Knowing what risks impact your business can give security professionals a deeper grasp of what data protection tools are required to effectively protect data stored within the perimeter. However, a major obstacle to mitigating risk and protecting sensitive data is that in many organizations, no one can say precisely where all of their data is, how much there is, and in exactly what ways it’s being used.
There is no ‘one glove fits all’ solution to this, as it generally varies by organization, based on each one's individual risk appetite. This is determined by several contributing factors, such as:
- what industry the business operates in
- the type of data collected (whether it is personally identifiable information (PII) or non-sensitive)
- the regulations that the company must abide by (e.g. GDPR, CCPA, or PCI DSS)
Importantly though, it is the significance and value of the data assets held by the organization that has the greatest impact on data security. If you evaluate the highest valued businesses in today’s market, those that collect, use and monetize data as assets (e.g. Google, Uber, Facebook) are the most valuable. Therefore, identifying what assets are valuable to the organization will help security teams define what level of security is required. The next points to establish are where this data is located and how it will be managed.
If security teams aim to mitigate all risks then they may be faced with an unrealistic objective as there will always be risk – it is about reducing the risk level.
Security teams need to ask themselves whether a risk is acceptable. For example, do they recognize the risk and accept it without taking action, do they put controls in place to mitigate the risk, or do they transfer the risk to a third party to handle?
Visibility into the risks posed to an organization’s data is then brought into question. Understanding the data that is in the network, how it is being used and its overall lifecycle within the organization will aid in the data discovery setup. Yet, the truth of the matter is nobody is completely aware of where all of their data is. Yes, they may know where a specific source of record is, or an application where data will reside, but it is highly likely that most will not know where the data is stored, in which repository, or where the data is replicated or backed up. This means that businesses that process data must have an intrinsic understanding of where their critical data lies.
But this is difficult given that data is dynamic – it is being created, moved, destroyed constantly; data is only an asset if it has value and can be leveraged. Therefore, data discovery processes need to be conducted regularly otherwise they will become outdated and redundant. Furthermore, they need to be simplified to reduce unnecessary complexities. Automating this process will greatly help businesses and security teams with their data discovery assignments as they seek to paint a full picture of their data landscape to then understand where the greatest risks to their data are.
Automated Data Discovery
Because of governmental regulations, industry standards, and even internal compliance rules, organizations need to take complete control of sensitive data. Managing sensitive data with data-centric security helps organizations to comply with these mandates, thereby reducing the risk of breaches while leveraging valuable but overlooked data for better business insights and helping to gain a competitive advantage. Automated data discovery enables organizations to detect and analyze all usage of data and its lineage without relying upon organizational knowledge of the existence or location of the data. The process is completely automated! This automation makes it much easier to get a clear picture of how your data is being stored, processed, and shared in real time.
Automated data discovery has numerous benefits, including timely response to Data Subject Access Requests (DSARs) and audits, risk mitigation, data governance, and compliance with key aspects of PCI DSS, GDPR, CCPA, and many other data privacy and protection regulations.
*** This is a Security Bloggers Network syndicated blog from comforte Blog authored by Mark Bower. Read the original post at: https://insights.comforte.com/how-are-you-supposed-to-protect-sensitive-data-when-you-cant-even-locate-it