discovery

    Your Data Protection Journey Should Start with True Data Discovery

    One of the key services we offer here at Mage Data is robust data discovery, and for a good reason. We have found that too many organizations try to unearth sensitive data simply through using regular expressions in their database—and they inevitably come to us when those efforts fail.

    So, for those organizations out there starting their data protection journeys, please learn from the lessons of others. You can save a lot of time and expense by using a robust data discovery tool. While it might be tempting to try a DIY solution, those likely will be inadequate for some well-known reasons.

    Regular Expressions: The Basics

    Regex, or regular expressions, are simply sequences of characters that specify a search pattern. With them, a user can specify rules that determine which search strings the system should return. For example, they could be used to search a database to find:

    • All records with a last name
    • All records with a last name of “Smith”
    • All records with a last name beginning with “S”
    • All records with a last name beginning with “S” except those that are “Smith”
    • …and so on.

    Naturally, these are not limited to names. Regular expressions can be used to query phone numbers, Social Security numbers, email addresses, credit card numbers…any data that is stored in a database.

    This is why they sometimes get used in data discovery. Take Social Security numbers. Knowing the format of Social Security numbers, one could use a regular expression to find all such numbers in a data set and flag them for data masking. That will hide sensitive information, but only if you can catch all (and only) Social Security numbers.

    So regular expressions can be thought of as their own kind of programming language, albeit a very specialized language with a very limited number of operators. That simplicity makes them powerful, but also limited in many ways.

    Using Regular Expressions (Regex) to Find Sensitive Data Patterns

    If regex can be used to find any arbitrary string of data, how could it possibly be limited? There are two ways.

    First, the user that created the regex query has to know what they are doing in order to capture all the relevant data. Take U.S. Social Security numbers (SSNs). One might be tempted to simply create a regular expression to capture any nine-digit number. But what if some of the SSNs have dashes, and others do not? And what if some are invalid as SSNs—for example, there are no legitimate SSNs that begin with the digits 666 or 989. The person who creates the regular expression will need to take into account all the different formats and combinations possible in the data.

    That leads to the second problem: false positives. Once all the format variations are taken into account, other kinds of data can fit the same shape as an SSN. For example, a telephone number that is missing a digit, or a national ID number, can also match the pattern. Many pieces of data will then be flagged as sensitive when they really are not.
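    Here is what those two problems look like in practice. The block below is an added example written for this article, not Mage Data's own discovery code: it scans a few constructed records with the naive nine-digit pattern, then with a stricter pattern that applies the SSA issuance rules (area numbers 000, 666 and 900–999 are never issued, and group 00 and serial 0000 are invalid; these rules are assumed from published SSA guidance and go beyond the two prefixes the text mentions), and finally with a small context heuristic. The sample rows and the keyword list in `NON_SSN_CONTEXT` are constructed for the demonstration.

```python
"""Naive vs. stricter SSN discovery, and the false positives that survive format checks."""
import re

# Naive pattern from the text: any nine digits, with or without dashes.
NAIVE_SSN = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")

# Same shapes, but with the three parts captured so they can be validated.
SSN_PARTS = re.compile(r"\b(\d{3})-?(\d{2})-?(\d{4})\b")

# Constructed heuristic: words just before a hit that mark it as something other than an SSN.
NON_SSN_CONTEXT = re.compile(r"(phone|callback|tel|tracking|employee id)\s*(no\.?\s*)?$", re.I)


def plausible_ssn(area, group, serial):
    """Assumed SSA issuance rules: area 000, 666 and 900-999 never issued;
    group 00 and serial 0000 invalid."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def find_naive(text):
    return NAIVE_SSN.findall(text)


def find_strict(text):
    return [m.group(0) for m in SSN_PARTS.finditer(text) if plausible_ssn(*m.groups())]


def find_with_context(text, window=20):
    """Strict match plus a look at the text immediately before the hit."""
    hits = []
    for m in SSN_PARTS.finditer(text):
        if not plausible_ssn(*m.groups()):
            continue
        before = text[max(0, m.start() - window):m.start()]
        if NON_SSN_CONTEXT.search(before):
            continue
        hits.append(m.group(0))
    return hits


# Constructed sample rows: two real-shaped SSNs and four look-alikes.
SAMPLE_ROWS = [
    "customer_id=1;notes=SSN 123-45-6789 on file",
    "customer_id=2;notes=callback 555012345 (phone missing a digit)",
    "customer_id=3;notes=ssn 666-12-3456",            # area 666 is never issued
    "customer_id=4;notes=employee id 987654321",      # area 900-999 is never issued
    "customer_id=5;notes=SSN 219-09-9999",
    "customer_id=6;notes=tracking no. 000-11-2222",   # area 000 is invalid
]


def scan(rows):
    """Return (naive hits, strict hits, contextual hits) over the rows."""
    naive = [hit for row in rows for hit in find_naive(row)]
    strict = [hit for row in rows for hit in find_strict(row)]
    contextual = [hit for row in rows for hit in find_with_context(row)]
    return naive, strict, contextual


if __name__ == "__main__":
    for label, hits in zip(("naive", "strict", "contextual"), scan(SAMPLE_ROWS)):
        print(f"{label}: {hits}")
```

    On the constructed rows the naive pattern flags all six values, the validity rules drop three of them, and only the context check removes the phone number with a missing digit, which is a perfectly well-formed SSN as far as the format is concerned. That last false positive is the one no amount of regex refinement can remove, and it is where the human review time goes.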

    But why are false positives a bad thing? If the organization is finding all of the sensitive data, what does it matter if some non-sensitive data is flagged as sensitive, too?

    False Positives, Human Intervention, and the Investment of Time

    In data discovery, one wants to decrease the number of false positives as much as possible. Too many false positives will overwhelm the search as your team loses the ability to discern actual sensitive data from false positives that live in your data set.

    In fact, most organizations require additional human intervention to sift through data and identify false positives from actual hits. This additional human effort takes time.

    For example, suppose that a search using regex takes a full day to find the appropriate data. That might seem pretty speedy, but the human effort to weed out false positives might take 10 days thereafter. The data is ready, then, in 11 days.

    Compare this to our more robust data discovery that uses artificial intelligence and natural language processing that can understand the context surrounding a piece of data, as well as discover sensitive data in unstructured fields. The process sounds like it will take longer—five days instead of one day with regex! But when the data discovery process is done, the human team will need only a single day to sort out the data and find the few remaining false positives. A process that, overall, used to take 11 days now takes only six.

    Method                      | Initial scan (hypothetical) | Human review (hypothetical) | Total time
    Regular expressions (regex) | 1 day                       | 10 days                     | 11 days
    Mage Data Discovery         | 5 days                      | 1 day                       | 6 days
    Difference                  | 4 days (4X increase)        | 9 days (9X decrease)        | 5 days saved

    In short, there is a direct correlation between the quality of the data discovery process and the time spent refining the data and weeding out false positives.

    Other Issues with Regex

    While time is certainly a factor, there are other issues with homebrew regex as well:

    Lost distinctions. Regex cannot make distinctions that are not already spelled out. For example, it might be able to return possible credit card numbers, but it won’t specify whether they are Visa or Mastercard numbers. Yet there are plenty of reasons why one might want to know this—for example, appropriately masking data for further analytics.

    Bad with unstructured data. Similarly, regex does not do well with unstructured data or data that does not have appropriate context. For example, there might be a mountain of sensitive data sitting within your email system, but regex would do a poor job at uncovering it, as there is not appropriate context.

    Where, not how. Regex can find sensitive data and show a user where that data “lives,” but it cannot uncover where the sensitive data came from, nor how it is flowing through the organization, unless that information is contained within the data, too (which it probably isn’t). More robust discovery tools can uncover this flow of data to anticipate future sources of sensitive data.
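    The "lost distinctions" point is easy to make concrete for card numbers. The block below is an added example written for this article, not Mage Data's own code: it finds card-shaped digit runs in constructed text, then attaches the two things a bare regex never gives you, whether the checksum is valid (the Luhn algorithm, which every major card brand uses) and which issuer the prefix belongs to. The issuer prefix and length rules are assumed from the publicly documented ranges, and the sample numbers are the well-known test card numbers plus one deliberately mistyped one.

```python
"""Card-number discovery that keeps what regex alone loses: checksum validity and issuer brand."""
import re
from collections import Counter

# Candidate: 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, subtract 9 if > 9, sum mod 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand(digits):
    """Issuer by prefix and length (assumed public ranges; not taken from the page)."""
    n = len(digits)
    two, four = int(digits[:2]), int(digits[:4])
    if digits.startswith("4") and n in (13, 16, 19):
        return "Visa"
    if (51 <= two <= 55 or 2221 <= four <= 2720) and n == 16:
        return "Mastercard"
    if two in (34, 37) and n == 15:
        return "American Express"
    return "Unknown"


def find_cards(text):
    """Return one record per candidate: raw match, digits, Luhn result, brand."""
    results = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        results.append({
            "raw": m.group(0),
            "digits": digits,
            "luhn": luhn_ok(digits),
            "brand": brand(digits),
        })
    return results


def count_valid_by_brand(text):
    """Only checksum-valid candidates count; this is the number a masking plan can act on."""
    return Counter(r["brand"] for r in find_cards(text) if r["luhn"])


# Constructed sample text: public test card numbers, one typo, one non-card digit run.
SAMPLE_TEXT = """
order 1001 paid with 4111 1111 1111 1111
order 1002 paid with 5555-5555-5555-4444
order 1003 paid with 378282246310005
order 1004 ref 4111111111111112 (typo in card number)
order 1005 shipment tracking 1234567890123
"""


if __name__ == "__main__":
    for r in find_cards(SAMPLE_TEXT):
        print(r["raw"], r["brand"], "valid" if r["luhn"] else "INVALID checksum")
    print(dict(count_valid_by_brand(SAMPLE_TEXT)))
```

    The candidate regex alone returns five hits; the checksum discards the mistyped number and the tracking number, and the brand lookup labels the rest. Whether a field holds a Visa or a Mastercard number matters for format-preserving masking (the masked value should still pass the same checks downstream), which is exactly the distinction a plain pattern match cannot carry.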

    Skip the Homegrown Scripts

    When sensitive data and compliance become an issue for an organization, it is all too common to bring more people onto a team to write scripts using regex for data discovery. The more complex and multi-dimensional the data, the more likely those homegrown scripts will fail.

    Whether this has happened to your organization, or you are still considering the possibility, know that there is another alternative.

    While contextual data discovery might sound costly and time-consuming at first, it will, in the end, save the entire organization time and money.

    If you want to find out more, contact us today.

  • The 7 data security habits of highly effective CISOs

    The 7 data security habits of highly effective CISOs

    The CISO plays a critical role in identifying the security risks in an organization and creating a comprehensive security plan to mitigate those risks. But most of the time the focus is on mitigating external threats at the cost of ignoring the internal threats from employees or contractors who deal with the data day in and day out. Beyond breaches in which an internal bad actor steals customer data or views confidential information they are not supposed to see, there is also the penalty for non-compliance that the organization may face by knowingly or unknowingly giving external suppliers or contractors access to sensitive data. The myriad regulations around data security, such as PCI-DSS, HIPAA, GDPR, CCPA and cross-border data security regulations, make this an ever-growing challenge.

    Highly effective CISOs have a balanced view of both the external as well as internal threats and undertake initiatives that take a holistic approach of viewing the entire lifecycle of the data within the organization. Here are the seven most effective practices that the CISO can employ to take control of the data within the organization.

    These effective CISOs:

    1. Have intimate knowledge of their data

    In most organizations, getting to know the data stops with creating a data discovery platform which stores the source and lineage of all the data within the enterprise. While this is a critical first step, this alone is not sufficient. An effective data security program also takes the effort of identifying sensitive data and marking those data sources as secure. The context of sensitive data could be different for different groups within the organization, and each group could be spread out across the globe, which also brings in the need to comply with different regulations that are specific to that part of the world.

    2. Don’t rely on business groups to tell them where the sensitive data is located

    The various business groups within the organization use the systems commissioned for them in a wide variety of ways. The end users of a system are seldom aware of how different kinds of sensitive data are classified, and sometimes populate the system with such information in unintended fields or files. It is not unusual for the IT team to discover customer names and Social Security numbers in a “Description” column, or critical patient information stored in Word documents on local drives. Relying on the end users of the systems to identify the fields or locations where critical information is stored results in an incomplete discovery process, leaving the door open for data security risks to materialize. An effective CISO deploys tools that periodically sample the data in these critical systems to identify sensitive data sources rather than relying on the tribal knowledge of end users.

    3. Know that data is a liability and how it can be converted into an asset

    The simplest way to protect data within an organization is to restrict access to that data to only the specific set of eyes that need to view it. But this creates a silo effect within the organization where data is hoarded within specific groups. Operations or analytics teams that want to collate data from different parts of the organization for reporting, or apply machine learning models to predict future trends, are at a disadvantage, since getting access to the data becomes embroiled in the red tape of multiple approvals, manual cleansing of sensitive data from the feeds, and so on. A testing team that would have benefited from a masked copy of production data, with all the sensitive fields masked, must instead rely on synthetic data that might not mirror real-life scenarios. Deploying an effective set of data masking tools that apply encryption, anonymization or masking depending on how the data will be used is the key to making effective use of the data without compromising on security.

    4. Are aware that privacy of data is applicable not just to the end users of the system but the maintainers of the system too

    In many instances, while the end users have a strict authentication and authorization mechanism governing what data they can view, these security mechanisms are missing for the administrators of the same systems. A DBA querying the production database directly has a complete view of customers' credit card numbers, and an L1 support representative in an office in India can view logs with sensitive information that is tagged as US-eyes-only. Although there may be strict non-disclosure agreements with these parties, there can be significant risk in this last-mile oversight. Deploying security options like database proxy-level encryption and dynamic data masking mitigates these last-mile risks while ensuring that the level of service is not affected.
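    Dynamic data masking closes that last-mile gap by transforming a row as it is returned to a particular viewer, rather than by changing what is stored. The block below is an added example written for this article, not Mage Data's product code: a small masking policy keyed on role, with a region tag on the row that overrides the role for viewers outside the region (the "US-eyes-only" case above). The roles, columns, sample record and masking formats are all constructed for the demonstration, and unknown roles are denied by default.

```python
"""Dynamic data masking: rewrite a query result per viewer role and region, not the stored data."""
import re

SENSITIVE_COLUMNS = ("card_number", "ssn", "email")


def mask_card(value):
    """Keep the last four digits; everything else becomes asterisks."""
    digits = re.sub(r"\D", "", value)
    return "****-****-****-" + digits[-4:]


def mask_ssn(value):
    return "***-**-" + value[-4:]


def mask_email(value):
    local, _, domain = value.partition("@")
    return local[:1] + "***@" + domain


def redact(_value):
    return "[REDACTED]"


# Constructed policy: role -> {column: masking function}. Columns not listed are shown in the clear.
POLICY = {
    "dba": {"card_number": redact, "ssn": redact, "email": mask_email},
    "support_l1": {"card_number": mask_card, "ssn": mask_ssn},
    "fraud_analyst": {},  # business need for the full values
}
DENY_ALL = {col: redact for col in SENSITIVE_COLUMNS}


def apply_policy(row, role, viewer_region):
    """Return a copy of the row as this viewer is allowed to see it."""
    masked = dict(row)
    # A region tag on the row wins over the role: out-of-region viewers get nothing sensitive.
    restriction = row.get("region_restriction")
    if restriction and restriction != viewer_region:
        for col in SENSITIVE_COLUMNS:
            masked[col] = redact(masked[col])
        return masked
    for col, fn in POLICY.get(role, DENY_ALL).items():
        masked[col] = fn(masked[col])
    return masked


# Constructed sample record; the card number is a public test number.
SAMPLE_ROW = {
    "customer": "Jane Example",
    "card_number": "4111 1111 1111 1111",
    "ssn": "219-09-9999",
    "email": "jane@example.com",
    "region_restriction": "US",
}


if __name__ == "__main__":
    for role, region in (("dba", "US"), ("support_l1", "US"), ("support_l1", "IN"), ("fraud_analyst", "US")):
        print(role, region, apply_policy(SAMPLE_ROW, role, region))
```

    The same query, issued by a DBA, returns a row they can administer but not read, and the same row returned to out-of-region support contains no sensitive values at all. Because the policy sits between the database and the client, the application and the stored data are unchanged, which is what keeps the level of service intact.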

    5. Understand that security is not just about creating restrictions; it is also about monitoring how effective those constraints are

    Data security is not a one-time set of actions. As the threat landscape widens and the regulations evolve, it is a constant balance between going overboard in some areas and under-investing in others. A simple approach is to deploy monitoring in the areas of under-investment so that it serves as an early warning of potential security risks. For example, are users accessing the production system outside the usual work hours? Is any user querying unusual amounts of data from a table marked as “sensitive”? A simple tool that monitors and reports this kind of “unusual” usage serves as a quick deterrent against malicious actors. In addition, a periodic audit of the controls deployed across the different systems, to confirm they are still effective and current, is key to an effectively run security program.
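    The two questions in that paragraph translate directly into detection logic. The block below is an added example written for this article, not Mage Data's monitoring product: it parses a handful of constructed database audit records (user, timestamp, table, rows returned) and flags accesses outside working hours and reads from a sensitive table that are far larger than the usual volume on that table. The log format, the working-hours window, the sensitive-table list and the 10x threshold are all assumptions made for the demonstration.

```python
"""Early-warning checks over constructed database audit records."""
from collections import defaultdict
from datetime import datetime, time
from statistics import mean

# Constructed audit records (user, ISO timestamp, table, rows returned); not real logs.
AUDIT_LOG = """
alice 2024-05-06T09:12:00 customers 120
alice 2024-05-06T10:40:00 customers 95
alice 2024-05-07T11:05:00 customers 110
bob   2024-05-06T14:20:00 orders 2000
bob   2024-05-07T15:10:00 orders 2150
bob   2024-05-08T02:45:00 customers 48000
carol 2024-05-08T22:30:00 orders 300
"""

SENSITIVE_TABLES = {"customers"}          # assumed classification
WORK_HOURS = (time(8, 0), time(18, 0))    # assumed working window
VOLUME_FACTOR = 10                        # flag reads above 10x the usual volume on that table


def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        user, ts, table, rows = line.split()
        events.append({"user": user, "when": datetime.fromisoformat(ts),
                       "table": table, "rows": int(rows)})
    return events


def after_hours(events):
    """Any access whose time of day falls outside the working window."""
    start, end = WORK_HOURS
    return [e for e in events if not (start <= e["when"].time() < end)]


def unusual_volume(events, factor=VOLUME_FACTOR):
    """Reads from a sensitive table far above the mean of the other reads on that table."""
    by_table = defaultdict(list)
    for e in events:
        by_table[e["table"]].append(e["rows"])
    flagged = []
    for e in events:
        if e["table"] not in SENSITIVE_TABLES:
            continue
        others = list(by_table[e["table"]])
        others.remove(e["rows"])   # the baseline excludes the event being judged
        if not others:
            continue               # nothing to compare against yet
        if e["rows"] > factor * mean(others):
            flagged.append(e)
    return flagged


def report(events):
    """Combine both checks into (user, timestamp, reason) alerts."""
    alerts = []
    for e in after_hours(events):
        alerts.append((e["user"], e["when"].isoformat(), "after-hours access to " + e["table"]))
    for e in unusual_volume(events):
        alerts.append((e["user"], e["when"].isoformat(),
                       f"{e['rows']} rows read from sensitive table {e['table']}"))
    return alerts


if __name__ == "__main__":
    for alert in report(parse_log(AUDIT_LOG)):
        print(*alert)
```

    On the constructed log, bob's 02:45 read of 48,000 customer rows trips both checks and carol's 22:30 access trips the after-hours check alone; alice's daytime reads of around a hundred rows are the baseline and stay quiet. The baseline is deliberately computed from the other reads on the same table so that a single outlier cannot hide itself by inflating the average.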

    6. Reduce the amount of data that needs to be secured, thereby reducing the effort involved in securing it

    This might sound counterintuitive, but it is the most overlooked aspect of data security in any organization. As the amount of data in an organization grows, so do the efforts involved in tracking, tagging and securing that data. There are multiple robust mechanisms to extract and archive this data into reliable storage while assuring business users that they will have access to it when they need it in the future. Such mechanisms shrink the attack surface by reducing the amount of data that needs to be secured, and at the same time improve performance because of the reduced data load.

    7. Maintain a delicate balance between compliance with regulations and usability of data

    Regulations with respect to personal data protection and individuals' rights over the data that organizations maintain are on the rise and will get stricter and more granular in the coming years. This presents an ever-growing challenge to the teams building and maintaining the organization's internal systems, which must handle the many data subject access requests that such regulations give rise to. Knowing where such personal data resides within the lakes of data in the enterprise is the first challenge. This data may be intermingled with other business data that is critical to the operation of the system and cannot easily be deleted or forgotten. Techniques like masking or redaction of personal data are key to ensuring that the regulation is adhered to without compromising the usability of the system.

    Related blogs:

    The Comparative Advantages of Encryption vs. Tokenization vs. Masking

  • What’s the Best Method for Generating Test Data?

    What’s the Best Method for Generating Test Data?

    All data contains secret advantages for your business. You can unlock them through analysis, and they can lead to cost savings, increased sales, a better understanding of your customers and their needs, and myriad other benefits.

    Unfortunately, sometimes bad test data can lead companies astray. For example, IBM estimates that problems resolved during the scoping phase are 15 times less costly to fix than those that make it to production. Getting your test data right is essential to keeping costs low and avoiding unforced mistakes. Here’s what you need to know about creating test data to ensure your business is on the right path.

    What Makes a Test Data Generation Method Good?

    While all data-driven business decisions require good analysis to be effective, good analysis of bad data provides bad results. So, the best test data generation method will be the one that consistently and efficiently produces good data on which you can run your analysis within the context of your business. To ensure that analysis is based on good data, companies should consider the speed, compliance, safety, accuracy, and representation of the various methods to ensure they’re using the best method for their needs.

    Safety

    Companies often hold more personal data than many customers realize, and keeping that data safe is an important moral duty. However, test data generation methods are rarely neutral when it comes to safety. They generally either make personal data less safe, or they make it safer.

    Compliance

    Each year, governments pass new data protection laws. If the moral duty to keep data secure wasn’t enough of an incentive, there are fines, lawsuits, and in some countries, prison time, awaiting companies that don’t protect user data and comply with all relevant legislation.

    Speed

    If you or your analysts are waiting on the test data to generate, you're losing time that could be spent on the analysis itself. Slow data generation can also result in a general unwillingness to work with either the most recent or the most representative historical data, which lowers the potential and quality of your analysis.

    Accuracy and representation

    While one might expect that all test data generation methods would result in accurate and representative data, that’s not the case. Methods vary in accuracy, and some can ultimately produce data that bears little resemblance to the truth. In those situations, your analysis can be done faithfully, but the underlying errors in your data can lead you astray.

    Test Data Generation Methods

    By comparing different test data generation methods through the lens of these four categories, we can get a feel for the scenarios in which each technique would succeed or struggle and determine which approaches would be best for most companies.

    Database Cloning

    The oldest method of generating test data on our list is database cloning. The name pretty much gives away how it works: You take a database and copy it. Once you’ve made a copy, you run your analysis on the copy, knowing that any changes you make won’t affect the original data.

    Unfortunately, this method has several shortcomings. For one, it does nothing to secure personal data in the original database. Running analysis can create risks for your users and sometimes get your company into legal trouble.

    It also tends to suffer from speed issues. The bigger your database, the longer it takes to create a copy. Plus, edge cases may be under- or over-represented or even absent from your data, obscuring your results. While this was once the way companies generated test data, given its shortcomings, it’s a good thing that there are better alternatives.

    Database Virtualization

    Database virtualization isn’t a technique solely for creating test data, but it makes the process far easier than using database cloning alone. Virtualized databases are unshackled from their physical hardware, making working with the underlying data extremely fast. Unfortunately, outside of its faster speed, it has all the same shortcomings as database cloning: It does nothing on its own to secure user data, and your tests can only be run on your data, whether it’s representative or not.

    Data Subsetting

    Data subsetting fixes some of the issues found in the previous approaches by taking a limited sample or “subset” of the original database. Because you’re working with a smaller sample, it will tend to be faster, and sometimes using a selection instead of the full dataset can help reduce errors related to edge cases. Still, when using this method, you’re trading speed for representativeness, and there’s still nothing being done to ensure that personal data is protected, which is just asking for trouble.

    Anonymization

    Anonymization fixes the issue with privacy that pervades the previous approaches. And while it’s not a solution for test data generation on its own, it pairs nicely with other approaches. When data is anonymized, individual data points are replaced to protect data that could be used to identify the user who originated the data. This approach makes the data safer to use, especially if you’re sending it outside the company or the country for analysis.

    Unfortunately, anonymization has a fatal flaw: The more anonymized the dataset is, the weaker the connection between data points. Too much anonymization will create a dataset that is useless for analysis. Of course, you could opt for less anonymization within a dataset, but then you risk reidentification if the data ever gets out. What’s a company to do?

    Synthetic Data

    Synthetic data is a surprisingly good solution to most issues with other test data approaches. Like anonymization, it replaces data to secure the underlying personally identifiable information. However, instead of doing it point by point, it works holistically, preserving the individual connections between data while changing the data itself in a way that can’t be reversed.

    That approach gives a lot of advantages. User privacy is protected. Synthetic datasets can be far smaller than the original ones they were generated from, but still represent the whole, giving speed advantages. And, it works well when there’s not a ton of data to be used, either, helping companies run analysis at earlier stages in the process.

    Of course, it’s far more complex than other methods and can be challenging to implement. The good news is that companies don’t have to implement synthetic data on their own.

    Which Test Generation Data Method is Best?

    The best method for a company will vary based on its needs, but based on the relative performance of each approach, most companies will benefit from using synthetic data as their primary test data generation method. Mage Data's approach to synthetic data can be implemented in an agent or agentless manner, meeting your data where it lives instead of shoehorning in a solution that slows everything down. And while it maintains the statistical relationships you need for meaningful analysis, you can also add noise to its synthetic datasets, allowing you to discover new edge cases and opportunities, even if they've never appeared in your data before.

    But that’s not all Mage Data can do. Between its static and dynamic masking, it can protect user data when it’s in production use and at rest. Plus, its role-based access controls and automation make tracking use simple. Mage Data is more than just a tool for solving your test data generation problems—it’s a one-platform approach to all your data privacy and security needs. Contact us today to see what Mage Data can do for your organization.

    Related blogs:

    Why Does Test Data Management Matter for Your Business?
    Test Data Management Best Practices

  • What is HIPAA Compliance?

    What is HIPAA Compliance?

    HIPAA, or the Health Insurance Portability and Accountability Act, is one of the first data privacy laws passed anywhere in the world. It has transformed how companies handle personal health information in the United States and made it one of the most protected data types. It has also resulted in healthcare providers and companies struggling with innovation and the high cost of HIPAA compliance. The question in modern health care is, “can companies and medical practices comply with HIPAA while remaining flexible and controlling their costs?”

    HIPAA Regulations

    This article isn’t a replacement for the advice of a qualified legal professional with detailed knowledge of your practices. Instead, it’s meant as a primer to help decision makers understand what HIPAA is generally asking for, and what compliance options they may have. With that in mind, let’s dive into HIPAA.

    The Security Rule

    While HIPAA is the law that mandated certain regulations, it doesn’t contain them—it essentially ordered the Secretary of Health and Human Services to formulate the regulations. The result of that process is the Security Rule, which outlines who is covered by HIPAA, and what protections they must be provided.

    The Department of Health and Human Services states that the rule “applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”) and to their business associates.” Given the broadness of that definition, it’s good that the agency includes a tool to help organizations determine if they are required to comply with the rule. It’s important to note that even though your company may not be originating the information, you may still be required to comply with the law as a business associate.

    Protected Health Information

    The next critical concept in HIPAA is “protected health information.” HIPAA defines this as “individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.” This includes information about the following:

    • The individual’s past, present, or future physical or mental health or condition,
    • The provision of health care to the individual, or
    • The past, present, or future payment for the provision of health care to the individual.

    For the data to be protected, it must identify the individual or create a reasonable basis to believe that the individual could be identified from the data. Consequently, “deidentified” data, or “anonymized” data, isn’t required to have the same level of protection. It’s also important to recognize that while what most people would consider “health records” is covered by HIPAA, so are records related to payments for healthcare by an individual.

    General Rules

    Covered entities are required to do the following under HIPAA:

    • Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
    • Identify and protect against reasonably anticipated threats to the security or integrity of the information;
    • Protect against reasonably anticipated, impermissible uses or disclosures; and
    • Ensure compliance by their workforce.

    These requirements are where HIPAA compliance becomes very tricky relative to other data privacy laws. While ensuring confidentiality is a common requirement, reasonably anticipating threats to security or unauthorized disclosure is an uncommon and potentially difficult-to-satisfy requirement. What constitutes a threat that you should have “reasonably” anticipated? The flexibility in the language here allows for post-hoc analysis of your approach to security.

    If there ever is a leak or breach of your systems, then it’s hard to imagine a scenario in which a government agency ruled that you “reasonably” anticipated what occurred. Instead, the law’s vagueness means that companies can easily be held responsible when things go wrong, even if they took reasonable steps and the events that occurred were truly outside of their control.

    HIPAA Compliance Challenges

    The solution to HIPAA’s open-ended nature is for companies to focus on prevention and regular compliance actions. HIPAA requires risk analysis, or regular audits of your policies and procedures, and physical and digital security actions. The second largest fine ever imposed on a company under this law was for failure to conduct a thorough risk analysis that directly led to a massive breach. Consequently, covered entities must perform regular risk audits and analyses.

    However, the issue with this approach is that, no matter how many audits you run, you won’t find the things you aren’t looking for. Is one of your doctors snooping in patients’ files? It may sound farfetched, but UCLA Hospitals were fined for just that when one of their doctors accessed the files of celebrities and other patients whom he had never treated.

    Even innocuous-seeming actions can result in HIPAA violations. Imagine one of your front-office workers asks another to forward them a document because the system won’t give them access. Maybe they should have access to it, in which case the system is either too overzealous or not granular enough. Each request represents disruption and a loss of efficiency and could result in a huge strain on company resources. And sending a file like that might move it outside the audit logging process. Months or years later, an investigator may want to know how and why that file was sent, and you might not be able to bring the receipts.

    Or maybe they shouldn’t have access. Perhaps they’re about to leak it. But, in an environment where the system isn’t perfect, it’s hard for your staff always to do the most secure thing. If they previously had to work around the safeguards to get their job done, the trend will be towards more serious violations over time.

    How Mage Data Helps with HIPAA Compliance

    There’s a good chance your company already has a compliance system. But, if it’s slowing down your work or not giving you complete protection, then you’re not just getting reduced benefits; you might as well not be getting any at all. Mage’s solutions can replace or sit on top of your existing provider, allowing for near-real-time, comprehensive access logging. And it can increase your flexibility with dynamic data masking, where doctors, administrators, and financial staff can access the same file but only be allowed to see the information they need to do their job.

    With Mage Data, you can have the security you need while ensuring that your employees can do their jobs unencumbered. Schedule a demo today to learn more about what Mage Data can do for you.

  • SOX Compliance and Data Privacy: What Companies Need to Know

    SOX Compliance and Data Privacy: What Companies Need to Know

    The Sarbanes-Oxley Act (SOX) was passed by the United States Congress in 2002 to protect the public from fraud by business entities such as corporations. The purpose of this act is to increase transparency in financial reporting with a formal system of checks and balances. SOX brings a legal obligation to what was already good business practice. Financial security controls implemented for SOX compliance have a lot in common with the best practices for data protection, which helps prevent data theft. Prioritizing cybersecurity reduces the risk of data breaches, whether by insider theft or cyberattacks.

    Which Companies Need SOX Compliance?

    The Sarbanes-Oxley Act applies to all publicly traded companies in the United States. It also applies to publicly traded foreign companies or wholly-owned subsidiaries that do business in the United States. Tangentially, SOX also applies to auditors and accounting firms that audit SOX-regulated entities. Finally, any private company planning an IPO should be SOX compliant before going public.

    Private organizations (including companies and nonprofits) are not required to be fully SOX compliant, though they may be affected in some cases. For example, the Sarbanes-Oxley Act contains language about penalizing any organization that knowingly falsifies or destroys financial data.

    Data Retention vs. Data Protection

    The requirement to retain some financial data can create problems. In many applications, best practices dictate that sensitive data be deleted when no longer needed: Companies should only retain the minimum amount of sensitive data, and for the absolute minimum amount of time possible. However, data cannot be erased or destroyed if it is required to prove SOX compliance, which is where the tension occurs.

    This may seem like a catch-22, but data privacy laws do account for instances when data retention is mandated by other reporting requirements. SOX does not normally contradict GDPR, CCPA, and other data privacy regulations, for example. All of these regulations exist to encourage greater accountability on the part of companies, and (despite potential challenges) policies are not drafted to create impossible situations.

    Exceptions: When SOX and Data Privacy Regulations Collide

    SOX typically applies to the company’s financial data, not to any individual’s personal data. However, there are areas where a company’s financial data overlaps slightly with an individual’s data. For example, companies have to retain customer invoices for five years, tax returns for seven years, and payroll records forever. This is financial data related to the company, but it is also likely to include sensitive information related to individuals.

    Can Data Be Safe and Useful?

    A data privacy strategy is tested in these kinds of situations, where data must be retained, but also kept completely secure. There are numerous steps to a comprehensive data protection solution. First, it is important to identify and locate all sensitive data throughout the entire enterprise. From there, a plan should be put in place for all sensitive data discovered.

    At this point, it is crucial to understand the difference between data encryption, tokenization, and masking. Encryption is an excellent solution for data that will be stored for the long term. Tokenization is ideal for data that must be moved or migrated. Masking is a great way to protect sensitive data while preserving its utility. Depending on an organization’s specific needs, there are applications where all three techniques are useful (both in the context of SOX compliance as well as the broader data privacy strategy).
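    To make the distinction concrete, here is an added Go example (not code from this page or from Mage Data) showing what separates the three techniques on one constructed sample value: encryption is reversible by whoever holds the key, tokenization is reversible only through the vault that issued the token, and masking is not reversible at all. The AES-GCM construction, the in-memory vault and the sample SSN are assumptions for illustration; a production deployment would take its key from a key manager and its tokens from a tokenization service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext as nonce || ciphertext || tag; the key holder gets
// the exact value back, which is what long-term retention needs.
func Encrypt(key []byte, plaintext string) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, []byte(plaintext), nil), nil
}

// Decrypt reverses Encrypt; a wrong key or an altered record fails the tag check.
func Decrypt(key, sealed []byte) (string, error) {
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	n := aead.NonceSize()
	if len(sealed) < n {
		return "", fmt.Errorf("sealed record too short")
	}
	pt, err := aead.Open(nil, sealed[:n], sealed[n:], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// TokenVault stands in for a tokenization service (an assumption here): a token
// is a random handle unrelated to the value, so it can travel through migrations
// and downstream systems, and only the vault can resolve it.
type TokenVault struct {
	byToken map[string]string
	byValue map[string]string
}

func NewTokenVault() *TokenVault {
	return &TokenVault{byToken: map[string]string{}, byValue: map[string]string{}}
}

// Tokenize issues one token per distinct value, so joins still work on tokenized data.
func (v *TokenVault) Tokenize(value string) (string, error) {
	if t, ok := v.byValue[value]; ok {
		return t, nil
	}
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	t := "tok_" + hex.EncodeToString(b)
	v.byToken[t] = value
	v.byValue[value] = t
	return t, nil
}

// Detokenize resolves a token issued by this vault; unknown tokens yield false.
func (v *TokenVault) Detokenize(token string) (string, bool) {
	val, ok := v.byToken[token]
	return val, ok
}

// MaskSSN keeps separators and the last four digits and stars out the rest;
// nothing in the output lets the original be recovered.
func MaskSSN(ssn string) string {
	out := []rune(ssn)
	kept := 0
	for i := len(out) - 1; i >= 0; i-- {
		if out[i] < '0' || out[i] > '9' {
			continue // keep separators such as '-'
		}
		if kept++; kept > 4 {
			out[i] = '*'
		}
	}
	return string(out)
}

func main() {
	key := make([]byte, 32) // constructed zero key; real deployments draw one from a key manager
	sealed, _ := Encrypt(key, "123-45-6789")
	back, _ := Decrypt(key, sealed)
	tok, _ := NewTokenVault().Tokenize(back)
	fmt.Printf("sealed=%x back=%s token=%s masked=%s\n", sealed, back, tok, MaskSSN(back))
}
```

    The point to notice is where the secret lives in each case: for encryption it is the key, for tokenization it is the vault’s mapping, and for masking there is none, because the information is gone. That is why masked data can be handed to the widest audience, tokenized data can move between systems that never need the real value, and encrypted data is the form to keep when the exact value must be produced again years later.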


    Benefits of SOX Compliance

    Ensuring SOX compliance creates benefits that ripple across an entire organization. It leads to more consistent financial reporting, which appeals to shareholders. Beyond the benefits of superior financial reporting, compliance with SOX also reduces exposure to data breaches. Preventing cyberattacks helps reduce costs and protect the brand. Finally, SOX compliance makes it easier to navigate an audit and avoid penalties.

    Penalties of SOX Non-Compliance

    The penalties for SOX non-compliance can be severe, and may occur in a number of categories. There may be fines, invalidation of directors and officers (D&O) liability insurance, and removal from public stock exchanges. Individual executives, especially CEOs and CFOs or any others who intentionally submit incorrect information during a SOX audit, may be faced with millions of dollars of fines and lengthy prison sentences.

    Preparing for a SOX Compliance Audit

    As with any other type of audit, the best way to prepare is to stay prepared. In the case of SOX compliance, that means conducting a thorough discovery of all sensitive data, then protecting that data appropriately. When a company is audited for SOX compliance, they must prove they’re using the relevant controls to ensure appropriate data protection and accurate financial reporting.


    Key SOX Compliance Requirements

    There should be no need to scramble to prepare for an audit, because the strategy should already be established and maintained. That said, there are six especially important areas to consider before a looming SOX compliance audit:

    1. Section 302 – Corporate Responsibility for Financial Reports – This section states that the CEO and CFO are responsible for the accuracy, documentation, and submission of financial reports and the internal control structure to the SEC. These two executives must also establish and maintain SOX controls and validate their internal controls during the 90 days prior to their report.
    2. Section 404 – Management Assessment of Internal Controls – This is considered to be among the most complicated parts of SOX compliance, and is therefore among the most expensive. All annual financial reports must include an Internal Control Report confirming that management is responsible for an adequate internal control structure, and must include management’s assessment of the effectiveness of their own control structure. This report must include any shortcomings, and the accuracy of the report must be validated by an independent auditor.
    3. Section 409 – Real-Time Issuer Disclosures – Companies must immediately disclose any material changes in operations or financial condition, in order to protect investors and the general public.
    4. Section 802 – Criminal Penalties for Altering Documents – Unsurprisingly, it is illegal to tamper with investigations in any way. There are penalties for any employees, accountants, or auditors who willfully violate normal procedures to influence investigations.
    5. Section 806 – Employees who disclose corporate fraud are protected. Any retaliation over whistleblower complaints can lead to criminal charges.
    6. Section 906 – Certifying a fraudulent or otherwise misleading financial report can carry a criminal penalty of upwards of $5 million in fines and 20 years in prison.

    The commonality between these six sections is that honesty and transparency are of utmost importance for SOX compliance. When a company has a robust security strategy and other necessary controls in place, the only thing to do for a SOX audit is to let the auditors do their jobs while you accurately report the appropriate information. The focus should be on maintaining SOX compliance at all times, rather than preparing for an upcoming or potential audit.

    Data Protection for SOX Compliance and Beyond

    The same capabilities a SOX auditor will look into are part of a good data protection plan anyway. Areas to consider include, but are not limited to, the following:

    • Access – Is there a least-privilege access model in place, such that every user has the minimum access required to do their job? Access should be controlled with physical controls (such as doors, badges, and locking file storage) as well as technological controls (login policies, permission audits, and least-privilege access).
    • Change Management – Are there defined processes to install new software, add new users, modify databases, or change applications that relate to finance?
    • Data Backup – Are all financial records backed up off-site in a SOX-compliant manner?
    • Security – Can you demonstrate that you are protected against data breaches?

    SOX provides organizations with a framework to help them manage their financial records. It is the legal minimum, however, and is not intended to be a full replacement for a thoughtful data protection plan.

    The Sarbanes-Oxley Act lays out measures every company must take, and it falls upon individual business leaders to take additional steps based on their specific situations. Contact a cybersecurity partner to learn more about Data Governance, or schedule a demo to see specifically how a cybersecurity plan contributes to SOX compliance.