The current state of data privacy is grim and consumers don’t believe that anyone is doing enough to protect their data. The constant deluge of data privacy mishaps from giants like Facebook and Cambridge Analytica, and the major Equifax breach of last year, continues to undermine confidence in companies and governments who hold citizens’ data.
As a result, government and industry bodies are beginning to impose data-specific regulations on all organizations acting with or processing data collected from a given region, regardless of industry or government affiliation.
Businesses are scrambling to implement cybersecurity tools to secure critical data, but these investments may be rendered useless if poor data governance processes are in place.
GDPR: Harbinger of Change
Previous compliance mandates enacted by the regulatory bodies of countries around the world have either been industry specific (banking and finance, healthcare, etc.) or applicable only within a specific region (e.g. state or city), but conditions are rapidly changing. The European Union recently upped the ante by implementing a broader approach to data privacy with its General Data Protection Regulation (GDPR).
Proper data governance requires this type of holistic approach balancing people, processes and technology by applying relatively simple best practices to data classification, protection, management and access policy enforcement. New investments are undoubtedly required to meet GDPR responsiveness targets, and the rights afforded EU citizens will soon be requested by others suffering the repercussions of unauthorized data disclosures.
A Marathon, Not a Sprint
Implementing a data-centric security strategy that aligns technology, business processes and user workflows can help ensure organizations are always in control over their sensitive data. Putting the wrong technology in place, implementing ineffective business processes, or ignoring key principles in access controls (e.g. access per role or job function policies, managing privileged access, isolating workloads, etc.) will lead to eventual failure in most data governance efforts.
Executed successfully, data governance initiatives will help strengthen data security deployments and empower businesses to trust the integrity of the information at their fingertips.
Embracing Governance Means Controlling Access
Data governance, as a process, aims to solve these types of issues through greater accountability, executing access policies and reinforcing best practices for everyone in a company, entity, or government agency. Moving from theory to execution can be challenging, but technology will play a critical role.
Data governance begins with simple data classification but does not end there. In other words, successful data governance requires the organization (and its data steward or now Chief Data Officer) to first know the basics of their data inside and out and to carefully manage the access and privacy as data moves throughout the organization. To get started, consider the following questions:
- What does your data look like? Determine what data exists across your organization and which stakeholders are responsible for it. Is it structured or unstructured? Will it be in transit, at rest, or require storage? Which data is critical to operations? Should it be monitored closely, moved, accessed or secured? Will it require backup or disaster recovery? Special considerations must be made for data that is considered “personal” (e.g. Social Security Number, credit card number, address, etc.) or “sensitive” (e.g. a racial origin, religious beliefs, health information, etc.).
- Who gets to access it? Define access control policies based on an employee’s job function and role across your organization so only authorized users can decrypt a given file, folder or database. This includes enforcing separation of duties and adopting a least-privileged access model. Consider this: will the intern need access to the same file as the CFO?
- Where and when can data be accessed? Data can be compromised when accessed, even by authorized users, on unauthorized platforms or moved to unauthorized databases. Set rules across the organization that dictate the parameters of file or folder access and prevent exposure during normal IT operations – whether that’s on an internal server, Dropbox, Google Drive etc.
- Why will it be accessed and how do you want to define it? To classify your data, outline a few key groups to allocate that data. For example, “Public,” “Password Protected,” “Restricted Access,” and “Confidential – No Access” based on job role and the minimum access needed to complete the job. Define the characteristics of the data that will fall into each group with straightforward processes for employees to follow when accessing such data.
Considerations for Data Governance
By choosing a data protection solution that positions your enterprise ahead of growing threats to your devices, platforms or datacentres – including cloud-based deployments, and for its ability to prioritize and perform data security necessities, successful data governance can support smoother data operations overall.
In the face of looming data privacy regulations, data governance activities can streamline compliance requirements and improve an organization’s overall security posture. This might include least-privileged access management, role-based data access controls, workload isolation, real-time logging and the ability to integrate with SIEMs for data use and user behaviour analytics, for example. These key capabilities, in conjunction with data governance activities, reinforce compliance with regulatory mandates and will ensure organizations are more resilient in the event of a cyber-attack.
This article was originally written by Jim Varner, CEO at SecurityFirst and published by Infosecurity Magazine here.