Protecting Data in a World Without Borders and Boundaries

August 21, 2020

It’s easy to overlook how connected and interconnected things are in the modern world. Today, data flows across companies, systems and international boundaries with few barriers. All of this makes it possible for companies to operate and innovate in ways that would have been unimaginable in the past. However, there’s a downside: protecting data and ensuring privacy is now incredibly difficult.

Make no mistake, the Internet—and the growing array of connected devices that comprise the Internet of Things (IoT) and Industrial Internet of Things (IIoT)—have profoundly changed the stakes. Legacy security tools are no longer enough to protect an enterprise against data loss, theft and abuse. In addition, data regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) complicate the task.

The challenges are growing. A recent ruling from the highest court in the European Union (EU) has introduced a new level of disruption—and thrown global business into even greater disarray during the pandemic. In July 2020, that court ruled that the Privacy Shield agreement between the U.S. and the EU was invalid. The judges asserted that the framework did not adequately protect European citizens in the way GDPR had intended.

The fallout is significant. Despite massive investments in cybersecurity, organizations must once again rethink the way they manage, store, use, and protect data. For many, this means adopting a more holistic framework that focuses on data-level safeguards and protections. “You have to be able to trace where every piece of data resides, where it goes and, if someone wants it changed or removed, how to find it and comply with the request,” says Rick Farnell, CEO of Protegrity.

Passport to Problems

The challenges of managing and protecting data aren’t lost on a typical business executive. Clouds, APIs, IoT and increasingly entangled global supply chains introduce remarkable complexities. Yet, all too often, a focus on business agility and data flexibility blinds business leaders to the realities of today’s environment. Increasingly, data movement occurs automatically and invisibly. When a data problem surfaces, organizations wind up trying to address the symptom rather than the underlying problem. For example, they may use static data masking (SDM) and dynamic data masking (DDM) techniques that are rife with problems and risk.

Legacy security systems—things like firewalls, antivirus and data leak prevention (DLP)—ratchet up the risk further. While these tools continue to play an important role, they alone cannot address today’s data protection requirements. In a cloud-first world, data doesn’t reside in a single database or data center. It is shared across applications, systems, devices, storage components, and even multiple cloud providers. What’s more, edge and fog components muddle analytics, machine learning and other forms of automation and AI. As Farnell puts it: “It’s a very different environment than the closed enterprise model.”

A starting point for improving data privacy is to recognize it’s necessary to view data as a currency. Becoming a data-driven enterprise and investing in the proper security tools is critical. It’s important to understand how data impacts everything from customer interactions and operations to revenue streams and privacy. Successful organizations understand that there’s a need to have a granular view of data and data security. Simply masking data when it’s accessed is risky and ineffective. This approach makes it difficult, if not impossible, to fully protect sensitive data and comply with regulations like GDPR and CCPA.

The recent EU court ruling snaps all of this into focus. The judges decided that current U.S. law does not protect EU citizens from data privacy violations in the way that GDPR had intended. The ruling encompasses issues relating to data transfers, cross-border trade and case-by-case data transfers. The net impact is that companies doing business in the EU—along with the ecosystem of companies they exchange data with—must reexamine their data privacy approaches and policies to demonstrate they understand the court ruling—and the risk associated with not complying. For many businesses, this may mean going back to square one.

It’s also important to note that the impact from the ruling is only beginning to take shape. For one thing, there are numerous issues and inconsistencies that must be sorted out—and discussions between the U.S. and EU are ongoing. For another, it’s not clear what penalties may result from non-compliance, or how the U.S. will respond to the ruling. Nevertheless, the potential financial impact on businesses doing business in the EU is significant. Factor in the additional requirements of the CCPA and it’s clear that organizations should not hope for data regulation challenges to go away.

Beyond the Basics

In this environment, an effective data management strategy is paramount. It requires a focus on data discovery, classification, protection, enforcement, and monitoring, all of which must take place at the speed of today’s business transactions. Organizations that hold onto a reactive and passive approach to data management place themselves in the firing line. “A duct tape approach that involves humans and manual processes simply won’t work. It’s expensive and ineffective,” Farnell says.

Today, the focus must be on data-centric protection. This requires business leaders and security teams to recalibrate to a lifecycle approach. There’s a need for data encryption at rest and in motion, data tokenization to validate data and de-identify personally identifiable information (PII), and a deeper and broader understanding of data use cases and the specific granular protections required to guard data and identify it. Moreover, there’s a need to recognize that not all data and interactions are equal. A banking transaction is not the same as a marketing inquiry, though both need to be addressed within the context of security, data privacy, and regulatory frameworks. A best practices approach—one that adheres to the principle of following data wherever it goes—ultimately involves several core components:

  • A data protection technology framework that spans applications and systems.
  • A data and security governance framework that can identify sensitive fields and actual risk.
  • An automated discovery process and framework that finds all sensitive data.
  • A process to address security policy creation and management.
  • Role-based access controls that function under a model of least privilege and separation of duties.
  • Scalable, flexible protection and de-identification.
  • Tamper-proof monitoring, logging, reporting and auditing.
  • Support for all data types and formats within a platform.
  • An environment that spans legacy data systems and applications as well as cloud-based data.
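To make several of the components above concrete, here is an added example (not Protegrity’s code and not from the article) of a small data-centric flow: classified PII fields are tokenized on ingest, detokenization is gated by role under least privilege, and every attempt lands in an HMAC-chained audit log that exposes tampering. The role table, the field classification and the audit key are assumptions constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

# Hypothetical role table and field classification (assumptions, not from the article).
ROLE_PERMISSIONS = {"fraud_analyst": {"detokenize"}, "marketing": set()}
PII_FIELDS = {"email", "ssn"}


class TokenVault:
    """Vault-based tokenization: PII is swapped for a random token and the
    token-to-value map lives only here, so downstream copies carry no PII."""

    def __init__(self, audit_key: bytes):
        self._vault = {}            # token -> original value (the only copy of PII)
        self._audit = []            # (entry, mac_hex): hash-chained, HMAC-sealed log
        self._audit_key = audit_key
        self._prev_mac = b"\x00" * 32

    def tokenize(self, value: str) -> str:
        token = "tok_" + secrets.token_hex(8)    # random, not derived from the value
        self._vault[token] = value
        return token

    def detokenize(self, token: str, role: str):
        # Least privilege: only roles granted "detokenize" recover the value.
        allowed = "detokenize" in ROLE_PERMISSIONS.get(role, set())
        self._record(role, token, allowed)       # every attempt is logged, allowed or not
        return self._vault.get(token) if allowed else None

    def _seal(self, prev: bytes, entry: dict) -> bytes:
        payload = json.dumps(entry, sort_keys=True).encode()
        return hmac.new(self._audit_key, prev + payload, hashlib.sha256).digest()

    def _record(self, role: str, token: str, allowed: bool) -> None:
        entry = {"seq": len(self._audit), "role": role, "token": token, "allowed": allowed}
        mac = self._seal(self._prev_mac, entry)
        self._audit.append((entry, mac.hex()))
        self._prev_mac = mac

    def audit_intact(self) -> bool:
        # Recompute the chain; an edited or deleted entry breaks verification.
        prev = b"\x00" * 32
        for entry, mac_hex in self._audit:
            mac = self._seal(prev, entry)
            if not hmac.compare_digest(mac.hex(), mac_hex):
                return False
            prev = mac
        return True


def protect_record(record: dict, vault: TokenVault) -> dict:
    """De-identify on ingest: tokenize only the fields classified as PII."""
    return {k: vault.tokenize(v) if k in PII_FIELDS else v for k, v in record.items()}
```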

Putting Data on Lockdown

As data management, storage, and security become more challenging—and as regulatory concerns and the recent EU court ruling increase the pressure on organizations to keep data protected—global companies must rethink existing data protection methods. It’s simply not enough to fly on autopilot. A robust data security platform is the baseline for business in an interconnected world. “The existing U.S. Privacy Shield cannot be viewed or used as a safeguard,” Farnell says.

Although there’s no way to eliminate all risk, a data-first approach can lock down data security and privacy at a far more granular level. This allows an organization to better respond to initiatives like GDPR and CCPA, and be prepared for other regulations and standards as they arrive. Equally important, it improves an organization’s stature with business partners and consumers.

In the end, companies have to be equipped to deal with new regulatory measures and sudden changes in data security and privacy. When they are, they have the agility and flexibility to react to a changing business world and still have control of their data. In a world where trust matters and reputation is everything, these organizations are positioned to take data protection to a best practice level.