SecurityWeek

Data Protection

Data Protection and Privacy: Think 360, Demand 360

When it Comes to Data Protection and Privacy, it is Important to Evaluate Where You Are, and Where You Need to Go

If you find yourself reading SecurityWeek articles, you are a person who is aware of and appreciates the importance of (and the difference between) both data protection and privacy. In the pursuit of securing data and maintaining privacy, we all come to realize that it is both a moving target and one that has legal, ethical, and, of course, financial implications. As such, I’ve been pondering easy frameworks through which everyone can get a better grasp of what’s required. I have come to this conclusion: think 360, demand 360.

Long gone are the days when data and privacy could be protected by putting a password between what’s important and unknown adversaries. Now you need to think 360. That means protection from those adversaries, protection from an overreaching authority, protection from your employees and insiders, and finally, protection from yourself. If any of those vectors remains uncovered, the job is not done.

Protection from adversaries is self-explanatory.  Protection from an overreaching authority refers to governments taking liberties when they are not authorized.  Protection from employees refers to your workforce deliberately or unintentionally accessing information they ought not to have, ranging from salary information to protected intellectual property. And finally, protection from yourself refers to the accidental release of information. 

Considering all of these angles, and I’m sure there are others I have not articulated, is, of course, a tall order.  I would say that in the not so distant past, it might not have even been remotely possible.  But today it’s more possible, more actionable – and more affordable than it ever has been.  You just have to understand the 360 nature of data and privacy protection, and you have to have a strategy to address each individual element.  Some technologies and processes can cover more than one, but you have to realize that many of these protections and processes protect one angle but can ignore others.

Let’s take one tiny example: your cloud CRM provider. How do they protect your data from their employees? What about their privileged employees? Do they detect anomalies in data access and movement? How do they respond to government subpoenas? If subpoenaed, do they have the power to release your data, or do you have the only power to do so? How is your data physically secured? In what physical locations does it reside? What is their patching strategy for vulnerabilities? There are 100 questions like this, and while there’s no perfect answer to all of them, you will never know where you stand if you don’t know the questions to ask, and then ask them.

If you embrace 360 thinking and put everything in place, that’s good only until the ink dries on your plan.  You need to regularly review it because what you’re protecting yourself from, who your adversaries are, and what techniques they use are constantly changing.  Not only must you have a 360 mindset, but you also have to realize that the job is never done.  You have to continuously evaluate where you stand relative to this complex and moving environment.

In subsequent columns, I will explore in more detail how to put this framework into action, how to evaluate where you are, and where you need to go. And when I say this, it does not matter whether you are a small business or a large enterprise. The considerations are quite similar even though the tools and methodologies, and of course the costs, vary widely. Regardless, I hope that this 360 framework serves as a tool, a set of evaluation criteria, and, most importantly, a mindset representing not only what’s at stake but the actions we all need to take in the pursuit of data protection and the preservation of privacy.
