Pragmatic Approach to Identify and Secure Sensitive Data
– by Nikhil Raj
5 Minutes Read May 10, 2024
Introduction
In today’s data-driven landscape, where information holds significant power, organizations are intensely focused on harnessing their data for business intelligence (BI), behavioral analytics, and other initiatives driving business growth. Recent research underscores that data leaders prioritize high-quality analytics insights over compliance.
However, in response to increasingly complex data privacy regulations and cyber security threats, organizations have no choice but to reexamine their data policies and rein in how data is accessed, processed, analyzed, stored and shared. Most recently, the focus of privacy regulations has veered towards safeguarding personal data specifically, forcing teams to shift their data frameworks to remain compliant and secure.
It’s a tricky balancing act, but there are a few best practices data teams can follow to help effectively identify and secure their sensitive data while designing an access control framework. Here are six tips for organizations to help identify and achieve data security success in our current technology environment.
1. Data access controls are based on data classification, not the data itself
Traditionally, data access control has relied on the data itself, with rules often set by data engineers or database administrators on a table-by-table basis. Yet, this method proves to be limited in scalability and raises questions about the suitability of those defining the rules. A more effective approach advocates for the use of data classification. This involves identifying the various data types within your organization and assigning metadata tags or attributes accordingly to establish access controls. Moreover, to navigate complex regulations like Schrems II and GDPR, it’s advisable to involve legal or compliance teams in setting access controls. Anchoring access controls around data classification and engaging the right expertise ensures a scalable model that complies with regulations.
2. Enforce data privacy controls across all data platforms and consumption approaches
Data privacy measures organizations adopt to safeguard sensitive data access are subject to stringent regulations. It’s crucial to maintain compliance and legality in these controls. Equally important is their uniform application across all consumption channels and platforms. Consistency in data access is paramount, irrespective of the platform used. This ensures the prevention of potential data leaks that may arise when users with differing permissions access data across various platforms.
3. Reinforce data sharing process
Despite growing data security concerns, it is clear that data sharing is essential in today’s business landscape. With data volumes expanding and organizations increasingly exchanging data internally and externally, ensuring the security of each exchange presents a significant challenge. This becomes especially critical when businesses aim to adhere to specific data use and licensing agreements, facilitating monetizing their data products. Consequently, organizations must strengthen their data-sharing processes to mitigate the risk of data loss or breaches. Federated models for access control management help the team to share data in a controlled way. Centrally imposed rules for regulatory compliance can be augmented with rules defined by data owners for business and contractual compliance.
4. Ensure visibility into sensitive data management for regulatory compliance
Ensuring compliance with regulations and laws governing sensitive data requires organizations to maintain ongoing visibility into the types of data they possess, where it’s accessed, and the pertinent rules or requirements. This insight is invaluable, particularly as regulations evolve. Achieving optimal visibility in sensitive data management involves collaboration between legal teams responsible for setting policies, data platform teams implementing these policies, and the business teams defining them. This level of visibility demonstrates compliance with regulatory standards and streamlines the process of adjusting access controls as needed.
5. Scale data access controls with organization needs
Managing access to sensitive data grows increasingly intricate with the expanding data volumes, user base, technological advancements, and regulatory requirements. Consistently enforcing policies across platforms and access requests adds to this complexity. With new hires, promotions, and internal transfers, HR departments typically manage JLM (joiners, leavers, movers) processes as organizations evolve. However, data platforms should also integrate such safeguards. Why? Because once a user gains manual access approval, they retain access regardless of future team changes. Leveraging attributes enables automated access provisioning, ensuring users have appropriate data access upon joining and transitioning within the organization. To adapt and thrive, organizations must scale their access controls in alignment with their growing data requirements, effectively meeting security and access needs.
6. Implement a solid and lasting data security strategy
To effectively safeguard sensitive data, organizations need a comprehensive and ironclad data security strategy that combats security threats in increasingly decentralized cloud data environments like data lake houses and data mesh. Again, security must be maintained across all architectures to prevent unauthorized access or non-compliance. Strategies can look very different from business to business but most commonly involve some combination of encryption, data masking, identity access management, authentication, data backup and resilience, and data erasure.
Conclusion
There is no silver bullet for guaranteed data security and access success. Every Organization’s approach will look slightly different and continue to evolve depending on its data and security needs. However, these fundamental best practices are an excellent place to start and are key to establishing a robust, resilient, and scalable data security strategy for years to come.
Nikhil Raj
Chief Information & Security Officer
Nikhil is the group’s Chief Information Security Officer. He leverages over 20 years of experience in IT, Information Security, General Compliance, Business Continuity, Risk and Compliance, and Audit and Accreditation to provide strategic and operational leadership for the company’s global security and privacy initiatives. Nikhil has a track record of implementing and maintaining formal management systems across multiple geographies and industries, such as SOC 2, FISMA, PCI DSS, RBI controls, GDPR, and ISO 27001.