Protection of private information has become serious business, so much so that both governments and industry organizations have formalized data security rules with associated penalties for data exposure. Within the United States alone, there are numerous laws and industry agreements that require organizations to institute policies and procedures for identifying data exposure risks (see sidebar). These risks must also be further classified based on their levels of severity, and the rules require instituting specific safeguards and controls to protect the data. Companies are further required to provide public reports in the event of data exposure, whether the exposure is accidental or the result of malicious intent.
But despite these numerous, very specific data protection compliance guidelines, challenges remain. In 2015, there were 781 data breaches with over 700 million records compromised. Cybercrime has exhibited a fundamental change, transitioning away from website-crippling distributed denial-of-service attacks or credit card number theft to much more insidious criminal intent. Intellectual property theft, hacktivism, government intelligence operations, and data breaches to facilitate organized crime have become commonplace. Some noteworthy breaches from recent years include the following:
- The exposure of corporate intellectual property through the Sony breach.
- The exfiltration of millions of individuals' personally identifiable information (PII) stored in databases managed by the U.S. Office of Personnel Management (OPM). The PII included social security numbers, names, birthdates and addresses of the individuals.
- Over 100 million health insurance member records have been stolen, with the largest breach being 78 million records from health payer Anthem.
Protecting sensitive data is important from a compliance perspective, but also provides business value. The common theme among the aforementioned breaches is that the potential loss caused by the breach of the organization's security measures is directly associated with the value of the meaningful content that was stolen. For example, the leaked Sony data likely contained information about business operations and deals that could be leveraged for stock market manipulation. The OPM breach might allow a rogue nation to develop profiles for all government employees and contractors, while stolen healthcare data can be exploited for insurance fraud.
In general, organizations have employed network perimeter security methods that are intended to resist breaches and provide notification when the system has been compromised. This approach still harbors some degree of risk: detection of a breach might not happen in real time, and in many cases the breach occurs long before its effects are noticed or there is an understanding of what data assets have been stolen. Network perimeter security is certainly a required component for preventing data exposure, yet it remains insufficient for a complete data protection plan, because once the firewall is breached, protection will be limited.
U.S. data protection compliance regulations
In the United States, several industry-specific compliance rules outline procedures to identify and alleviate data security risks. Some of the many examples of U.S. data protection compliance rules include the following:
Online data collection: The Children's Online Privacy Protection Act (COPPA) requires reasonable procedures to "protect the confidentiality, security, and integrity of personal information collected from children."
Financial institution data collection: According to the Gramm-Leach-Bliley Safeguards Rule, "financial institutions must develop a written information security plan that describes their program to protect customer information." This plan must include processes to "identify and assess the risks to customer information in each relevant area of the company's operation, and evaluate the effectiveness of current safeguards for controlling these risks."
Protected health information: The goal of the HIPAA Privacy Rule is "to assure that individuals' health information is properly protected while allowing the flow of health information needed to provide and promote high-quality healthcare ... " Correspondingly, the HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information, which is generally an "impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information."
Federal agency data protection: The Federal Information Security Management Act of 2002 (FISMA) requires federal agencies to develop programs to provide information systems security that help protect information assets. FISMA directs the agencies to "provide for development and maintenance of minimum controls required to protect Federal information and information systems."
Credit card processing: The Payment Card Industry Data Security Standard (PCI-DSS) is an industry standard that mandates a number of controls to protect stored cardholder data and restrict access to that data.
Operationalize data protection compliance
Greater insight is required for more comprehensive sensitivity analysis, risk assessment and institution of data protection compliance controls. To strengthen the methods for complying with data protection laws and industry directives, address these three key issues for operationalizing information and content protection:
Data awareness: Before a data asset can be protected, one must be aware that it exists. Many organizations lack a shared, accessible catalog of their major data sets, let alone a detailed assessment of the workgroup or desktop artifacts that would be of interest to a cybercriminal. Therefore, create a catalog of data assets in a shared inventory to help support data protection compliance processes.
Sensitivity assessment: Devise a process for assigning levels of sensitivity to identified data assets. However, be aware that although not every data asset contains sensitive information, it is possible that blending data from different data sets can create information sets that require increased protection. Develop and institute methods to assess the levels of data sensitivity and assign specific designations to data assets.
Data protection: For those data assets that contain sensitive information, specific protection methods must be applied to safeguard the content in the event of a security breach. Establish access controls and defined roles and rights for data access. This may include both a means for encrypting data (both at rest and in motion) and masking data based on the user's level of authority.
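As an added illustration (not from the article or any vendor product), the following Python sketch models the three steps above on a constructed catalog: inventory entries with per-field sensitivity, a blended-sensitivity check that raises the level when joined assets together form identifying PII (name, birthdate, zip), and role-based partial masking. The level scale, linkage rules, role clearances, asset names and sample record are all assumptions.

```python
from dataclasses import dataclass

# Sensitivity scale, lowest to highest (assumed; substitute your own classification).
LEVELS = ["public", "internal", "confidential", "restricted"]

# Field combinations that identify a person when joined, even though each field
# alone is lower-level (assumed linkage rules for this illustration).
LINKAGE_RULES = [
    ({"name", "birthdate", "zip"}, "restricted"),
    ({"name", "ssn"}, "restricted"),
]

# Highest level each role may see unmasked (assumed access policy).
ROLE_CLEARANCE = {"analyst": "internal", "claims_processor": "confidential"}

@dataclass
class DataAsset:
    """One inventory entry: owner plus the sensitivity of each field on its own."""
    name: str
    owner: str
    fields: dict  # field name -> level from LEVELS

    def level(self) -> str:
        return max(self.fields.values(), key=LEVELS.index)

def blended_level(assets) -> str:
    """Sensitivity of a data set built by joining several assets: the highest
    single-asset level, raised further if the combined fields hit a linkage rule."""
    combined = set().union(*(a.fields for a in assets))
    lvl = max((a.level() for a in assets), key=LEVELS.index)
    for needed, rule_level in LINKAGE_RULES:
        if needed <= combined and LEVELS.index(rule_level) > LEVELS.index(lvl):
            lvl = rule_level
    return lvl

def mask_record(record: dict, field_levels: dict, role: str) -> dict:
    """Copy of record with fields above the role's clearance reduced to their
    last four characters (partial masking); lower-level fields pass through."""
    clearance = LEVELS.index(ROLE_CLEARANCE[role])
    return {k: v if LEVELS.index(field_levels[k]) <= clearance else "***" + str(v)[-4:]
            for k, v in record.items()}

# Constructed catalog: each asset alone is 'internal' or 'confidential', but
# joining members with demographics yields name+birthdate+zip, i.e. 'restricted'.
CATALOG = {
    "members": DataAsset("members", "membership", {"member_id": "internal", "name": "internal", "zip": "internal"}),
    "demographics": DataAsset("demographics", "enrollment", {"member_id": "internal", "birthdate": "confidential"}),
    "claims": DataAsset("claims", "claims", {"member_id": "internal", "diagnosis": "confidential"}),
}
```

Running `blended_level` over different joins of the catalog shows why the sensitivity assessment must look at combinations, not just individual assets.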
Because the data security team members may not be familiar with these types of data management best practices, it is critical to establish a partnership between the data management professionals and security management professionals. Technologies will also be needed to support a comprehensive data protection program, and it's important to evaluate tools for data asset identification and management. These technologies can be used to determine whether risks of exposure of protected data are increased when multiple data assets are combined.
Finally, consider the ways that data protection policies can be implemented using encryption and data masking strategies. By bridging the gaps between network perimeter security and content protection, your organization will have a more predictable program for minimizing both information security risks and noncompliance with data protection rules.