Having secure data access has never been as critical to an enterprise as it is today. The rise of privacy regulations such as GDPR in Europe, LGPD in Brazil, CCPA and NYPA in the US, and more to come across the state, federal, and international level, has become a major driver of enterprise privacy initiatives to control the use of sensitive information, including customer sentiments, financial information, credit card spending patterns, and more, in which PII is only a small subset.
Digital Transformation Drives Demand for Data
Sensitive data can offer unique insights that lead to better business outcomes and is often leveraged as a competitive advantage in today’s highly competitive business environment. The challenge, however, lies with ensuring the right business units, functions, and people securely access the right data at the right time, while data proliferates across end-points, on-premises infrastructure, one or multiple cloud environments, and regions in different countries with varying data privacy mandates.
Best Practices to Ensure Privacy and Security of Data
In the latest Business Intelligence Journal by TDWI, our CEO and co-founder, Balaji Ganesan, discussed a holistic approach for securing your data that starts with the following steps:
- Determine where your data is located: Data is stored in multiple locations, on premises, in private or public clouds, or both. Knowing where sensitive data lies in each system is critical. This is the data to which privacy and compliance regulations apply.
- Verify characteristics of your data and the systems it “lives” in: Understand the characteristics of sensitive data to determine what data security options are available. Different data types and characteristics must comply with the same overall governance requirements of an enterprise. Additionally, characteristics of a specific cloud provider can impact available options and can impact the cost of data storage and data analytics workloads.
- Understand the life cycle and use cases for your data: Where data is created, moved and utilized determines how you transform it before moving it between systems — all of which is impacted by the geographical regulations themselves. How your data will be used by end-users — typically data scientists and business analysts — determines what options you have for data security.
As a result, the culmination of the complexity derived from different data types, environments, use cases, and geographies can easily create an exponential increase in manual processes and an unsustainable workload on IT security and data infrastructure teams.
Putting Best Practices to The Test With Your Access Control Solution
The tech industry, and many industry participants, have quickly come to the realization that the solution is a comprehensive product consisting of automated data discovery, unified and granular access controls, and data masking and encryption across heterogeneous environments. There exist access control and data privacy solutions that are repurposed, retrofitted, or backward-engineered to equip those features, but fail to factor in the single most important, practical consideration for modern businesses and their IT organizations – whether the solution can support the complete volume and variety of data today and tomorrow without impacting performance and TCO.
There is no dispute that data volumes are increasing exponentially. No enterprise is planning its data architecture for a flat or linear increase in volume. This means data, and in parallel, sensitive data, must be protected and data privacy and security programs must encompass petabytes of data. According to Ganesan, “A data privacy and security solution built from the ground up will be best suited to the task. Just like a car built for the Indy 500 and a Smartcar built for efficient commuting have very different capabilities and limitations, systems repurposed to support data access control will inherently have flaws that will limit performance, functionality, and overall TCO.”
The Pitfalls of Repurposed Solutions
For instance, data virtualization products repurposed for data access control impede query performance at scale. This is because it involves a proxy server that intercepts requests and requires additional authorization. Imagine the impact on multiple queries across petabytes of data. The fact that the solution was not purpose-built for the problem at hand ends up manifesting into a host of symptomatic problems that impede the speed and practicality of a data privacy and security solution.
In other instances, it may be possible to implement a privacy solution at scale by changing the architecture to maintain performance. This provides both the scalability and the performance requirement but adversely affects the economics of the data scientists’ analytics workloads. This is especially prevalent or relevant in cloud environments with use-based charges. As mentioned, when the scope is petabytes of data, impaired cost and performance quickly creates sticker shock.
No enterprise data or IT security team wants more work to do. Re-evaluating or replacing a solution throughout your company is an enormous and unfruitful endeavor. In part 2 of the blog series, we will explore another practical spectrum that enterprises should validate before choosing and deploying an access control and privacy solution companywide.