SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image

Why every business needs more control over its data

Data security is a bigger and more pervasive issue for businesses now than in any time in history. It has been elevated to a boardroom issue, and with good reason, since getting information security wrong can have significant negative impacts for the organisation.

There are three main drivers for organisations to think more carefully about how they manage the security of the information they store, transmit, and use.

First, there is an increasing focus on information security from governments around the world. This is evidenced by new and emerging regulations around how data is treated within organisations. In Australia, the Privacy Act and its mandatory notifiable data breaches (NDB) scheme have caused companies to re-examine their security measures.

In Europe, the General Data Protection Regulation (GDPR) is having a similar effect. Furthermore, the GDPR has long arms that reach out to encompass every business that deals with European customers, regardless of what industry the business is in or what country it's based in.

Second, organisations continue to embrace cloud services in recognition of the significant benefits they can deliver. The cost savings, increased efficiencies, and superior agility delivered by cloud services means businesses that fail to leverage the cloud are potentially missing out on a significant competitive advantage.

However, securing information in the cloud comes with its own challenges and requires businesses to understand the shared responsibility model.

This means that cloud providers are responsible for the security of the infrastructure, while cloud users are responsible for the security of the data and workloads they put in the cloud.

Third, and perhaps most obvious, is the exponentially increasing number and severity of cyberattacks that compromise data. Threats come from phishing attacks, malware exploits, zero-day vulnerabilities, and brute force attacks.

Every endpoint device is a potential entry point for cybercriminals and businesses are all but overwhelmed by the sheer number of threats that must be addressed.

Furthermore, businesses are operating in a new era in which the customer really is king, and a business can live or die by its reputation for keeping customer information secure. All businesses face intense pressure to accelerate business velocity and improve customer engagement while maintaining compliance with industry-specific regulations, many of which can be complex.

Controlled information sharing is essential for effective business collaboration but, without the proper controls, information sharing becomes a source of regulatory and business risk.

These security challenges are far from insurmountable. They do, however, require a concerted and strategic approach from organisations that understand the threat and are committed to combatting it.

Many business leaders believe they've created an impenetrable security barrier by erecting and maintaining a firewall. Keeping information secure inside this firewall is relatively simple.

However, the stricter the controls, the more difficult it can be to do business effectively with partners, suppliers, and customers. Since most companies do business outside their firewall and even outside their own national borders, they need to understand how to keep information secure once it leaves the firewall, no matter where it is in the world.

This makes data sovereignty a key issue in information security. Data sovereignty refers to the physical location of data, which can be a concern because of different privacy laws and regulations in different countries.

Businesses need to know that information won't be stored or transmitted offshore without the appropriate safeguards. This can mean, for example, that an Australian bank needs to keep all customer data stored within Australia's borders to maintain compliance.

This doesn't mean the bank can't use cloud services, or even the public cloud. It simply means the bank must choose a cloud provider that complies with relevant privacy requirements and appropriate security measures in place.

When data was exclusively stored in data centers owned or rented locally by businesses, data sovereignty wasn't a concern, and keeping that information secure was simpler because it was all in one location. Now that information can be spread across data centers, across the world, businesses need a new way to define the location of their data, beyond that physical location.

These companies can use the point of control of encryption as the logical location of data. Controlling the ability to decrypt data gives businesses more control over how that data is stored and transmitted than simply restricting it to local data centers. When the business has full control over the logical location of the data, the physical location may become less relevant.

And, since businesses need to maintain control over who sees and uses their information even once it's left the organisation, it's easy to see how maintaining control over encryption keys simplifies that control process and puts the power back in the company's hands, rather than in those of the data center operator.

Retaining control over those encryption keys, sometimes known as customer managed keys (CMK), lets businesses control the information over its entire lifecycle. Combined with information rights management (IRM), this gives the business more control, letting it allow and revoke permission to read or edit documents as needed.

Businesses can add to this control with information rights management (IRM) technologies that relate to each specific document. This can enable virtual shredding for documents that shouldn't be viewed, while ensuring only authorised people can access sensitive information.

Businesses with a special concern regarding the physical location of data should look for technology that provides regional storage and processing, which can keep sensitive content securely within a specific geography. That information never leaves the region, keeping the company in full compliance with data sovereignty requirements.

Used together, these technologies can help businesses retain total control over documents and information regardless of where in the world they're stored or transmitted. They can support a customer's business strategy to maintain full compliance with all applicable privacy regulations without compromising their ability to do business in an agile, flexible, and collaborative way.

Follow us on: