Despite significant security investments made by organizations, data breaches of sensitive information continue at an alarming rate. Many factors contribute to this situation, such as the ever-increasing rate of data collection, cloud computing, outdated security standards and controls, and flawed applications with security vulnerabilities.
Today’s bad guys are well funded, skilled and organized. When they set their sights on something like personal health information (PHI) or intellectual property (IP), they are quite effective at getting at the crown jewels.
For so long, organizations have spent their money, resources and time on traditional approaches like network, device and application security. While these fundamental security measures are still necessary, relying on them solely isn’t enough today.
Businesses need to fundamentally change their approach to security and focus more on the data layer itself. A good way to start down this path is to discover and classify sensitive data. Unfortunately, many companies still do not have an inventory of their unstructured data – files and documents. They say they do and they believe they do, but in reality, there are bits and pieces of sensitive information copied on desktops, devices, and file shares. There are multiple copies scattered all around.
Once a company gets a handle on its sensitive data, then it can think about classifying it. Classification will help an organization encrypt certain types of data in storage, in transit and/or while the data is in use by authorized users. In some cases, there may not be any need to encrypt public data as it might not contain sensitive information. Many people emphasize the need for classification due to shortcomings in data loss prevention (DLP) tools. Surely data classification can make DLP more effective. However, in larger environments there are many other applications and use cases that can also benefit from data/file classification.
Based on the type of classification, certain data may only need protection using simple encryption while in storage or while in transit, or it can be protected by more sophisticated solutions like enterprise digital rights management (EDRM) to control not only who can access the data, but how authorized users can use the sensitive data and for how long. Businesses can monitor activity by user and have the real-time ability to detect deviations from normal user activities or processes.
Today, many companies in the financial services industry are leading the way as they add layers of security to their existing postures by implementing persistent data security and ensuring that sensitive information is protected all the time, regardless of location.
We are reminded again and again as we read daily about the data breaches in the news that protecting sensitive data is a complex challenge. It requires a layered data protection strategy, time, money, resources and management support. Implementing individual data-centric solutions without a comprehensive framework can lead to critical gaps in the security posture of an enterprise. Traditional measures must be supplemented with persistent data-centric security to stop the loss of sensitive information.