Sensitive data includes a broad spectrum of information, including:
- Transactional data: Credit card, bank account, and social security numbers
- Personal data: Phone numbers, physical and virtual addresses, and medical history
- Business-related data: Trade secrets; planning, financial, and accounting information
- Governmental data: Restricted, confidential, secret, or top-secret information
The exponential growth of a global information economy, driven by new technologies and disruptive business models, means that an ever-increasing amount of sensitive data is collected, used, exchanged, analyzed, and retained. In all cases, this data requires protection from unauthorized access to ensure the privacy and security of both individuals and organizations.
Sensitive Data and Compliance Regulations
However, the sheer volume of sensitive data also means there is an ever-increasing number of accidental or intentional data breaches, incorrect or lost data records, and data misuse incidents.
Each high-profile case of data breach or misuse brings increased demand for organizations to ensure the privacy, integrity, and security of sensitive data entrusted to their care. At the same time, SOX, HIPAA, PCI, and GDPR compliance regulations demand that organizations provide complete visibility into, and an uninterrupted record of, what data is accessed or changed, when, and by whom.
The challenge of keeping up with threats and exploits that derive from both internal and external sources, combined with the requirements of regulatory compliance, necessitates constant vigilance and awareness of the latest vulnerabilities and counter-measures.
Protecting Sensitive Data
Data has varying degrees of sensitivity, based on risk potential. Companies must prioritize data risks by creating a classification policy based on data sensitivity. At a minimum, three levels of data classification are needed.
- Restricted: This is the most sensitive data that, if compromised, could cause great risk to individuals and/or organizations. Access is be on a need-to-know basis only.
- Confidential or Private: This is moderately sensitive data that, if compromised, would cause a moderate risk to individuals and/or the company. Access is internal to the company or department that owns the data.
- Public: This is non-sensitive data that would cause little or no risk to the data if accessed. Access is loosely, or not, controlled.
Policies must be developed and implemented that determine what types of information are sensitive and what methods, such as encryption, should be used to protect that information. In addition, companies must monitor the transmission of information to ensure that the policies are adhered to and are effective.
Users need to be aware of the sensitivity of the data they work with and the guidelines established for keeping it safe. This often involves educating users about best practices and what practices to avoid. IT-savvy organizations must have a compliance officer to ask the question, “How does this deployment affect compliance with SOX, PCI, or GDPR?” Having an expert on board that knows the regulatory landscape is a definite plus.
Companies must also implement a continuous auditing of the overall IT environment. Auditing solutions that provide real-time information about unauthorized or malicious changes help ensure visibility across the IT infrastructure. In addition, auditing solutions validate the effectiveness of security policies, and the security of sensitive information. Continuous auditing will help detect a breach in its early stages, assist during in-depth analysis, and ultimately expose weaknesses that can be remediated to strengthen the security of a company’s IT infrastructure.
Finally, and most importantly, companies must add security layers to data shared in the cloud. The acceptance and adoption of cloud-based application services make it easy for businesses to collaborate and share content with multiple users. But this convenience has its downside, as data leaks become an increasing concern. Typically, these services lack the visibility necessary to mandate and track how, when, and with whom files and content are shared.
Conclusion
The need to secure applications on-premises, in the cloud, and during the transition period from on-premises to the cloud, requires a strong monitoring and auditing solution. In addition, the complete visibility of an organization’s infrastructure, including receiving verified vulnerability intelligence, is essential to securing sensitive data. By constantly monitoring the corporate environment, your company will be able to pinpoint where the dangers lie and tactically prioritize your remediation efforts. Quick and coordinated control and mitigation are essential to bring the balance of defense back into the defender’s court.
Learn how Imperva solutions can help you protect sensitive data.
