Covid-19 and Beyond: Is Your Data Security Strategy Based on Fact—Or Myth?
We’ve all heard our share of urban myths. Most—like “coffee can stunt your growth”—have little basis in fact. While the coffee myth is an example of one that’s common but harmless, other myths can be dangerously wrong. The saying, “lightning never strikes the same place twice” might actually be hazardous to someone trying to seek shelter from a storm, since science tells us otherwise.
The urban myths of the enterprise data world have a similar dynamic. For example, only 31 percent of organizations believe they bear sole responsibility for securing their data in the cloud, whereas in reality the company—not the cloud provider—is responsible for the costly fallout.
As the majority of firms shift to remote working to help slow the spread of Covid-19, it brings new challenges: keeping sensitive information secure from theft and vulnerability while working in your home environment. Some experts are even saying the volume of security threats during this global health crisis is the largest collection of attacks exploiting a single event.
Luckily, there’s a solution for mitigating risk and protecting confidential company and customer data, whether you’re working remote or in the office. Here are the three most common enterprise data security myths—and what you actually need to know to handle sensitive data with confidence.
Myth #1: “Encryption is the end game.”
“Encrypt everything” is Silicon Valley’s mantra for securing sensitive networks and data. While the intention is good, encryption is not actually working for most companies today. While most people understand that encryption puts a secure perimeter around things that are sensitive, they miss the fact that you also need safeguards to protect the data inside.
As a result, while encryption is effective in some scenarios, it’s not the best solution, especially when it comes to insider threats. From someone carelessly clicking on a dodgy email to security teams setting up cloud servers with lax permissions, insider threats pose a huge challenge to organizations that encryption alone cannot solve. That’s because privileged users (i.e., those who work at the company) hold the keys to decrypt data. So, insiders working with encrypted data in non-production environments for development, testing, reporting, and analytics can still access sensitive information about customers, IP, employees, or sensitive transactions they probably shouldn’t see — and might accidentally let malicious actors inside the perimeter.
Truth: Data masking is a foolproof solution.
Rather than setting up that perimeter, companies need a solution that puts “guard rails” on all data interactions. Data masking is a key tool for ensuring that those handling data see only what they need, and only when they need it. This not only keeps internal activities secure, but also protects data in instances when it needs to be accessed by individuals outside your organization’s walls—including outsourced development and testing, offshore analytics, and auditing purposes.
Data masking, often referred to as de-identification or obfuscation, is a method of protecting sensitive data by irreversibly replacing the original value with a fictitious but realistic equivalent. With masking, software teams can use masked copies of data to build and test their applications without putting customer data at risk. With Delphix’s masking solution, teams can define a policy that controls data access and integrate into their data governance workflows. From the start, internal teams only have access to masked versions of data, operate in regulation-compliant environments, and cannot track real data back to its original source.
Myth #2: “Locking down your production is enough.”
A production ticket has the highest priority in any company. Why? Because everyone knows the business depends on it, and there are sacred rituals for touching production data.
But for every copy of production data, the typical enterprise has at least 10 copies of analytics, reporting, development and backups sitting in lower environments—which means the volume of sensitive data is way higher in non-prod. Non-prod can still be very important, but it’s often less scrutinized from a security perspective.
Truth: Secure all software environments, not just production.
Security-minded organizations pay attention to non-production data, because they know 1) most sensitive data is not actually in production systems, and 2) malicious actors often attack the lowest hanging fruit where data resides. If non-production environments are not secured, a sophisticated attacker knows a simple phishing attempt might be all it takes to access sensitive data living in these systems.
Taking an automated approach to masking data, like partnering with Delphix, allows software teams to automatically identify where sensitive data resides and apply algorithms designed to be irreversible, so the original data cannot be retrieved from the masked dataset. Secure lookup algorithms mask data consistently but irreversibly, which also stops attackers from “mapping” masked data and using a process of elimination to infer more information about it.
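To make the “consistent but irreversible” property concrete, here is an added illustration (not Delphix’s own code) of a secure-lookup style masking routine: a keyed hash of the original value selects an entry from a list of fictitious surnames. The lookup list, the key, and the sample tables are constructed for the example.

```python
import hashlib
import hmac
from typing import Iterable

# Constructed lookup list of fictitious but realistic replacement surnames. Assumption:
# a real masking job would load a much larger curated list from a file.
SURNAME_LOOKUP = ["Alvarez", "Brennan", "Chen", "Dubois",
                  "Eriksen", "Fontaine", "Garcia", "Haddad"]


def secure_lookup(value: str, key: bytes, lookup: list) -> str:
    """Replace `value` with one entry of `lookup` chosen by a keyed hash (HMAC-SHA256).

    Consistent: the same input under the same key always lands on the same entry, so a
    customer masked in the orders table still joins to that customer in the billing table.
    Irreversible: the original bytes never reach the output, and many inputs collapse onto
    each entry, so no inverse exists even for someone holding the key.
    """
    if value is None or value == "":
        return value                       # assumption: nulls/empties stay as they are
    normalized = value.strip().casefold().encode("utf-8")
    digest = hmac.new(key, normalized, hashlib.sha256).digest()
    index = int.from_bytes(digest[:8], "big") % len(lookup)
    return lookup[index]


def mask_column(rows: Iterable[dict], column: str, key: bytes, lookup: list) -> list:
    """Return copies of `rows` with `column` masked; other columns are left untouched."""
    return [{**row, column: secure_lookup(row[column], key, lookup)} for row in rows]


def preimage_counts(candidates: Iterable[str], key: bytes, lookup: list) -> dict:
    """Count how many distinct originals map to each masked value.

    Shows the many-to-one property: a masked surname does not single out one real
    customer, which is what defeats "mapping" or process-of-elimination attempts.
    """
    counts = {entry: 0 for entry in lookup}
    for original in set(candidates):
        counts[secure_lookup(original, key, lookup)] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample data. The key must live only in the masking job, never in non-prod.
    key = b"masking-key-kept-out-of-nonprod"
    customers = [{"id": 1, "surname": "Smith"}, {"id": 2, "surname": "Okafor"}]
    orders = [{"order": 900, "surname": "smith "}, {"order": 901, "surname": "Okafor"}]
    print(mask_column(customers, "surname", key, SURNAME_LOOKUP))
    print(mask_column(orders, "surname", key, SURNAME_LOOKUP))
```

Because the two tables are masked under the same key, a join on the masked surname still matches the same rows as a join on the real one, while the masked copies never contain the real names.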
In addition, a policy-driven masking program can speed up internal adoption. Policies can be programmed based on regulations — such as GDPR, CCPA or HIPAA — and indicate what is sensitive and how that data should be protected, regardless of source type or data residency. So rather than locking down data to protect it from unauthorized access, Delphix’s policy-driven approach to data obfuscation mitigates risk, while also distributing that data quickly to software teams who need it.
Myth #3: “Cheaper, faster, better — choose two.”
Data serves as the raw fuel powering software teams to develop and test new apps for customers. It can also drive both business insights and forecasts to help improve decision-making and gain an edge on competitors. Most businesses today need fast, repeatable ways to get high-quality data from “point A” to “point B.” Security is also necessary, but often an overhead that slows things down, hence the old mantra popularized by Facebook: “Move fast and break things.”
Truth: You can have your cake and eat it, too.
You can move fast and be responsible. Security today is paramount—but while the common thought is that increasing software agility and quality is at odds with decreasing costs and security risks, it doesn’t have to be.
Instead of simply locking down access to data, which hampers the capacity to innovate, a better solution is to map out and understand the flow of critical enterprise data.
Using a data platform that has a seamless integration of masking and virtualization lets teams deliver masked data in minutes. Automated, policy-driven data masking techniques can instantly change businesses’ risk profile and allow the business to continuously deliver de-identified data to software teams who can use it to drive better insights to reduce costs, improve operational efficiency and delight customers.
Delphix is the only data operations platform that combines data compliance with on-demand data delivery, creating a “win-win-win” situation.
In a world where every company is a data company, innovation, security, and operational excellence must go hand-in-hand-in-hand, especially during the Covid-19 disruption. This approach is a reliable way to mitigate and control data risk while unlocking innovation, maintaining compliance, and preserving customer trust.