The Latest Data Risk Landscape
It’s the end of 2016, and enterprise data continues to change rapidly in form, size, use, and residence. Rarely does it remain in silos anymore, limited to certain business units or untouched by the outside world. Data now freely crosses the boundaries that once limited business potential. It floats about in the cloud, spreads between business units, and flows everywhere.
For all the change and opportunity that data represents, once it’s created or collected it must also be protected. With unyielding waves of data breaches and the massive Internet outage caused by October’s DDoS attack, our reliance on information depends more than ever on its security.
The hacking and misuse of sensitive data, on what now seems an industrial scale, is accompanied by a growing backdrop of data privacy legislation. Companies and government agencies collecting and handling personally identifiable information (PII) must comply with the Payment Card Industry Data Security Standard (PCI DSS) for cardholder data and the Health Insurance Portability and Accountability Act (HIPAA) for health information in the United States, the General Data Protection Regulation (GDPR) in Europe (taking effect in 2018), and similar laws elsewhere.
Data breaches also carry explicit costs. The 2016 Ponemon Institute Cost of a Data Breach Study found that the average cost per compromised record is $154 to $158. And what’s the probability of a breach? The study put the risk of having 10,000 or more records stolen or lost in the next two years at 26%. So, you have just above a one-in-four chance of losing 10,000 records. Maybe you can take the chance and risk it. But would you step onto one of four tiles knowing one of them hides a live landmine, when you could easily avoid the risk entirely?
Organizations stuck in old operational models and mindsets fail to recognize the importance of company-wide security protocols. To improve, they must address their need for what Gartner now calls Data Security Governance, so as to secure information in a structured and coordinated way, not as an afterthought.
What is Data Security Governance?
Gartner defines data security governance (DSG) as “a subset of information governance that deals specifically with protecting corporate data (in both structured database and unstructured file-based forms) through defined data policies and processes.”
You define the policies. You define the processes. There is no one-size-fits-all solution to DSG, and no single product meets all of its needs. You must look at your data and weigh which areas carry the greatest risk and the most importance to your company. You take data governance into your own hands to avert disaster. Remember that your information is your responsibility.
While there are multiple pathways to safeguarding data — logical, physical, and human — two primary software methods that IRI customers successfully employ are data masking and data-centric audit and protection (DCAP). Both are described below, and both benefit from extensive data discovery (search, profile, classify) and auditing (record, query, report) facilities that IRI also provides.
According to Gartner analyst Marc Meunier’s most recent (11/28/16) research note, “How Data Masking Is Evolving to Protect Data from Insiders and Outsiders:”
Adopting data masking helps organizations raise the level of security and privacy assurance for their sensitive data — be it protected health information (PHI), personally identifiable information (PII) or intellectual property (IP). At the same time, data masking helps meet compliance requirements with security and privacy standards and regulations.
Most enterprises — either by virtue of internal rules or data privacy laws — have been, are now, or will soon be, making data masking a core element of their overall security strategy.
Data-Centric Audit and Protection
“Poor user security practices are still the biggest single threat to enterprises.”
– Intel report “Grand Theft Data”
Data-Centric Audit and Protection (DCAP) products manage data security centrally by actively controlling, monitoring, and logging the activities of data users. They automatically detect unusual behavior and react accordingly, either by shutting the suspicious user out or by alerting someone to the behavior. And according to Gartner’s Market Guide for Data-Centric Audit and Protection, “all activity is recorded in an audit log (for compliance, reporting, and forensic analysis).”
DCAP relies heavily on data protection functions, including blocking, redaction, encryption, tokenization, and masking. These technologies limit what data each user can touch according to the user’s role. Minimizing contact with critical data and monitoring user behavior are keys to preventing the mishandling of information.
Intel’s Grand Theft Data report found that employees are responsible for 43% of data breaches (half deliberate, the other half accidental). Whatever the reason for the breach, data is compromised and security has failed. This is why DCAP is so important: actively protecting your data through monitoring and real-time enforcement of policies addresses the insider portion of the problem, nearly half of the breaches in that study.
Software for Masking and DCAP
Meunier’s data masking note cited above made the following recommendations:
- Look beyond static data masking.
- Mask data in the big data platforms.
- Mask unstructured content.
- Evaluate re-identification risks.
- Consider data virtualization with data masking.
- Consider format-preserving encryption or tokenization.
IRI provides static and dynamic data masking solutions for databases, flat files, proprietary mainframe and legacy application sources, and big data platforms (Hadoop, NoSQL, Amazon, etc.) in its FieldShield product or Voracity platform, as well as for data at risk in Excel via CellShield. These functions include format-preserving encryption and tokenization, in addition to redaction, pseudonymization, and several other functions, some reversible and some not.
Voracity also folds masking into data integration and migration operations, as well as federation (virtualization), reporting, and data preparation for analytic operations. Built-in data discovery, classification, metadata management, and audit logging features facilitate both automatic and manual assessments of the re-identifiability of affected records.
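The masking functions named above (redaction, keyed pseudonymization, vault-based tokenization that preserves the field’s format) and the re-identification assessment are easier to reason about with code. The following Python is an added illustration, not IRI code: the sample rows are constructed, the field policy and key handling are assumptions, and the k-anonymity check is the simplest common measure of re-identifiability, not a full evaluation.

```python
"""Added illustration of masking techniques and a re-identification check.
Not IRI code: the functions, key handling and sample rows are assumptions."""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample rows (fictitious people, industry test card numbers).
RECORDS = [
    {"name": "Ann Ortiz", "ssn": "123-45-6789", "card": "4111 1111 1111 1111", "zip": "32960", "age": 34},
    {"name": "Bo Lee",    "ssn": "987-65-4321", "card": "5500 0000 0000 0004", "zip": "32960", "age": 36},
    {"name": "Cy Park",   "ssn": "555-12-3456", "card": "3782 822463 10005",   "zip": "32963", "age": 52},
    {"name": "Di Rao",    "ssn": "444-55-6666", "card": "6011 0000 0000 0004", "zip": "32968", "age": 55},
]

# Assumption: in production this key lives in an HSM/KMS, never in source.
PSEUDONYM_KEY = secrets.token_bytes(32)


def redact(value, keep_last=4, fill="*"):
    """Irreversible. Keeps separators and the last `keep_last` alphanumerics."""
    total = sum(ch.isalnum() for ch in value)
    seen, out = 0, []
    for ch in value:
        if ch.isalnum():
            seen += 1
            out.append(ch if seen > total - keep_last else fill)
        else:
            out.append(ch)
    return "".join(out)


def pseudonymize(value, key=PSEUDONYM_KEY):
    """Irreversible but deterministic, so joins across masked tables still work.
    Keyed HMAC, not a bare hash: an SSN has only 10^9 values, so a plain SHA-256
    of it is reversed by simple enumeration."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


class TokenVault:
    """Reversible tokenization: a random token with the same shape as the
    original is stored against it; only a holder of the vault can detokenize."""

    def __init__(self):
        self._to_value = {}
        self._to_token = {}

    def tokenize(self, value):
        if value in self._to_token:
            return self._to_token[value]
        while True:  # regenerate on the (rare) collision with an existing token
            token = "".join(str(secrets.randbelow(10)) if ch.isdigit() else ch for ch in value)
            if token not in self._to_value and token != value:
                break
        self._to_value[token] = value
        self._to_token[value] = token
        return token

    def detokenize(self, token):
        return self._to_value[token]


def generalize_age(age, width=10):
    """Coarsen an exact age to a decade band to shrink the quasi-identifier space."""
    lo = age - age % width
    return f"{lo}-{lo + width - 1}"


def mask_record(rec, vault):
    """One policy per field; which functions are reversible is an explicit choice."""
    return {
        "name": pseudonymize(rec["name"]),    # consistent alias, cannot be undone
        "ssn": redact(rec["ssn"]),            # "***-**-6789"
        "card": vault.tokenize(rec["card"]),  # same shape, detokenizable via the vault
        "zip": rec["zip"][:3] + "**",         # generalized quasi-identifier
        "age": generalize_age(rec["age"]),
    }


def k_anonymity(records, quasi_identifiers):
    """Size of the smallest group sharing the same quasi-identifier values.
    k == 1 means some record is unique on those attributes, so linkage against a
    public dataset (voter roll, etc.) could re-identify it."""
    groups = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return min(groups.values())


if __name__ == "__main__":
    vault = TokenVault()
    masked = [mask_record(r, vault) for r in RECORDS]
    print("k before masking:", k_anonymity(RECORDS, ["zip", "age"]))  # 1
    print("k after masking: ", k_anonymity(masked, ["zip", "age"]))   # 2
    print(masked[0])
    print("detokenized card:", vault.detokenize(masked[0]["card"]))
```

Run as a script, the four rows are all unique on (zip, age) before masking (k = 1) and fall into groups of two after zip and age are generalized (k = 2); the card token keeps its spacing and length so downstream systems still accept it, and only the vault can map it back.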
So, masking data can blunt the effect of a breach: stolen masked data has little value. But how about preventing the breach in the first place? That’s where DCAP comes in, and IRI’s Chakra Max software, which firewalls data in 20 different database platforms. Chakra Max allows you to set DB access and SQL approval policies, block unauthorized activity and redact specific columns dynamically, and monitor and log all activity for DSG-related audits.
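To make the DCAP controls concrete (a role-based access policy enforced before a statement reaches the database, dynamic redaction of specific columns on the way out, and an audit record for every decision), here is an added Python illustration. It is not Chakra Max code and does not show how that product works: the policy format, role names, table, and the simplified table-name extraction are assumptions, and it uses an in-memory SQLite database constructed for the demo.

```python
"""Added illustration of DCAP-style database firewalling: access policy,
dynamic column redaction, and an audit log. Not Chakra Max code; the policy
format, roles, table and SQL handling here are assumptions."""
import re
import sqlite3
from datetime import datetime, timezone

# Constructed policy: per role, readable tables, columns returned redacted,
# and whether writes are permitted.
POLICY = {
    "analyst":   {"tables": {"patients"}, "redact": {"ssn", "name"}, "write": False},
    "clinician": {"tables": {"patients"}, "redact": {"ssn"}, "write": False},
    "dba":       {"tables": {"patients", "audit"}, "redact": set(), "write": True},
}

AUDIT_LOG = []  # in practice an append-only store shipped to the SIEM


class PolicyViolation(PermissionError):
    pass


def tables_in(sql):
    """Simplified: tables named after FROM/JOIN/INTO/UPDATE. A real DCAP product
    parses the full SQL grammar; this regex is enough for the demo."""
    return {m.lower() for m in re.findall(r"\b(?:from|join|into|update)\s+([A-Za-z_]\w*)", sql, re.I)}


def audit(user, role, sql, decision, reason=""):
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "role": role, "sql": sql,
        "decision": decision, "reason": reason,
    })


def guarded_query(conn, user, role, sql):
    """Enforce POLICY before the statement runs, redact on the way out,
    and record every decision. Returns rows (SELECT) or a rowcount (writes)."""
    rule = POLICY.get(role)
    if rule is None:
        audit(user, role, sql, "BLOCK", "unknown role")
        raise PolicyViolation("unknown role")
    is_read = sql.lstrip().upper().startswith("SELECT")
    if not is_read and not rule["write"]:
        audit(user, role, sql, "BLOCK", "write by read-only role")
        raise PolicyViolation("write not permitted for role " + role)
    denied = tables_in(sql) - rule["tables"]
    if denied:
        audit(user, role, sql, "BLOCK", "table(s) not permitted: %s" % sorted(denied))
        raise PolicyViolation("access to %s not permitted" % sorted(denied))
    cur = conn.execute(sql)  # sqlite3 rejects stacked statements in execute()
    if not is_read:
        conn.commit()
        audit(user, role, sql, "ALLOW", "write")
        return cur.rowcount
    cols = [d[0].lower() for d in cur.description]
    rows = [dict(zip(cols, row)) for row in cur.fetchall()]
    for row in rows:  # dynamic redaction: the column is returned, its value is not
        for c in cols:
            if c in rule["redact"] and row[c] is not None:
                row[c] = "[REDACTED]"
    audit(user, role, sql, "ALLOW", "redacted: %s" % sorted(rule["redact"] & set(cols)))
    return rows


def demo_db():
    """Constructed in-memory table with fictitious records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (id INTEGER, name TEXT, ssn TEXT, dx TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?, ?)", [
        (1, "Ann Ortiz", "123-45-6789", "J45"),
        (2, "Bo Lee", "987-65-4321", "E11"),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    conn = demo_db()
    print(guarded_query(conn, "alice", "analyst", "SELECT id, name, ssn, dx FROM patients"))
    for user, role, sql in [("alice", "analyst", "DELETE FROM patients"),
                            ("bob", "clinician", "SELECT * FROM audit")]:
        try:
            guarded_query(conn, user, role, sql)
        except PolicyViolation as exc:
            print("blocked:", exc)
    for entry in AUDIT_LOG:
        print(entry)
```

The analyst sees diagnosis codes but neither names nor SSNs; the clinician sees names but not SSNs; the analyst’s DELETE and the clinician’s read of a table outside the policy are blocked before execution, and all five decisions land in the audit log with a timestamp and reason.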
See www.iri.com/solutions/data-governance for more information, and contact your IRI representative if you need help creating or enforcing your DSG framework.