WP How to leverage accountability to ensure sustainable enterprise data security | Imperva

How to leverage accountability to ensure sustainable enterprise data security

As post-pandemic economic recovery continues to drive rapid acceleration in digital transformation, documented data breaches and service disruptions caused by cybercriminal activity have become an unwelcome part of our daily news feed. In spite of the regulations and compliance requirements mandated across various industries and jurisdictions, the outcome seems to drift continuously toward the same result: a breach of controls, a breach of trust and, ultimately, loss of data. It is now widely assumed that getting breached is no longer preventable, which has prompted regulators to shift their attention toward response strategies and the timely disclosure of such breaches.

Should organizations simply wave a white flag and surrender? Absolutely not. Organizations must continue to develop extensive strategies that double down on their security controls, starting from the understanding that a data breach is a symptom of a gap in the controls and the accountability that are meant to reduce the risk of data breaches and service disruptions in the first place.

Accountability is key during digital transformation

The pandemic-driven acceleration of digital transformation has further underlined the value of the data that now underpins global economies. The various mandates on compliance and governance for data protection share a single aim: to re-emphasize the importance of achieving accountability across every stage of data lifecycle management. The objective for organizations is therefore to demonstrate, continuously, accountability for and control of data both in motion and at rest, as the basis for sufficient data governance.

Organizations can simplify their compliance, privacy and security requirements by looking at accountability from a focused perspective. Accountability drives a clear understanding of what needs to be safeguarded, who is responsible for ensuring that adequate controls are in place to safeguard it, and continuous validation that those controls are indeed working to protect sensitive data.

Organizations often mistake data accountability for a security technology problem. They wait for security teams to handle the risks without considering alignment with overall business objectives, competitiveness and, in extreme cases, survivability. The dramatic growth in the number and frequency of data breaches that we continue to witness shows how difficult it has become for organizations to develop a cohesive strategy that meaningfully addresses the risks arising from lapses in data lifecycle management.

Accountability is key in cybersecurity management

Security of data is directly underpinned by accountability. Throughout the data management lifecycle, visibility into the design, implementation, storage and usage of data needs to be driven by a security-first approach. This approach ensures that there are no blind spots in data management: the organization can account for where sensitive data resides, who has access to that data from both the custodian and the user perspective, and how the data is consumed. Developing an agile data protection program brings accountability into focus and gives organizations the means to meet their obligations with full traceability into:

  1. Where the data resides
  2. Who has access to the data
  3. What the data is used for
  4. When the data is used, and
  5. Why the data is used

Accountability is key in privacy programs

The same efforts that make accountability important to a security program invariably lead to the ability to develop a robust privacy program, one that lessens the burden of privacy regulations on an organization. With the proliferation of data in a digital-centric world, the notion of data as strictly business property has diminished. With the question of who owns the data as the central concern, the rights of users now sit at the core of digital transactions. Consequently, privacy laws from various sovereign states now require organizations to foster data programs that put accountability to users at the center of data traceability.

To summarize privacy requirements, organizations need to be able to account for the following:

1. Where is the users' data?
2. What is the data used for?
3. Give users control over their data:
a. Request removal of their data
b. Rectify their data
c. Restrict access to their data

Data traceability poses several technical and logistical challenges for organizations. An organization must first know where customers' data resides, understand how that data is processed, and give users the ability to control it. Even when an organization has reached the maturity required to align its security and privacy obligations with its business strategy, meeting those requirements is no trivial task. This is where partnership with Imperva makes the difference, by giving organizations full visibility across their data landscape, accounting for usage of the data and enforcing security controls over data operations.

Sample Use Case – A Large Enterprise Bank (Security and Privacy)

The large enterprise bank in this use case is a global commercial banking firm. It has been going through revitalization of its business through strategic acquisition of regional banks in Europe and Asia to expand its global footprint, as well as creating a virtual banking platform in a shift toward digital-first to better serve its customers.

As the bank seeks to align its global business objectives across multiple jurisdictions, a lack of visibility into data usage has been identified as the immediate challenge impeding its ability to meet compliance and regulatory obligations. To address this risk, the bank seeks to consolidate its approach to data management through targeted initiatives.

To achieve these goals, the bank aims to create an expansive framework that will help the business streamline its data management practices and standardize its procedures to continuously achieve compliance, address data privacy and secure data regardless of jurisdiction.

(Figure: Data Lifecycle Management)

The bank has developed three key areas of focus:

  1. A data management program to continuously classify critical customer data, in the form of PII, and other critical business data
  2. A frictionless approach to supporting data management strategies across the hybrid cloud
  3. Accounting for security and privacy throughout the data management lifecycle

Proposed Solution

Imperva was consulted to assist the bank with its strategic goal of enhancing its data governance. Imperva provides an enterprise security platform for data management with an automated framework that embeds security and privacy requirements into every stage of the data lifecycle. This approach simplifies the bank's ability to meet its compliance and regulatory obligations while enhancing its data security posture across all jurisdictions, through a framework that brings accountability into every facet of data usage across the organization.

For this large enterprise bank, Imperva provided:

  1. Native support for all of the distributed architectures throughout the bank's hybrid cloud. Regardless of where structured or unstructured data resides, on-premises or in the cloud, the platform approach provides consolidated visibility across the enterprise data lifecycle and enables the bank to enforce controls.
  2. The capability to ingest from disparate structured and unstructured data sources. The hybrid cloud model adds the complexity of widely differing data sources. Imperva addresses this with its highly extensible Sonar platform, which rapidly ingests and normalizes data from any source and allows the bank to run both supervised and unsupervised models that contextualize the enterprise data threat landscape, meeting its security requirements at speed while also addressing privacy and compliance obligations.
  3. A consolidated approach, driven by automation, to achieving continuous compliance, enforcing data protection and simplifying data privacy requirements across all jurisdictions. The partnership with Imperva allowed the bank to move rapidly beyond compliance and start addressing outcomes: securing its data by fully contextualizing the data lifecycle across its entire data estate and enforcing accountability for data ownership, data authorship and data usage.