Modern tokenisation and protecting data in the cloud

Trevor Morgan, product manager at comforte AG

In the past, securing sensitive data involved placing the information in a virtual vault and only unlocking it (de-protecting it) when the data needed to be used. This may be practical if the data has no ongoing operational value, but if the data is required for existing business operations, being able to use sensitive data in a secure and protected manner is absolutely necessary. Otherwise, what use is there in having that data in the first place? At present, many organisations conduct data analysis in the clear and sacrifice security in the process: when the organisation wants to use the data, it is taken out of its protected state and processed in an exposed and vulnerable manner.

Take, for example, cloud applications. These environments and services are easy to adopt and use, and they ingest troves of data, especially customer-facing cloud applications. The headlines that surround cloud services show that the more businesses migrate to the cloud, the more data is processed and stored in cloud environments. In fact, reports predict that global public cloud infrastructure will grow by 35% in 2021. However, as dependence on and comfort with cloud technology rise, an unfortunate trend emerges. Misconfigurations and other security lapses involving the cloud are dominating news cycles, putting a harsh spotlight on serious and reputation-damaging data leaks. Organisations seem to have the mindset that once data is uploaded to the cloud it can be forgotten, and that the ‘basic’ security implemented by cloud providers is sufficient to stop advanced cybercriminals. This, of course, is patently false and, if a breach does occur, responsibility and the penalties for regulatory non-compliance will fall upon the data caretaker. The cloud service provider is not responsible; the business using and storing its data in the cloud is.

A different security method is needed

For organisations that feel lost or overwhelmed by rapid technology shifts, it’s best to acknowledge that protecting data is the most important requirement and that to achieve this a data-centric mindset is needed. A data-centric security method does not secure the wider infrastructure or the boundaries around the data (like firewalls and other perimeter-based security mechanisms), but instead protects the data itself. That way, if a hacker navigates his or her way into the system, the data will still remain safe even in the wrong hands.

Furthermore, one data-centric approach gives organisations that regularly collect and process valuable data the opportunity to replace sensitive information with ‘tokens’, rendering the dataset unusable if an unauthorised individual accesses it. An example is financial data such as consumer credit card information stored in the cloud. To protect customer card details, the organisation could isolate and replace portions of the data with tokens. This tokenisation tactic protects the real data value while still allowing the organisation to conduct any necessary analytics. The best part is knowing that, with data in this protected state, the business is meeting GDPR and PCI DSS regulatory compliance requirements. This is the ideal situation for the modern enterprise – being able to simultaneously conduct operational analysis across sensitive data while keeping the information itself protected.
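To make the card example above concrete, here is an added illustration (not comforte's product or code): a toy vault-based tokeniser that keeps the first six and last four digits of a card number and replaces the middle with random digits, so analytics can run on tokens alone. The class and function names, the choice of which digits to keep, and the sample data are assumptions of this example.

```python
import secrets
from collections import Counter

def luhn_valid(number):
    """Standard card-number checksum; tokens below are made to fail it."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

class TokenVault:
    """In-memory stand-in for a hardened token vault (hypothetical)."""
    def __init__(self):
        self._by_pan = {}     # card number -> token; a real vault encrypts this
        self._by_token = {}   # token -> card number

    def tokenise(self, pan):
        digits = pan.replace(" ", "").replace("-", "")
        if not (digits.isascii() and digits.isdigit() and 13 <= len(digits) <= 19):
            raise ValueError("not a card number")
        if digits in self._by_pan:            # same card -> same token
            return self._by_pan[digits]
        while True:
            middle = "".join(secrets.choice("0123456789")
                             for _ in range(len(digits) - 10))
            token = digits[:6] + middle + digits[-4:]
            # Reject tokens that could pass as a real card or are in use.
            if (token != digits and not luhn_valid(token)
                    and token not in self._by_token):
                break
        self._by_pan[digits] = token
        self._by_token[token] = digits
        return token

    def detokenise(self, token, authorised=False):
        if not authorised:
            raise PermissionError("caller may not see clear card data")
        return self._by_token[token]

def spend_per_card(transactions):
    """Analytics that only ever sees tokens: total amount per card."""
    totals = Counter()
    for card, amount in transactions:
        totals[card] += amount
    return dict(totals)

# Constructed sample data: well-known test card numbers, amounts in pence.
vault = TokenVault()
raw = [("4111 1111 1111 1111", 2500), ("5555 5555 5555 4444", 999),
       ("4111-1111-1111-1111", 1000)]
tokenised = [(vault.tokenise(pan), amount) for pan, amount in raw]
print(spend_per_card(tokenised))
```

Because the same card always maps to the same token, the per-card totals come out right without the analytics code ever touching a real card number; only a caller passing the vault's authorisation check can reverse a token.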


Achieving this idyllic sweet spot requires organisations to leverage modern tokenisation security. The benefits are quickly realised when using this data-centric security method. Notably, tokenisation can protect data in its earliest stage (when it is created or first collected) and then continue to protect that data throughout the entire lifecycle, until its ultimate destruction. Next, tokenisation permits data to travel securely, meaning data can be transferred to third parties with confidence, knowing that the risk of exploitation is significantly reduced in all cloud environments.

While tokenisation is gaining wide acceptance, it is by no means a new approach to data security. It has been a popular choice for many security professionals for years, largely because of its promise of regulatory compliance with several key data privacy and security frameworks. With trust being a major factor for consumers in how their data is used and protected, organisations must take data security and privacy very seriously as a means of attracting and retaining customers. Thankfully, tokenisation provides this, and it can also be found in everyday transactions at the consumer level. For instance, if an individual pays for a product or service with a mobile device or watch, tokenisation technology often ensures that the associated payment information is being protected during the transaction. The consumer may not consciously know it, but tokenisation is a part of the payment process in many point-of-sale transactions.


In the past, legacy data security solutions were limited and quite rigid in what they could protect. By contrast, modern tokenisation can extend its security to almost any data type, which means its applicability is quite wide. From credit card numbers, driver licenses, addresses and dates of birth to medical history, pretty much anything can be tokenised, and given the sensitive nature of these types of information, keeping them safeguarded and unidentifiable to hackers is paramount. Adhering to data privacy laws and industry regulations such as GDPR, CCPA, PCI DSS, and HIPAA is understandably a key driving force for many organisations, and while tokenisation supports these existing regulations, it also provides a stable foundation for any other regulatory frameworks that may (and will) sprout up in the future.

As cyberattacks become more common, businesses now experience an inherent demand to secure sensitive data in order to meet the privacy needs of their consumers, many of whom are interacting with those businesses via cloud applications and services. Therefore, changing to a data-centric approach can guarantee both confidentiality and security from the outset, even with cloud-based data environments.

www.comforte.com
