2018 might well prove to be the year when the world took decisive steps to protect personal data of individuals. With the GDPR (General Data Protection Regulation) expected to go active by May 2018 in most of EU, and countries like India planning to introduce more stringent Data Protection laws by then, protection is arriving in a big way.
Data Breaches on the rise
On the other hand we have been witness to major data breaches every couple of months now. Last month the Equifax breach has exposed sensitive personal data of 143 million people, in july verizon reported personal data of 14million customers being exposed, so did Deep Root Analytics in June, OneLogin in May, Chipotle in april and so on and so forth.
Considering the size and frequency of exposures and how vulnerable the enterprises have been, the lackadaisical attitude towards implementing stronger data protection architectures has been surprising. Quite a few of the data breaches this year (like Deep Root Analytics) were not even sophisticated attacks. The unencrypted, unprotected files were freely available on the cloud for people to access for weeks.
What is the missing piece of the puzzle? Why are data breaches so common? The reason is a faulty understanding of how personal data should be protected. We list the three common myths on how to protect personal data.
Myth 1 — We need a better Firewall
Don’t get us wrong, everyone needs the best firewall that is available, but getting a better firewall is not data protection.
Protecting personal data is about implementing mechanisms within your organization to handle data in a protected manner. A well designed system will expose minimal data even after a breach of perimeter defenses. So, the primary action in personal data protection is at the core of an enterprise’s IT infrastructure and not at the perimeter.
Consider for a moment the personal data of the 14 million that was exposed by verizon. The data was available freely for download on the cloud in a readable format. A well designed system would never have stored personal data in a single easily identifiable database with no encryption.
Investing in Pseudonymization and application level encryption would have ensured none of the data exposed at verizon would have impacted a real customer.
Myth 2 — We need to enforce stronger passwords
Good, strong passwords are essential to protecting an enterprise against sophisticated attacks, but beyond a point a stronger password does not add significant value to data protection.
What is instead required are techniques and mechanisms like role based access controls to ensure data is accessible only on a need to know basis, centralization of data storage to a limited set of locations with encrypted and role based streaming access, preventing even temporary storage of really sensitive data at any location other than the designated secure stores and ability to monitor and audit third party applications through behavioural checks.
Myth 3 — Our Data is not personal or sensitive
What is personal data can be a tricky question. More often than not, enterprises mistakenly believe the data in their systems in not personal or sensitive.
For example in the case of verizon, the data exposure happened at the voice recording system, which being a part of the voice infrastructure would not have received the same attention to data protection in comparison to a system handling card processing data.
Another famous exposure that happened at AOL was of anonymized search strings. When this data was exposed, it was discovered that the search strings could be used to identify the exact people who made those searches, including potentially embarrassing information.
Similarly, different parts of an IT infrastructure handle sensitive data that is not apparent on a cursory check. A thorough and holistic review of the data flow in an enterprise, along with automated systems for regular monitoring, will go a long way in protecting both the personal data of individuals and the reputation of enterprises.
GDPR : 3 Common Myths about Protecting Personal Data was originally published in Assertion on Medium, where people are continuing the conversation by highlighting and responding to this story.