Data security hinges on clear policies and automated enforcement
In 2003, California became the first U.S. state to require and implement a series of data breach notification laws designed to protect against the misuse of residents’ personal information. The more recently enacted California Consumer Protection Act (CCPA) provides two main benefits: it allows consumers, as individuals or a class, to sue businesses when their personal information is disclosed without their authorization, and it provides a statute that prevents anyone who does business in the state from sweeping a data breach under the rug.
In the two decades since, the conversation around data protection, security, and privacy has ballooned. As a result, businesses of all sizes and across industries now take extra precautions to protect their employee and customer data.
Similar protective measures also exist outside of the United States. Countries around the world are realizing that with the amount of data at our disposal, data privacy regulations are paramount to keeping customers and employees safe and organizations protected. The financial services industry is a great example of why.
For FINRA (the Financial Industry Regulatory Authority), whose mission is to safeguard financial markets, the ability to store data in the cloud (instead of on-prem) proved to be beneficial. But how did FINRA manage the data once it entered the cloud?
“Pretty soon after getting into the cloud, our security group started to say that the security posture could very well be better in the cloud than we had in our data center,” said Aaron Carreras, Vice President of Data Management and Transparency Services Technology at FINRA. Their role as an oversight organization meant their ability to segment and access data was key. With proper tooling for cloud, they were able to find comfort in knowing their sensitive data would remain private and secure.
Data privacy is essential to modern data security
Developments in emerging technologies, data privacy, cybersecurity, and digital assets are proving to be beneficial for organizations. Yet, given the level of sensitive and confidential data held and maintained, companies need to be locked in on how to advance their policy priorities and stay up to speed on the debates that impact their businesses and markets. After all, no organization wants to go through the headache of dealing with reputational and/or financial damage, or other common side effects of a malicious or even unintentional data breach. Put simply, data privacy is an essential component of modern data security.
Dissecting the components of modern data security
For many, the easiest way to think about securing data is the practice of assigning policies to secure a company’s assets and prepare the organization against a potential attack. The way in which policies are designed can range from classification and handling of data to credentials management and network access.
Because incidents aren’t tied to one specific cause, it’s important for organizations to think about:
- The classifications of data they hold
- The combinations and permutations of who gets access to what, and
- What it means if sensitive data are hacked and released.
The key is to establish policy guardrails for internal use to minimize cyber risk and maximize the value of the data.
Once policies are established, the next consideration is establishing continuous oversight. This component is difficult if the aim is to build human oversight teams, because combining people, processes, and technology is cumbersome, expensive, and not 100% reliable. Training people to manually combat all these issues is not only hard but requires a significant investment over time.
As a result, organizations are looking to technology to provide long-term, scalable, and automated policies to govern data access and adhere to compliance and regulatory requirements. They are also leveraging these modern software approaches to ensure privacy without forcing analysts or data scientists to “take a number” and wait for IT when they need access to data for a specific project or even everyday business use.
With a focus on establishing policies and deciding who gets to see/access what data and how it is used, organizations gain visibility into and control over appropriate data access without the risk of overexposure. The reliance on data privacy may at first glance appear daunting and tedious, but with clear policies and automated enforcement, data is governed and protected with little to no extra effort.
Looking forward
With all these challenges to ensure the proper protection of personally identifiable information (PII) and with the growing number of global mandates designed to ensure privacy, organizations need to get ahead of the problem.
Without a doubt, when it comes to protecting and keeping track of the volumes of data, along with who can see and use it, protecting PII will always be challenging. For some, these issues can be mitigated by prioritizing data cataloging and classification, a focal point called out in the EDM Council’s Cloud Data Management Capabilities Framework. With data expanding in type and volume each day, companies will need to keep proactive data access governance at the top of their priority lists.