CIO's guide to data protection in the enterprise
Data protection is simple to define: it is all about ensuring data isn’t accessed by unauthorized people. However, it is much more difficult to achieve. The concepts of both security and privacy are fully encompassed within the ambit of data protection. A single misconfigured device or a few keystrokes displayed on a publicly visible screen can bring an organization’s reputation down to its knees.
Traditionally, enterprises implemented strong perimeter defenses to thwart the perennially increasing number of breaches – which numbered 1,862 in 2021, up 68% from 2020 – and threats.
However, enterprise data is now being shared with and across vendors, customers, suppliers, business units, partner organizations, consultants, and remote employees, rendering the strongest perimeter security meaningless. The outsider is now an insider.
And so, enterprises need a complete end-to-end data protection strategy that secures data across applications, servers, networks, user devices, databases, and the cloud, right from the core to the edge – at all times, regardless of whether that data is at rest, in motion, or being used.
What Is “Enterprise” Data and What Data Needs to be Protected?
Before an organization even begins to secure its data across multiple locations, it must understand the data it has – the types, formats, and so on – as well as the variables that influence the access, storage, and transfer of that data. Knowing which data is important enough to secure has long been a headache for enterprises.
Identifying sensitive data is easier and more accurate today with ML algorithms, which automatically classify it as important as well as categorize it based on content. This approach is far more scalable than its manual alternative.
There are also data discovery tools that save endless hours for admins by scouring the enterprise network for structured and unstructured data.
Classification of Sensitive Data
Once all sensitive data is identified, IT admins need to determine the various confidentiality levels, decide where to store each unit of data, and decide which users or roles will have access to it (and to what extent).
While most organizations have their own custom categories of data, the four classes into which sensitive data is typically grouped are:
- Public: Freely available information that anyone inside or outside the organization can access anytime. Examples include contact information, marketing materials, and prices of goods and services.
- Internal: Data that isn’t meant for the public’s or competitors’ eyes but is shared freely within the organization. Examples include organizational charts and sales playbooks.
- Confidential: Sensitive data that can negatively impact the organization if shared with unauthorized people. Examples include supply contracts and salaries of employees.
- Restricted: Highly sensitive corporate data that brings legal, financial, reputational, or regulatory risk to the organization if leaked. Examples include customers’ medical data and credit card details.
Which Factors Affect Data Security?
When done right, a security policy protects against data loss and unauthorized access across all devices, systems, and networks. It is delivered, monitored, and managed via a combination of standardized processes and technologies such as firewalls, antivirus programs, and other tools. These standards and processes vary according to the use and criticality of data as well as the regulations that bind it.
Security admins need to be aware of and understand the evolution in data storage and usage from the perspective of both technology and nature of work. Some of these changes that directly affect data security are:
Big data: The amount of data generated every day is huge. IDC has projected that the size of the global datasphere will reach 175 ZB by 2025. And yet, much of this data isn’t useful or used on time. Or can’t be analyzed cost-effectively.
Further, this data comes in a variety of different formats that can’t easily be categorized or processed. According to research by MIT, 80% to 90% of all data today is unstructured – in the form of audio/video-text combinations, server logs, social media posts, and so on.
End User Computing (EUC): The number and variety of devices that connect to the enterprise network (individually and through the internet) have risen exponentially. They include IoT devices, wearables, sensors, and industrial robots.
This means enterprise data is no longer a static entity residing only in well-defined, controlled locations. It spans each and every device and application that users access. All of these make the job of securing data increasingly complex, although enterprises are making inroads in simplifying things with data virtualization.
Hybrid environments: IT infrastructure is increasingly converged and moving from data centers to a cloud-based environment. And a hybrid cloud at that for the enterprise. This makes security (the public cloud parts, at least) a shared responsibility between vendors and customers.
Remote work: The COVID-19 pandemic necessitated an overnight shift to remote work and work-from-home for most, if not all, companies. Many enterprises were left struggling to enable their employees to access business-critical apps and files from home. Even before they could assess the risks and implement adequate security procedures, WFH became the norm.
Bearing all these tremendous shifts in mind, CIOs, CTOs, CISOs, and security admins need to take some far-reaching steps to protect their companies’ and their customers’ data at all times.
What Security Measures Can Enterprises Take?
No two security threats are alike. IT leaders need to be aware of different kinds of threats that apply to their work environment and make sure their systems are being vigilantly monitored for intrusions.
Educate employees on security best practices: Every employee needs to understand how vital data is to the business and the consequences that follow if it is compromised. Make sure employees pay attention to where emails are coming from, open emails only from trusted senders, and don’t click on links or attachments that they’re unsure of. The same goes for using a browser – all employees should be able to recognize warning signs on web pages and tell a dodgy site from a trustworthy one.
Password management warrants special attention; easy-to-break and shared passwords are still the number one cause of worry for enterprises. “Passwords are obsolete at this point. Ten years ago, it was time-consuming and processor-intensive to create a list of a billion passwords to hack a user account. But now it’s a trivial task,” said Goodwin.
Implement granular control: Security experts recommend deploying a zero trust model, which involves giving users and applications bare-minimum access to the resources they need to function effectively. This entails microsegmentation of networks and building very specific policies around servers, VMs, platforms, applications, and services that adopt a “least privileged” approach to data that is classified as sensitive.
Implementing Identity and Access Management (IAM) best practices coupled with Multi-Factor Authentication (MFA) is key to enforcing zero trust security in the enterprise.
Encrypt all data: Encryption is the process of obfuscating data using an algorithm that scrambles data. Only users with the right key (or access level) can decrypt the data and view or process it. This ensures the security of data at rest as well as in transit. Encryption comes in four flavors:
- Network level
- Application level
- Database level
- Storage level
Securing Data Inside Out
Data is the currency that drives every organization, large or small. Nothing is more important for an enterprise than protecting its data against loss, corruption, and theft.
Concurrent connections between customers, vendors, partners, and a mobile workforce have blurred the lines between insiders and outsiders, rendering perimeter defenses ineffective. A solid data protection strategy extends from the core – where key data repositories reside – to the edges – where data is gathered and used. Enterprises need to take this spread into account at all times, whether they’re in the middle of consolidation, transition, or transformation.