With workforce mobility at an all-time high, the biggest challenge in protecting sensitive data fields arises when they are in use by remote users and across federated business processes.
Traditional protection focused on the user and network components (IPS, firewalls, activity monitoring, etc.). With the transition to data-centric protection, the focus is on the data itself, protecting it wherever it is stored (at rest), moved or copied (in transit) and accessed or processed (in use).
Some of the more popular data-centric protection methods include encryption, tokenization, dynamic data masking (DDM), data scrambling, format-preserving encryption and a few more. We spent time with Ramses Gallegos, who is the International Chief Technology Officer, Cybersecurity at Micro Focus. Ramses is a prominent speaker on the international circuit and a respected technology strategist and information security evangelist.
AXZEL:
Most organisations have terabytes upon terabytes of sensitive data already floating around with employees and with 3rd parties. While new data can be subject to the latest protection methods, realistically what hope do we have of securing legacy data?
RAMSES:
Legacy data may present a challenge because of the format and nature of it. For that, existing technologies such as FPE (Format-Preserving Encryption) and FPH (Format-Preserving Hash) are available to overcome that particular problem. There’s no need to modify the origin or destination of the applications when it comes to data encryption or tokenization.
We live in ‘chaotic’ times with infrastructure that continues to grow but very rarely throws out or decommissions old systems. The mainframe, which holds multitudes of legacy data, is living in one of its golden epochs. Thus, it is crucial that our approach to data governance and data protection is consistent, overarching and considers all our systems, applications, platforms. It is critical that we leave no system behind!
AXZEL:
A lot of businesses are struggling to recover from the ongoing effects of the global economic slowdown, and with the growing trend towards self-service data access and analytics, how can you still justify the performance impact of some of these protection methods?
RAMSES:
Justification comes from need. These methods, processes, procedures, standards, guidelines, are fundamental to protecting one of the two most important assets of every company on the planet: data (only second to the most important asset: people).
We may discuss the cost, the timing and the scope of controls; but there is no question that apart from being a regulatory requirement, Data Privacy is a Human Right and one of the pillars of any society.
Consequently, protecting it at any cost, some would say, is a no-brainer; although, as we all know, there will always be business practicalities to contend with.
Self-service data access and analytics are nice, but the onus will always be on the Data Processor and, from what we see, the tension between risk management and business performance will remain. This makes it even more imperative to establish classified information inventories and only then implement the controls, at every stage of the information lifecycle, that are commensurate with the class of information.