Where is your organization’s data? From global data centers to PCs to mobile apps, data is strewn all over the place. So how do you protect it all?

You can’t encrypt everything, right? It’s too expensive and time-consuming. Even the most stringent regulations don’t demand that level of data protection. For example, GDPR focuses primarily on personally identifiable information (PII). Still, you also want to protect your intellectual property from a data breach.

How can businesses determine which data needs to be protected? What is a data security strategy built upon? And what are some best practices to help avoid a company data breach? Let’s find out.

Data Protection Begins with Data Discovery

You can’t protect something if you don’t know where it lives. Data may be stored in data centers, file shares, laptops, desktops, mobile devices, cloud storage and edge computing infrastructure, and you have to locate it before you can protect it.

IT, security, legal and privacy teams can all participate in data discovery. As users create and add data throughout your enterprise, the data should not remain hidden in silos. The objective is to locate and index existing data and develop a system that continuously surfaces the data.

Before we look at data discovery solutions, let’s examine the next step in the process.

Data Classification

When you properly classify, tag or label your data, it’s easier to decide about data protection priorities. Classification helps put everyone on the same page about database security and data governance.

In the context of information security, data classification should be based on the level of value and risk the data represents. Ask yourself: what would be the impact on your organization if the data was disclosed, altered or destroyed?

Some organizations use these categories to classify data:

  • Restricted: Breach of restricted data would lead to significant organizational/affiliate risk or damage. This could be protected by privacy regulations and/or confidentiality agreements. Restricted data deserves the highest level of security.

  • Private: Exposure of private data represents a moderate level of risk to your organization. By default, all data not classified as restricted or public should be classified as private data. A reasonable level of security should be applied to private data.

  • Public: Breach of public data exposes you to little or no risk. Examples include press releases, blog articles, marketing videos and other widely available content. For public data, some level of control may be required to prevent unauthorized modification or destruction of the data.

The classification of data can also include data types, such as individual files, emails and database fields. Accurate classification (what the data is and the level of sensitivity) evolves over time. That’s why a systematic data lifecycle approach works best to keep security up to date.

If it seems like data discovery and classification are mountain-sized tasks, it’s because they are. For this reason, network analytics, AI and machine learning-based tools exist to streamline the process. These tools provide visibility, context and insight to continuously find and catalog sensitive and protected data. Proper data classification can also help form your data breach response plan.
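As an added example (not code from the article or from any IBM product), here is a minimal discovery-and-classification pass in Python over a constructed set of documents. The regex detectors for email addresses, Social Security numbers and payment card numbers are hypothetical, the `published` flag is an assumed metadata field, and the three tiers follow the article: anything containing regulated identifiers is restricted, deliberately published content is public, and everything else is private by default. A Luhn check keeps ordinary 16-digit order numbers from being misclassified as cards.

```python
import re

# Constructed sample documents, standing in for what a discovery pass over
# file shares or exports would surface (all values are made up).
DOCS = [
    {"id": "press-release.txt", "published": True,
     "text": "ACME announces its Q3 results and a new product line."},
    {"id": "roadmap.docx", "published": False,
     "text": "Internal roadmap for the 2025 platform release."},
    {"id": "customers.csv", "published": False,
     "text": "jane,jane@acme.example,4111 1111 1111 1111,123-45-6789"},
    {"id": "orders.log", "published": False,
     "text": "order 1234567890123456 shipped from warehouse 7"},
]

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")  # 13-16 digits, spaced or not

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pii(text: str) -> set:
    """Return the kinds of regulated identifiers present in a piece of text."""
    hits = set()
    if EMAIL_RE.search(text):
        hits.add("email")
    if SSN_RE.search(text):
        hits.add("ssn")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits.add("card")
    return hits

def classify(doc: dict) -> str:
    """Article tiers: PII is restricted; else private unless published."""
    if find_pii(doc["text"]):
        return "restricted"
    return "public" if doc.get("published") else "private"

def build_inventory(docs=DOCS) -> dict:
    """Map each document id to (tier, identifiers found), for the data catalog."""
    return {d["id"]: (classify(d), sorted(find_pii(d["text"]))) for d in docs}
```

The inventory this produces is the starting point for the contextual questions in the next section (who can access each restricted item, and where it flows).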


Determine Data Contextual Insight

Once your data has been classified, factors such as data flow and data use further determine specific protection methods. For example, you may have identified the location of restricted data, but how do you know who has access to it? And how do you manage that access? At this level, data visibility, policies and monitoring are critical to discovering vulnerabilities and risks.

The location of the data, such as on-premises or in the cloud, will also influence your choice of security measures. Finally, your approach to compliance with privacy mandates will vary depending on the type of data and its use case.

So no, you don’t have to encrypt everything. But you do want to identify the contexts in which encryption is necessary, such as sensitive data that traverses internal or external networks.

Apply Intelligent Security Measures

While we can’t address the full spectrum of data security in this article, we can highlight some of the most effective methods. While the above processes remain critical, the following tactics help achieve robust security for any organization. They can even fill gaps until data discovery and classification reach maturity.

Identity and Access Management (IAM)

IAM establishes a detailed, nuanced evaluation of anyone who attempts to access your networks. It doesn’t matter whether they are employees, partners, customers or threat actors.

With AI assistance, IAM follows pre-established access rules while also providing real-time insight into access trends. IAM enables accurate, contextual authentication that can account for user, device, location and behavior patterns. For example, instead of employees accumulating access privileges over time, they can be identified and granted only the access they currently need. With IAM in place, even non-human identities (IoT devices) must authenticate through API and application security controls.

Zero Trust

The goal of zero trust security is to create a secure layer around every user, device and connection at all times. This consists of the unification and integration of security tools to protect your most valuable assets and proactively manage threats.

Zero trust works from the premise that every user is treated as a potential threat and requires ongoing validation. One key aspect of zero trust is the principle of least privilege: users get access to the smallest set of IT resources they need to complete their tasks.

Data Disposal

Obsolete data sitting around on your servers isn’t just a storage problem. Old data retention represents an ongoing security risk. Therefore, it’s wise to develop a defensive data disposal plan.

If sensitive data is no longer required by real business interests, compliance mandates or data preservation obligations (investigations, litigation, etc.), then it should be disposed of. This can follow a staged process: move the data to offline storage, then fully decommission and dispose of the hardware.

Obfuscate Data

Data obfuscation uses techniques such as encryption, tokenization and masking. Data masking lets you transform sensitive data elements such as credit card numbers, email addresses and other identifiers while retaining their format and contextual meaning. Obfuscated data is difficult to decrypt or recover, and therefore it has no value on Dark Web marketplaces.
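As an added example (not code from the article or any vendor product), the masking and tokenization described above in Python: masking keeps only the last four card digits and the email domain so a record stays recognisable but the original cannot be recovered, while a token vault (a hypothetical in-memory stand-in for a real, separately secured vault) swaps the card number for a random same-format token and holds the only copy of the mapping. Card numbers are assumed to be plain digit strings when tokenized.

```python
import re
import secrets

def mask_card(pan: str) -> str:
    """Irreversible masking: keep the last four digits, hide the rest."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]

def mask_email(addr: str) -> str:
    """Keep the first character and the domain so the field is still readable."""
    local, _, domain = addr.partition("@")
    return local[0] + "*" * (len(local) - 1) + "@" + domain

class TokenVault:
    """Format-preserving tokenization. Tokens look like card numbers (same
    length, same last four digits) so downstream systems keep working, but the
    real values exist only inside the vault, which is the asset to lock down."""

    def __init__(self) -> None:
        self._to_token: dict[str, str] = {}
        self._to_value: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit():
            raise ValueError("expected a digit-only card number")
        if pan in self._to_token:          # same input -> same token (joins still work)
            return self._to_token[pan]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._to_value:
                break
        self._to_token[pan] = token
        self._to_value[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can reverse a token; nothing else should be able to."""
        return self._to_value[token]
```

A masked value can never be turned back into the original, which is what you want in test and analytics copies; a token can, but only by whoever holds the vault, so the vault needs the restricted-tier controls from the classification section.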

Big Data Security

Even big data can be secured with automated data discovery and classification. Data activity monitoring and machine learning can also uncover unusual activity before it turns into a costly data breach. Advanced big data security tools let administrators block suspicious user IDs and meet compliance requirements based on pre-built regulation templates.
