1 Background
· Enterprise security spending is $75B+
· 93% of enterprises feel vulnerable to security threats
· 61% have had a data breach
· 781 breaches compromising 169M records happened in 2015. This figure has been rising since then.
· $217 per record is the cost of a data breach
The proliferation of customer identifiable data processed by financial firms drives increased scrutiny of the practices that ensure end-customer rights. The resulting regulations impose obligations, and penalties for non-compliance, on the treatment of customer data: its storage, distribution and access. A person's access to that data changes based on location. There is a hard requirement to lock down customer identifiable data (CID) with infrastructure, regional, service and people-based boundaries enforced by compliant policies.
These stringent conditions have put organizations on tenterhooks, and they continue to spend heavily in this area. As a result, much of the potential for outsourcing and cost savings has become difficult to realize. Moreover, as data proliferates across horizontal and vertical lines, few organizations have a grip on what constitutes sensitive data, where it resides, or complete intelligence on it.
The EU's GDPR came into effect in May 2018. The GDPR imposes specific requirements on data controllers (for example, Deutsche Bank or Credit Suisse) and data processors (for example, a FinTech or IT service provider). Both the data controller and the processor are held accountable for enforcing data subject rights, including the Right of Access (what customer data is held, how it is processed, what it is used for and who it is shared with) and the Right to be Forgotten. Similar laws apply in the US and UK.
2 FS (Financial Services) Space & Use Cases
Currently, intelligence on sensitive data is driven by human declarations and process-driven enforcement of policy. This can turn out to be extremely costly for a firm in the event of a breach or non-compliance.
First, there is an urgent need to perform a systematic identification of the sensitive data. Today, many financial organizations have little clue when it comes to categorizing and inventorying their data. This has many dimensions, such as attribute, location and access rights. Most banks tend to keep the sensitive roles in the same location as the data they handle. Even within a single function, the question becomes more pressing when different roles are considered.
DBAs have enhanced levels of access, not just from an application but also through back-end entry points such as database client applications and scripts, and through access to log files, which may contain sensitive data. In order to unlock the benefits of right-shoring for talent and cost, the definition of DBA security policies must provide comprehensive and effective anonymization mechanisms so that DBAs, irrespective of location, access mechanism etc., remain productive in their roles.
3 ESDM (Enterprise Sensitive Data Management) Solution
The ESDM solution is about achieving the following:
· Establish a complete intelligence system on the sensitive data lying throughout the organization
· Eliminate roadblocks in the adoption of a location strategy or cloud deployments, driving faster TCO (Total Cost of Ownership) optimization
· Drive responsive compliance and evidence-based reporting against evolving data protection regulations
· Achieve total protection of sensitive data
There are many by-products of implementing a solution on ESDM. Some of them are:
· A dynamic repository of all sensitive data and its whereabouts
· Optimal access based on such sensitive data
· Freeing up resources onsite to move to other locations, based on a clear implementation of the ESDM solution
· Amenability for outsourcing, or elimination of roadblocks to more outsourcing
· Elimination of barriers to the adoption of new technologies
Here are a few examples of sensitive data grouped by category:
1. Personal Identification (Name, Gender…)
2. Address
3. Personal IDs
4. Customer Identification
5. Career details
6. Birth details
7. Family details
Any ESDM solution should look at the entire stack and be tool driven. Our guiding principles are:
- Right tool: selecting the right tool is critical. For this, a technical PoC is recommended. It can be used to verify the usefulness of the tool, the scalability of the model and the cost-benefit analysis. Possible operations for managing sensitive data are static masking, dynamic masking and, finally, retirement.
- Easy adoption: critical use cases are to be covered first.
- Scalable operating model: the service delivery model should be aligned to the outcome.
- Co-existence: the solution must co-exist in a heterogeneous environment, supporting a non-greenfield estate.
4 A point of view
Many products have come to address this, each one advertising various features such as the ability to do static / dynamic data masking. Gartner has also published its rankings. Whatever the product, it should be used to discover sensitive data accurately, mask it seamlessly, monitor it continuously and retire it securely.
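The lifecycle named here (discover, mask, monitor, retire), the static masking / dynamic masking / retirement operations from the guiding principles above, and the role-based anonymization the DBA passage in section 2 calls for, shown together as an added Python example. This code is not from the post or from any product it mentions; the records, column names, category rules, role policy, salt and two-year retention period are all constructed assumptions.

```python
import hashlib
import re
from datetime import date

# Constructed sample customer records; nothing here is real data.
RECORDS = [
    {"customer_id": 1001, "name": "Anna Example", "gender": "F", "city": "Zurich",
     "contact": "anna@example.com", "national_id": "AB123456C", "dob": "1984-03-09",
     "plan": "gold", "last_active": date(2016, 1, 15)},
    {"customer_id": 1002, "name": "Ben Sample", "gender": "M", "city": "London",
     "contact": "ben@example.org", "national_id": "CD654321X", "dob": "1990-11-30",
     "plan": "basic", "last_active": date(2018, 6, 1)},
]

# Discovery rules (assumed, not from any product): column-name hints for the
# page's categories, plus value patterns for columns whose names give nothing away.
COLUMN_CATEGORIES = {
    "name": "Personal Identification", "gender": "Personal Identification",
    "city": "Address", "national_id": "Personal IDs", "dob": "Birth details",
}
VALUE_PATTERNS = {
    "Personal IDs": re.compile(r"^[A-Z]{2}\d{6}[A-Z]$"),
    "Customer Identification": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
}
# Role policy for dynamic masking: the categories each role may read in clear.
ROLE_POLICY = {"data_owner": set(COLUMN_CATEGORIES.values()) | set(VALUE_PATTERNS),
               "support": {"Personal Identification", "Address"},
               "dba_offshore": set()}  # full technical access, no clear-text CID
ACCESS_LOG = []  # monitoring: one entry per read, for evidence-based reporting

def discover(records):
    """Discover: build the inventory {column: category} from the data itself."""
    inventory = {}
    for col in sorted({k for r in records for k in r}):
        if col in COLUMN_CATEGORIES:
            inventory[col] = COLUMN_CATEGORIES[col]
            continue
        values = [str(r[col]) for r in records if r.get(col) is not None]
        for category, pattern in VALUE_PATTERNS.items():
            if values and all(pattern.match(v) for v in values):
                inventory[col] = category
                break
    return inventory

def _pseudonym(value, salt=b"placeholder-salt"):
    """Deterministic token (keeps joins working); the salt is a placeholder secret."""
    return hashlib.sha256(salt + str(value).encode()).hexdigest()[:10]

def static_mask(records, inventory):
    """Static masking: an irreversible copy for test/pre-production; originals untouched."""
    masked = []
    for r in records:
        m = dict(r)
        for col, category in inventory.items():
            if col not in m:
                continue
            if category == "Birth details":
                m[col] = m[col][:4] + "-01-01"  # keep the year only
            elif category == "Customer Identification":
                m[col] = f"user-{_pseudonym(m[col])}@masked.invalid"
            else:
                m[col] = "P-" + _pseudonym(m[col])
        masked.append(m)
    return masked

def _partial(value, category):
    """Read-time masking that leaves only what the role needs (constructed rules)."""
    s = str(value)
    if category == "Personal IDs":
        return "*" * (len(s) - 4) + s[-4:]
    if category == "Customer Identification":
        return "***@" + s.split("@", 1)[1]
    return s[:4] + "-**-**" if category == "Birth details" else "***"

def dynamic_read(records, inventory, role, user):
    """Dynamic masking: a per-role view computed at read time; the read is logged."""
    allowed = ROLE_POLICY[role]
    view = []
    for r in records:
        v = dict(r)
        for col, category in inventory.items():
            if col in v and category not in allowed:
                v[col] = _partial(v[col], category)
        view.append(v)
    ACCESS_LOG.append({"user": user, "role": role,
                       "masked": sorted({c for c in inventory.values() if c not in allowed})})
    return view

def retire(records, as_of, retention_years=2):
    """Retire: purge records inactive beyond the (assumed) retention period."""
    kept, purged = [], []
    for r in records:
        if (as_of - r["last_active"]).days > retention_years * 365:
            purged.append(r["customer_id"])
        else:
            kept.append(r)
    return kept, purged
```

The static copy is what a Test or Pre-production estate receives; the dynamic view is what the Production store answers to each role, so an offshore DBA keeps full technical access while never seeing clear-text CID, and the access log is the evidence trail for reporting. Deterministic pseudonyms keep joins working across the masked copy but also preserve value frequencies, which is why the salt must be managed as a secret rather than hard-coded as it is in this constructed sample.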
The product or tool should address the challenges posed by the different environments in the life cycle, such as Test, Pre-production and Production, covering data, code and the user community as depicted below.
The approach starts with the PoC, followed by the development of a business pilot, realizing quick wins before rolling out to the rest of the organization. Subsequently, the solution can be rolled out to other units over the next year. By the end of this, the organization has control over its sensitive data and its usage, access and deployment. Any future regulation in this area can be easily addressed.
Organizations should adopt the ESDM culture from the top down.
Potential Benefits
They accrue in the form of an established ecosystem with:
· Complete inventory of sensitive data lying in the organization, covering type of data, repository, artefacts, programs accessing the data, users, locations etc.
· Ability to consume mature IT services delivery
· Optimised infrastructure spend through the adoption of multi-location models and platforms (Cloud)
· Clear segregation of roles with respect to data access
· Unlocking of roles previously held at the customer's location to other low-cost locations, after analysing and implementing a suitable solution
· Elimination of roles that are no longer required in this connection
· Compliance with local laws and the ability to report clearly