How to adopt a data-centric approach to data security ~
There is no doubt that data protection regulations, like the Protection of Personal Information Act , are driving investment in data security.Typically, investments have included beefing up firewalls and other barriers to external threats; locking down the ability to extract data via devices such as memory sticks; and ensuring encryption of databases and hard drives. However, while these broad measures are important, they do not provide the level of protection required.
Sometimes, particular data are private, and in other contexts, it is not. That means that, to comply with PoPIA, a data-centric approach to data security must be applied that takes the purpose for which data is being used, and who is accessing it, into account. So how do we adopt a data-centric approach to data security?In general, data privacy regulations such as PoPIA limit processing and access to data based on purpose. In short, data may only be accessed as required for a specific purpose.
The General Data Protection Regulation requirement for a process register can be a great place to start. By linking business processes to roles, systems, and data, we can identify which roles require access to which data sets, and even to which attributes or rows of data. Using a data stewardship platform that makes it easy to identify and trace these relationships can speed the process, and make it easier to track.
Data classification processes need to consider purpose too. Generic classifications, such as “PII” or “Restricted” have limited value as they do not provide sufficient context for purpose-based security. Classification systems need to be more precise – for example, identifying telephone numbers, email addresses, names, ID numbers and so on. This allows data access policies to combine roles with the data that are required to support specific tasks.This is not enough.
A single, centralised platform to manage data access policies on-premise and across various cloud platforms makes this easy, and protects against future changes in cloud-provider.