Data privacy demands a unified view across siloes
- By Brent Hansen
- Apr 30, 2021
If the ongoing reporting and scorecards for the Federal Information Technology Acquisition Reform Act have proved anything over the past several years, it’s that many agencies have had trouble quantifying sensitive data -- where in their infrastructure it is located, who can access it and how susceptible it may be to cyber threats.
This is particularly true when data is distributed across siloes. That very structure makes it difficult not only to understand the scale of sensitive data, but also to create and implement securities policies and controls. Still, the volume of data continues to increase daily across government, in data centers, file shares, databases and cloud storage and backup.
Added to this basic organizational shortcoming in data protection is the risk arising from third-party access. Any entity sharing data with an agency (whether vendors, partners, service providers or others) further complicates the data privacy puzzle and adds to that agency’s susceptibility to a data breach or failed audit.
The high-profile data breaches over the past couple years alone have prompted very strict data privacy laws to be enacted internationally. While this is commendable, it also creates confusion. The maze of industry, state, federal and international guidance makes implementation and compliance difficult.
There must be a more simple path to security -- one that consolidates all of an organization’s data in a unified view for better risk assessment, remediation and reporting. Before addressing any of that, however, it’s important first to understand the difference between data privacy and data security.
Data privacy, data security and the case for a unified platform
While both data privacy and data security aim to protect sensitive data, the two are not identical.
With data privacy, the emphasis is on the use of and control over personal data. Data privacy establishes policies to properly collect, share and process personal information. Authorized access and control are paramount.
On the other hand, data security emphasizes how sensitive data is protected from unauthorized access or attack from bad actors. To enforce policies around data security, IT professionals use a wide range of encryption protocols as well as identity and access controls.
To underscore the difference, consider an agency that secures sensitive constituent data through such tools as encryption, key management and access controls. While these are reasonable and practical data security measures, they do not address whether the data is collected, used or shared with the citizen’s consent. Without that consent, even if the data is secured, it is still possibly a violation of data privacy requirements.
What is required to bridge that gap between privacy and security is a means to completely manage sensitive data, enabling data discovery, classification and risk analysis, whether it resides in the cloud, in big data applications or in traditional legacy environments. That demands a single view of all data and its location.
A single view to identify and mitigate potential risks to data privacy would enable IT managers to streamline their processes and respond to continually changing regulatory requirements. With that type of tool, it becomes easier to develop policies while also simplifying classification, risk analysis and reporting.
Taking a consolidated view across operational siloes allows teams to define their data privacy policies while better understanding data stores and classification profiles. Data discovery is simplified by being able to locate both structured and unstructured sensitive data, whether it is stored in multi-cloud environments, relational databases or file storage systems.
Similarly, this unified view makes it easier to classify sensitive data with proven classification techniques. Risk analysis is facilitated with better visualization of data and its likely risk scores. These risks can then be efficiently remediated through encryption and tokenization solutions, and detailed reports regarding risk analysis, status and alerts can be generated at any point in the life cycle of the data.
Basic requirements for data privacy
What should a solution for data privacy address? First and foremost, it must be able to identify and locate both structured and unstructured sensitive data, regardless of whether that data is in the cloud, big data applications or more traditional data stores.
To improve efficiency and to allow the solution to scale with an agency’s needs, it must be able to be deployed with or without agents.
A cross-enterprise solution is the best way to accomplish an agency’s needs. It improves workflow and allows the creation and implementation of unified data privacy policies. With a centralized approach, organizations gain a clear understanding of sensitive data. This in turn allows for better-informed decisions regarding cloud migration, data sharing, and
It is essential to have a solution that can help score potential risks. Privacy gaps can be uncovered, remediation efforts can be better prioritized and detailed reports made easier, which is essential in demonstrating compliance with laws and regulatory requirements.
As data proliferates and cyber threats continue becoming more sophisticated, IT managers are faced with the reality that their distributed data is exposed to compromise. That is perhaps the strongest argument for a single platform to manage and protect sensitive data.
With a unified approach, every aspect of data privacy and security is made easier, from discovery and classification through risk analysis, protection and reporting.
Brent Hansen is federal CTO of Thales Trusted Cyber Technologies.