Data is the digital age’s hottest commodity – the sheer number of high-profile breaches in the last few years bear testament to this.
By Kervin Pillay, chief technology officer at Internet Solutions
This makes it absolutely essential for businesses to put in place an overarching data management strategy that covers collecting, processing, storing, protecting and transferring the organisation’s data.
First and foremost, enterprises need to have a data management policy that understands the sources and flow of data into and out of the organisation, as well as within the organisation itself. With that understanding, they’ll be able to establish what data needs to be stored, where it needs to be stored, who has access, and how it can be protected.
A key challenge is that with exponentially increasing volumes of data, it’s difficult to tell what qualifies as sensitive data – and what emerges as sensitive is often only revealed in a breach. This is why effective data management places security and compliance at its heart. Data handling, and its consequent storage, cannot exist without security as a priority in an age where data breaches are commonplace.
That means putting the most robust security controls in place.
Enter homomorphic encryption
Data encryption is a well-established data security mechanism, but the key challenge of encryption is that data is vulnerable as soon as it is decrypted for use. Homomorphic encryption offers a highly sophisticated alternative, in that data remains encrypted and protected even while it is worked on.
Homomorphic encryption, along with other new and advancing forms of encryption, will be the holy grail of data management, both for data at rest and in transit. Data at rest is typically more at risk of being breached especially if it has been replicated or backed up. The Advanced Encryption Standard of 256 bits (AES256) is currently one of the most advanced encryption protocols to protect data at rest.
Although data at rest is regarded as higher risk, data in transit faces its own dangers – making it just as important for organisations to encrypt. Many enterprises choose to encrypt it before it moves – or else make use of secure connections such as Hypertext Transfer Protocol Secure (HTTPS), Secure Sockets Layer (SSL), Transport Layer Security (TLS) or File Transfer Protocol Secure extension (FTPS).
Managing the who, how and what of data access
Access to data is a key component in an enterprise’s data management strategy. As well as encryption, organisations also need to prioritise control of the keys to make data more secure through restricted access via mechanisms like multi-factor authentication. Individuals who need to use the data should have simplified and secure access, but data should not be accessible to everyone forever. Subsets of data should typically only be available to some of the people in the enterprise, some of the time.
As such, enterprises need to establish how they go about restricting access according to who needs it and at what levels they need to access and use the data. It’s crucial to be able to track precisely what individuals are doing with the data they have access to in order to ensure that they’re using it in the authorised manner.
In this way, businesses also need to work out how to revoke permissions to ensure that people only have access to data for as long as they need it and then for the key to change to prevent the risk of data leakage.
Access control is a key element of compliance with regulations, which is one of the central tenets of a sound data management strategy. Another major element of compliance is how the data is stored and moved, which in South Africa is most often regulated by the Protection of Personal Information (POPI) Act, Payment Card Industry Data Security Standard (PCI DSS) and General Data Protection Regulation (GDPR).
POPI, PCI DSS and GDPR broadly manage how data is being used and have put controls in place to protect individuals’ data and their right to privacy. It’s important for enterprises to ensure that they comply with these regulations to avoid penalties for non-compliance.
Data lineage will become mainstream in the future
Equally as pivotal to an effective data management strategy as compliance, access control and security is data lineage. Data lineage allows enterprises to track the source of the data, get additional information about what happened to the data at every point at which the data was modified and catalogue all data sources and sinks within a business.
Data lineage is in its relative infancy but will become an increasingly important trend in the coming years – it’s currently only really being done by enterprises that are advanced in terms of how they handle data, but it is extremely complex, making it an area that many businesses haven’t prioritised yet.
Another challenge that data lineage will face is the rise of ‘functions as a service’. It enables the development, running and management of app and system functionality only when needed. The challenge with that is data can no longer be traced to its source because the source only exists for as long as the functionality is required.
Enterprises are going to have to come to terms with data lineage if they hope to put a solid data management strategy in place, though. Together with compliance, access control and security, these are the main elements that businesses will need to focus on to ensure that they are able to keep up with an ever-increasing amount of data and a complex data management environment.