DEFENSIVE DATA MASTERY: THE LINES OF DEFENSE TO SHIELD YOUR DATA

Last week it was made public that the personal information of 33 million French citizens may have been exposed after two French health insurance operators suffered a data breach in early February. Unfortunately, this isn't an isolated incident. Other recent breaches hit, for example, EuroParcs, Air France-KLM, JD Sports, T-Mobile, Sony and Cloudflare.

Cybersecurity goes beyond network, application and endpoint security. Especially in today's digital age, where data is the lifeblood of organizations, safeguarding sensitive information has become paramount. As organizations amass vast amounts of data, protecting it from unauthorized access, breaches, and misuse has become a complex challenge. In this context, implementing robust lines of defense through techniques such as data masking, data encryption, data security gateways and data governance policy management is crucial to fortify an organization's data management strategy.
 

Data Masking: Concealing the Vulnerabilities

 

What is Data Masking?

Data masking involves the transformation of sensitive information within a database, making it unintelligible to unauthorized users. The primary objective is to protect sensitive data while maintaining its usability for testing, analytics and day-to-day use in your processes.

 

The Defense Mechanism:

Data masking acts as the first line of defense by obscuring sensitive data such as personal identifiers, financial details, or confidential business information. This ensures that even if unauthorized access occurs, the exposed information is rendered useless and non-identifiable. This mechanism is also valuable in the context of compliance-driven initiatives such as the GDPR.
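To make this concrete, here is a minimal sketch of static masking in Python. The field names and masking rules are illustrative assumptions, not part of any specific product; real masking tools apply such rules declaratively across entire databases.

```python
import re

def mask_email(email: str) -> str:
    """Keep the first character and the domain; mask the rest of the local part."""
    local, _, domain = email.partition("@")
    return local[0] + "*" * (len(local) - 1) + "@" + domain

def mask_card(card_number: str) -> str:
    """Reveal only the last four digits of a payment card number."""
    digits = re.sub(r"\D", "", card_number)
    return "*" * (len(digits) - 4) + digits[-4:]

# Hypothetical customer record used for testing or analytics
record = {"email": "jane.doe@example.com", "card": "4111-1111-1111-1111"}
masked = {"email": mask_email(record["email"]), "card": mask_card(record["card"])}
```

The masked record keeps its shape (an e-mail still looks like an e-mail, a card number still has four visible digits), so downstream test and analytics processes keep working while the identifying content is gone.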

 

Data Encryption: Securing the Data Source

 

What is Data Encryption?

Data encryption is the process of converting plain text into ciphertext, making it unreadable without the appropriate decryption key. It is a fundamental technique in securing data during transmission and storage.

 

The Defense Mechanism:

By implementing data encryption, organizations create a robust barrier against unauthorized access to sensitive information. It safeguards data in transit, preventing interception and tampering, and protects stored data from being deciphered by unauthorized entities. This mechanism is also useful when your infrastructure is outsourced to a third party: depending on the setup, even internal or external IT personnel cannot access the encrypted data.
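The principle can be sketched in a few lines. Note that this is a toy stream cipher built on a hash function, purely to illustrate the key/nonce/ciphertext mechanics; production systems should use a vetted authenticated cipher (e.g. AES-GCM) from an established cryptography library.

```python
import hashlib
import os

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a pseudo-random keystream by hashing key + nonce + a counter."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Prepend a random nonce, then XOR the plaintext with the keystream."""
    nonce = os.urandom(16)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, stream))

def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """Recover the nonce, rebuild the same keystream, and XOR back."""
    nonce, body = ciphertext[:16], ciphertext[16:]
    stream = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, stream))

key = os.urandom(32)
token = encrypt(key, b"IBAN BE71 0961 2345 6769")
```

Without the key, the stored token is unreadable, which is exactly why an outsourced administrator with full database privileges still cannot see the underlying values.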

 

Data Security Gateway: Active Control for Holistic Protection

 

What is a Data Security Gateway based on Data Virtualization?

A Data Security Gateway based on Data Virtualization acts as a centralized control point for securing data access, ensuring that only authorized users can retrieve and interact with sensitive information based on their role or profile.

 

The Defense Mechanism:

 

By implementing a Data Security Gateway, organizations gain real-time visibility into data access and usage. This proactive approach allows for immediate detection and response to potential threats, providing an additional layer of defense alongside masking, encryption, and governance.

 

The security layer of the data virtualization platform not only offers extra authentication functionality but also offers row-, column- and even cell-level security. With this approach you can enforce a security layer that is stricter than the one in the underlying data sources.
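Row- and column-level security can be sketched as a policy applied between the consumer and the data. The roles, columns and row filters below are hypothetical examples, not the API of any particular virtualization platform:

```python
# Hypothetical policies: each role maps to the columns it may see
# and a predicate deciding which rows it may see.
POLICIES = {
    "analyst":    {"columns": {"customer_id", "city", "total_value"},
                   "row_filter": lambda row: True},
    "support_eu": {"columns": {"customer_id", "city"},
                   "row_filter": lambda row: row["region"] == "EU"},
}

def secure_query(rows, role):
    """Apply the role's row filter, then project only the allowed columns."""
    policy = POLICIES[role]
    return [
        {k: v for k, v in row.items() if k in policy["columns"]}
        for row in rows
        if policy["row_filter"](row)
    ]

customers = [
    {"customer_id": 1, "city": "Ghent",  "region": "EU", "total_value": 1200},
    {"customer_id": 2, "city": "Boston", "region": "US", "total_value": 800},
]
```

Because the gateway enforces this centrally, the same underlying source can safely serve both roles, each seeing only the slice it is entitled to.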

 

Data Access Governance: Establishing Regulatory Compliance

 

What is Data Access Governance?

Data governance policy management involves defining and enforcing policies that dictate how data is collected, stored, processed, and shared within an organization. It provides a structured framework for managing data assets and lets you create data access policies in a few clicks and preview them before they are implemented.

 

The Defense Mechanism:

Data governance policy management acts as the overarching defense strategy, ensuring that data is handled in accordance with regulatory requirements and internal standards. By establishing clear guidelines and enforcing policies, organizations mitigate risks associated with data breaches and non-compliance. Depending on the technology, this can be enabled with a no-code approach that lets you configure and execute a policy in a matter of minutes.
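The core idea of policy-driven governance, separating the declared rules from the code that enforces them, can be illustrated with a small sketch. The data classes, purposes and rules below are hypothetical assumptions for illustration only:

```python
# Hypothetical declarative policy: which purpose may use which data class,
# and whether that use requires an explicit consent from the data subject.
POLICY = [
    {"data_class": "PII", "purpose": "marketing",       "requires_consent": True},
    {"data_class": "PII", "purpose": "fraud_detection", "requires_consent": False},
]

def is_access_allowed(data_class: str, purpose: str, has_consent: bool) -> bool:
    """Evaluate the declared rules; anything not explicitly allowed is denied."""
    for rule in POLICY:
        if rule["data_class"] == data_class and rule["purpose"] == purpose:
            return has_consent or not rule["requires_consent"]
    return False  # default deny: no matching rule means no access
```

Because the rules live in data rather than code, a governance team can add or preview a policy without touching the enforcement logic, which is essentially what a no-code policy tool automates at scale.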

 

 

Conclusion: Integrating Defense Mechanisms for Holistic Protection

While each technique offers a specific layer of defense, their true strength lies in their integration. Data masking, encryption, data security gateways and governance policy management work synergistically to create a comprehensive and resilient data protection strategy.

By combining these techniques, organizations not only mitigate the risk of data breaches but also ensure compliance with industry regulations and standards. This is crucial for maintaining the trust of customers and stakeholders and avoiding legal repercussions.

In short, adopting these techniques together lets businesses fortify their data management practices, instill confidence in stakeholders, and navigate the digital data landscape with resilience and security.

CONTACT US

Interested in elevating your data security to the necessary standards? Discover how Datalumen can assist you in achieving this goal. 

 




THE GDPR BUSINESS VALUE ROADMAP

Getting a good understanding of the requirements, but also of the opportunities and business value, is not easy. We designed a GDPR business value roadmap to help you with this and to clarify which capabilities you need to get the job done.


1

  • How will you understand what in-scope data is used for, for what purpose and by whom?
  • How will you demonstrate how you’re aligning to the principles?
  • Is your approach mostly manual, using interviews, questionnaires & static documentation?
  • Is your approach inaccurate, time-consuming, resource-consuming, out-of-date, or all of these?


2

  • Do you understand where in-scope data is across your organisation and how it is shared?
  • How will you demonstrate you understand the size & shape of the data problem across domains and data subjects?
  • Is your approach mostly manual, using interviews, questionnaires & static documentation?
  • Is this approach inaccurate, time-consuming, resource-consuming, out-of-date, or all of these?

3

  • How will you capture, manage and distribute consents across channels and business units?
  • How will you demonstrate you have captured the lawfulness of processing across all in-scope data sources?
  • Do you have anything in place already? Or are you planning on extending existing preferences capabilities?

4

  • How will you put protections and controls around identified in-scope data?
  • Can you demonstrate you have relevant control over the relevant in-scope data?
  • Are you planning to manually apply controls? Or apply masking, deletion & archiving solutions as required?
  • Will this approach give you a holistic view around the protections & controls you have in place?





Complete the form and download this Datalumen infogram (A3 PDF).



The Datalumen privacy policy can be consulted here.

More info on our Advisory Services?

Would you like to know what Datalumen can also mean to your GDPR or other data governance initiatives?

Have a look at our GDPR or Data Governance offerings,
contact us and start our Data Conversation.



RABOBANK GIVES CUSTOMERS ANIMAL & PLANT NAMES TO ADDRESS GDPR REQUIREMENTS

The Dutch bank Rabobank has implemented a creative way of using customer data without having to request permission. If you are one of their customers and your data is used in internal tests to develop new services, there is a chance that you will get a different name. With special software the data is pseudonymized, using Latin plant and animal names.

Your first name might become, for example, Rosa arvensis, the Latin name of a forest rose, and your street name Turdus merula, the scientific name of the blackbird. It is a useful way for the bank to stay in line with the General Data Protection Regulation (GDPR), which takes effect on the 25th of May. When developing applications or services, analyzing data or executing marketing campaigns based on PII (Personally Identifiable Information), companies are required to have explicit consent. To be able to keep doing this after May without obtaining your consent, the bank uses data masking / pseudonymization techniques.

 

Explicit consent & pseudonymization

With the new privacy law, the personal data of citizens is better protected. One of the cornerstones of the GDPR is the requirement to obtain explicit consent, linked to a specific purpose. Even with a general consent, companies do not get carte blanche to do whatever they want with your data. Organizations must explain how data is used and by whom, where it is stored and for how long (more info about GDPR). Companies can work around these limitations by anonymizing or pseudonymizing PII data: they can still use and valorize the data, but without a direct and obvious link to you as a person. You become unrecognizable, yet your data remains usable for analysis or tests.


Why scientific animal and plant names?

“You cannot use names that are traceable to a person according to the rules, but if it is a requirement to use letters with names, you have to come up with something else,” explains the vendor that delivered the software. “That's how we came up with flower names: you cannot confuse them, but they look like names to the system. Therefore, it is not necessary for organizations to change entire programs to comply with the new privacy law.”°

Note that data anonymization/pseudonymization technology does not require you to use plant and animal names. Most implementations will convert real names and addresses to fictitious ones that better reflect reality and perhaps better match the usage requirements (e.g. specific application testing requirements). Typically, substitution techniques are applied, where a real name is replaced with another real name.
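A substitution scheme like Rabobank's can be sketched in a few lines. The substitution list and the use of a keyed hash are illustrative assumptions; the key point is consistency, since the same input must always map to the same substitute so that references across tables stay intact.

```python
import hashlib
import hmac

# Hypothetical substitution list; real deployments use large dictionaries
# of realistic fictitious names rather than four Latin species names.
PSEUDONYMS = ["Rosa arvensis", "Turdus merula", "Quercus robur", "Falco peregrinus"]

def pseudonymize(name: str, secret: bytes) -> str:
    """Deterministically map a real name to a substitute using a keyed hash,
    so the same person always gets the same pseudonym."""
    digest = hmac.new(secret, name.encode(), hashlib.sha256).digest()
    return PSEUDONYMS[int.from_bytes(digest[:4], "big") % len(PSEUDONYMS)]
```

Because the mapping is keyed with a secret, it cannot be reproduced by anyone who only sees the masked data, yet test systems receive values that still look and behave like names.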

 

Take aways

Pseudonymization vs anonymization

Pseudonymization and anonymization are two distinct terms that are often confused in the data security world. With the advent of the GDPR, it is important to understand the difference, since anonymized data and pseudonymized data fall under very different categories in the regulation. They differ in one key aspect: anonymization irreversibly removes any way of identifying the data subject, while pseudonymization substitutes the identity of the data subject in such a way that additional information is required to re-identify them. With anonymization, the data is cleansed of any information that may identify a data subject. Pseudonymization does not remove all identifying information from the data but only reduces the linkability of a dataset to the original identity (using e.g. a specific encryption scheme).

 

Pseudonymization is a method to substitute identifiable data with a reversible, consistent value. Anonymization is the destruction of the identifiable data.
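The distinction is easy to show in code. This is a minimal sketch with hypothetical field names: pseudonymization keeps a separate lookup table (destroying that table is what turns the data anonymous), while anonymization simply drops the identifying fields.

```python
import secrets

lookup = {}  # mapping kept separately and secured; deleting it makes the data anonymous

def pseudonymize(value: str) -> str:
    """Reversible and consistent: a random token replaces the value,
    and the mapping is retained for authorized re-identification."""
    token = lookup.get(value)
    if token is None:
        token = "SUBJ-" + secrets.token_hex(4)
        lookup[value] = token
    return token

def re_identify(token: str) -> str:
    """Only possible for whoever holds the lookup table."""
    return next(v for v, t in lookup.items() if t == token)

def anonymize(record: dict) -> dict:
    """Irreversible: identifying fields are dropped outright."""
    return {k: v for k, v in record.items() if k not in {"name", "email"}}
```

Under the GDPR this difference matters: pseudonymized data is still personal data (the link back exists), while properly anonymized data falls outside the regulation's scope.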

 


Only for test data management?

You will need to look into your exact use cases and determine what techniques are the most appropriate ones. Every organization will most likely need both. Here are some use cases that illustrate this: 


Use case: Your marketing team needs to set up a marketing campaign and will need customer data (city, total customer value, household context, …).
Functionality: Depending on the consent you received, anonymization or pseudonymization techniques might need to be applied.
Technique: Data Masking

Use case: You are implementing a new CRM system and have outsourced the implementation to an external partner.
Functionality: Anonymization needs to be applied. The data (including sensitive PII data) that you use for test data management purposes will need to be transformed into data that cannot be linked to the original.
Technique: Data Masking

Use case: You are implementing a cloud-based business application and want to make sure that your PII data is really protected. You even want to prevent the IT team of your cloud provider (with full system and database privileges) from accessing your data.
Functionality: Distinct from data masking, data encryption translates data into another form, or code, so that only people with access to a secret key or password can read it. People with access but without the key will not be able to read the real content of the data.
Technique: Data Encryption

Use case: You have a global organization also servicing EU clients. Due to the GDPR, you want to prevent your non-EU employees from accessing data from your EU clients.
Functionality: Based on role and location, dynamic data masking accommodates data security and privacy policies that vary based on users' locations. Data encryption can also be set up to facilitate this.
Technique: Data Masking / Data Encryption

Use case: You have a brilliant team of data scientists on board. They love to crunch all your Big Data and come up with the best analyses, and to do that they need all the data you possibly have. A data lake also needs to be in line with what the GDPR specifies.
Functionality: Depending on the usage, you may need to implement anonymization or pseudonymization techniques.
Technique: Data Masking

 

Is pseudonymization the golden GDPR bullet?

Pseudonymization or anonymization can be one aspect of a good GDPR approach. However, it is definitely not the complete answer, and you will also need to look into a number of other important elements:

  • Key to the GDPR is consent and the linked purpose dimension. In order to manage the complete consent state you need to make sure that this information is available to all your data consumers and automatically applied. You can use consent mastering techniques such as master data management and data virtualization for this purpose.



  • Data Discovery & Classification

    The GDPR is all about protecting personal data. Do you know where all your PII-type data is located? Data discovery will automatically locate and classify sensitive data and calculate risk/breach cost based on defined policies.

  • Data Register

    A data register is also a key GDPR requirement. You are expected to maintain a record of processing activities under your responsibility; in other words, you must keep an inventory of all personal data processed. The minimum information goes beyond knowing what data an organization processes: it should also include, for example, the purposes of the processing, whether or not the personal data is exported, and all third parties receiving the data.

    A data register that is integrated in your overall data governance program and that is linked with the reality of your data landscape is the recommended way forward.




° Financieele Dagblad

Also in need for data masking or encryption?

Would you like to know how Datalumen can also enable you to use your data assets in line with the GDPR?

Contact us and start our Data Conversation.

THE NEED FOR TOTAL DATA MANAGEMENT IN BIG DATA

The buzz about “big data” has been here for a couple of years now. Have we witnessed incredible results? Yes. But maybe they aren't as impressive as previously believed. When it comes down to Big Data, we're actually talking about data integration, data governance and data security. The bottom line? Data needs to be properly managed, whatever its size and type of content. Hence, total data management approaches such as master data management are gaining momentum and are the way forward when it comes to tackling an enterprise's Big Data problem.

Download the Total Data Management in Big Data infographic (PDF).

Data Integration:
Your First Big Data Stepstone

In order to make Big Data work you need to address data complexity in the context of the golden V's: Volume, Velocity and Variety. Accessing, ingesting, processing and deploying your data doesn't happen automatically, and traditional data approaches based on manual processes simply don't work. They typically fail because:

  • you need to be able to ingest data at any speed
  • you need to process data in a flexible (read: scalable and efficient) but also repeatable way
  • and last but not least, you need to be able to deliver data anywhere, which, with the dynamics of the ever-changing big data landscape in mind, is definitely a challenge

Data Governance:
Your Second Big Data Stepstone

A substantial number of people believe that Big Data is the holy grail and consider it a magical black-box solution. They believe that you can load whatever data into your Big Data environment and it will miraculously result in useful information. Reality is somewhat different. In order to get value out of your initiative, you also need to actually govern your Big Data. You need to govern it in two ways:

Your Big Data environment is not a trash bin.

Key to success is that you are able to cleanse, enrich and standardize your Big Data. You need to prove the added value of your Big Data initiative, so don't forget your consumers and make sure you are able to generate and share trusted insights. According to Experian's 2015 Data Quality Benchmark Report, organizations suspect 26% of their data to be inaccurate. In reality, with Big Data this figure can even be two to three times worse.

 

Your Big Data is not an island.

Governing your Big Data is one element, but in order to get value out of it you should be able to combine it with the rest of your data landscape. According to Gartner, through 2017, 90% of the information assets from big data analytics efforts will be siloed and unleverageable across multiple business processes. That's a pity, given that with Master Data Management techniques you can break the Big Data walls down and create that 360° view on your customer, product, asset or virtually any other data domain.

Data Protection:
Your Third Big Data Stepstone

With the typical Big Data volumes and growth in mind, many organizations have limited to no visibility into the location and use of their sensitive data. However, new laws and regulations like the GDPR require a correct understanding of the data risks, based on a number of elements such as data location, proliferation, protection and usage. This obviously applies to traditional data but is definitely also needed for Big Data. Especially if you know that a substantial number of organizations tend to use their Big Data environment as a black hole, the risk of also having unknown sensitive Big Data is real.

How do you approach this?

Classify

Classify your sensitive data: in a nutshell, data inventory, topology, business process and data flow mapping, and operations mapping.

De-identify

De-identify your data so it can be used wherever you need it. Think about reporting and analysis environments, testing, etc. For this purpose, masking and anonymization techniques and software can be used.

Protect

Once you know where your sensitive data is located, you can actually protect it through tokenization and encryption techniques. These techniques are required if you want to keep and use your sensitive data in its original format.
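The classify-and-protect steps above can be sketched together. The regex-based discovery and the token vault below are simplified assumptions; real discovery tools use many more patterns plus context, and a real token vault is a hardened, access-controlled store.

```python
import re
import secrets

vault = {}  # token vault: in real deployments a hardened, audited store

def classify(text: str) -> list:
    """Naive PII discovery: flag e-mail addresses via a regex scan."""
    return re.findall(r"[\w.+-]+@[\w-]+\.[\w.]+", text)

def tokenize(value: str) -> str:
    """Replace a sensitive value with a random token; the real value
    only lives in the vault, so the dataset itself carries no PII."""
    token = "TKN-" + secrets.token_hex(6)
    vault[token] = value
    return token

def detokenize(token: str) -> str:
    """Authorized lookup of the original value behind a token."""
    return vault[token]
```

Unlike encryption, tokenization keeps no mathematical relationship between token and value: stealing the tokenized dataset without the vault yields nothing.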



More info on Big Data Management?

Would you like to know what Big Data Management can also mean for your organization?
Have a look at our Big Data Management section and contact us.


 

THE NEVER ENDING WRESTLING GAME OF DATA SECURITY IN THE CLOUD

Despite the growing popularity and actual implementations of cloud applications, the majority of organizations today are not adjusting their governance to secure their cloud data. This is illustrated by the 2016 Global Cloud Data Security Study conducted by the Ponemon Institute.

3 KEY FINDINGS FROM “THE 2016 GLOBAL CLOUD DATA SECURITY STUDY”

  • Half of all cloud services and corporate data stored in the cloud are not controlled by IT departments
    On average, 47% of all data in the cloud is not managed by the IT department. You can argue about who should actually be in the driver's seat when it comes to flexibility, time to market, etc. However, involvement from your security staff is something else and should be a no-brainer. Shadow-IT initiatives that go under the radar basically make your cloud data the weakest link and the highest risk.
  • Only a third of sensitive data stored in cloud-based applications is encrypted
    72% of the respondents believe that protecting sensitive information through data encryption and data tokenization is important. In contrast, only 34% say their Software-as-a-Service (SaaS) data is indeed encrypted or tokenized. Relying on the security features of a cloud platform provider is one thing; it still doesn't guarantee that your sensitive data is really secure. The only way to get there is to use proper encryption techniques, and best practice is to use the same policies and technology across your complete data landscape (on-premise and cloud).
  • More than half of companies do not have a proactive approach for compliance with privacy and security regulations for data in cloud environments
    73% of the roughly 3,500 participants indicated that cloud services and platforms are important. 81% even confirmed that the importance of cloud will grow in the next two years. Despite this trend, 54% say that their organization has no proactive data protection approach. With compliance regulations like the General Data Protection Regulation (GDPR) in mind, this seems a rather scary and risky thought.


THE REALITY GAP

The fact that companies are wrestling with protecting cloud data is somehow caused by the idea that these platforms and data are managed by an external party. Companies should realize that when they approach their data governance agenda, it is linked to both their traditional on-premise and remote cloud data. The data reality is hybrid and the idea of your cloud platforms being disconnected islands is long gone. A uniform and consistent data protection approach covering all your data, regardless of the location, is in essence what companies should target.
