By Trevor J. Morgan, Ph.D., Product Manager at comforte AG
Protecting sensitive data is a challenge facing every business and enterprise. The value of data has risen to the point that it is often referred to as ‘the new gold’ and treated as a fundamental business asset. That value naturally draws criminals toward the highly sensitive personally identifiable information (PII) that companies handle and process. Because data is dynamic, it must be secured across every stage of its lifecycle. This matters all the more because many companies now prioritize network agility and digital transformation over data security in an effort to keep operating through workforce enablement. The KPMG CIO Survey 2020 found that innovation has taken greater priority this year alongside improving security, while noting that “cybersecurity can sometimes become a secondary priority.” Yet if enterprises wish to stay on the right side of data security regulations, protecting the data itself is imperative, and budgetary shifts across many industry verticals have indeed directed more money toward securing the crown jewels of PII.
One alarming trend is that data is increasingly moving from secured corporate networks onto personal devices and home networks as remote working continues. The result is a wide distribution of data across environments the enterprise does not control, and with it a loss of control over the data itself. If this data fell into the wrong hands by any means (an unintentional leak or a targeted attack), the consequences would be severe: damage to brand perception, compliance penalties from regulators, and a loss of trust from savvy customers who increasingly understand just how valuable their data is. Whether a breach is caused by a careless employee or by criminal intent, the consequences are the same. Business decision-makers should therefore put in place systems and mechanisms that go beyond traditional security measures. Instead of protecting siloed data at rest, or simply protecting corporate networks with a firewall, businesses should protect their most critical asset at the point of value: the data itself.
Why do hackers want my data?
The global pandemic has greatly altered the state of data security. As workers move outside the internal security controls of corporate networks (which are mostly access- and perimeter-based), the volume of stolen data harvested and offered on the dark web has grown rapidly in the past few months. The price of data on the dark web has fallen by up to 60% as of October 2020, and as of December PII is being sold for as little as 50 cents (USD). This commoditization raises an obvious question: if data is the new gold, why is it so cheap to obtain? The main reason is that much of this stolen data has not yet been exploited, because transaction volumes have been relatively low under pandemic restrictions.
The biggest challenge enterprises face is understanding where their data lives and who has access to it. Organizations must seek out and discover their data, whether structured (in a database) or unstructured (in files, exports, tickets and logs). This gives security teams a holistic understanding of their current data security posture and also supports regulatory compliance and auditing. Only after this step can enterprises properly secure their data, because you cannot defend what you cannot see. Data discovery is a deliberate attempt to know the unknowns within the total data environment.
Data is a highly mobile and dynamic asset that crosses the traditional boundary between on-premises systems and the cloud; often it is a hybrid, living in both environments at once. This calls for a security strategy that prioritizes the data itself over the access paths and borders around it. The only lasting solution is to protect the data, not just the perimeters around it. This data-centric approach concentrates on exactly what criminals are after, and it removes their incentive: protected data that cannot be leveraged is worthless to them.
Protecting PII
But how can businesses deploy data-centric security to their advantage? The most widely accepted data-centric technique is tokenization. In plain terms, tokenization replaces a PII value with a substitute token of the same shape. The tokenized data remains usable for analytics and other corporate workflows, but in the wrong hands it has no discernible meaning and therefore no value: a token cannot be reversed to the original value without access to the tokenization system, which means that system (its vault or keys) becomes the asset that must be guarded most carefully. Because of this, if tokenized data is misplaced or mishandled, the pseudonymized values do not expose the underlying PII, which matters under the CCPA, whose breach liability provisions apply to nonencrypted and nonredacted personal information, and regulatory compliance is still met.
Tokenization also lets businesses protect data upstream, so that downstream applications and systems inherit the protection and security gaps across the enterprise are closed. Because the same input always maps to the same token, referential integrity is preserved: protected values can be joined, matched and counted for analytics without de-protecting the data, and because tokens keep the original format and length they pass the system and validity checks that expect real values. This supports another best practice in data security: de-protect data as rarely as possible.
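As an added example, written for this page and not comforte's product code, the following Python script ties together the data discovery step from the earlier section and the tokenization properties described here: it scans a constructed support-ticket export for card numbers using a Luhn check, replaces each one with a vault-issued, format-preserving token that keeps the last four digits and still passes Luhn, and shows that the same card on two tickets still correlates on the token alone while the order number that merely looks like a card is left untouched. The vault is an in-memory dictionary standing in for a hardened tokenization service; the ticket text and the order number are constructed, and the card numbers are public test values.

```python
"""Discover card numbers (PANs) in unstructured text, then tokenize them in place.

Added example written for this article; it is not comforte's product code.
The vault is an in-memory dict standing in for a hardened tokenization
service, and the sample records are constructed using public test card numbers.
"""
from __future__ import annotations

import re
import secrets

# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; weeds most random digit runs out of discovery results."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def discover_pans(text: str) -> list[str]:
    """Return every Luhn-valid card number in text, digits only, in order found."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


class Tokenizer:
    """Vault-based, format-preserving tokenization.

    Same PAN -> same token (referential integrity); a token has the same
    length, keeps the last 4 digits and passes Luhn, so it survives validity
    checks; reversal is only possible through this vault.
    """

    def __init__(self, keep_last: int = 4) -> None:
        self.keep_last = keep_last
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13-19 digits")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            body = [secrets.choice("0123456789")
                    for _ in range(len(pan) - self.keep_last)]
            digits = body + list(pan[-self.keep_last:])
            # Adjust the leading digit so the token passes Luhn; the doubling
            # map is a bijection on 0-9, so one of the ten choices always works.
            for cand in "0123456789":
                digits[0] = cand
                if luhn_valid("".join(digits)):
                    break
            token = "".join(digits)
            # Never issue a token equal to the PAN, to a token already issued,
            # or to another real PAN held in the vault.
            if (token != pan and token not in self._token_to_pan
                    and token not in self._pan_to_token):
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault holder can recover the PAN; unknown tokens reveal nothing."""
        if token not in self._token_to_pan:
            raise KeyError("token not issued by this vault")
        return self._token_to_pan[token]


def protect_text(tok: Tokenizer, text: str) -> str:
    """Replace each discovered PAN with its token, keeping the separator layout
    so downstream parsers see the same shape they did before."""
    def swap(m: re.Match) -> str:
        raw = m.group()
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw                      # order number, phone number, etc.
        token = iter(tok.tokenize(digits))
        return "".join(next(token) if c.isdigit() else c for c in raw)
    return PAN_CANDIDATE.sub(swap, text)


# Constructed sample: a support-ticket export. 98765432101234 is an order
# number that looks like a PAN but fails Luhn; the card numbers are public
# test values.
SAMPLE_EXPORT = (
    "ticket 1042 refund to card 4111 1111 1111 1111 amount 20.00\n"
    "ticket 1043 order 98765432101234 shipped\n"
    "ticket 1044 chargeback on card 5555-5555-5555-4444\n"
    "ticket 1045 repeat caller, card 4111 1111 1111 1111\n"
)


def demo() -> dict:
    """Discover, protect, then show that analytics still works on tokens alone."""
    vault = Tokenizer()
    protected = protect_text(vault, SAMPLE_EXPORT)
    # Tokens are Luhn-valid and card-shaped, so the same discovery pass finds
    # them again: a caveat, since format alone cannot tell a token from a PAN.
    tokens = discover_pans(protected)
    return {
        "pans_found": discover_pans(SAMPLE_EXPORT),
        "protected": protected,
        "tokens": tokens,
        "same_card_both_tickets": tokens[0] == tokens[-1],
        "vault": vault,
    }


if __name__ == "__main__":
    result = demo()
    print(result["protected"])
    print("same card on tickets 1042 and 1045:", result["same_card_both_tickets"])
```

Two points from the code are worth carrying into a real deployment. First, everything hinges on the vault: a second `Tokenizer` cannot detokenize the first one's tokens, which is the whole security argument, so the tokenization service needs the strongest access control in the estate. Second, because the tokens are card-shaped and Luhn-valid, a discovery scan cannot distinguish them from live PANs by format alone; the inventory of which fields and systems hold tokens has to be maintained deliberately.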
Organizations currently spend considerable money to reduce risk, whether on endpoint and mobile protection, cloud security, application security, or network defense. These traditional perimeter-based methods protect mainly against known attack vectors, so a piecemeal approach built from them cannot fully prevent data breaches. Data-centric security, and tokenization in particular, brings further benefits, including a clear return on investment. It provides more coherent coordination when complying with industry regulations; for PCI DSS, removing cleartext card data from systems shrinks the scope of the cardholder data environment and can save thousands or even millions in audit costs and time. And where data protection is your responsibility (which is always the case for the data you process and store in the cloud, whatever else the provider secures), data-centric security offers peace of mind by protecting against breach or loss of data.
For security teams struggling to enact digital transformation, trying to ensure network agility, and laboring to prevent embarrassing data breaches, data-centric security is a promising solution. It’s also one that can be deployed in weeks rather than months or years, without modification to existing applications and workflows. So, what’s stopping you from taking the fundamental step of protecting your data with data-centric security?
About the Author
Trevor J. Morgan is responsible for product management at comforte AG (https://www.comforte.com/), where he is dedicated to developing and bringing to market enterprise data protection solutions. He has spent the majority of his career in technology organizations bringing to market software, hardware and services for enterprise and government customers. Trevor has held senior-level, lead positions in sales engineering, product management, software architecture and product marketing in companies like Cisco, Capital One and Ciena. He holds a Ph.D. from Texas Tech University and a bachelor’s and master’s from Baylor University.
Trevor can be reached online at https://www.linkedin.com/in/trevor-j-morgan-ph-d-8b663515/