Organizations that do not have data management and governance policies are at increased risk of data corruption and data breaches.
Ascend Technologies’ Data Management team helps clients establish policies that help maintain data security. This ensures that data is not viewed by those who do not need it, and that data is available to those who need it, when they need it, all while minimizing the risk of data exposure or breach.
Data Access Policies
All too often, developers grant themselves full access to data sources, in the interest of expediency. This carries an increased risk, as more data is available, and permissions exist to modify or corrupt data. Regulators and auditors routinely raise a red flag when developers and database administrators have unrestricted and unmonitored privileged access to production data. This level of access can quickly cause audit control failures. In this age of data privacy concerns and numerous regulations across the globe, a firm standard policy for how access is granted, what is granted, and for how long, becomes more important than ever before. Technology solutions are available to assist with managing, monitoring, and auditing privileged access. In some cases, when security vulnerabilities are detected, organizations aren’t actually at risk from them, because their access policies do not allow them to be exploited. This can reduce the risk of emergency patches, while maintaining data privacy and security.
Many small-to-medium sized organizations (and some larger ones, too) have limited policies in place internally on their corporate networks. This allows systems to talk to each other easily, for collaboration and efficiency, but it raises the risk of data exposure from employees, either through social engineering or even by accident. Having firewall and network policies in place between end users, applications, and data sources goes a long way towards maintaining data integrity and data privacy.
Data Retention Policies
Data retention may be a catch-all term for several different governance requirements. In one respect, there are regulations and legal requirements to hold data for a certain amount of time, even though it is unlikely to be touched. It also may involve moving data into an aggregated format, into a data warehouse, for long-term trending. Moving data out of operational data stores and into data warehouses can increase performance and lower response times for transactional, operational activities. Keeping relevant data in a warehouse for historical trending can help drive business success by identifying trends and highlighting areas on which to focus to drive business decisions.
Data destruction is becoming nearly as important a part of a data retention policy. Several regulations, like Payment Card Industry – Data Security Standard (PCI-DSS), require a process for deleting cardholder data when it is no longer needed. Under the California Consumer Protection Act (CCPA), businesses subject to CCPA need to determine how they plan to document and manage the process for removing consumer data when requested.
Data encryption is one of those tasks that organizations know they should be doing, but they don’t want to think about, so it falls by the wayside. In reality, it’s an important protection method for maintaining data privacy, both at the organization level and at the customer level. Many organizations make connections between services using encryption, such as TLS or SSL, but frequently the back-end communication is not encrypted at all. While there are protections in place, both from access and firewall perspectives, there’s still a risk of data exposure that most organizations could avoid simply by turning on the feature.
It’s becoming more important to ensure that data backups are encrypted as well, both in flight and at rest. Data backups and archives are increasingly becoming targets for hackers and other malicious actors.
Accidents do happen! Most employees don’t intend to mismanage company data; it just happens, whether it’s accidentally forwarding an email that contains sensitive information or storing unencrypted data on a cloud file share without proper controls in place. Encrypting by default helps to protect the organization from those accidents.
Having policies around key / certificate management and enforcing encryption policies greatly reduces risk, increases compliance, and protects organizations and their customers from data exposure.
THE BOTTOM LINE
In this age of constant news articles about data exposure and breaches, it’s more important than ever that organizations take steps to protect themselves, their intellectual property (including their collected data), and their customers’ information. Ascend Technologies can help you protect your data, while using it productively, to make business decisions, improve efficiency, and drive productivity. Contact us today to get started.
By Andy Maser, Data Architect