Interest in data privacy has never been higher on the heels of the EU’s General Data Protection Regulation (GDPR) and a constant rash of serious data privacy breaches making the news. The trend will continue, and it’s important for everyone to understand that the lens through which we view data privacy has a major impact on business. Recently, I spoke with Ashley Arbuckle, our vice president of Security Services, and author of a regular Security Week column, about the current data privacy landscape and how customers and all digital citizens can navigate through the complexity. Find our full conversation here.
Be sure to keep up with the Privacy Sigma Riders Podcast and visit the Trust Center to learn more.
Michelle, I totally agree with your thoughts in your recent article "Data is Currency. Treat it That Way to Strengthen Privacy" and on the data curation topic.
I've been in the security, authentication and encryption space for a long time. Companies need to start thinking about the security of data differently since there is no longer a perimeter. Curation is a great description of a new way to think about data. Companies in the past have focused on locking down servers, isolating data and full disk technologies that don't supply adequate protection in a ubiquitous data landscape. MFA and encryption are fundamentally tools that help, although they don't focus on a more data-centric thinking approach.
As a number one step, companies need to set a risk profile on all PII/IP. Then be able to know where that data resides within the enterprise – not only on servers but user systems, 3rd party and cloud – not an easy task. Once initial data discovery has been done (it should be ongoing): Does that data need to exist? Is it where it should be? Who should have access? Do we need to move, delete, redact, classify or secure based on profile and tools available? Does this meet our security audit and/or compliance requirements? What more can we do?
Once you know where the data is located, it would help to start classifying ("labeling/tagging metadata") to begin the process of better managing data in the future. If you found it, you might as well start labeling the data, i.e. you wouldn't want a file labeled "sensitive PII" to leak out, so make sure you isolate where this data is located and how it is used, and put in correct access controls, policies, encryption and/or security controls.
Curation and data security I believe will need automation to be successful. Since data is moving around between systems and users – the proper policies to automate the security and how new or old data is managed can't be just isolated to security of specific servers. Data is everywhere and you need to have risk and security policies follow the data flow.
I believe that to actively "curate" data requires the ability to automate a process that discovers, classifies, monitors and, most important, invokes a real-time security action based on that data risk profile. This has to be enabled across servers and user systems that interact with sensitive data.
Curation is a great topic and thanks so much for sharing your thoughts.
Bill Lewis - PKWARE