In today’s business, protecting your data is no longer a luxury. I recall a CIO friend telling me after the Target data breach that, “Target wasn’t stupid; the business case for data security is just difficult to make.”
Things have changed since then. Timely, integrated data has become essential to how enterprises operate. Just look at who replaced the Target CEO as proof – Brian Cornell, universally revered for his success with analytics at Walmart.
Protecting data is no longer a business luxury. In fact, the level to which enterprises protect data can determine the following:
Data protection has become core to the success of every business. “Privacy by Design,” or building data protection and privacy into every IT project and initiative, has become the norm. Given this, the next logical question as a business leader should be, “How can I best protect my organization’s data?”
Protection today is not just about attempting to keep bad people out. Inevitably, they will get in, so the real question is what they will find when they do. This is driving the shift from protecting only the perimeter to protecting the data itself. For most, this should feel intuitively obvious. If you agree the conversation should be about protecting data and not only network boundaries, then read on.
We need to, as Sharon Pitt, CIO at Binghamton University said, “protect data wherever it pools or flows.” For most organizations, data moves freely between applications – think about how many applications share customer-related information. For this reason, Ann Cavoukian, Executive Director of the Privacy and Big Data Institute and author of "The 7 Foundational Principles of Privacy by Design," says data protection needs to provide full functionality and end-to-end security.
CIOs and CISOs are realizing that siloed, stand-alone, platform-by-platform or application-by-application security is no longer effective. CIOs tell me that security needs to move from perimeters and applications to the point of data collection and consumption. Protecting the data itself is what has to be effective now that the relentless blurring of network boundaries has turned the entire Internet into the organization’s perimeter.
In contrast with the ‘big iron days’ when all data sat in one secure place, today’s hybrid-cloud, SaaS-rich networks have data flowing everywhere across blurred perimeters. This is why the focus needs to shift from protecting the systems to protecting the data itself, even if that is a little more complicated to achieve.
Josh Olson, Chief Information Officer, Michigan Technological University, put the problem this way: “You know those flight maps in the airline magazines? Those are our data flow maps; we have in our environment data flying all over the place. Today, protecting data needs to become a bigger discussion. It needs written policies, user transparency, and data protection and attention needs to be given not just to the pieces, but to the whole enchilada.”
Taken together, CIOs and CISOs need to refocus their attention from perimeters, application security and even identity management to what Michelle Dennedy, Chief Privacy Officer for Cisco and co-author of "The Privacy Engineer’s Manifesto," describes as “dynamic data-centric and person-centric” protection.
For some, encryption may seem like a good answer, but is it really? I remember using database encryption to protect our customer’s personal financial login credentials at my Internet startup, eBalance, but this coarse-grained protection was limited to ‘all or nothing’ access to the entire database and negatively impacted system performance.
Most organizations that need data protected need it protected both internally and externally, and they need to grant differentiated rights to access it. Using encryption that provides only coarse-grained protection adds little value from a risk mitigation or threat management perspective: whoever holds the key, or the credentials of a privileged account, sees everything. Data protection needs to provide much more granular access control with minimal operational and performance impact to be fully accepted, let alone embraced, by the business.
Encryption applied this way also creates several business problems. The most important are the impact on performance, changes to physical data models, and increased data volumes, especially where a large number of small fields require protection.
Organizations need to be able to use data to gain the insights needed for business innovation and advancement. This goal should not be stymied by data integration or by regulatory compliance requirements involving customers’ data privacy rights. Data should be available and usable for analytics and other critical business processes while non-public Personally Identifiable Information (PII) is protected from internal or external parties that do not have an authorized need to view it in the clear.
A better way involves intelligent, dynamic data-centric and person-centric fine-grained (field or column level) data protection. No one person should have complete access to all data. A CIO shared a situation with me describing what happened when they had a data security breach involving a single compromised set of user credentials – what would have been a minor incident became a major data breach because a certain executive insisted on complete access to all data.
What’s needed is an approach that involves building data protection cross-silo and cross-application. Making this work requires centralized governance of data and the use of pseudonymization to protect the identity of data subjects, such that additional information would be required for re-identification.
With centralized governance and pseudonymization, protection can be applied wherever the data goes. The power of this approach can be understood by considering a healthcare example: I may want my doctor to see my entire medical record, but I may not want them to see my financial records, as well. Or I may want a researcher studying how to derive better care to see my entire medical record but without them knowing it is mine.
A pseudonymization approach leveraging tokenization uses a consistent token for each unique value (the same name always maps to the same token) and requires access to additional information, the token code book, to re-identify protected information. With the pseudonymized data we may not know the identity of the data subject, but because the tokens are consistent we can still correlate entries belonging to the same data subject, and joins and counts still work. Only users authorized to consult the token code book can recover the real identity of an individual, so re-identification becomes a separately governed privilege rather than a side effect of reading the data. Note the corollary: as long as a code book exists somewhere, the data remains re-identifiable and must be treated as personal data. With fully anonymized data, by contrast, there is no method to re-identify the data at all.
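The field-level protection, the doctor/researcher example and the token code book described above, as one added example in Python (this is illustrative code written for this page, not code from the article or any product it mentions). The record layout, the role policy, and the choice of an HMAC over the field name and value as the token derivation are assumptions made for the example; the sample records are fabricated.

```python
# Added example, not code from the article: field-level pseudonymization of PII
# with a central token code book, role-based re-identification, and the contrast
# with irreversible anonymization. Field names, roles and the HMAC token
# derivation are assumptions made for this example.
import hashlib
import hmac
import secrets
from typing import Dict, List

# Constructed sample records for the example (fabricated, not real data).
RECORDS: List[Dict[str, object]] = [
    {"patient": "Alice Example", "dob": "1980-02-14", "diagnosis": "hypertension", "balance_due": 320.0},
    {"patient": "Bob Example",   "dob": "1975-11-02", "diagnosis": "asthma",       "balance_due": 150.0},
    {"patient": "Alice Example", "dob": "1980-02-14", "diagnosis": "migraine",     "balance_due":  90.0},
]

PII_FIELDS = ("patient", "dob")   # direct identifiers: always tokenized at rest

# Column-level policy (assumed): which fields a role may see at all, and whether
# the role may consult the code book to re-identify tokens. Reading the record
# and re-identifying the subject are deliberately separate privileges.
POLICY = {
    "doctor":     {"fields": {"patient", "dob", "diagnosis"}, "reidentify": True},
    "researcher": {"fields": {"patient", "dob", "diagnosis"}, "reidentify": False},
    "billing":    {"fields": {"patient", "balance_due"},      "reidentify": True},
}


class TokenVault:
    """Central code book mapping tokens back to the original values.

    A token is an HMAC of (field, value) under a key held only by the vault, so
    the same value always yields the same token: records for one patient still
    correlate, across systems, without revealing who the patient is. The key
    never leaves the vault and the mapping is consulted only by detokenize().
    """

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._book: Dict[str, str] = {}   # token -> original value

    def tokenize(self, field: str, value: str) -> str:
        mac = hmac.new(self._key, f"{field}\x00{value}".encode(), hashlib.sha256)
        token = f"tok_{field}_{mac.hexdigest()[:16]}"
        self._book[token] = value
        return token

    def detokenize(self, token: str, role: str) -> str:
        if not POLICY[role]["reidentify"]:
            raise PermissionError(f"role {role!r} may not re-identify data")
        return self._book[token]


def pseudonymize(records: List[Dict[str, object]], vault: TokenVault) -> List[Dict[str, object]]:
    """Replace PII fields with consistent tokens; non-PII payload is untouched."""
    return [
        {k: (vault.tokenize(k, str(v)) if k in PII_FIELDS else v) for k, v in rec.items()}
        for rec in records
    ]


def view(pseudonymized: List[Dict[str, object]], role: str, vault: TokenVault) -> List[Dict[str, object]]:
    """Apply the column policy, then re-identify PII only if the role is allowed to."""
    allowed = POLICY[role]["fields"]
    result = []
    for rec in pseudonymized:
        row = {}
        for k, v in rec.items():
            if k not in allowed:
                continue                       # column the role must never see
            if k in PII_FIELDS and POLICY[role]["reidentify"]:
                v = vault.detokenize(str(v), role)
            row[k] = v
        result.append(row)
    return result


def anonymize(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Irreversible variant: PII replaced by random values that are stored nowhere,
    so correlation between records is lost along with any way to re-identify."""
    return [
        {k: (secrets.token_hex(8) if k in PII_FIELDS else v) for k, v in rec.items()}
        for rec in records
    ]


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    stored = pseudonymize(RECORDS, vault)
    print("researcher:", view(stored, "researcher", vault))   # tokens, full medical record
    print("doctor:    ", view(stored, "doctor", vault))       # real names, no financial data
    print("billing:   ", view(stored, "billing", vault))      # names and balances, no diagnosis
```

The researcher sees the whole medical record and can tell that two rows belong to the same patient, but never learns who; the doctor sees the patient's identity but not the balance; billing sees the balance but not the diagnosis. A stolen researcher credential, or a stolen copy of the pseudonymized table, yields no PII because re-identification needs the vault's code book and a role that is permitted to use it.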
As we have been saying all along, data matters to all businesses. We need to make data available and usable by authorized data stakeholders, but we need to ensure that only the right stakeholders can access PII. Without these safeguards, the bad guys only need to acquire or compromise one privileged person’s credentials. We must raise the bar, making it harder to gain access to sensitive or regulated PII even if a privileged administrator’s credentials are compromised. This requires centralized data governance and policy control and the pseudonymization of PII.