You are here

Why the new privacy laws demand data-centric security

public://pictures/michalg.jpeg
Michael Gutsche, Security Strategist, Micro Focus

Regulations such as the California Consumer Privacy Act (CCPA) and the EU's General Data Protection Regulation (GDPR) require companies to take a more data-centric approach to security. Instead of focusing simply on protecting data at different layers of the technology, enterprises need to pay attention to securing data through its entire lifecycle—from the moment it is first acquired to when the data is ultimately disposed of.

Organizations haven't taken a data-centric approach to security because of how daunting the task can be. Many CISOs and other security leaders who might otherwise love the concept are unable to implement it because they have no idea where their data is or how it is used across the entire enterprise.

So they have focused on protecting data on disks, in databases, in applications, and in other segments of the technology stack, which means that when data moves from one layer to another, fundamentally that protection is broken.

Here's why going data-centric with your security matters more than ever.

[ Get up to speed on new privacy laws with this Webcast: California’s own GDPR? It’s not alone. Plus: Go deeper with TechBeacon's guide to GDPR and CCPA. ]

Segmented data protection is no protection

For a lot of companies, their idea of protecting data is to encrypt it on disks. However, the chances of someone bringing a U-Haul truck to the data center, stealing your data disks, and rehydrating them in another data center to steal your data are highly unlikely. What does happen is that when you power up your computer, it downloads the key that unlocks your hard drive, leaving your data virtually unprotected. So disk encryption really isn’t effective.

Database encryption is another way organizations traditionally protect data. But what happens when you move data from one database to another? When data flows in an organization, either from application to application or from technology stack to technology stack, massive security gaps can open up, which are exactly what adversaries are after. That is where they look to compromise data, because those are the weak points.

The reality is you can't just find a database, encrypt it, and think you are going to comply with these regulations. Rather, the regulations are about making sure organizations have the people, the process, and the technology around their data and data lifecycle.

It is about making sure you can protect data and comply with legal requirements such as the right to be forgotten, the right to opt out, and the right to notification. If a consumer asks you to delete all their data, could you do that in a day, a week, a month, or a year?

The regulations do not carve out exceptions for data on tapes. So when a consumer asks for data to be deleted, it applies to any data of theirs, including that in storage. Would you be able to really delete all of it?  

Most organizations would struggle with these requirements because they don't know where all their data resides. These are things that most haven't built into their processes, their solutions, or their consumer offerings because it wasn't a requirement before.

Preventing a data asset from turning into a liability

A data-centric approach to security is about protecting your most valuable data assets and ensuring they don't turn into a liability. It is about fixing the actual business process, which is the data lifecycle. 

There are two ways organizations can go when it comes to implementing a data-centric strategy. For those that want to take a strategic, holistic approach, the best place to begin is discovery. You start down the path of understanding your entire data lifecycle, learning where your data exists and how it is used. You then decide on the appropriate action that is needed to consolidate and protect that data and to get rid of what you don't need.

Organizations that prefer a more tactical approach can start with a closed-loop, well-defined data model—such as a data warehouse or data lake. You know where the inputs and outputs are, so you can apply a data-centric approach to that one particular asset. The tactical approach yields a very quick time to value.

Regulations such as GDPR and CCPA emphasize "privacy by design"—or the practice of ensuring that data protection is a primary consideration when organizations are developing and building software, systems, and products. The goal is to ensure that software developers, for instance, think about security and privacy considerations when writing code. Security is built into, rather than bolted onto, the enterprise software development lifecycle and data models.

It's a fundamentally different conversation that requires enterprises to think about security and privacy in the conception, design, architecture, build, development, and release of products. In such a world, security vulnerabilities in software are no longer security vulnerabilities, but defects in code.

[ Get on top of access with TechBeacon's guide to identity governance. Plus: Learn how to secure and manage cloud-based Linux resources with Active Directory in this Webinar. ]

Minimize risk by minimizing the footprint

Data minimization is critical to data-centric security. Most companies do a very poor job of getting rid of data they no longer need. Data that is just stored someplace with no requirement for it is a liability. Similarly, when collecting data, enterprises need to know what data they are collecting, how it flows through the organization, and how it is consumed and used. Again, data that presents no value to your organization presents a risk.

Implementing a data-centric approach requires cooperation and participation from across the organization. This is really about changing the way you view data and how you protect it, so it is not something that the CISO or the CSO alone can necessarily implement. Mandates such as CCPA and GDPR require conversations and cooperation between the chief data officer, chief privacy officer, chief security officer, and other C-suite leaders.

Security, regardless of where data travels or lives

The protection of data within most enterprises has traditionally been very segmented, via database encryption, application encryption, and all kinds of different approaches. Responsibility for data security can sometimes reside in 10 to 15 different groups within the enterprise. Data-centric security emphasizes best-in-class protection done one way throughout the organization so all data gets the appropriate level of protection regardless of where it sits, how it is transmitted, or how it is used.

[ Explore TechBeacon's guide to SecOps challenges and opportunities. Plus: Download the 2019 State of Security Operations report. ]