Data-driven organizations need to effectively and efficiently manage data privacy and security without slowing down the organization.
It is said 90% of the world’s data has been created in the last two years and that the pace of creation is increasing. By 2020, it is estimated that 1.7MB of data will be created every second for every person on earth, all of which we want to capture and use. According to a recent Accenture study, almost 80% of enterprise executives believe that not embracing big data will cause companies to lose competitive position and risk extinction.
Yet of the 16,000 Kaggle analytics practitioners surveyed, one third said a top challenge is difficulty accessing or obtaining data. The issue is no longer a lack of data to mine for opportunity, but instead competing agendas for the enterprise. Traditional security practices tightly control access to an enterprise’s “crown jewels” while the business desires greater data sharing across the enterprise, with partners and third parties.
If we accept that data is the new oil and successful organizations will be the ones that monetize the insights from it, we must accept that access to data is a burgeoning barrier for data-driven organizations. Imagine if a trip to the gas station involved opening a support ticket, getting executive approval, waiting for access control changes, and this was required every time you went to a gas station. Data-driven organizations need to effectively and efficiently manage data privacy and security without slowing down the organization.
Companies Are Compounding the Problem
Companies need a data strategy and Chief Data Officer (CDO) in place to think strategically about the flow of data, the management, and governance of it, and the best way to use it to deliver new business value. The modern enterprise is a web of platforms, tools, and repositories built to manage rapidly growing data sets and a need to access them. The result is often a data duplication and access control strategy that synchronizes parts of the data to get it into the hands of the “right” people across their often global organizations. Doing this well and securely becomes problematic at any level of complexity – anyone who has tried to delete a photo that synced from their phone to the cloud can attest to the difficulty of knowing it is, once and for all, actually deleted.
The traditional elements of an enterprise security approach provide a false sense of protection, especially when it comes to data. If a layer of the security solution fails, the data within is often “in the clear.” Growing volumes of data and data silos have driven adoption of point solutions to protect some aspects of the enterprise, yet in between those data silos are gaps that are currently being exploited.
Encryption Is Not Enough
Traditional security practices guard around the data through tools like encryption – where only authorized parties can access it – and authentication – confirming the origin and integrity of systems and users – that are usually “all or nothing” approaches. Protecting around the data like this creates a walled garden on the asset, which slows down an enterprise’s ability to deliver innovation to the market and increases the likelihood of disruption.
We often encrypt the hard drive, but not the data at rest; we encrypt the transportation layer, but not the data in motion; and we protect the perimeter, app, device, and user, but not the data elements they use. This model is conflicted – we protect data like it is the gold in Fort Knox, but want to use it like cash in our wallet. This method of security makes using the data slow, cumbersome, and vulnerable to configuration errors.
By not protecting the data, companies are making themselves vulnerable to a variety of cyber-attacks. Unlike tokenization, encryption and authentication do not materially improve compliance with an increasing number of privacy standards that represent enterprise data liability. Encryption, like death or pregnancy, is all or nothing – the minute one person or system needs a piece of data, it is all off, and your private information is in the clear and no longer secure.
Encryption also brings with it vulnerabilities and own set of implementation challenges. Cryptographic keys themselves are vulnerable to exposure and must be treated with the same care as the data as compromised keys could result in a breach of the encrypted data, no matter what the strength. Encryption can also negatively impact usability as it changes the appearance and increases the size of the original data. Applications and databases must be able to read specific data type and length in order to accept it, so if data types and lengths are incompatible with systems, they will effectively break. Tokenization, on the other hand, replaces sensitive data, regardless of its nature (including PII, PHI, PCI), with non-sensitive substitutes which preserve type and format, mitigating impact should a breach occur without the need to modify systems.
What It All Means for the Enterprise
Nearly half of all companies have sensitive files that are unprotected and open to every employee, according to a 2018 Data Risk Report by Varonis. These numbers tell us that many businesses are just holding their breath until the next breach, praying it is “the other guy” that gets hacked and kicking the can down the road. “Insurance economics” has been a primary driver of enterprise security spend since the beginning of the security industry. The catalyst for change is the onslaught of privacy laws that not only heavily penalize the loss of sensitive consumer data, but assert privacy entitlements to the consumer like “the right to be forgotten.”
Just consider the recent news story that the international hotel group Marriott is to be fined almost £100m by the Information Commissioner’s Office after hackers stole the records of 339 million guests, including credit card details, passport numbers, and dates of birth in a colossal global hack of guests’ records. This is a clear sign that governments are starting to take these breaches of consumer data more seriously and hold companies more accountable.
This allows consumers to hold businesses accountable for their sensitive data, which is a different set of economics than those of a breach. We are asking enterprises to know, manage, protect, and prove compliance for the data of individual citizens while simultaneously using it inside and outside of the organization to create new experiences for us. I cannot imagine a way to do this that does not start with a data-first approach.
Data security is complex; it can be overwhelming and costly to figure out how to best protect your enterprise. In order for any organization to maximize protection without slowing down growth, agility, and innovation, CDOs and VPs of Analytics should look for a data-first protection solution that supports the complex, hybrid and multi-cloud environments of today’s businesses while simultaneously increasing their ability to be compliant with evolving privacy laws.
Data storage and protection that is infinitely scalable and optimized for analytics increases data agility that can power global ecosystems with privacy and security baked into its foundation by Design. By protecting the data first, enterprises protect and gain powerful benefits from their most valuable asset.