Sign In

Subscribe to our Weekly Newsletter to get latest updates to your inbox
November 2017CIOAPPLICATIONS.COM9ing sensitive data?" It's a broad question and it seems to be on the minds of C-level, manager and procurement level people in every company, especially after the very public stories of data loss coming from some of the world's biggest companies. More recently, the threat of a data breach has expanded to include the threat of a ransomware attack. While the first scenario creates risk of sensitive data being exposed publicly, the second risks data being lost or a company being shut down altogether. Both are scary and very expensive to recover from.While traditional protection methods, like firewalls, encryption, and multi-factor authentication help, there is no single answer to protect data against all threats. However, the idea that a business can evaluate the risk of a breach and make an ROI decision on investing in security is outdated. It is no longer a decision but instead is a basic tenet of doing business in an ever-changing digital world. Knowledge about your data and how it is stored is fundamental to surviving audits and designing protection that lets you sleep at night.Information security audits that result in a SOC2 or HiTrust certification are deemed as good benchmarks for a company's commitment to protect data. It's true that both force a company being audited to evaluate, correct and maintain internal processes, as well as technology infrastruc-ture that protects data. They also require standards around password change frequency, security training for employees and patch management. All of these things help assure that the most common vulnerabilities are dealt with and that all reasonable steps are being taken to protect information. How-ever, most of these methods are focused on putting a fence around applications and databases that were not necessarily designed with security in mind when they were built. I believe that the way the security space will evolve includes getting into the database architecture itself. What do I mean by this? Let's start by defining two types of data. The first is data that belongs to a person. This includes PII (Personally Identifiable Information) and PHI (Personal Health Information) as well as other categories. By definition, these are only sensitive, and therefore are targeted, because they are tied to a person. Knowing who the data belongs to gives it value. For instance, a birth date isn't valuable by itself but if it is tied to a person, it definitely does have value. Combine a birth date with gen-der and a geographic data point (like city address) and there are plenty of ways to figure out the exact person to whom the data belongs, even if their name is unknown. In contrast, individual data points like height, weight, BMI, salary, or prescription drugs taken are of no value without linking them to a person.The second type of data is harder to "de-identify" and harder to secure because it has value in and of itself. A list of software vulnerabilities or a decryption code is hard assets and valuable to someone who wants to cause harm. Sure, a list of people who are using the vulnerable software is of value too, but is not necessary to do real damage if the wrong per-son gets their hands on information like this.Architecting for security involves rethinking how you structure databases and applications. This includes when you should use logical versus physical separation of data as well as how you minimize the need to access the data points that create truly identifiable and therefore valuable information. If you create a random identifier to store with a transaction, and remove all the PII in the process, you've made the transaction data less valuable and reduced your risk. There are very few systems or workers who really need to know to whom that transaction belongsAt the end of the day, protecting information is hard. Broad use of strong encryption, like cryptography, is coming and will help companies protect data better. However, there aren't a lot of experts to help you figure out what it is and how to use it today, so don't expect to find a silver bullet out there waiting for you. As a technology leader, you need to take data security seriously and make it a priority. No matter what your role is in the organization, you need to convince those above and around you that your company needs to deal with this. If they haven't already, customers and consumers will soon be knocking on the door asking for more proof of protection against the latest threats. The risks are just too great.Three things to do this month are:· Get educated· Talk to your peers, go to a conference, listen to a security podcast· Spend some time and money on security architecture· Look for independent outside help but don't defer responsi-bility to them.· Ask your application, database and infrastructure teams a simple question: "Is our data secure?" Knowledge about your data and how it is stored is fundamental to surviving audits and designing protection that lets you sleep at night
< Page 8 | Page 10 >