Data security vs data privacy – they’re not the same thing

Data security and data privacy are both necessary to completely protect corporate data assets. But most companies spend most of their time on the former and much less on the latter.


Most organizations take great care to secure their data from attack, exposure, and/or corruption. Indeed, companies have implemented many layers of security within their infrastructure to accomplish data protection while at rest (data encryption), while in transit (secure transport), and increasingly while being processed (confidential computing). Yet relatively few enterprises have put together a data privacy strategy that can protect them from breaching a growing array of regulatory compliance requirements. Indeed, we estimate that while nearly every organization has a high level of data security protections in place, the number of companies able to confirm they are compliant with all regulatory obligations by keeping personally identifiable data private is currently well below 50%. And with the growth of regulatory restrictions, the requirement for implementing enhanced data privacy in most businesses is becoming critical. To accomplish this, companies must think beyond the typical “SecOps” mentality.

For many industries, regulatory compliance is a mandatory obligation. Indeed, industries like finance, insurance, healthcare, retail, the public sector, education, and pharmaceuticals, to name just a few, have deployed significant resources over the past few years to make sure they are not in breach of any pertinent regulations (e.g., GDPR, HIPAA, CCPA, etc.). But as more state and country-wide regulations are enacted with broader enforcement and wider inclusion, even those industries that were previously not very concerned (e.g., manufacturing, transportation, food processing) are feeling the pressure to comply. And international businesses face the daunting task of staying compliant across many borders and within the regulations of many different enforcement agencies.

Exacerbating this data privacy challenge for most companies is that the move to become a data-driven enterprise means that data is shared with many more participants, both internally and externally, in order to provide a more complete business analysis. But not all users are created equal when it comes to data access and manipulation. Indeed, there are many classes of user access to data, and they need to be based both on the individual’s position in the organization and on the sensitivity of the data being accessed. Typically, data repositories are not good at distinguishing between these levels of data access, and this presents a challenge to maintaining data privacy and compliance.

We believe that companies must implement a complete data lifecycle management capability that includes management of the data from acquisition, through distribution and analysis, and even through elimination of the data. But most data lifecycle implementations are not very good at compliance and data policy administration. What’s needed is a way to include data access policy information when the metadata is being captured and stored, and have that access policy follow it throughout the data distribution and analysis phases. Indeed, this must become one of the key components of a complete data lifecycle management strategy, as well as a capability of any products deployed to implement such a strategy. This is the only way to fully maintain a compliance stance in order to protect the organization from the costly consequences of regulatory breaches.

An example of such a product is Cloudera’s SDX – a cloud-based platform that captures all the metadata and sets up access policies for that metadata that stay with the data from birth to death. Further, and very importantly, the product can prove that the enterprise is in compliance through verifiable audit logs of all data being accessed, when it was accessed, and by whom. The functionality includes a high granularity of control, such that a data manager can write access policies about who gets access to which columns of the available data, and not be bound by higher-level policy making applicable only to the complete data set. This capability is increasingly important as more joining of diverse data sets is being used to produce insights across data boundaries, and even across organizations. And it’s critically important to be able to do this across all deployments – on-prem, private cloud, or even multi-cloud – as more organizational data is scattered across multiple systems and locations.

Of course, user policies do have their limitations. A “bad actor” who has stolen someone’s credentials can have access to all of the data that person would have been able to work with. That will still cause a data breach that has a negative regulatory compliance effect. But, with a full audit trail, the enterprise will at least be able to determine the “what” and “how” of the data used, which can be valuable in mitigating any excessive regulatory penalties. And it can provide valuable data to help with security investigations to limit future potential breaches.
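As an added illustration (not Cloudera’s code, and not part of the original article), here is a small Python model of the capability described above: a column-level access policy stored in the dataset’s metadata and enforced wherever the data is read or joined, with every decision written to an audit trail so that, as in the stolen-credential case above, the “what” of a given account’s activity can be reconstructed afterwards. The dataset names, roles, and rows are constructed sample values.

```python
from datetime import datetime, timezone

# Constructed sample datasets. The policy (column -> roles allowed to read it)
# is part of the dataset's metadata, so it travels with the data wherever it goes.
CUSTOMERS = {
    "name": "customers",
    "policy": {"customer_id": {"analyst", "support", "dpo"},
               "region": {"analyst", "support", "dpo"},
               "email": {"support", "dpo"},
               "ssn": {"dpo"}},
    "rows": [{"customer_id": 1, "region": "EU", "email": "a@example.com", "ssn": "000-00-0001"},
             {"customer_id": 2, "region": "US", "email": "b@example.com", "ssn": "000-00-0002"}],
}
ORDERS = {
    "name": "orders",
    "policy": {"customer_id": {"analyst", "support", "dpo"}, "amount": {"analyst", "dpo"}},
    "rows": [{"customer_id": 1, "amount": 40.0}, {"customer_id": 2, "amount": 15.5}],
}

AUDIT_LOG = []  # append-only record of every access decision (who, what, when)


def read(dataset, user, role, columns):
    """Return only the requested columns the role may see; log what was granted and denied."""
    policy = dataset["policy"]
    granted = [c for c in columns if role in policy.get(c, set())]
    denied = [c for c in columns if c not in granted]
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(), "user": user, "role": role,
                      "dataset": dataset["name"], "granted": granted, "denied": denied})
    return [{c: row[c] for c in granted} for row in dataset["rows"]]


def join(left, right, user, role, key, columns):
    """Join two datasets on `key`; each side's own policy is enforced before rows are merged,
    so a column denied in one dataset cannot leak into the joined result."""
    lrows = read(left, user, role, [key] + [c for c in columns if c in left["policy"]])
    rrows = read(right, user, role, [key] + [c for c in columns if c in right["policy"]])
    by_key = {r[key]: r for r in rrows if key in r}
    return [{**l, **by_key[l[key]]} for l in lrows if key in l and l[key] in by_key]


def accessed_by(user):
    """Reconstruct from the audit trail which (dataset, column) pairs an account actually read."""
    return sorted({(e["dataset"], c) for e in AUDIT_LOG if e["user"] == user for c in e["granted"]})
```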

A data privacy approach such as the one outlined above can create two major advantages for companies. First, staying compliant with the myriad of regulations has real positive business benefits: the company is not fined, nor does it lose customers. In some extreme cases, non-compliance can even lead to criminal charges. Second, by implementing an access control function within the corporate data repositories, more of the data can safely be used by more employees, extending the value of the data through more business insights and better business outcomes. Controlling the data lifecycle enables the maximum use (and benefit) of corporate data in a totally compliant fashion.

Bottom Line: Data security and data privacy are both necessary to completely protect corporate data assets. But most companies spend most of their time on the former and much less on the latter. Enterprises must look at creating a full data lifecycle management solution that also includes access control and audit logs to ensure that compliance regulations are being met. Most companies should be looking to deploy such a capability immediately to avoid a growing list of regulations and potential non-compliance penalties. Longer term, a blending of more traditional security mechanisms with data access control features will further enhance these capabilities and make enterprise data even safer and more compliant by easing the burden on corporate data managers.