By Sal Faizi, Sr. Consultant
In the digital age, data is gold and data security is the fortress to keep data safe. An organization’s data comes in the form of intellectual property, trade secrets, financial, health or even personal information and must be protected per established company policies, industry standards and regulatory requirements.
In this article, we’ll explore data protection and the ongoing assessment to ensure protection remains adequate.
Any organization that handles data must implement a data classification policy. Applying the highest level of protection to all data is costly and time consuming, and it wastes limited resources. Generally speaking, an organization may implement three classes of data, such as public, internal-use-only and confidential.
Many organizations have already established data classification policies. However, having a policy is not sufficient: it must be implemented, employees must be trained to follow it, and periodic audits must confirm that data is still stored according to it. Data must be clearly labelled with its classification, and employees must know the proper handling of each class of data.
With the ubiquity of cloud computing, it is even more important to exercise sound data protection policies. With on-premises computing assets, the exposure of data to exploitation is limited, but in a public cloud computing environment the stored data is, in theory, reachable by anyone. Thus, even more attention must be paid to data security.
Access to data must be based on credible user identities. This means an in-person check and verification of each user's identity, with credentials issued only after that verification. This differs from the non-credible identities a user can obtain from public identity providers such as social media sites, email accounts, etc. Credible identities can be further strengthened with periodic password rotation.
Another issue is how to transmit data securely; this is called data in motion. Data must be encrypted while it is in motion, so that only the receiving end can decrypt it and an interceptor in the middle cannot see the original data. Once the data arrives at the point where it is stored, it must be encrypted using a strong encryption algorithm with keys of 256 bits or more. This is called data at rest, and it is encrypted using encryption keys: randomly generated numbers that unlock the encrypted data. These keys should be rotated periodically to limit the time a potential attacker has to try to crack a key. Of course, the keys must be managed so that they are not lost; digital key vaults exist for this purpose.
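The following Go program is an added example, not code from the article or from any particular product, showing how the data-at-rest pieces above fit together: a 256-bit key (AES-256-GCM), a key vault that holds versioned keys, periodic rotation, and the classification label bound to each record so that relabelling is detected. The in-memory KeyVault type, the Record type and the sample plaintext are all constructed for illustration; a real deployment would back the vault with a managed key service rather than a map.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// KeyVault is a hypothetical in-memory stand-in for a managed key vault.
// Only the newest key version encrypts new data; older versions stay until
// every record sealed under them has been moved to the current key.
type KeyVault struct {
	keys    map[uint32][]byte
	current uint32
}

// Record is a unit of data at rest: key version, classification label
// (authenticated but not encrypted), random nonce and AES-256-GCM output.
type Record struct {
	KeyVersion uint32
	Label      string
	Nonce      []byte
	Ciphertext []byte
}

// Rotate draws a new random 32-byte (256-bit) key and makes it current.
func (v *KeyVault) Rotate() (uint32, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return 0, err
	}
	v.current++
	v.keys[v.current] = k
	return v.current, nil
}

// Retire removes an old key version; the current key can never be retired.
func (v *KeyVault) Retire(version uint32) error {
	if version == v.current {
		return errors.New("cannot retire the current key")
	}
	delete(v.keys, version)
	return nil
}

// aad binds the key version and label to the ciphertext so that changing
// either one is detected when the record is opened.
func aad(version uint32, label string) []byte {
	b := make([]byte, 4)
	binary.BigEndian.PutUint32(b, version)
	return append(b, label...)
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under the current key with a fresh random nonce.
func (v *KeyVault) Encrypt(plaintext []byte, label string) (Record, error) {
	g, err := gcm(v.keys[v.current])
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	ct := g.Seal(nil, nonce, plaintext, aad(v.current, label))
	return Record{KeyVersion: v.current, Label: label, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt opens a record with the key version it names. It fails if that
// version was retired or if the ciphertext, nonce or label were altered.
func (v *KeyVault) Decrypt(r Record) ([]byte, error) {
	key, ok := v.keys[r.KeyVersion]
	if !ok {
		return nil, errors.New("key version retired or unknown")
	}
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, r.Nonce, r.Ciphertext, aad(r.KeyVersion, r.Label))
}

// ReEncrypt moves a record onto the current key; rotation must do this for
// every record before the old version is retired.
func (v *KeyVault) ReEncrypt(r Record) (Record, error) {
	pt, err := v.Decrypt(r)
	if err != nil {
		return Record{}, err
	}
	return v.Encrypt(pt, r.Label)
}
```

The rotation procedure is Rotate, then ReEncrypt every stored record, then Retire the old version; a record that still names a retired version can no longer be opened, which is why the re-encryption pass has to be complete and verified before retirement. Keeping the classification label in the authenticated data means a record cannot be quietly downgraded from confidential to public without the decryption failing.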
Access to data must be traceable and monitored to prevent data security breaches. Another element of data security is regulatory compliance: a breach of sensitive data can result in punitive measures against an organization or its personnel. Relevant regulations include the Gramm-Leach-Bliley Act (GLBA), which covers financial products such as loans and insurance; HIPAA, which applies to health information; SEC regulations for financial data; and the PCI standards for credit card transactions. There are others as well, and an organization must determine which of them apply to its data.
Today, with established management rigor and compliance assessment, technology can be used effectively to protect data whether on-premises or in the cloud. Ongoing compliance assessment requires understanding which controls need to be in place to protect the data. Questions to ask include:
- Why is the control being implemented and what data security risks are being mitigated with the control?
- Is the control verifiable and is it adequate to mitigate the risks to data security?
- Are the controls still adequate or even needed in light of the changing business needs and evolving technologies?
- Are the controls still in place? With a periodic snapshot of the state of the controls that mitigate data security risks, an organization can determine whether a deviation from the controls has started to occur.
These are some of the core principles that organizations must implement to protect their data in the digital age, where the ‘new wealth’ is in the form of data. Digital data, the new age gold, must be protected with sound management and ongoing assessment. Have additional questions on how to better protect your company’s data? Our Data & Analytics Consultants are here to help!