A push for data-centric security: What organisations must consider
Ron Arden takes a data-centric approach to security where the focus is on protecting the data within a system, and not just the system itself
Ron Arden, vice president, Fasoo
Today's sophisticated, unpredictable cyber-security environment complicates organisations' traditional approach to securing their data. Recent years have seen significant data breaches at healthcare organisations and financial institutions that were carried out using non-traditional methods, leaving a wake of compromised data—credit card numbers, email addresses, social security numbers, to name a few—with associated financial and reputational consequences. Most organisations focused on securing the systems, not protecting the data. Incorporating a data-centric approach, where the emphasis is placed on the security of the actual data rather than the network or servers, is key.
Data is collected everywhere: while at work, on errands, on public transportation, at healthcare facilities and government offices, whether in person or online. It can be accessed and obtained at any time. At the same time, businesses and government agencies are continually storing data—structured and unstructured—in all sizes and values, from highly sensitive to trivial. Realistically, any data stored can lead to confidential information. While looking for ways to leverage, manage and derive insight from this surplus of data, organisations must not only satisfy privacy, security and compliance requirements, which is no small task, but also protect the data.
A data-centric approach combines these needs with the goal of protecting the data, not just the system on which it lives. Using a data security framework can help identify where sensitive data is located, control access to that data, and monitor its usage. As an added benefit, using encryption technology secures files at every step and removes the risk of them becoming vulnerable to a cyber-attack. Incorporating this approach can boost any outdated security plan to meet the high standards of today's business environment.
When initiating a data-centric approach, there are three very important considerations:
- Organisations must fully disclose what data is collected and how that data will be used. Offering transparency into their practices will ensure everyone within their network is aware of what data is catalogued, who has access to it, and how that process is managed. Promoting follow-through on these practices will further ensure data is protected in the way that was promised.
- Because individuals have the right to control their personal information and who will be able to access it, organisations must guarantee that only authorised personnel will access this sensitive information. Securing this data is a constant priority as data in the organisation's possession is the organisation's responsibility.
- Responsibility for facilitating all security practices and procedures on data sharing falls on the organisation. Data that is shared with other entities needs to be constantly reviewed; when the contract is over, permissions need to be revoked or the data rendered useless. There must be plans in place to execute this.
Controlling data is a crucial step. Organisations must successfully and confidently support the ability to securely share files, control who can view, edit or print the files, limit access time and the number of devices where the data is accessible, revoke access to sensitive files immediately, and trace and control user and file activity in real time.
A data-centric approach using a data security framework will help to emphasise the importance of the data each organisation is tasked with securing and give it the advanced tools to do so well. A better understanding enhances the ability to maintain control of the data, and to monitor and analyse the risk in owning and using the data—not only the system.
Contributed by Ron Arden, vice president, Fasoo