Protecting Sensitive Data is Number One Security Priority

Monday, December 19, 2011 | Enterprise Management Associates

With an explosion of data breaches in recent years, the protection of sensitive information has become a top priority for security organisations worldwide. According to the Privacy Rights Clearinghouse, more than 535 million records have been breached in 2,651 incidents made public since 2005.[1] Attackers have targeted virtually the entire gamut of sensitive content, from personal financial account data to intellectual property and high-value information of concern to the most senior levels of government.

Regulators have responded with a profusion of both industry and legislative mandates to protect sensitive information. Data privacy laws have sprung up worldwide at both the national and local levels. Regulators have targeted industries where personal data is central, with laws such as HIPAA in healthcare and the Gramm-Leach-Bliley Act (GLBA) in financial services. Lawmakers are not alone in imposing mandates for data security. Industry bodies have produced some of the most prescriptive IT requirements for those who participate in their field, such as the Payment Card Industry Data Security Standard (PCI DSS), which applies to anyone who handles payment card data for the participating card brands worldwide.

Data encryption has long played a leading role in addressing data security risks. Encryption applies protection directly to sensitive data. This protection travels with the data no matter where it may be found, regardless of whether data is copied, moved, or remains at rest. It enables privacy control through the management of encryption and decryption keys (the unique factors used to encrypt and decrypt data through the application of an encryption algorithm), giving organisations and individuals direct control over sensitive information by obscuring the data itself.

For these reasons, encryption figures prominently in a number of regulatory requirements, such as Requirements 3.4 through 3.6 of the PCI DSS. Changes made to the HIPAA Security Rule with passage of the HITECH Act require healthcare organisations to issue notifications in the event of a security breach unless electronic protected health information (ePHI) is stored and transmitted in encrypted form. California’s data privacy law and others make similar provisions for encrypted data, to name just a few of the many regulatory issues addressed through the application of encryption.

Nowhere has the need for data security been emphasised as much by IT professionals as among those weighing the advantages of Cloud computing. In a recent EMA survey of over 150 IT professionals whose organisations had adopted or were considering Cloud alternatives to on-premises IT, the use of data security and privacy controls was by far the most important aspect of Service Level Agreements (SLAs) with Cloud providers, identified as a priority by 14% more respondents than any other requirement. Here too, regulatory requirements such as those described above remain just as much a factor as they are on-premises, but with the limitation that, without suitable tools, enterprises may be less certain of their ability to control sensitive information subject to compliance.
