Data is quite possibly the most critical asset within any organization and is at the heart of most, if not all, cyberattacks. Organizations struggle to implement the appropriate processes to ensure data is being protected from both internal and external threats. When talking about protecting data, Data Security and Data Privacy go hand in hand. In order to ensure data privacy, the appropriate data security controls need to be in place. It’s important to understand the difference between these two concepts in order to implement a successful data protection strategy.
What is Data Security?
Data security is the set of practices and processes deployed to protect data from a variety of circumstances, including (but not limited to) unauthorized access, accidental loss, destruction, or corruption. It involves a wide array of methods and technologies that are tailored to the unique complexities of each organization’s requirements. Examples of data security measures include:
- Physical access controls to servers
- Multi-factor Authentication (MFA) requirements
- Least-privilege access controls
- Password complexity requirements
- Data encryption
- Identification and remediation of stale data
While all organizations should have a data security strategy, the processes that are deployed ultimately will depend on the type of data the organization maintains.
In Comes Data Privacy
Organizations are storing more information than ever related to their customers and consumers in general. It’s likely some businesses know more about their customers, their likes, dislikes, and habits than their own families! The more information that is captured, the greater the possibility of that information being exploited or stolen. According to research done by Gartner, the backup and archiving of personal data will represent the largest area of privacy risk for 70% of organizations by 2020. For this reason, among others, the need for appropriate data privacy controls has become extremely important.
Data Privacy refers to the rules and regulations set forth to ensure that personal or private information is being controlled in line with the preferences of the individual or individuals to whom that data pertains. When thinking about data privacy, an important question to ask is what type of data is subject to data privacy regulations. While these definitions vary across regulations, it generally comes down to information pertaining to a specific individual, that is, personal information or data as defined in our “What is Sensitive Data” blog post.
While there is no data privacy law at the federal level in the United States, several U.S. states, such as California, New York, and Hawaii, have enacted privacy regulations. This follows the enactment of the EU GDPR in Europe, which is arguably the most comprehensive data privacy regulation worldwide. The varying definitions presented through these different pieces of legislation put organizations in a predicament, especially when they are forced to abide by more than one compliance standard. When combined with the lack of operational guidance within each of these regulations, organizations are faced with the difficult task of establishing a modern and comprehensive privacy program.
Data Privacy Meets Data Security
The delineation between these two concepts comes down to this: Data Privacy pertains to the governing of private data in line with the wishes of the individual, while data security pertains to the protection of data from a threat. However, the various data privacy regulations require the appropriate security controls to be put in place in order to ensure the appropriate handling of personal data. Therefore, data security can be achieved without data privacy; data privacy, however, cannot be achieved without data security. Data Privacy is often achieved through an iterative process following steps similar to the ones listed below:
Step 1: Create a Data Map
One of the first exercises that companies need to work through when planning out their data privacy program is data mapping, which should aim to determine:
- Where data exists
- Who has access to these data sets
- What inconsistencies in access controls exist
Step 2: Perform Sensitive Data Discovery
Once a data map has been created, the next step is to perform sensitive data discovery in order to understand what type of data exists where, allowing organizations to prioritize the repositories that pose the highest business risk.
Step 3: Identify Data Owners
An important aspect of any governance program is to identify data owners. They are the data stewards who have the most knowledge of why personal data exists, or whether it should exist, within a given repository, and who will ultimately be responsible for attesting to and governing access to the data they own.
Step 4: Monitor the flow of data
Understanding how data is moving between repositories or locations is an extremely important aspect of data privacy and security. For starters, it is important to ensure that all the places where sensitive data exists have the appropriate security measures and access controls in place. Furthermore, while the GDPR, for example, doesn’t technically have any data residency or localization requirements, Chapter 5 provides guidelines dictating that data should not move outside of the EU without cause. Independent of the GDPR, other local and national laws do impose this type of control over where data can exist, forcing organizations to monitor the flow of data both from a server or application perspective and from a geographical perspective.
Step 5: Identify and remediate data risks
Once the above steps have been completed, an organization should have a good picture of where the highest business and data risks exist and can start devising and implementing the security strategy necessary to ensure data privacy. This strategy often includes an array of security products such as Data Discovery and Classification; Encryption, Tokenization, and Masking; Privileged Access Management; Data Access Governance; Data Loss Prevention; and more, in order to ensure all security controls are in place.
It’s important to understand that the aforementioned steps need to be iterative. As more applications and data sets are introduced, organizations need to ensure they have an understanding of what type of data is being stored, who has access to that data, how that data is flowing throughout the organization, and ultimately be able to remediate any inconsistencies or risks identified.
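The mapping, discovery, ownership and risk-ranking steps above can be sketched as a small scanner over a file share. This is an added example, not Stealthbits code or part of the original post: the two regex detectors, the 10x weight for world-readable files, and the sample files are assumptions constructed for illustration, and POSIX permission bits stand in for a real access-control model.

```python
import os, re, stat, tempfile
# Illustrative detectors (assumptions); real discovery tools use far richer rules.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "us_ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
}

def build_data_map(root):
    """Steps 1-3: where data lives, who can reach it, what it holds, who owns it."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            with open(path, "r", errors="ignore") as fh:
                text = fh.read()
            hits = {k: len(p.findall(text)) for k, p in PATTERNS.items()}
            records.append({
                "path": os.path.relpath(path, root),
                "owner_uid": st.st_uid,  # candidate data owner (step 3)
                "world_readable": bool(st.st_mode & stat.S_IROTH),
                "hits": {k: n for k, n in hits.items() if n},
            })
    return records

def rank_risks(records):
    """Step 5: keep files with findings; broadly readable ones rank highest."""
    def score(r):  # 10x weight for world-readable files is an assumed heuristic
        return sum(r["hits"].values()) * (10 if r["world_readable"] else 1)
    return sorted((r for r in records if r["hits"]), key=score, reverse=True)

def demo():
    """Build a constructed sample repository and return its ranked findings."""
    samples = {  # constructed, made-up contents
        "hr/payroll.csv": ("jane@example.com,123-45-6789\n", 0o644),
        "hr/locked.csv": ("bob@example.com,234-56-7890\n", 0o600),
        "docs/readme.txt": ("No personal data here.\n", 0o644),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, (body, mode) in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
            os.chmod(path, mode)
        return rank_risks(build_data_map(root))

if __name__ == "__main__":
    print(*(f"{r['path']} {r['hits']} world_readable={r['world_readable']}" for r in demo()), sep="\n")
```

Re-running the scan on a schedule and comparing the ranked output between runs is one way to make the process iterative as new repositories appear.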
While Data Privacy and Data Security are ultimately different, one thing should be clear – you can’t have data privacy without having data security. Stealthbits can help to provide and streamline many of the functions necessary to ensure data privacy through data security by helping to:
- Discover the repositories that contain data assets
- Determine which of these repositories contain data that is personally identifiable
- Ensure that the proper data controls are in place by providing an understanding of who has access to what, and how they are leveraging that access
- Identify the most probable owner of the data
- Provide out-of-the-box governance workflows to allow data owners to review sensitive data and govern who has access to that data
- Monitor for real-time threats, and respond as necessary
- Deploy policies to prevent unauthorized access to critical or sensitive information
Farrah Gamboa is a Director of Technical Product Management at Stealthbits Technologies. She is responsible for building and delivering on the roadmap of Stealthbits products and solutions.
Since joining Stealthbits in 2012, Farrah has held multiple technical roles, including Scrum Master and Quality Assurance Manager. Farrah holds a Bachelor of Science degree in Industrial Engineering from Rutgers University.