Data security is a risk-reward exercise: you cannot protect everything, and encryption carries performance and cost considerations that call for judicious use. The goal is a reasonable degree of data-centric security matched to the level of risk that stakeholders have decided is acceptable.
The first question to ask is whether you know where your sensitive data is. That is a simple question without a simple answer.
Discovery should be ongoing
Every organization's data is constantly changing, so data discovery should be an ongoing process, not a one-time event. You need an automated data discovery solution that identifies, classifies and tags your data so you can take actions to strengthen your data security posture.
Discovery should not be a standalone tool, either. Its findings reduce risk only when they feed protection, so look for a discovery solution that integrates with tokenization and encryption tools, API frameworks, and your other security controls.
The next question to ask is what is worth protecting.
That is a risk-management question: you want a data protection strategy that lets business activities proceed with as little friction as possible while still prudently protecting sensitive information.
Integrate discovery with protection
Seamless data protection is one of Voltage's strengths, and even if you use another solution for data discovery, Voltage can pick up from there and layer in the data security you need.
Voltage combines data discovery, protection, monitoring, and governance into an integrated data security platform that gives you the ability to understand, manage, and protect your enterprise data across multi-cloud, hybrid environments.
Voltage Fusion scans any repository, on premises or in the cloud, to give you a complete and continuously updated picture of your enterprise data. Voltage SecureData then protects any type of data, such as personally identifiable information, personal health information, financial data, or intellectual property.
The key difference with Voltage is how it simplifies this process of taking actions on your data once discovery is complete so you can proactively reduce risk.
Keep in mind that data risk has financial implications. In the prior article we discussed why data minimization and archiving reduce risk. Beyond that, when you de-identify data sets persistently, it is often possible to take the systems that now hold only de-identified data out of the scope of an audit; systems that store tokens in place of card numbers and so fall outside PCI DSS scope are the familiar example.
Integrating discovery with protection takes risk out of the system, and the protection Voltage applies is persistent: it travels with the data as it moves through your environment rather than depending on the security of whichever store the data happens to sit in.
Optimize protection and performance
Every data security project has different security and performance requirements, so you want a data security platform that gives you the most flexibility in how you anonymize, redact, and protect your confidential information. These are some of the more frequently used methods:
- File-level encryption is used for unstructured data, such as emails, messages and their metadata, which do not follow a consistent schema the way table columns do; the unit of protection is therefore the file rather than the field.
- Tokenization replaces the value with a surrogate token. In vault-based schemes the token-to-value mapping is held in a secured database, so a transaction can be processed on the token alone (a card purchase, for example) without the original account number ever reaching the systems that handle it, and only a call to the vault recovers the real value.
- Format-preserving encryption (FPE) is used for data that fits a consistent pattern, such as a social security number. Because the ciphertext keeps the length and character set of the plaintext, it still fits existing column definitions and validation rules and retains its reference value for data processes, applications, and analytics platforms such as Snowflake or Databricks, yet it is useless to an attacker who obtains it without the key. Note that to preserve joins and lookups the encryption is deterministic, so equal plaintexts produce equal ciphertexts; that is the trade-off that buys reference integrity.
- Format-preserving hash (FPH) provides non-reversible de-identification with the same format and reference integrity you get from FPE. Because it is a one-way transformation with no decryption path, it is the method to choose when no downstream process needs the original value, and it is the basis for treating the result as anonymized rather than merely pseudonymized under the GDPR, so you can still use the data in applications and analytics. One caveat for small value spaces such as nine-digit identifiers: the transformation is one-way only while its key stays secret, because anyone holding the key can enumerate the whole space and read values back.
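As an added example, not Voltage's code or algorithm, the following Python contrasts the two field-level approaches above over all-digit identifiers: reversible vault-based tokenization with a random same-format token, and a keyed format-preserving hash built here from HMAC-SHA256 reduced modulo 10^n (an illustrative construction, not the FPH algorithm Voltage ships). The identifiers, names and key are constructed for the example. It also shows why reference integrity survives (a join on the protected column still matches) and, on a four-digit domain so it runs in a moment, the caveat that a one-way function over a small value space is one-way only while its key stays secret.

```python
"""Added example (not Voltage's code): vault-based tokenization versus a keyed
format-preserving hash (FPH) over all-digit identifiers such as SSNs.
The identifiers, names and key below are constructed for the example."""
import hashlib
import hmac
import re
import secrets

_DIGITS = re.compile(r"[0-9]+")


def _check_digits(value: str) -> None:
    """Both schemes assume an all-digit string; reject anything else up front."""
    if not _DIGITS.fullmatch(value):
        raise ValueError("expected an all-digit string, got %r" % value)


class TokenVault:
    """Vault-based tokenization. The token is random, has the same length and
    character class as the value, and is linked to it only by the mapping the
    vault holds, so recovering a value means querying the vault (which is
    therefore the system that must be locked down and audited)."""

    def __init__(self):
        self._token_of = {}   # value -> token
        self._value_of = {}   # token -> value

    def tokenize(self, value: str) -> str:
        _check_digits(value)
        if value in self._token_of:
            # Same value, same token: equality and joins keep working downstream.
            return self._token_of[value]
        while True:
            token = "".join(str(secrets.randbelow(10)) for _ in value)
            # Reject a collision with an already issued token or with the value itself.
            if token != value and token not in self._value_of:
                break
        self._token_of[value] = token
        self._value_of[token] = value
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can reverse a token; unknown tokens raise KeyError."""
        return self._value_of[token]


def fph(value: str, key: bytes) -> str:
    """Keyed format-preserving hash: HMAC-SHA256 of the value, reduced modulo
    10**len(value) and zero-padded, so the output is again an all-digit string
    of the same length. Deterministic, so joins work; one-way, so there is no
    detokenize; stateless, so there is no vault. The bias from the modular
    reduction is on the order of 10**9 / 2**256 and can be ignored.
    Illustrative construction, not the FPH algorithm Voltage ships."""
    _check_digits(value)
    mac = hmac.new(key, value.encode("ascii"), hashlib.sha256).digest()
    width = len(value)
    return str(int.from_bytes(mac, "big") % (10 ** width)).zfill(width)


def join_on_protected_ssn(customers, balances, key: bytes):
    """Reference integrity: protect the join column on both sides with the same
    key and the rows still line up, while neither side holds a real SSN.
    Returns one (protected_ssn, name, balance_or_None) tuple per customer."""
    balance_of = {fph(ssn, key): amount for ssn, amount in balances}
    return [(fph(ssn, key), name, balance_of.get(fph(ssn, key)))
            for ssn, name in customers]


def recover_by_brute_force(target: str, key: bytes):
    """The caveat: a one-way function over a small domain is only as secret as
    its key. Anyone holding the key can enumerate every candidate (10**9 for an
    SSN, 10**4 for the four-digit demo) and read the original back off the
    protected value; an unkeyed hash of such a field hands an attacker exactly
    this power. Returns every preimage found, since a small domain can collide."""
    width = len(target)
    return [str(n).zfill(width) for n in range(10 ** width)
            if fph(str(n).zfill(width), key) == target]


if __name__ == "__main__":
    key = secrets.token_bytes(32)                       # constructed for the example
    customers = [("123456789", "A. Example"), ("987654321", "B. Example")]
    balances = [("123456789", 250)]
    vault = TokenVault()
    for ssn, name in customers:
        print(name, "token:", vault.tokenize(ssn), "fph:", fph(ssn, key))
    print(join_on_protected_ssn(customers, balances, key))
    print("4-digit brute force:", recover_by_brute_force(fph("4821", key), key))
```

The vault and the hash trade off differently: the vault is reversible and therefore becomes the crown jewel, while the keyed hash needs no store at all but must never be deployed unkeyed or with a key that the analytics side can reach, or the brute-force function above becomes the attacker's detokenize.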
With any of these, think about how the data is processed, which upstream and downstream applications interact with it, and whether those systems need the original values or can work on protected ones.
Format-preserved protection of elements such as credit card numbers, social security numbers, and account numbers leaves cross-application dataflows intact: the protected value passes the same length and type checks as the original, so applications that merely carry, store or match on the value need no changes, and only the points that genuinely need the cleartext have to be wired to decrypt. You take risk out of the system without a re-engineering project.
And because the data is in a protected, de-identified state, the business may be more comfortable expanding access to it across a broader set of analysts without compromising security or privacy. That in turn can uncover more ways to put your data to work.
Remember that Voltage is cloud-agnostic, so you don't have to worry about whether or not the protection is platform-specific. The protection travels with the data on-premises or in the cloud, wherever it goes.
Stateless key management means there is no key database to replicate, back up or manage: keys are derived on demand from a protected master secret, so the same key is produced every time it is legitimately requested, with access governed by centralized policies. The master secret and the policy store still need protecting, but that is a far smaller footprint than a vault of per-record keys.
Voltage reduces the impact of a data breach by making protected data worthless to an attacker who obtains it without the keys, whether it is taken from production, analytic systems, or test environments.