Stealthbits, now a unit of Netwrix after being acquired earlier this month, today announced it has added a Data Privacy Engine to its eponymous platform that associates end user identities with the location of their personal data.
Adam Rosen, vice president of product strategy for Stealthbits, said the goal is to make it easier for organizations to comply with data privacy regulations such as the General Data Protection Regulation (GDPR), enacted by the European Union, which sets out guidelines for how companies gather, store and maintain individuals’ personal data.
Previously, Stealthbits enabled organizations to find personally identifiable information (PII), but not to associate that data with specific end users.
The challenges associated with securing data are further complicated by the rise of cloud computing platforms. A survey of 937 IT professionals conducted by Netwrix finds more than half of organizations (54%) that store customer data in the cloud experienced security incidents in 2020. Nearly two-thirds of those organizations (62%) have removed sensitive data from the cloud or soon plan to do so, the survey finds.
The survey finds that the most common types of cloud security incidents in 2020 were phishing attacks (40%), followed by ransomware or other malware (24%) and accidental data leakage (17%). Over half of respondents stated that these incidents required obtaining extra budget to address them.
At its core, Stealthbits tracks all the ways data is accessed within an enterprise, including through the use of elevated privileges, the data resource itself, Microsoft Active Directory (AD) or a combination of permissions and misconfigurations. The Data Privacy Engine extends that capability by discovering data subjects across all repositories, regardless of physical location or whether data is structured or unstructured. It then identifies which files and tables relate to specific people to enable IT teams to make better decisions about data access, recovery and potential levels of risk.
In general, Rosen said responsibility for data privacy now varies widely from one global region to another. In the U.S., data privacy is more likely to be the responsibility of a security organization, while in Europe it is often the responsibility of a legal team.
Regardless of who is in charge of that data, organizations are increasingly expected to respond to data subject access requests (DSARs) quickly and, if necessary, delete that data within a few hours, noted Rosen.
As it becomes increasingly clear that most cybersecurity approaches that focus solely on defending network perimeters will no longer suffice, cybersecurity teams must focus instead on securing data. The challenge they face is that not all data is of equal value. Today, the extended enterprise encompasses everything from mobile computing devices to cloud computing platforms. Those are usually managed by someone other than an internal team. As Frederick the Great once said, “To defend everything is to defend nothing.” Cybersecurity teams need to be able to identify the most sensitive data in an organization to prioritize their efforts. There simply aren’t enough resources to try to defend every piece of data.