Where is your organization’s data? From global data centers to PCs to mobile apps, data is strewn all over the place. So how do you protect it all?
You can’t encrypt everything, right? It’s too expensive and time-consuming. Even the most stringent regulations don’t demand that level of data protection. For example, GDPR focuses primarily on personally identifiable information (PII). Still, you also want to protect your intellectual property from a data breach.
How can businesses determine which data needs to be protected? What is a data security strategy built upon? And what are some best practices to help avoid a company data breach? Let’s find out.
Data Protection Begins with Data Discovery
You can’t protect something if you don’t know where it lives. Data can be found stored in data centers, file shares, laptops, desktops, mobile devices, cloud storage and edge computing infrastructure. But you have to locate the data to protect it.
IT, security, legal and privacy teams can all participate in data discovery. As users create and add data throughout your enterprise, the data should not remain hidden in silos. The objective is to locate and index existing data and develop a system that continuously surfaces the data.
Before we look at data discovery solutions, let’s examine the next step in the process.
When you properly classify, tag or label your data, it’s easier to decide about data protection priorities. Classification helps put everyone on the same page about database security and data governance.
In the context of information security, data classification should be based on the level of value and risk the data represents. Ask yourself: what would be the impact on your organization if the data was disclosed, altered or destroyed?
Some organizations use these categories to classify data:
Restricted: Breach of restricted data would lead to significant organizational/affiliate risk or damage. This could be protected by privacy regulations and/or confidentiality agreements. Restricted data deserves the highest level of security.
Private: Exposure of private data represents a moderate level of risk to your organization. By default, all data not classified as restricted or public should be classified as private data. A reasonable level of security should be applied to private data.
Public: Breach of public data exposes you to little or no risk. Examples include press releases, blog articles, marketing videos and other widely available content. For public data, some level of control may be required to prevent unauthorized modification or destruction of the data.
The classification of data can also include data types, such as individual files, emails and database fields. Accurate classification (what the data is and the level of sensitivity) evolves over time. That’s why a systematic data lifecycle approach works best to keep security up to date.
If it seems like data discovery and classification are mountain-sized tasks, it’s because they are. For this reason, network analytics, AI and machine learning-based tools exist to streamline the process. These tools provide visibility, context and insight to continuously find and catalog sensitive and protected data. Proper data classification can also help form your data breach response plan.
Learn about IBM Security Guardium Insights
Determine Data Contextual Insight
Once your data has been classified, factors such as data flow and data use further determine specific protection methods. For example, you may have identified the location of restricted data, but how do you know who has access to it? Also, how do you manage the access? At this level, data visibilities, policies and monitoring are critical to helping discover vulnerabilities and risks.
The location of the data, such as on-premise or cloud, will influence your choice of security measures as well. Finally, your approach to compliance with privacy mandates will vary depending on the type of data and its use case.
So no, you don’t have to encrypt everything. But you want to identify the context when encryption is necessary, such as for sensitive data that transverses internal or external networks.
Apply Intelligent Security Measures
While we can’t address the full spectrum of data security in this article, we can highlight some of the most effective methods. While the above processes remain critical, the following tactics help achieve robust security for any organization. They can even fill gaps until data discovery and classification reach maturity.
Identity Access Management (IAM)
IAM establishes a detailed, nuanced evaluation of anyone that attempts to access your networks. It doesn’t matter if they are employees, partners, customers or threat actors.
With AI assistance, IAM follows pre-established access rules while also providing real-time insight into access trends. IAM enables accurate, contextual authentication that can account for user, device, location and behavior patterns. For example, instead of employees accumulating access privileges, they can be identified and granted only the access they currently need. With IAM in place, even non-humans (IoT) are required to pass authentication by API and application security.
The goal of zero trust security is to create a secure layer around every user, device and connection at all times. This consists of the unification and integration of security tools to protect your most valuable assets and proactively manage threats.
Zero trust works from the premise that every user is considered a threat and requires ongoing validation. One key aspect of zero trust is the principle of least privilege. This means users get access to the smallest amount of IT resources they need to complete their tasks.
Obsolete data sitting around on your servers isn’t just a storage problem. Old data retention represents an ongoing security risk. Therefore, it’s wise to develop a defensive data disposal plan.
If sensitive data is no longer required by real business interests, compliance mandates or data preservation obligations (investigations, litigation, etc.), then it should be disposed of. This can follow a process of data storage offline with eventual full decommissioning of hardware and disposal.
Data obfuscation involves using data abstraction and obfuscation techniques like encryption, tokenization and masking. Data masking enables you to transform complex data elements such as credit card numbers, email addresses and other identifiers while retaining their contextual meaning. Obfuscated data is difficult to decrypt or recover, and therefore it has no value on Dark Web marketplaces.
Big Data Security
Even big data can be secured with automated data discovery and classification. Also, data activity monitoring and machine learning can uncover unusual activity to prevent the cost of a data breach. Advanced big data security tools enable administrators to block suspicious user IDs and meet compliance based on pre-built regulation templates.