This story is from October 18, 2023
How to get ready for this new era of data protection
Data protection is becoming crucial for organisations. Governments are also stepping in to ensure organisations put in place necessary safeguards. In India, one such instance is the DPDP (Digital Personal Data Protection) Act passed by Parliament in August. All of these require organisations to reevaluate their data security and privacy strategies.
One mistake that a lot of organisations make is to directly jump onto a data protection or DLP (data loss prevention) solution, says Vikram Jeet Singh, partner for digital trust, and national leader for data security services at KPMG. “That will fail. DLP, for instance, is an engine, which you are coaching that this is what you need to look for. Typically, it will throw you a lot of data, and tonnes and tonnes of that would be false positives. You cannot derive any meaningful inference out of it, it just creates more problems because you now have to handle so many alerts,” he says.
Organisations, he says, must first understand the compliances and regulations they need to meet, and then get into the data governance layer. “That is about understanding what your business functions, departments are, who would be the data custodian. And don’t expect that the IT or CISO office will manage all data. The first line of defence has to be the businesses or functions which have data, collate data. The CISO organisation, and external partners will bring the solutions,” he says.
In data governance, the first step is to discover and classify data. And that’s the most difficult step, says Pradeep Vasudevan, country leader for security software at IBM India & South Asia. That’s also, he says, because data is today spread across on-premise data centres and multiple clouds. Ranjith Purushothaman, CISO at Dhanlaxmi Bank, says it took them two months to complete this process.
The next step, Vasudevan says, is to analyse the data and assess the risk associated with different kinds of data. After that comes frameworks and controls around protecting the sensitive data. “It could be controls, such as encryption, or access policies, and even real-time database activity monitoring – who is accessing what, what kind of actions have been performed on the data,” he says.
Finally, keeping in mind that a breach is likely to happen, Vasudevan says, there must be a strategy and execution plan around how to respond to threats in real-time and send actionable alerts to whoever is supposed to take remedial action.
Purushothaman says it’s useful to look at data in its different states – data at rest, data in transit, and data in use. For sensitive data at rest, one could have storage layer encryption, and even database level encryption. For data in transit, Dhanlaxmi Bank has defined all the areas where data is shared with, for instance, third-party service providers. “And we have ensured that there is encryption and also DLP, to monitor or block if the sensitive data is shared without any business-as-usual case,” he says.
For data in use, there should be classification around who should have rights to what data. “If I am generating a credit card number, the database administrator or a normal user may not require the full master data. So, we have to segregate, ensure that a person gets to see only the data that he or she needs to see,” he says.
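The two points above, DLP false positives and need-to-know access to card data, can be shown in a few lines. This is an added example, not code from the article or from any organisation quoted in it; the role names, the digits each role may see, and the sample text are assumptions constructed for illustration.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

# Hypothetical roles and how many trailing digits each may see (None = full value).
ROLE_VISIBLE_DIGITS = {"card_ops": None, "support": 4, "dba": 0}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs a bare regex would flag."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return digit strings that match the pattern AND pass the Luhn check."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def view_for_role(text: str, role: str) -> str:
    """Redact validated card numbers to what the role needs; unknown roles see none."""
    keep = ROLE_VISIBLE_DIGITS.get(role, 0)

    def redact(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits) or keep is None:
            return m.group()
        return "*" * (len(digits) - keep) + (digits[-keep:] if keep else "")

    return CANDIDATE.sub(redact, text)


# Constructed sample: a widely used test card number and a 16-digit order reference.
SAMPLE = "Card 4111 1111 1111 1111 charged; order ref 1234567890123456."
```

A pattern-only rule would raise two alerts on the sample line; the checksum leaves one, and each role then sees only as much of that number as its entry in the policy table allows.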
Vasudevan says a platform-based approach to security is necessary today, where you address the complete data security lifecycle, from discovery to classification to protection to response, and at the same time be compliant with regulations.
KPMG’s Singh emphasises that this whole process of building a security and privacy architecture is an “infinite game.” “Don’t assume that you will reach a Nirvana state at some point. You will need to keep at it and continually improve (the system) on an everyday basis,” he says.