By Trevor Morgan, product manager at comforte
The way in which our data is protected often means locking away any sensitive information until it is needed for a specific reason. Though this may be a good idea for some elements of data that aren’t needed, it also devalues data by limiting accessibility. Limited or no access to this data means you can’t use it to its full potential. Even when such data is locked away, it is not guaranteed to be secure. In this more traditional view, data is either locked away and unusable or unavailable for access; seemingly there is no in-between.
Modern cloud applications contain vast amounts of sensitive data and are often linked to multiple devices. Look, for example, at Amazon Web Services. Many organisations are leveraging this cloud technology in some shape or form, and as these cloud services become more commonplace, more and more data is stored in them. Although this may seem like an innovative way to store data, human error is undermining the security of these systems. Far too often, businesses upload their data and then forget about it, assuming that built-in security systems will be enough to protect the data from hackers and cybercriminals; in some cases, unfortunately, security isn’t even implemented. As we have seen time and time again, this approach is failing us. If a data breach were to happen, it is the owners of that data who are punished and pay the hefty regulatory penalty.
Fortunately, this problem has a clear solution. In order to secure data, we have to do just that – secure the data rather than the elements and environment around it. This is where data-centric security comes in, securing both the data and the perimeters that surround it. After all, what is the point of securing the vessel if there is a treasure trove of data left unattended inside for a well-versed hacker to come and take?
By adopting a data-centric mindset to secure information, businesses that process and store sensitive information can neutralise datasets. One way of doing this is to put a ‘token’ in place of sensitive information. In this way, organisations can fully protect the data, as the token becomes meaningless to outsiders. For example, if a business wanted to target a group of customers within the same location, then they could isolate this dataset under a location token. This method allows the data to be used in a productive way, while remaining secure in the event of lost or compromised information due to a misconfiguration. Indeed, even if a breach were to occur, the data would be meaningless and uninterpretable. This is what all businesses should strive for: ensuring total security of data while also protecting it from outsiders.
This is where the use of data tokenisation and encryption methods can have a huge impact. The combination of these methods allows organisations to freely use and manoeuvre their data while also keeping it secure. Data that is tokenised can also be shared with third parties without the risk of revealing sensitive information, particularly in a low-trust environment. This includes cloud environments where data might be used in a dev-and-test approach, as well as data science environments where data is used for analytical purposes. Essentially, tokenisation and data-centric encryption allow for a secure migration to the cloud while also minimising the risk and compliance at the same time.
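The location-token idea above, as an added sketch that is not comforte's product or code from this article: a vault-backed tokeniser that derives deterministic tokens with a keyed HMAC (an assumption; the article names no scheme), so a low-trust analyst can still group customers by location without seeing postcodes or card numbers. `TokenVault`, `protect`, `spend_by_location` and the customer records are constructed for illustration.

```python
import hashlib
import hmac
import secrets

class TokenVault:
    """Minimal vault-style tokeniser; key and vault stay inside the trusted zone."""
    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)
        self._vault = {}  # token -> original value

    def tokenise(self, field, value):
        # Keyed and deterministic: equal values give equal tokens, so grouping
        # and joins keep working. The field name is mixed in so the same value
        # in two different fields does not yield the same token.
        mac = hmac.new(self._key, f"{field}:{value}".encode(), hashlib.sha256)
        token = f"tok_{field}_{mac.hexdigest()[:16]}"
        if self._vault.setdefault(token, value) != value:
            raise ValueError("token collision")  # truncated MAC, astronomically rare
        return token

    def detokenise(self, token):
        return self._vault[token]  # KeyError for tokens this vault never issued

SENSITIVE_FIELDS = ("card_number", "postcode")

def protect(records, vault):
    """Replace sensitive fields with tokens; leave analytic fields usable."""
    return [{k: vault.tokenise(k, v) if k in SENSITIVE_FIELDS else v
             for k, v in record.items()} for record in records]

def spend_by_location(protected_records):
    """What the low-trust side can still do: aggregate per location token."""
    totals = {}
    for record in protected_records:
        totals[record["postcode"]] = totals.get(record["postcode"], 0) + record["spend"]
    return totals

# Constructed sample data (test card numbers, not real customers).
CUSTOMERS = [
    {"card_number": "4111111111111111", "postcode": "SW1A 1AA", "spend": 120},
    {"card_number": "5500005555555559", "postcode": "SW1A 1AA", "spend": 80},
    {"card_number": "4012888888881881", "postcode": "M1 1AE", "spend": 45},
]

if __name__ == "__main__":
    vault = TokenVault()
    shared = protect(CUSTOMERS, vault)  # this is what leaves the trusted zone
    print(spend_by_location(shared))
```

Deterministic tokens reveal which records share a value and how often each value occurs, so for small value spaces the protection rests on keeping the key and vault out of the shared environment.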
Why use tokenisation?
The use of tokenisation has become popular within the CISO community because it complies with several critical regulatory frameworks including PCI DSS and HIPAA. Consumers are also unknowingly using this technology on a daily basis, especially if they use payment services on their phones. This payment method essentially replaces any sensitive information such as card details with a token, keeping that information secure and yet still applicable. Evidently, this reduces the risk in payment environments while still facilitating quick and easy payment.
With these new, modern technologies, tokenisation and data-centric encryption can apply more traditional methods of restriction to almost any dataset that processes individual fields. That means it could be sensitive information like US tax IDs, UK National Insurance Numbers or personal addresses. Basically, any piece of information deemed sensitive under CCPA and HIPAA can be replaced with a token and, as such, protected in an effective way. Additionally, as regulatory frameworks evolve, this may be useful in protecting data that is unsecured.
A key benefit of using tokenisation is that it can be scaled to fit the size of the dataset. Tokenisation can also be implemented quickly and efficiently, meaning you don’t have to open the applications and recode them. This approach to data security minimises time and effort and allows for a quick transfer into already existing environments. This need to be more data-centric in how we protect our data is driven by regulations like GDPR, which mandates that security is built into systems processing or holding consumers’ sensitive information. Tokenisation and other modern forms of data protection allow businesses to truly protect important and sensitive data, enabling them to integrate privacy and security where needed most.