Want to avoid seeing your corporate data appear in WikiLeaks?
However much you thrive on the roller coaster of business, one adrenaline rush you want to avoid is finding out that your corporate data is on WikiLeaks.
CIOs face the dichotomy of running an agile, flexible, data-sharing organisation while ensuring they are keeping corporate data safe. Much of the data being shared is sensitive in nature and if it gets into the wrong hands the results would be disastrous.
The good news is that it is possible to strike a delicate balance between an agile data model and strong data security.
When it comes to safeguarding data, establishing role-based, data-level security settings and encryption at rest are key to ensuring that data is only shared with appropriate individuals or organisations.
Take, for instance, the activities involved in supporting NHS patients or insurance customers. A doctor or financial analyst should have access to a great deal of patient or customer personal information. On the other hand, a call centre handler booking appointments or renewing policies only needs a restricted view of the same data.
Based on our work with security-conscious organisations, including global banks, here are the key factors that need addressing:
Redaction: Using redaction makes it easy to mask sensitive data for certain audiences. By removing, replacing or blocking out details such as personally identifiable information (PII), it is easy to share custom views of your data and prevent leakage. This feature has the added bonus of helping with compliance as it provides support for regulations including EU GDPR.
Advanced encryption: To protect data from cyber criminals and insider threats, organisations need to implement encryption in a more systematic way. Advanced encryption involves the selective and transparent encryption of data, configuration and logs. With its automatic and fast granular key rotation, standards-based cryptography and advanced key management, advanced encryption provides separation of duties between the security administrator and any system, network or database administrator to decrease the risk of potential exposure.
Standards Focus: Ensure you use data management products that support standards such as Common Criteria Certification, a stringent standard for computer security. Additionally, look for compartment security, data auditing, strict access controls as well as authentication tools that work with your organisation’s existing IT infrastructure.
Principle of least privilege: This is the process of deciding which users, programs and processes require access to the information in any particular layer of a computing environment. This includes application security controls around the database’s APIs and security capabilities.
RBAC at scale: Role-Based Access Controls that manage individual users’ access to data dependent on their role have to be deployed at scale – or designed with very granular roles and access controls – to ensure performance isn’t impacted at times when there are high volumes of data being added or queried.
Element level security: While older databases offered security at the document level, the latest technology has made it possible to increase granularity and hide specific elements within a document from users. Security at the element or property level – based on an employee’s role – enables companies to protect sensitive information throughout the life cycle of a document.
Certificate-Based Strong Authentication (CBA): CBA ensures the use of an encryption key that is unique to the authentication device and the user. CBA can also be used to digitally sign transactions and provide proof of the integrity and origin of data, also known as non-repudiation.
Effective data governance policies: It’s important to implement and follow effective data governance policies and best practices such as maintenance of access controls, metadata, data quality and security features. If your database platform allows attributes to travel with the data, then the policy enforcement can be more granular and effective.
Separation of duties: This security method is used to manage conflicts of interest, the appearance of conflict of interest and fraud. By carefully restricting the types or amount of data any one individual employee can access, it creates a natural barrier to fraudulent activity.
Use the strongest available authentication: Using the highest level of authentication ensures the security and quality of the data. Examples include, LDAP, Kerberos and an external Key Management System.
Use SSL/TLS: Last but not least, Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL) is essential to encrypt all communications between all the different nodes and hosts.
We believe enterprises don’t need to make a trade-off between data sharing and security. When your most sensitive and valuable data is being integrated across multiple silos of data, it takes a combination of products and processes to ensure that data is secure. But these capabilities can protect against some of the most sophisticated security threats companies are facing today—and in doing so, provide a competitive advantage.