Traditional data protection has meant securing data behind the corporate perimeter, locking down IT systems and endpoints with firewalls and data loss prevention (DLP) tooling. There is now growing recognition that this model is not working. Faced with cloud services, shadow IT, BYOD, ever more collaboration with third parties, and "last mile" endpoints such as USB devices, no matter how well you secure data behind the perimeter, some of it will eventually leak.
In their DLP magic quadrant analysis, Gartner said “At present, even with extensive DLP coverage across endpoints, networks and data repositories, there are still gaps and data flows where data can leak. The better answer is a data security strategy focused on securing the data itself, as opposed to trying to secure every system that comes in contact with sensitive data.”
What Gartner is describing is a revival of Digital Rights Management (DRM) technology, often called Information Rights Management (IRM) in the enterprise. The encryption travels with the company's valuable data assets themselves, its sensitive files and e-mails: the content is encrypted, and the key is released only to users that the policy attached to the file authorizes, so even a copy that leaks beyond the perimeter is still protected.
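The following is an added illustration of that model, not code from Azure Information Protection or from the original article. The shape is the one enterprise DRM/IRM products share: each document is encrypted under its own content key, that key is wrapped for a rights-management service which holds the master secret, and the service releases the content key only after checking the policy bound to the document. The `RightsService`, `protect`, `open_document` and `add_reader` names are hypothetical, and the cipher is an HMAC-SHA256 counter-mode keystream with an HMAC tag so the example runs on the Python standard library alone; a real product uses AES-GCM or an equivalent authenticated cipher.

```python
import hashlib
import hmac
import json
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for a real stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def _open(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


class RightsService:
    """Hypothetical stand-in for the rights-management service. It holds the master
    key, never releases it, and hands out a document's content key only after
    checking the policy that was bound to that document when it was protected."""

    def __init__(self) -> None:
        self._master = os.urandom(32)
        self._revoked = set()

    def _wrap_key(self, policy_json: bytes) -> bytes:
        # Deriving the wrapping key from the policy binds policy to key: editing
        # the policy inside a leaked file changes the key, and the unwrap fails.
        return hmac.new(self._master, policy_json, hashlib.sha256).digest()

    def wrap(self, content_key: bytes, policy_json: bytes) -> bytes:
        return _seal(self._wrap_key(policy_json), content_key)

    def request_key(self, doc: dict, principal: str) -> bytes:
        """The request a client makes at open time. Policy is enforced here,
        not on the endpoint that holds the file."""
        if doc["id"] in self._revoked:
            raise PermissionError("document has been revoked")
        policy_json = doc["policy"].encode()
        if principal not in json.loads(policy_json).get("readers", []):
            raise PermissionError(f"{principal} is not an authorized reader")
        try:
            return _open(self._wrap_key(policy_json), bytes.fromhex(doc["wrapped_key"]))
        except ValueError:
            raise PermissionError("policy does not match the one the key was wrapped under") from None

    def revoke(self, doc_id: str) -> None:
        self._revoked.add(doc_id)


def protect(service: RightsService, plaintext: bytes, policy: dict) -> dict:
    """Client side: fresh per-document key, body encrypted under it, and only the
    service-wrapped key stored alongside. The file carries no usable key material."""
    content_key = os.urandom(32)
    policy_json = json.dumps(policy, sort_keys=True).encode()
    return {
        "id": os.urandom(8).hex(),
        "policy": policy_json.decode(),
        "wrapped_key": service.wrap(content_key, policy_json).hex(),
        "body": _seal(content_key, plaintext).hex(),
    }


def open_document(service: RightsService, doc: dict, principal: str) -> bytes:
    return _open(service.request_key(doc, principal), bytes.fromhex(doc["body"]))


def add_reader(doc: dict, principal: str) -> dict:
    """What someone holding a leaked copy might try: grant themselves access by
    editing the embedded policy. Returns the tampered copy."""
    policy = json.loads(doc["policy"])
    policy["readers"] = policy.get("readers", []) + [principal]
    return {**doc, "policy": json.dumps(policy, sort_keys=True)}


def _denied(fn) -> bool:
    try:
        fn()
    except PermissionError:
        return True
    return False


def demo() -> dict:
    """Walk a constructed document through the outcomes a leaked copy should have."""
    service = RightsService()
    secret = b"Q3 forecast: confidential"  # constructed sample content
    doc = protect(service, secret, {"readers": ["alice@example.com"]})
    leaked = dict(doc)  # the copy that escaped the perimeter
    result = {
        "authorized": open_document(service, leaked, "alice@example.com") == secret,
        "unauthorized": _denied(lambda: open_document(service, leaked, "mallory@example.com")),
        "tampered": _denied(lambda: open_document(
            service, add_reader(leaked, "mallory@example.com"), "mallory@example.com")),
    }
    service.revoke(doc["id"])
    result["revoked_after_leak"] = _denied(lambda: open_document(service, leaked, "alice@example.com"))
    return result


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to real deployments: the policy check happens at the service on every open, which is what makes revocation after a leak possible, and the policy must be cryptographically bound to the wrapped key, otherwise a recipient of the leaked file simply edits the access list. The flip side, which the page's later discussion of implementation obstacles alludes to, is that the service becomes a hard dependency for reading your own data, and an authorized reader can still screenshot or retype what they are allowed to see.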
Much like AI and blockchain, Digital Rights Management is an extremely attractive concept that has long struggled with implementation. It is now starting to overcome those obstacles and go mainstream, most notably as Microsoft Azure Information Protection (AIP). Here's a look at what to expect.
Last year I was fortunate to attend several all-day Chief Information Security Officer (CISO) roundtables on data protection with some of the top CISOs from the Fortune 500 and beyond. Imagine being the CISO of a huge company like Honeywell, with over 100,000 employees made up of hundreds of loosely coupled acquisitions worldwide, or of Thales, a $17B organization and itself an industry leader in security. Imagine being the CISO of one of the major international banks like JP Morgan. As the CISO, what would be most on your mind? What would be keeping you up at night? Here are the 5 recurring themes I heard.
There’s a lot of excitement in the security world today around artificial intelligence (AI) and, more specifically, machine learning (ML). CSO Online lists their top 5 use cases for machine learning in security which include detecting malicious activity in the network, automating repetitive tasks, and analyzing large volumes of data for threat intelligence. But another immediate application of machine learning will be in data protection and the prevention of data leaks.
The General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) raised the bar for data protection higher than ever before, across all industries. The GDPR applies to any company, wherever it is based, that processes the personal data of people in the EU. Article 32, on security of processing, names encryption as an appropriate technical measure for protecting personal data. Encryption is increasingly treated as the "get out of jail free card", though that overstates it: under Article 34 a breach of data that was encrypted (with the key not compromised) does not have to be communicated to the affected individuals, and it may fall below the risk threshold that triggers notification to the supervisory authority under Article 33, but it is not a blanket exemption from reporting. The CCPA points the same way: its private right of action for breaches covers nonencrypted and nonredacted personal information. Either way, companies have a powerful incentive to re-think their company-wide encryption strategy.
Here in Canada, a small online payment processor, Koho Financial, was breached. They are a startup of only 107 employees, yet they process billions of dollars in payments a year, and the breach cost them millions. FinTech has not had many major public data breaches in recent years compared to most other industries. Perhaps they are more diligent in their security practices, or maybe they're just better at keeping it under wraps?
When an incident does occur, though, even at a small company, so much money flows through it that the impact can be spectacular.