What Is Data Security Posture, and Why Does It Matter?
Companies have continued to accumulate enormous amounts of data over the past few years. According to some estimates, we have generated more data in the last two years than in all of human history before that. One of the victims of this massive data collection and processing is consumer privacy. Countries have started passing new privacy laws to protect data and to ensure privacy as a fundamental right of their citizens.
Data security is a prerequisite.
Privacy laws require organizations to take appropriate measures to protect consumer data. Additionally, breaches and privacy violations result in financial damage, cause irreparable harm to a company’s reputation, and lead to a loss of customer trust.
Storage was cheap before GDPR. However, with penalties, data has become risky and expensive to hold. The new privacy laws, breaches, and privacy awareness have forced many companies to rethink their data collection. As a result, companies have started to manage their data security posture actively.
Compliance processes alone can’t ensure protection.
Better compliance processes don’t mean better data protection. Meeting regulatory requirements is just the first step. As data moves inside the organization, a few managers and written policies can’t ensure that the data will be used correctly. Protecting data from actual privacy violations and breaches is a much harder problem, and one that requires investment in technology.
Why is data security a complex problem?
As data volume and complexity continue to grow inside an organization, delivering data privacy and security becomes a multifaceted problem. Here are the main reasons why.
- In most organizations, personal data is scattered across thousands of databases and millions of files. In many companies, personal data is stored in unexpected places.
- Moreover, personal data moves through many data processing activities spread across the organization. In many cases, personal data is shared with partners outside the organization, which makes data protection even more complex. Organizations don’t have a way to track or monitor these activities. DLP-like solutions are prone to false positives and have never yielded the desired visibility.
- Businesses underestimate the magnitude of their enterprise data and the complexity of their data environment. In our experience, we observe that organizations have 100 times more data than they think they do.
De-identifying or deleting all personal data is not practical and defeats the purpose of collecting the data in the first place. Without proper visibility and audits, data protection issues remain hidden until a major breach or privacy incident happens.
Data mapping is grossly inadequate.
When everything is a priority, nothing is a priority. Data mapping tools produce a laundry list of personal data. Not all personal data is risky or toxic, and a list of sources that contain personal data is not actionable. Data mapping and similar tools are inadequate because they analyze only the content of data, while most penalties are caused by how data is used and by a lack of proper controls. Data discovery tools and other traditional tools aren’t designed for data protection at today’s scale.
Context identifies data security risks.
Not all personal data is toxic or poses privacy risks, but data mapping tools can’t tell the difference between risky personal data and non-toxic personal data. For example, suppose you have two copies of a data file, A1 and A2. Since both data sets contain identical personal data, data mapping tools will flag both files as toxic. However, the two files might have very different risk profiles: if only one employee has access to file A1 while a thousand employees have access to data set A2, then A2 is much riskier than A1. Hence, to fully understand your risks, you must analyze context: metadata about the data, activities on the data, and the controls around it.
Understanding Data Security Posture and DSPM
To determine your data security posture, your security team needs reliable answers to the following questions.
- What personal data do we have? Who has access to it? Who is using the data?
- What data assets/sources pose the highest breach risk?
- What are the factors that are causing the highest breach risks?
Once you have a good understanding of the current state of your data, you can focus on the actionable risks that will have the greatest impact on your data security.
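The A1/A2 comparison above, and the three posture questions just listed, both come down to combining what a file contains with who can reach it and who actually uses it. The following is an added example, not code from this article or from Protecto; the asset model, the per-field weights, the log-scaled exposure factor and the external-sharing multiplier are all assumptions chosen to make that point concrete. It scores two assets with identical personal data but different access context, ranks assets by risk, and lists readers who hold access they never use.

```python
"""Context-aware risk scoring for data assets (added example, not the article's code).

A content-only scanner flags every asset that contains personal data. The
contextual score below starts from content but scales it by access breadth,
external sharing and observed activity, so identical files get different
scores when their context differs. All weights and sample data are constructed.
"""
import math
from dataclasses import dataclass

# Per-field sensitivity weights (assumed, illustrative only).
FIELD_WEIGHT = {"name": 1, "email": 1, "ssn": 5, "card_number": 5}


@dataclass(frozen=True)
class DataAsset:
    name: str
    fields: frozenset            # field names a content scanner found in the asset
    readers: frozenset           # principals entitled to read the asset
    access_log: tuple = ()       # (principal, action) events, e.g. ("alice", "read")
    shared_externally: bool = False


def content_flag(asset: DataAsset) -> bool:
    """What a content-only mapping tool reports: any sensitive field means 'flagged'."""
    return any(f in FIELD_WEIGHT for f in asset.fields)


def exposure_factor(asset: DataAsset) -> float:
    """Grows with the number of entitled readers on a log scale:
    1 reader -> 1.0, 10 readers -> 2.0, 1000 readers -> 4.0."""
    return 1.0 + math.log10(max(len(asset.readers), 1))


def dormant_readers(asset: DataAsset) -> frozenset:
    """Principals who can read the asset but never appear in its activity log.
    Each one is an actionable least-privilege finding ('who has access vs. who uses it')."""
    active = {principal for principal, _ in asset.access_log}
    return asset.readers - active


def risk_score(asset: DataAsset) -> float:
    """Content sets the base; access breadth and external sharing scale it."""
    if not content_flag(asset):
        return 0.0
    base = sum(FIELD_WEIGHT.get(f, 0) for f in asset.fields)
    score = base * exposure_factor(asset)
    if asset.shared_externally:
        score *= 1.5                # partner access widens the blast radius (assumed weight)
    return score


def rank_assets(assets) -> list:
    """Highest-risk assets first: the 'what do we fix first' list."""
    return sorted(((a.name, risk_score(a)) for a in assets),
                  key=lambda pair: pair[1], reverse=True)


# Constructed sample data: A1 and A2 hold identical personal data.
PII = frozenset({"name", "email", "ssn"})
A1 = DataAsset("A1", PII, frozenset({"alice"}), (("alice", "read"),))
A2 = DataAsset("A2", PII, frozenset(f"user{i:04d}" for i in range(1000)),
               (("user0007", "read"), ("user0042", "read"),
                ("user0042", "export"), ("user0999", "read")))
A3 = DataAsset("A3", PII, frozenset({"alice", "partner-svc"}),
               (("partner-svc", "read"),), shared_externally=True)
PUBLIC = DataAsset("catalog", frozenset({"sku", "price"}), frozenset({"everyone"}))

if __name__ == "__main__":
    # A content-only tool flags A1, A2 and A3 identically; the contextual
    # score separates them: A2 (1000 readers) outranks A3 (shared with a
    # partner), which outranks A1 (one reader).
    for name, score in rank_assets([A1, A2, A3, PUBLIC]):
        print(f"{name:8s} content_flag={content_flag(DataAsset(name, PII, frozenset())):<5} risk={score:6.2f}")
    print("dormant readers on A2:", len(dormant_readers(A2)))
```

The exact numbers are not the point; what matters is that the ranking comes from the combination of content, entitlements and observed use. In practice the readers set would come from the storage system's ACLs or IAM policies and the access log from audit logging, and the dormant-reader list is the part a security team can act on immediately by revoking grants that are never exercised.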
Today, most companies spend their resources inventorying data and securing the perimeter without proper investment in tools that examine their data security posture. Protecto (https://www.protecto.ai) is the first Data Security Posture Management (DSPM) solution that gives you control over your data security posture. We look deep into data and its context, such as who has access to the data and who uses it, to determine data security risks.