Last updated: 02 October 2019
In a quest for digital transformation, an increasing number of organizations across the globe are adopting the practice of Bring Your Own Device (BYOD) and encouraging their staff to use their personal devices for business work.
While BYOD definitely enhances operational flexibility and reduces IT costs, it opens up doors for cybersecurity threats like data breaches and data leaks as personal devices don’t offer the same security as centrally managed business devices. And in today’s times where we read about data breach incidents almost on a daily basis, traditional security approaches like merely securing the network no longer work. The need of the hour is to rethink the data protection strategy across the organization and shift the focus from securing the network to securing the data itself – wherever it resides!
Below are the 4 prerequisites to developing a cohesive enterprise data protection strategy:
1. Assessing the various internal and external data breach risks
2. Formulating a robust ‘breach mitigation’ strategy
3. Developing a fundamentally strong strategy to secure a data breach, and
4. Implementing vital data protection technologies to contain the breach.
Before we deep-dive into each prerequisite, let’s first understand the various types of data that organizations need to protect. Sensitive data can be broadly categorized into 7 types: personally identifiable information, financial information, health information, intellectual property, competitors’ information, legal information and IT security information like usernames and passwords, encryption keys, etc.
Now that we know the types of data that need to be safeguarded, let’s deep dive into each prerequisite of a robust data protection strategy.
1. Assess Internal and External Data Breach Risks
Cybersecurity experts across the globe accept the bitter truth that when it comes to data breaches, it is not a matter of “if” but “when”. And to delay the eventuality of a breach, IT security teams across organizations need to regularly assess potential cybersecurity risks that may originate from within the organization as well as from outside the organization.
Internal risks can be commonly attributed to weak IT security policies like the lack of strong passwords, poor user authentication and identity management, unrestricted access to external storage devices like USBs and external HDDs, etc.
External risks arise from deliberate data breach attempts through malicious attacks using social engineering tactics like phishing, vishing and smishing, insertion of malware or viruses, SQL injection, DDoS (Distributed Denial of Service) attacks, etc.
2. Formulate a ‘Data Breach Mitigation’ Strategy
With cybercriminals getting smarter with every passing day, organizations need to extend the ambit of IT security beyond the perimeter and formulate a cohesive strategy that revolves around securing their data wherever it resides.
To achieve this, organizations should start by asking three pertinent questions:
1) Where is our sensitive data?
2) How is this data being used?
3) How do we ensure only authorized access to this data?
Once concrete answers are known to these questions, developing a ‘Breach Mitigation’ strategy to secure data breaches would become relatively easier.
3. Secure Data Breaches
To prevent data breaches, organizations should:
a) Identify where their sensitive data resides – on premises, in the cloud or in hybrid environments. At the same time, organizations should also consider their network traffic, i.e., their data in motion. Once the locations of sensitive data are identified, the next step is to encrypt all sensitive data in order to render it useless to hackers in the event of a cyber attack.
b) Securely store and manage the encryption keys to ensure they don’t fall in the wrong hands. As a best practice, encryption keys should be stored only in Hardware Security Modules (HSMs) and centrally managed using a Key Management Solution.
c) Implement a robust Access Management Policy to make sure that only authorized personnel can access the encrypted data on a ‘need-to-know’ basis.
4. Implement Data Protection Technologies
Here’s a quick list of 4 technologies that play a pivotal role in optimal enterprise data protection:
1) Data Encryption
Widely considered one of the best ways of protecting any data, data encryption is the process of scrambling plain data into an unreadable format through the use of an algorithm together with a unique ‘key’, known as an ‘encryption/crypto key.’
2) Tokenization
Tokenization is the process of assigning a random surrogate value (also known as a ‘Token’) to the original data to avoid easy identification. Tokenization is initiated by a special software component, the ‘Tokenization Manager’: the original data is first received at its initial entry point by the Tokenization Manager and then encrypted.
3) Data Masking
Also known as ‘Data Obfuscation’, data masking is the process of hiding (or obscuring) the original data with random characters or other data. The primary purpose of data masking is to protect the original data while having a functional substitute for occasions when the original data is not required.
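The following is an added example, not code from the original post or from Thales: a minimal tokenization manager (illustrating the tokenization step above, including need-to-know access to the originals) together with a data-masking helper for the functional-substitute case. The in-memory dictionary standing in for the encrypted token vault, the role names and the card-number format are assumptions; the vault encryption and the HSM-backed key it would use are outside this snippet.

```python
# Added example: tokenization manager plus data masking (not the post's code).
# Assumption: a plain dict stands in for the encrypted token vault; a real
# deployment would encrypt the stored originals under an HSM-managed key.
import re
import secrets
import string

_PAN_RE = re.compile(r"^\d{12,19}$")  # assumed input: card-number-like digit strings


class TokenizationManager:
    """Receives sensitive values at their entry point, replaces them with random
    surrogate tokens, and only lets authorized roles recover the originals."""

    def __init__(self, authorized_roles):
        self._vault = {}                     # token -> original (encrypted at rest in practice)
        self._authorized = set(authorized_roles)

    def tokenize(self, pan: str) -> str:
        if not _PAN_RE.match(pan):
            raise ValueError("not a card-number-like value")
        # Format-preserving token: same length, digits only, last four kept so
        # downstream systems can still display and reconcile without the real PAN.
        while True:
            token = "".join(secrets.choice(string.digits) for _ in pan[:-4]) + pan[-4:]
            if token != pan and token not in self._vault:
                break
        self._vault[token] = pan
        return token

    def detokenize(self, token: str, role: str) -> str:
        # Need-to-know access control: unauthorized roles never see the original.
        if role not in self._authorized:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._vault[token]


def mask(value: str, visible_last: int = 4, mask_char: str = "*") -> str:
    """Data masking: obscure all but the trailing characters for display or testing."""
    if len(value) <= visible_last:
        return mask_char * len(value)
    return mask_char * (len(value) - visible_last) + value[-visible_last:]
```

The token is safe to hand to systems that only need to match or display the value, while the mask is a one-way substitute that cannot be reversed at all.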
4) Key Management
Since encryption keys go through multiple phases during their lifecycle – generation, distribution, rotation, archival, storage, backup and destruction – a Key Management Solution is vital to efficiently managing these keys at every stage of their lifecycle for data protection.
To Sum It Up
In today’s world where data is considered the most precious organizational asset, no stone should be left unturned to protect sensitive data. Enterprise data protection is not only important for an organization’s financial wellbeing but is also important from a regulatory perspective, with new IT compliance requirements being introduced every day.
Thales provides a robust, highly scalable Data Security Platform that prepares organizations to rapidly meet the next data security challenge and new compliance requirements.
Our solutions enable organizations to move to the cloud securely, achieve compliance with confidence, and create more value from their software in devices and services used by millions of consumers every day.
An effective data breach strategy can be summarized as:
1. Accept the Breach – Perimeter security alone is no longer enough.
2. Protect What Matters, Where It Matters – Data is the new perimeter.
3. Secure the Breach – Attach security to the data and applications because insider threat is greater than ever.
Learn more about the Vormetric Data Security Platform and how Thales can assist with your enterprise data protection strategy.