There has always been a need to protect private data, but long gone are the days when sensitive customer documents were locked in a filing cabinet at the end of the workday.
In our digital world, customers share more information about themselves than ever, across a variety of platforms. We often hear in the media and at conferences about advances in technology to catch up with regulations on data protection. Yet we also continue to read about breaches like the Colonial Pipeline breach of 7 May 2021 and the AXA Asia breach a week later.
Dispersed data – a by-product of the digital economy
“Breaches of personal information strike at the heart of the relationship between enterprises and their customers. Encryption is at the foundation of data protection, and when organizations don’t prioritize protecting customer personal information, they raise enterprise risk of lost business and reputation,” said John Grimm, vice president of strategy at Entrust.
Grimm cited “a much more dispersed data” as one of the biggest challenges in the digital economy.
“There have been more locations created for sensitive data to migrate to over time. We are finding that this is one of the top challenges. Many organisations do not have trouble identifying the important data, but they have a lot of trouble figuring out all the different places data is going, particularly as we have hit the cloud era, and the multi-cloud era, as well as some of the new platforms that are being introduced,” he added.
Why organizations struggle with data protection
During a 2020 FutureCIO roundtable with CIOs and CISOs, one of the points raised by participants was the challenge of protecting data: “IT security has become a complex and expensive process that appears to escalate each year. Our users and customers want simplicity, but that doesn’t seem possible.”
Entrust’s Grimm agreed with this observation, acknowledging that data protection has become complex, and pointed in part to the diversity of tools that organisations use to protect their data.
Data protection – a growing complexity
Citing the Ponemon Institute study that Entrust commissioned, Grimm noted that companies use about eight encryption products on average. Believing the real number to be higher, he noted that many organisations struggle in part because of limited resources, including a shortage of deep data-protection experience.
“This leads to a situation where you have so many products, but do not have enough people to learn how to use them properly. This can open the door for mistakes to be made,” he opined.
He further commented that the number one threat to data protection is not the external attacker or even the malicious insider, but the well-intentioned employee who makes a mistake along the way that ends up exposing sensitive data.
Don’t bet on future technologies today
Grimm praised developments around homomorphic encryption, which allows users to operate on encrypted data without decrypting it, potentially reducing its exposure. He also spoke about multi-party computation, where a transaction is broken into small parts that multiple parties execute separately before the results are brought back together.
Still, he believes that in the current environment the fundamentals of data protection, including keeping data separate from the keys that encrypt it, can be practised now.
“Paying attention to some of those fundamentals of key protection, protecting them in purpose-built hardware, such as a hardware security module (HSM), is a common strategy when you need to up-level the protection of keys when the encryption processes or a digital signing process needs a higher level of protection because the data is particularly sensitive,” he continued.
He also suggested making sure that an organisation’s encryption strategy is aligned with its identification, authentication, and role-based access control strategy.
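The fundamentals Grimm lists above, keeping data apart from the keys that protect it, putting key operations behind a purpose-built root of trust, and tying those operations to role-based access, fit together as envelope encryption. The following Python sketch shows that structure. It is an added example, not code from the article or from Entrust: `KeyCustodian` stands in for an HSM or key-management service (the article does not describe any product this way), the key id `customer-pii`, the roles `billing-service` and `analytics-batch`, and the sample record are invented, and the HMAC-SHA256-based cipher is a stand-in for AES-GCM so the file runs on the standard library alone.

```python
"""Envelope encryption behind a key custodian with a role check.

Added illustration, not code from the article or from Entrust. KeyCustodian
stands in for an HSM/KMS; key ids and roles are made up. The HMAC-based
cipher is a stand-in for AES-GCM so this runs on the standard library alone;
the point is the key boundary, not the cipher.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

SAMPLE_PLAINTEXT = b"acct=4411 name=J. Doe passport=X1234567"  # constructed sample


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # CTR-style: keystream block i = PRF(key, nonce || i), XORed onto the data
    out = bytearray()
    for i in range((len(data) + 31) // 32):
        block = _prf(key, nonce + i.to_bytes(4, "big"))
        out.extend(a ^ b for a, b in zip(data[i * 32:(i + 1) * 32], block))
    return bytes(out)


def aead_encrypt(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag over aad, nonce, ct."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce = secrets.token_bytes(16)
    ct = _xor_keystream(enc_key, nonce, plaintext)
    tag = _prf(mac_key, len(aad).to_bytes(4, "big") + aad + nonce + ct)
    return nonce + ct + tag


def aead_decrypt(key: bytes, blob: bytes, aad: bytes) -> bytes:
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = _prf(mac_key, len(aad).to_bytes(4, "big") + aad + nonce + ct)
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return _xor_keystream(enc_key, nonce, ct)


class KeyCustodian:
    """Holds the key-encryption key (KEK). The KEK never leaves this object;
    callers only get wrap/unwrap, gated by a role policy and audit-logged."""

    def __init__(self, policy: dict[str, set[str]]):
        self._kek = secrets.token_bytes(32)
        self._policy = policy  # key id -> roles allowed to use it
        self.audit: list[tuple[str, str, str, str]] = []

    def _check(self, op: str, key_id: str, role: str) -> None:
        allowed = role in self._policy.get(key_id, set())
        self.audit.append((op, key_id, role, "allow" if allowed else "deny"))
        if not allowed:
            raise PermissionError(f"{role} may not {op} {key_id}")

    def wrap(self, key_id: str, dek: bytes, role: str) -> bytes:
        self._check("wrap", key_id, role)
        return aead_encrypt(self._kek, dek, aad=key_id.encode())

    def unwrap(self, key_id: str, wrapped: bytes, role: str) -> bytes:
        self._check("unwrap", key_id, role)
        return aead_decrypt(self._kek, wrapped, aad=key_id.encode())


@dataclass
class StoredRecord:
    """What lands in the database: ciphertext and a wrapped DEK, no plaintext key."""
    key_id: str
    wrapped_dek: bytes
    ciphertext: bytes


def protect(custodian: KeyCustodian, key_id: str, role: str, plaintext: bytes) -> StoredRecord:
    dek = secrets.token_bytes(32)  # fresh data-encryption key per record
    ciphertext = aead_encrypt(dek, plaintext, aad=key_id.encode())
    wrapped = custodian.wrap(key_id, dek, role)
    return StoredRecord(key_id, wrapped, ciphertext)  # plaintext DEK goes out of scope here


def reveal(custodian: KeyCustodian, rec: StoredRecord, role: str) -> bytes:
    dek = custodian.unwrap(rec.key_id, rec.wrapped_dek, role)
    return aead_decrypt(dek, rec.ciphertext, aad=rec.key_id.encode())


def demo() -> dict:
    custodian = KeyCustodian({"customer-pii": {"billing-service"}})
    rec = protect(custodian, "customer-pii", "billing-service", SAMPLE_PLAINTEXT)
    out = {"plaintext_in_store": SAMPLE_PLAINTEXT in rec.ciphertext}
    out["roundtrip"] = reveal(custodian, rec, "billing-service")
    try:  # a role the policy does not list is refused before any key moves
        reveal(custodian, rec, "analytics-batch")
        out["rbac"] = "allowed"
    except PermissionError:
        out["rbac"] = "denied"
    flipped = bytearray(rec.ciphertext)
    flipped[16] ^= 0x01  # tamper with one ciphertext byte
    try:
        reveal(custodian, StoredRecord(rec.key_id, rec.wrapped_dek, bytes(flipped)), "billing-service")
        out["tamper"] = "accepted"
    except ValueError:
        out["tamper"] = "rejected"
    out["audit"] = list(custodian.audit)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The store holds only ciphertext and a wrapped data key, so a copy of the database is useless without the custodian; an unauthorised role is refused, and the refusal logged, before any key material moves; and a flipped ciphertext byte fails the tag check instead of decrypting to garbage. Replacing the toy cipher with AES-GCM from a vetted library and the custodian with a real HSM or KMS call leaves the structure unchanged.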
“We have talked about centralising and simplifying the number of products and trying to get a central, single pane of glass and also a good, strong root of trust for your encryption keys and the execution of your encryption policy,” he continued.
He warned against a patchwork approach to data protection, including encryption.
“The real way is to take a step back and look at this (data protection) from where is that data that you care about the most going, and make sure that you can apply protections in all those places it is going,” he concluded.
Click on the PodChats player and listen to Grimm talk about data privacy, data protection and what enterprises are doing right and wrong to comply with regulations and customer expectations.
- Where is the holdup when it comes to upholding personal data privacy?
- What is data protection? In a typical large enterprise, what does it encompass, and what is its relationship to data encryption?
- We continue to hear about high profile cyberattacks like the Colonial Pipeline and more recently AXA Asia. Why do organisations seem to struggle with their data protection strategies?
- Speaking of encryption, is there a magic number in terms of how many encryption tools are enough? You spoke of between 8 and 10 as the average.
- How do you manage and effectively use this growing complexity that is the cloud and protecting it?
- Specific to the Ponemon Institute report, can you cite reasons why Southeast Asia ranked lowest globally in terms of encryption adoption (50% global average vs 36% in Southeast Asia)?
- How do you see encryption evolving? What can organisations do to better leverage encryption as a foundation for a more holistic data protection strategy?
- Given all the breaches that are occurring today, what needs to happen for this prediction to become a reality?
- In the digital economy, who owns the data? Is it the CIO, the CDO, the marketing department or the customer?
- What must enterprises do to rein in the perceived loss of control in data protection? And what should CIOs be doing to own part of the solution?
- Simplification vs the sprawl of solutions – what is Entrust’s USP (standout)?